This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Webex and HTTPS proxy

Having an impossible time getting webex meetings to work. In the HTTP logs I see: 2009:04:15-13:51:55 astaro httpproxy[27554]: [ 0xca0fa58] ssl_log_errors (ssl.c:41) C: 27554:error:140ED0E5:SSL routines:SSL23_PEEK:ssl handshake failure:s23_lib.c:165: 2009:04:15-13:51:55 astaro httpproxy[27554]: [ 0xc9ab750] ssl_log_errors (ssl.c:41) C: 27554:error:140ED0E5:SSL routines:SSL23_PEEK:ssl handshake failure:s23_lib.c:165: 2009:04:15-13:51:55 astaro httpproxy[27554]: [ 0xc834e88] ssl_log_errors (ssl.c:41) C: 27554:error:140ED0E5:SSL routines:SSL23_PEEK:ssl handshake failure:s23_lib.c:165: 2009:04:15-13:51:55 astaro httpproxy[27554]: [ 0xc8f2158] ssl_log_errors (ssl.c:41) C: 27554:error:140ED0E5:SSL routines:SSL23_PEEK:ssl handshake failure:s23_lib.c:165: In an attempt to fix this issue, I first added "webex.com" to an exception list for URL filtering and certificate checks. Then I added a DNS group definition for webex.com, which I then added to the transparent mode skiplist. Still won't work. Almost seems like it isn't skipping hosts (server1.webex.com, server2.webex.com, etc.). Any thoughts or ideas?

This thread was automatically locked due to age.

Parents

0 BAlfson over 16 years ago

Scott, I don't know, but maybe this is like the Microsoft update thing where you need two different certs, one loaded into the browser and the other via mmc.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 16 years ago in reply to BAlfson

Very possible. The only things I've found to work so far are: 1) Adding our endpoint (workstation) to the transparent mode skiplist 2) Disabling HTTPS scanning globally Neither of these are particularly useful solutions for, what are hopefully, obvious reasons.

Edit: I downloaded the webex cert through a proxy bypass machine and imported it through the MMC into the machine trusted root on a proxied system, but still no luck.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 16 years ago in reply to Scott_Klassen
I opened a support case with Astaro. They remotely connected to my system and declared the issue fixed. When I asked what the support person did to fix the issue, the response was:

"It was the HTTPS scanning that causes issues with webex.. Turning that off will allow webex to work.. You should be all set."

So, they turned off HTTPS scanning and wouldn't have told me if I hadn't asked. I haven't replied to the engineer yet, because I'm quite miffed right now and any response I might give atm wouldn't be very nice. Beyond that, it seems a "throw the baby out with the bathwater" solution more geared towards clearing an open ticket than resolving a customer problem.
__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Scott_Klassen over 16 years ago in reply to Scott_Klassen
I opened a support case with Astaro. They remotely connected to my system and declared the issue fixed. When I asked what the support person did to fix the issue, the response was:

"It was the HTTPS scanning that causes issues with webex.. Turning that off will allow webex to work.. You should be all set."

So, they turned off HTTPS scanning and wouldn't have told me if I hadn't asked. I haven't replied to the engineer yet, because I'm quite miffed right now and any response I might give atm wouldn't be very nice. Beyond that, it seems a "throw the baby out with the bathwater" solution more geared towards clearing an open ticket than resolving a customer problem.
__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BAlfson over 16 years ago in reply to Scott_Klassen

Scott, did he turn off scanning or did he create an exception or adding the webex site to the transparent mode skiplist?

I didn't mean the webex cert; I meant the Astaro cert. Here's the thread where Gert explains what to do for Microsoft: https://community.sophos.com/products/unified-threat-management/astaroorg/f/55/p/43993/156033#156033

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 16 years ago in reply to BAlfson

Yes, he he unticked Scan HTTPS (SSL) Traffic.

The Astaro cert is installed correctly on the workstations. Other https sites work just fine, it's only the webex.com domain with this issue.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 16 years ago in reply to Scott_Klassen

Right, but you need to install it in both the browser and via mmc... are you saying you've done that?

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 16 years ago in reply to BAlfson

The proxy certificate is installed in the machine store through Group Policy, so it is correct per Gerts posting. I can verify that it exists through the MMC.

I'm wondering if Webex may be using an anonymous cipher, per https://community.sophos.com/products/unified-threat-management/astaroorg/f/55/t/44004 . Without knowing for certain and knowing any possible side-effects of Svens fix, I'm reticent to try implementing it.

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 16 years ago in reply to Scott_Klassen

I've PM'd him to respond to my request for more information on that thread.

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 BrucekConvergent over 16 years ago in reply to BAlfson

Scott, I gave you a call; but try this:

# cc set http ciphers DEFAULT
# /var/mdw/scripts/httpproxy restart

CTO, Convergent Information Security Solutions, LLC

https://www.convergesecurity.com

Advice given as posted on this forum does not construe a support relationship or other relationship with Convergent Information Security Solutions, LLC or its subsidiaries. Use the advice given at your own risk.
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 16 years ago in reply to BrucekConvergent

Scott, I gave you a call; but try this:

# cc set http ciphers DEFAULT
# /var/mdw/scripts/httpproxy restart

BrucekConvergent can you provide more information as to what the above commands do and when to use it?
Cancel
Vote Up 0 Vote Down

Cancel
0 Scott_Klassen over 16 years ago in reply to wingman

Good news/bad news.

Bad:  Unfortunately that fix is only in the case of anonymous ciphers being used, which isn't the case this time.

Good:  My Astaro support case was escalated and the full range of WebEx IPs was sussed out.

Here's the fix for anyone else who may need it:
1)  Create a network definition for [FONT=Calibri]64.68.96.0/19.[/FONT]
[FONT=Calibri]2)    Add the network object to the transparent mode skiplist.[/FONT]
[FONT=Calibri][/FONT]
[FONT=Calibri]Case resolved.[/FONT]

__________________
ACE v8/SCA v9.3

...still have a v5 install disk in a box somewhere.

http://xkcd.com
http://www.tedgoff.com/mb
http://www.projectcartoon.com/cartoon/1
Cancel
Vote Up 0 Vote Down

Cancel
0 AlanT_01 over 16 years ago in reply to BrucekConvergent

The issue Sven mentioned isn't affecting this case. The easiest solution here, according to webex's KB is to bypass the proxy. Create a network definition for 64.68.96.0/19 and add it to the transparent mode skip list.

(http://support.webex.com/SelfServiceWeb/portlets/ViewArticle/showSingleArticle.do?_articleId=WBX264)
Cancel
Vote Up 0 Vote Down

Cancel