6 Replies Latest reply on Nov 5, 2009 12:08 PM by craiger

    GotoAssist/GotoMeeting usage with Auth Proxy

    DBO

      Anybody been able to get this to work across Secureweb/Webwasher?  I have been able to get it to work once but never after that.

        • 1. Re: GotoAssist/GotoMeeting usage with Auth Proxy
          Jon Scholten

          Hello DBO,

           

          GotoAssist/GotoMeeting can be somewhat of a moving target. The IP ranges that the Citrix servers (owners of GotoAssist/GotoMeeting) use, can change, they do provide a list of their servers that they use which can be found here:

          http://www.citrixonline.com/iprange

           

          Which is referenced in this KB article: http://support.citrix.com/article/ctx105034

           


          I bring this up because the McAfee Web Gateway, which if SSL Scanning is enabled, you will need to enter bypasses in so that the traffic is not scanned. This can be done under SSL Scanner > Global Certificate List/Certificate List then 'Add new exception' for 'https://gotoassist.com' or 'https://gotomeeting.com' by host and Tunnel.

           

          This will make it so these domains are not scanned. This should work, but if you see that the application is contacting another server (which can be verified in the access log under Reporting > View Log Files) then that destination may need to be bypassed as well.

           

          This may vary in transparent setups in which case the McAfee Web Gateway may only be recieving the IP address of the destination server, in which case alternate solutions may need to be explored.

           

          Please also let me know if authentication is apart of your question as well, you mentioned "Auth Proxy".

           

          I will work on putting together a more detailed KB article and I shall update this thread with the number of the KB. If you require any immediate assistance with this issue definitly get in touch with support who can work through the issue with you.

           

          Best Regards,

          Jon Scholten

          • 2. Re: GotoAssist/GotoMeeting usage with Auth Proxy
            DBO

            I have open tickets in the past for this issue but after loosing too many nights on it, I just drop the issue...  We definitively need complete documentation on this issue and the webex remote share sessions also.

             

            We do NTLM auth for all user

            We do not do Scan Encrypted traffic

            We have tried Bypass ICAP server

             

            PS: Thank you for the answer.  I am just hoping that somebody here was able to get it to work and would share the info.

            PS2: The IronMail Messanging forum have allways been very helpfull, I hope that this new one will be as usefull for WebWasher that is much more complex....

            • 3. Re: GotoAssist/GotoMeeting usage with Auth Proxy
              Jon Scholten

              Hello again Daniel,

               

              Well it sounds like it could just be authentication tripping the application from starting/communicating properly, if it is then it would be best if you were to work it out with us in support to get the exact issue nailed down to work with your configuration.

               

              Best Regards,

              Jon Scholten

              • 4. Re: GotoAssist/GotoMeeting usage with Auth Proxy
                rippie

                Everyone !

                 

                Gotomeeting is a tricking thing to get to work through Webwasher. We found it was easier just to open up for the 2 ports it requires for outbound traffic.

                 

                If my memory serves me right, im not sure we could get the traffic through webwasher on gotomeeting. Please check with Wireshark that the traffic actually hits the webwasher, if it does not, check your firewall if it allows the 2 ports on outbound.

                 

                Ronnie

                • 5. Re: GotoAssist/GotoMeeting usage with Auth Proxy

                  I found a fix that has been working here for several months now.  Before, a few people were able to access GoToMeeting (G2M), but the vast majority would not be able to.  When they attempted to enter their meeting, it would timeout, and they would be presented with the G2M error popup telling them to check their firewall settings, etc.  I compared everything between users & PCs that could access G2M presentations and those who couldn't.  What I found was that PCs with certain registry keys (listing available proxy servers, last good connection info, etc.) were able to access meetings.  PCs without these keys were largely unable to access meetings.  I realize it seems like a user or machine permissions issue, but it's not (at least not here).  We created a completely powerless domain user, and accessed a G2M meeting on a completely powerless machine *with* the reg keys, and it got right through.  The G2M Connection Wizard creates all of the entries under:

                  HKEY_CURRENT_USER\Software\Citrix\GoToMeeting\ConnectionInfo\ (which obviously is a mirror of the actual user profile found in HKEY_USERS\xxxxxxxxxxx\Software.....)

                   

                  The simplest way to add the reg keys to one PC is to run the G2M Connection Wizard, which I attached.  It can be downloaded from the G2M site here: https://www2.gotomeeting.com/wizard?Portal=www.gotomeeting.com.

                   

                  For large-scale deployments, there's probably a way to include it in your PC image(s) if you're using those, or maybe you can use a utility to push it out.

                  • 6. Re: GotoAssist/GotoMeeting usage with Auth Proxy

                    We've had this issue open for some time and still cannot get GotToMeeting to work properly through the Webwasher.  What we have discovered is that the GoToMeeting software does not handle NTLM passthough proxy authentication, and the only way to get the meetings to work properly is to add the registry setting for "last known connection" that points to a HTTP/HTTPS proxy on the firewall (sans authentication, of course).  The biggest issue I have with this is that GoToMeeting uses a large number of servers, that not only allow for web meetings but also allow for "GoToMyPC" connections.  This presents a huge problem for organizations who wish to control the remote connections to their internal network.  We have basically refused to provide support for GoToMeeting unless there is a ticket opened asking for specific times/dates that the firewall proxy will be made available.  We also make every effort to steer the communication completely away from our internal network to our guest wireless services using off-network laptops.

                     

                    My understanding of the GoToMeeting service is that it is very cheap and many people use it for that reason.  It appears to me to be a way in which, by providing proxy support for their lack of authentication compatability, they are creating a window for their GoToMyPC franchise to become possible on corporate networks. I have no proof that this is their offical strategy but, after having to deal with the troubles they create for our security infrastructure, it sure seems to me to be the case.