6 Replies Latest reply on Jun 9, 2011 12:09 PM by jsimon2010

    WCCP and webex

      So I'm in a beta test right now with MWG 7.1.  For the most part things are going OK, although there are some features that are lacking.

       

      The details:

      (2) appliances using WCCP redirection

      -integrated auth over https

      -ssl scanning enabled

       

      Issue:  Can't connect to a WebEx session.  I have globally whitelisted the *.webex.com domain.  I get to the point where I can put in my username and email, and then it just sits there connecting.  At first I thought it was an issue between the two appliances having sessions split via WCCP over both of them.  I shut down the other appliance and still can't connect.  If in my browser I explicitly proxy to the remaining web gateway, all is well, works fine, etc.  I was hoping to see if anyone here on the community board has experienced this issue with WebEx specifically with WCCP configured.  I'm at a loss as to what to try next.  I have looked at the logs and all connection requests are to .webex.com domains.

       

       

       

      What would be nice is the ability to exempt traffic from going through the proxy entirely.  I.e., if a request goes to a certain IP/DNS name, I would put this in the config, and if the gateway ever saw this traffic it would just send it right back where it came from.

        • 1. Re: WCCP and webex
          Jon Scholten

          Hi there,

           

          With WebEx type traffic it needs to be exempt from the SSL scanner. You have attempted to do this with the bypass for *.webex.com... but in a transparent environment, this would be seen as an IP because it's secure. The Web Gateway would not see the GET request like it does with HTTP traffic. So... you need to bypass based on the IP in certain situations.

           

          For this, WebEx publishes lists of their ranges:

          http://support.webex.com/SelfServiceWeb/portlets/ViewArticle/showSingleArticle.do?_articleId=WBX264

          http://support.webex.com/SelfServiceWeb/portlets/ViewArticle/showSingleArticle.do?_articleId=WBX40189

           

          Citrix does the same thing:

          http://www.citrixonline.com/iprange

           

          I have created a rule you can import which references these ranges. See attached. You would want to place this ruleset towards the top.

           

          Hope this helps in understanding the problem better.

           

          On your last comment, it is possible to do this on your Cisco device using ACLs, essentially exempting it from WCCP (but it would be based on IP). There isn't currently a way for the Web Gateway to send the traffic back where it came from; the best solution to that would be tunneling or encapsulating the traffic somehow.

           

          ~Jon

          • 2. Re: WCCP and webex

            Doh, totally forgot about that!  I applied the IP range and it works like a charm. 

             

            Yes, we could definitely block certain ranges from going to the proxy via ACL on our router, and I've done that before at other places.  The rub is that it is nice to be able to exempt certain IPs from proxying without having to go through another IT group.

             

            Great forum as usual.  Interested to see what the latest version of the gateway brings!

            • 3. Re: WCCP and webex

              Would it be safe to assume that LiveMeeting is another vendor that would need to be addressed in a similar manner?

               

              http://social.technet.microsoft.com/Forums/en-US/olmmedia/thread/b575252a-86d6-4b2d-9bba-35495c09932f/

               

              Message was edited by: jsimon2010 on 6/8/11 12:54:21 PM CDT
              • 4. Re: WCCP and webex
                jspanitz

                You know, the question I have about all this bypassing is what if a file is transferred over webex or gotomeeting. Bypassing everything leaves us wide open to what we are trying to protect against.  Is this really the best way to handle the traffic?

                • 5. Re: WCCP and webex
                  Jon Scholten

                  The traffic within these SSL tunnels is not HTTP traffic; instead it is proprietary traffic designed by WebEx and Citrix. To the Web Gateway or any other device attempting to interpret this data, it will appear as binary garbage. I'm not sure if LiveMeeting is the same; based on J's link, it looks like they simply need to bypass authentication, so it very well could be some sort of HTTP traffic. But... often the designers of the software also hardcode the trusted CA, so SSL scanning will not allow it to be scanned (and have the software work).

                   

                  Hope this helps in understanding the issue.

                   

                  ~Jon

                  • 6. Re: WCCP and webex

                    My experience with Live Meeting is that it follows the same behaviors as Citrix and WebEx.  I am dealing with this in the following manner:

                     

                    I created a top level ruleset where the criteria is URL.Destination.IP is in range list WebExRanges (thank you jon!).  I added the Live Meeting and Citrix blocks to this list.  Then set the Authentication to RawCredential (because I have noticed authentication failures).  This allows us to also add additional rules such as Anti-Malware and the like.  Finally, I stop the cycle so as to bypass the SSL scanner ruleset and the NTLM Authentication ruleset.

                     

                    Using this solution, users are able to get sound in their meeting with these conference services.

                     

                    All of our desktops/laptops are protected with an antivirus client so there is a line of defense there as well.

                     

                    If anyone has a better plan or suggestions, I would be happy to hear about it. 

                     

                    Message was edited by: jsimon2010 on 6/9/11 12:09:22 PM CDT
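
The behaviour explained in reply 1 (a hostname whitelist cannot match WCCP-redirected HTTPS, so the bypass has to key on destination IP) and the top-level range-list rule from reply 6, modelled as an added example that is not part of the thread or of the Web Gateway product. The function names, rule-set labels and all addresses are assumptions; the ranges are constructed placeholders from documentation address space, not the vendors' published lists.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed placeholder ranges (RFC 5737 documentation space), not any
# vendor's published list; load the real ranges from the vendor's article.
RANGE_LIST = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/25")]
HOST_WHITELIST = ["*.webex.com"]  # the hostname whitelist from the first post

def rule_sets_applied(dest_ip, connect_host=None):
    """Model which later rule sets an HTTPS connection reaches.

    connect_host is the name from an explicit-proxy CONNECT request. It is
    None for WCCP-redirected traffic, where (as the thread describes) the
    gateway has only the destination IP to match on.
    """
    ip = ipaddress.ip_address(dest_ip)
    # Top-level rule: destination IP in the range list stops the cycle,
    # so SSL scanning and authentication are never reached.
    if any(ip in net for net in RANGE_LIST):
        return []
    # Hostname whitelist: can only match when a hostname was actually seen.
    if connect_host and any(fnmatch(connect_host.lower(), p) for p in HOST_WHITELIST):
        return []
    return ["authentication", "ssl_scanner"]

def audit(connections):
    """Return the connections that would still be intercepted."""
    return [c for c in connections if rule_sets_applied(*c)]

# Constructed sample connections: (destination IP, CONNECT host or None)
SAMPLE = [
    ("192.0.2.10", "meet.webex.com"),   # explicit proxy: hostname rule matches
    ("192.0.2.10", None),               # WCCP, IP not in range list: intercepted
    ("198.51.100.20", None),            # WCCP, IP in range list: bypassed
    ("203.0.113.200", None),            # WCCP, just outside the /25: intercepted
]

if __name__ == "__main__":
    for dest, host in audit(SAMPLE):
        print("still SSL-scanned:", dest, host)
```

Running the audit over connection logs after a vendor updates its published ranges shows which destinations have fallen outside the bypass list and will be intercepted again.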