I know this has been brought up many times in the past, but now that 7.1.6 has stream detection, I wanted to rehash it again
We have MWG 220.127.116.11.0 deployed using the following settings:
And of course Webex and Gotomeeting are still an issue. It seems like stream detection may work, but the SSL Scanner is killing the traffic before the Stream Detector kicks in. So what's the best way to bypass the SSL Scanner for this type of traffic? Is it still (please don't say yes) by adding IP addresses to the SSL Scanner Tunneled Hosts list? Or can we stick a stream detection rule in the SSL Scanner ruleset to detect the protocol and skip scanning?
John

Message was edited by: jspanitz on 3/13/12 11:40:09 AM CDT
Yes, you can try adding a Stream Detection rule in the SSL Scanner rule set before the sub rule set Handle CONNECT Call. That rule set enables the SSL scan engine. So placing a Stream Detection rule before the Handle CONNECT rule set, with the action "Stop rule set", is worth trying. If it does not work, then try placing the Stream Detection rule before the SSL Scanning rule set and make an exception in the SSL Scanning rule set so that "gotomeeting" and the other Webex apps do not enter the SSL Scanning rule set and jump to the next rule set. So the criteria can be something like:
If the following criteria is matched:
URL.host <does not match> gotomeeting.
If you can afford "Stop Cycle", then you don't need to add an exception in the SSL Scanning rule set for gotomeeting.
Please let me know how it works...
The Stream Detector needs some data from the server to make a decision about the content. Because no decrypted data exists before the SSL Scanner is enabled, I don't think it will work, although I haven't tried it.
If that is the case, then it does not seem we should skip scanning for Stream Detection if it cannot work without decryption. However, I have not tested Stream Detection myself. I tried to look for a rule set in the library but cannot see one.
If I got the conversation right, I think you won't be able to allow Webex/Gotomeeting by using the Stream Detector.
- To detect the stream the stream detector needs decrypted content
- If you decrypt the data, Webex/Gotomeeting stop working, because the traffic can't be decrypted
In my opinion the only way to allow Webex/Gotomeeting is manual whitelisting from SSL Scanner. At the moment you will have to use static lists (I can provide lists if required). In the rule set library there are rule sets for Webex and Gotomeeting which will start working with 7.2 and subscribed lists. They contain a list that is hosted and maintained by McAfee which you need to add to your policy. So you do not need to manually maintain the list any longer.