jspanitz
Level 7

MWG7 Webex / Gotomeeting SSL Stream Detector

I know this has been brought up many times in the past, but now that 7.1.6 has stream detection, I wanted to rehash it again

We have MWG 7.1.6.1.0 deployed using the following settings:

  • Explicit proxy
  • Transparent auth to AD
  • SSL Scanner

And of course Webex and Gotomeeting are still an issue. Seems like stream detection may work, but the SSL Scanner is killing the traffic before the Stream Detector kicks in. So what's the best way to bypass the SSL Scanner for this type of traffic? Is it still (please don't say yes) by adding IP addresses to the SSL Scanner Tunneled Hosts list? Or can we stick in a stream detection rule in the SSL Scanner ruleset to detect the protocol and skip scanning?

John

Message was edited by: jspanitz on 3/13/12 11:40:09 AM CDT
hbajaj
Level 9

Re: MWG7 Webex / Gotomeeting SSL Stream Detector

Yes, you can try adding a Stream Detection rule in the SSL Scanner rule set before the sub rule set Handle CONNECT Call. This rule set enables the SSL Scan engine. So placing the Stream Detection rule before the Handle CONNECT rule set, with action "Stop rule set", is worth trying; if it does not work, then try placing the Stream Detection rule before the SSL Scanning rule set and make an exception in the SSL Scanning rule set so that "gotomeeting" and other Webex apps do not enter the SSL Scanning rule set and jump to the next rule set. So the criteria can be something like:

If the following criteria is matched:

URL.host <does not match> gotomeeting.

If you can afford "Stop Cycle", then you don't need to add an exception in the SSL Scanning rule set for gotomeeting.

Please let me know how it works...

Heena

alexott
Level 11

Re: MWG7 Webex / Gotomeeting SSL Stream Detector

The stream detector needs some data from the server to make a decision about the content. Because no decrypted data exists before the SSL Scanner is enabled, I don't think that it will work, although I haven't tried it.

hbajaj
Level 9

Re: MWG7 Webex / Gotomeeting SSL Stream Detector

If that is the case, then it does not seem we should skip scanning for Stream Detection if it cannot work without decryption. However, I have not tested Stream Detection myself. I tried to look for a rule set in the library but cannot see one.

alexott
Level 11

Re: MWG7 Webex / Gotomeeting SSL Stream Detector

You can find the Streaming Detector rule in the rule library in the "Gateway Antimalware" rule set.

asabban
Level 17

Re: MWG7 Webex / Gotomeeting SSL Stream Detector

Hello,

If I got the conversation right, I think you won't be able to allow Webex/Gotomeeting by using the Stream Detector.

- To detect the stream, the stream detector needs decrypted content

- If you decrypt the data, Webex/Gotomeeting stop working, because the traffic can't be decrypted

In my opinion the only way to allow Webex/Gotomeeting is manual whitelisting from the SSL Scanner. At the moment you will have to use static lists (I can provide lists if required). In the rule set library there are rule sets for Webex and Gotomeeting which will start working with 7.2 and subscribed lists. They contain a list that is hosted and maintained by McAfee which you need to add to your policy, so you do not need to manually maintain the list any longer.

Best,

Andre

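Added example (Python, not McAfee Web Gateway code) modelling the static whitelisting Andre describes: the CONNECT host is checked against a tunnel list with label-aligned suffix matching, so the SSL Scanner is skipped only for the listed domains and their subdomains. The list entries and hosts are constructed samples; `substring_match` mirrors the bare `gotomeeting.` criterion quoted earlier to show that a contains-style check is looser than a domain-suffix check.

```python
# Added example, not MWG's rule engine: a tunnel-list matcher for CONNECT
# hosts. 'tunnel' means "skip SSL Scanner", 'inspect' means "decrypt and scan".

SAMPLE_TUNNEL_LIST = [      # constructed sample entries, not McAfee's hosted list
    "webex.com",            # domain and all subdomains
    "gotomeeting.com",
    "*.citrixonline.com",   # subdomains only, not the apex
]


def _normalize(host):
    """Lower-case, strip a trailing dot and the :port of a CONNECT target."""
    host = host.strip().lower().rstrip(".")
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]
    return host


def host_matches_entry(host, entry):
    """True if host equals entry or is a subdomain of it (label-aligned)."""
    host = _normalize(host)
    entry = _normalize(entry)
    if entry.startswith("*."):
        entry = entry[2:]
        return host != entry and host.endswith("." + entry)
    return host == entry or host.endswith("." + entry)


def ssl_scan_decision(connect_target, tunnel_list=SAMPLE_TUNNEL_LIST):
    """Decide whether the SSL Scanner is bypassed for a CONNECT target."""
    for entry in tunnel_list:
        if host_matches_entry(connect_target, entry):
            return "tunnel"
    return "inspect"


def substring_match(connect_target, needle="gotomeeting."):
    """Naive 'contains' check like the criterion quoted in the thread.
    It also matches unrelated hosts that merely contain the string, e.g.
    gotomeeting.example.test, which the suffix matcher above rejects."""
    return needle in _normalize(connect_target)
```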