5 Replies Latest reply on Apr 13, 2012 3:30 AM by asabban

    MWG7 Webex / Gotomeeting SSL Stream Detector

    jspanitz

I know this has been brought up many times in the past, but now that 7.1.6 has stream detection, I wanted to rehash it again.

       

      We have MWG 7.1.6.1.0 deployed using the following settings:

      • Explicit proxy
      • Transparent auth to AD
      • SSL Scanner

       

And of course Webex and Gotomeeting are still an issue.  Seems like stream detection may work, but the SSL Scanner is killing the traffic before the Stream Detector kicks in.  So what's the best way to bypass the SSL Scanner for this type of traffic?  Is it still (please don't say yes) by adding IP addresses to the SSL Scanner Tunneled Hosts list?  Or can we stick a stream detection rule in the SSL Scanner rule set to detect the protocol and skip scanning?

       

      John

       

      Message was edited by: jspanitz on 3/13/12 11:40:09 AM CDT
        • 1. Re: MWG7 Webex / Gotomeeting SSL Stream Detector

Yes, you can try adding a Stream Detection rule in the SSL Scanner rule set before the Handle CONNECT Call sub rule set. This rule set enables the SSL scan engine. So placing the Stream Detection rule before the Handle CONNECT rule set, with the action "Stop Rule Set", is worth trying. If it does not work, then try placing the Stream Detection rule before the SSL Scanning rule set and make an exception in the SSL Scanning rule set so that "gotomeeting" and the other Webex apps do not enter the SSL Scanning rule set and jump to the next rule set. So the criteria can be something like:

If the following criteria are matched:

URL.host <does not match> gotomeeting.

           

If you can afford "Stop Cycle", then you don't need to add an exception in the SSL Scanning rule set for gotomeeting.

           

          Please let me know how it works...

           

          Heena

          • 2. Re: MWG7 Webex / Gotomeeting SSL Stream Detector
            alexott

The stream detector needs some data from the server to make a decision about the content. Because no decrypted data exists before the SSL Scanner is enabled, I don't think that it will work, although I haven't tried it.

            • 3. Re: MWG7 Webex / Gotomeeting SSL Stream Detector

If that is the case, then it does not seem we should skip scanning for Stream Detection if it cannot work without decryption. However, I have not tested Stream Detection myself. I tried to look for the rule set in the library but cannot see one.

              • 4. Re: MWG7 Webex / Gotomeeting SSL Stream Detector
                alexott

You can find the Stream Detector rule in the rule library, in the "Gateway Antimalware" rule set.

                • 5. Re: MWG7 Webex / Gotomeeting SSL Stream Detector
                  asabban

                  Hello,

                   

If I got the conversation right, I think you won't be able to allow Webex/Gotomeeting by using the Stream Detector.

                   

- To detect the stream, the Stream Detector needs decrypted content.

- If you decrypt the data, Webex/Gotomeeting stop working, because the traffic can't be decrypted.

                   

In my opinion the only way to allow Webex/Gotomeeting is manual whitelisting from the SSL Scanner. At the moment you will have to use static lists (I can provide lists if required). In the rule set library there are rule sets for Webex and Gotomeeting which will start working with 7.2 and subscribed lists. They contain a list that is hosted and maintained by McAfee which you need to add to your policy, so you do not need to manually maintain the list any longer.

                   

                  Best,

                  Andre
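The thread's conclusion is that the skip-scanning decision for Webex/Gotomeeting has to be made from what is visible before any decryption: the target of the CONNECT request in an explicit-proxy deployment, or the SNI in the TLS ClientHello in a transparent one. The following is an added illustration of that decision in Python; it is not MWG code or a McAfee-provided list. The domain allowlist, the sample CONNECT lines and the constructed ClientHello are all assumptions made for the example. It also shows the caveat a practitioner should keep in mind with a criterion like "URL.host matches gotomeeting.": the match should be on the domain suffix, not a substring, or any host that merely contains the string can opt itself out of SSL scanning.

```python
"""Tunnel-or-intercept decision for an SSL-inspecting proxy (added example).

Only the CONNECT target (explicit proxy) or the TLS ClientHello SNI
(transparent proxy) is readable before decryption, so this is the only data
a "skip SSL scanning" rule can use. Everything after the ClientHello is
encrypted, which is why a content-based stream detector cannot run first.
"""
import struct
from typing import Optional

# Constructed allowlist for this example (assumption, not a vendor list).
TUNNELED_DOMAINS = ("webex.com", "gotomeeting.com")


def host_matches(host: str, domains=TUNNELED_DOMAINS) -> bool:
    """True if host equals one of the domains or is a subdomain of one.

    A substring test such as 'gotomeeting.' in host would also accept
    'gotomeeting.attacker.example', letting any site bypass scanning by
    choosing its name, so match on the dot-separated suffix instead.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def connect_target(request_line: bytes) -> str:
    """Extract the host from an explicit-proxy 'CONNECT host:port HTTP/1.1' line."""
    method, target, _version = request_line.decode("ascii").split(" ", 2)
    if method != "CONNECT":
        raise ValueError("not a CONNECT request")
    host, _, _port = target.rpartition(":")
    return host.strip("[]")  # drop IPv6 literal brackets


def client_hello_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:  # 0x16 = handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:  # 0x01 = ClientHello
        return None
    p = 4 + 2 + 32                                   # header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p + 2 > len(hs):
        return None                                  # no extensions
    ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        body = hs[p + 4:p + 4 + ext_len]
        if ext_type == 0x0000:                       # server_name extension
            # list_len(2), name_type(1)=host_name, name_len(2), name
            name_len = struct.unpack("!H", body[3:5])[0]
            return body[5:5 + name_len].decode("ascii")
        p += 4 + ext_len
    return None


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal ClientHello carrying an SNI extension (test input)."""
    name = sni.encode("ascii")
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
            + b"\x01\x00"                             # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def decide(host: Optional[str]) -> str:
    """'tunnel' = skip the SSL Scanner; 'intercept' = hand to the SSL Scanner."""
    return "tunnel" if host and host_matches(host) else "intercept"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for line in (b"CONNECT meet.gotomeeting.com:443 HTTP/1.1",
                 b"CONNECT gotomeeting.attacker.example:443 HTTP/1.1"):
        print(line.decode(), "->", decide(connect_target(line)))
    sni = client_hello_sni(build_client_hello("www.webex.com"))
    print("SNI", sni, "->", decide(sni))
```

The decision runs on the CONNECT host or the SNI alone; nothing about the stream's content is available at this point, which is the limitation the replies describe. The suffix match is the part to carry over into a real rule: a list of domains compared as suffixes, not a pattern that merely has to occur somewhere in the hostname.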