stifi
Level 7

How to configure Web Gateway to allow GoToAssist sessions

Happy new year to all

I wonder how to configure Web Gateway to generally pass GoToAssist (e.g. to McAfee support). I could imagine that I have to bypass the SSL scanner, so I need some kind of trigger to configure such an exception. URLs might not be a really usable trigger, as URLs may always be changing. So I considered triggering on the user-agent, as this might provide the generic bypass that I want.

Unfortunately I do not have the chance to test with a GoToAssist client to see if there is a usable user-agent. Furthermore, I'm also interested in other approaches, so please let me know about your configuration.

Rgs, Stefan


Accepted Solutions
bwallace1
Level 9

Re: How to configure Web Gateway to allow GoToAssist sessions

Hi Stifi -

You can refer to this thread - specifically comment #13 from sgoers:

"The best practice is to use a McAfee subscribed list, allowing McAfee to manage the IP range"

https://community.mcafee.com/message/297069#297069

Here is our Best Practices guide about McAfee Maintained Subscribed Lists and how to use them:

https://community.mcafee.com/docs/DOC-4771

5 Replies
mbagheryan
Level 12

Re: How to configure Web Gateway to allow GoToAssist sessions

Did you check whether the Citrix IP range is enabled in the SSL scanner?

stifi
Level 7

Re: How to configure Web Gateway to allow GoToAssist sessions

I'm aware of that McAfee-managed IP list. However, since I'm not interested in having a remote session with Citrix but with McAfee, for example, this list will be pretty useless to me. So my plan would be to bypass the SSL scanner for such traffic based on the user agent, which identifies the client, if that would be possible.

I will ask McAfee to arrange a remote session with me so I can figure out whether there is such a GoToAssist-dedicated user agent that I could trigger on. I will come back with the results.

asabban
Level 17

Re: How to configure Web Gateway to allow GoToAssist sessions

As far as I know this won't work. The User-Agent header is sent (if it is sent at all) within the SSL tunnel. But once we enable SSL Scanner to look into the SSL tunnel the traffic will no longer work.

So what we would need is decrypt SSL, look into the data, find a User-Agent header (or anything else that explicitly identifies the traffic), then not decrypt SSL. Since we already decrypted SSL we cannot go back to not decrypt SSL.

You may give it a try and let me know the outcome. So far I wasn't able to find a better solution than destination IP based whitelists.

Best,

Andre
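
The destination-based decision described in the reply above, as an added example that is not part of the original thread and is not Web Gateway rule syntax: the bypass is decided from the CONNECT line and the resolved destination IP, the only attributes available before decryption. The ranges are constructed placeholders from documentation address space, and the function names and the port 443 restriction are assumptions of this example.

```python
import ipaddress
from typing import NamedTuple

# Constructed placeholder ranges (RFC 5737 documentation space) standing in
# for a vendor-maintained subscribed list; NOT real GoToAssist/Citrix ranges.
SUBSCRIBED_RANGES = [ipaddress.ip_network(n)
                     for n in ("203.0.113.0/24", "198.51.100.64/26")]

class Decision(NamedTuple):
    action: str   # "bypass", "inspect" or "reject"
    reason: str

def parse_connect(request_line: str):
    """Return (host, port) from 'CONNECT host:port HTTP/1.x', else None."""
    parts = request_line.strip().split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host.strip("[]"), int(port)

def ssl_scanner_decision(request_line: str, resolved_ip: str) -> Decision:
    """Decide before the TLS handshake, using only cleartext attributes.

    resolved_ip is the address the proxy itself will connect to. The host
    name in the CONNECT line is client-supplied, so matching uses the IP.
    """
    target = parse_connect(request_line)
    if target is None:
        return Decision("reject", "not a well-formed CONNECT")
    try:
        ip = ipaddress.ip_address(resolved_ip)
    except ValueError:
        return Decision("reject", "unusable destination address")
    _, port = target
    if port != 443:  # assumption of this example: keep the exception narrow
        return Decision("inspect", "bypass limited to port 443")
    for net in SUBSCRIBED_RANGES:
        if ip in net:
            return Decision("bypass", f"destination in {net}")
    return Decision("inspect", "destination not on subscribed list")
```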

stifi
Level 7

Re: How to configure Web Gateway to allow GoToAssist sessions

Guys, you were all right. There is no user-agent on which I could trigger a rule, since the HTTP header is of course encrypted. And yes, since I have also been advised by McAfee support to integrate that McAfee subscribed list, and it is working perfectly fine, I'm done.

Many thanks for your hints.
