SSL Decryption Goto Meeting issues

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSL Decryption Goto Meeting issues

Not applicable

Hi all,

I have been having an issue with Goto Meeting and SSL decryption since August 2010 and support/development has been very slow to resolve this issue.  I am wondering if anyone else has a better work around or experience this issue.  I am very frustrated that I can not use SSL decryption which was a key feature in the decision to purchase the Palo Alto appliance. 

 

Problem:

When I enable SSL Decryption, users who try to connect to a Goto Meeting session get the error message:  Certificate Mismatch, they can not join a meeting.  From my understanding this happens because the PaloAlto device uses the Goto Meeting Certificate to identify the Goto Meeting Application.  Since it actually uses the Goto Meeting Certificate initially it later does not match the Certificate I created to decrypt the rest of the session, hence the Certificate Mismatch.  It was ironic when support originally wanted to start a Goto Meeting to troubleshoot this.

Work arounds from support:

Put all IP addresses from Citrix in a SSL Decryption exception list for ssl decryption.  This works for a little while until Citrix changes their IPs. This would work if I am allowed to do exceptions by URL instead of IP.  Support came up with a way to learn the IPs but it requires users to keep trying until it finally works (this obviously is not a good solution, as users expect it to work the first time).

Work arounds that I tried:

I tried to make an SSL Decryption exception list for the URL categories belonging to Goto meeting but it still has the Certificate mismatch.

8 REPLIES 8

L4 Transporter

The feature that we have in place will automatically learn based on the hosted meeting. This obviously leaves a problem with the joiner of the meeting. At this time the only work around it to specify the IP addresses of GOTOMeetings sites. This is not a closed issue and it is being worked on by our developers.

Is there any update for this? Initial call Dated Aug 2010... Please provide direction here, what's outstanding that needs to be done to get this working? how long before a solution is found ?

Thank you.

sorry, got the initial call wrong... still be good to know when a solution is expect. thanks

I agree, this needs to be addessed, it is an issue for my users as well.

L2 Linker

We do not seem to populate the list of IP addresses to not decrypt when users
only join the meetings. The reason is that ssl sessions don't include the common name in the response. We're still investigating

This issue is getting annoying. We told this is being worked on ( 24 May 11 ) so by all accounts we should have a workable fix by now. If there is any subsequent fix im unaware of please advise, as of 3.1.9 i still see the issue.

Also, please don’t mention an upgrade to PANOS 4 as a solution , not a option.

I look forward to a positive reply.

Thank you

L0 Member

We were able to get around this issue by creating a custom URL Category for decryption exceptions.  Populate the category with domain names that you want to exclude (you can also wildcard for subdomains), then assign that category to your exception rule.  The destination address should be set to any so that the exception rule is triggered only upon category match.  So far this seems to work.

L1 Bithead

In firewalls running 3.1.7, I was able to use a custom URL category to create an exception for the domain *.citrixonline.com.  I think Citrix Online domains/IPs are the main culprit when SSL decrypt breaks GoToMeeting or another Citrix product. 

My opinion:  When implementing SSL Decryption, create rules that allow for exceptions for both sources and destinations, and the use of a custom URL category is super helpful as well.

  • 5028 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!