Ya, you can try adding a Stream Detection rule in the SSL Scanner rule set before the sub rule set Handle CONNECT Call. This rule set enables the SSL Scan engine. So placing the Stream Detection rule before the Handle CONNECT rule set, with the action "Stop rule set", is worth trying. If it does not work, then try placing the Stream Detection rule before the SSL Scanning rule set and make an exception in the SSL Scanning rule set so that "gotomeeting" and other webex apps do not enter the SSL Scanning rule set and jump to the next rule set. So the criteria can be something like:
If the following criteria is matched:
URL.host <does not match> gotomeeting.
If you can afford "Stop Cycle" then you don't need to add an exception in the SSL Scanning rule set for gotomeeting.
Please let me know how it works...
The Stream detector needs some data from the server to make a decision about the content. Because no decrypted data exists before the SSL Scanner is enabled, I don't think that it will work, although I haven't tried it.
If that is the case, then it does not seem we should skip scanning for Stream Detection if it cannot work without decryption. However, I have not tested Stream Detection myself. I tried to look for the rule set in the library but cannot see one.
You can find the Streaming detector rule in the rule library, in the "Gateway Antimalware" rule set.
If I got the conversation right, I think you won't be able to allow Webex/Gotomeeting by using the Stream Detector.
- To detect the stream, the stream detector needs decrypted content.
- If you decrypt the data, Webex/Gotomeeting stop working, because the traffic can't be decrypted.
In my opinion the only way to allow Webex/Gotomeeting is manual whitelisting from SSL Scanner. At the moment you will have to use static lists (I can provide lists if required). In the rule set library there are rule sets for Webex and Gotomeeting which will start working with 7.2 and subscribed lists. They contain a list that is hosted and maintained by McAfee which you need to add to your policy. So you do not need to manually maintain the list any longer.