04-05-2011 10:07 AM
I have been having an issue with Goto Meeting and SSL decryption since August 2010 and support/development has been very slow to resolve this issue. I am wondering if anyone else has a better work around or experience this issue. I am very frustrated that I can not use SSL decryption which was a key feature in the decision to purchase the Palo Alto appliance.
When I enable SSL Decryption, users who try to connect to a Goto Meeting session get the error message: Certificate Mismatch, they can not join a meeting. From my understanding this happens because the PaloAlto device uses the Goto Meeting Certificate to identify the Goto Meeting Application. Since it actually uses the Goto Meeting Certificate initially it later does not match the Certificate I created to decrypt the rest of the session, hence the Certificate Mismatch. It was ironic when support originally wanted to start a Goto Meeting to troubleshoot this.
Work arounds from support:
Put all IP addresses from Citrix in a SSL Decryption exception list for ssl decryption. This works for a little while until Citrix changes their IPs. This would work if I am allowed to do exceptions by URL instead of IP. Support came up with a way to learn the IPs but it requires users to keep trying until it finally works (this obviously is not a good solution, as users expect it to work the first time).
Work arounds that I tried:
I tried to make an SSL Decryption exception list for the URL categories belonging to Goto meeting but it still has the Certificate mismatch.
05-24-2011 10:42 PM
We do not seem to populate the list of IP addresses to not decrypt when users
only join the meetings. The reason is that ssl sessions don't include the common name in the response. We're still investigating
07-04-2011 02:56 PM
This issue is getting annoying. We told this is being worked on ( 24 May 11 ) so by all accounts we should have a workable fix by now. If there is any subsequent fix im unaware of please advise, as of 3.1.9 i still see the issue.
Also, please don’t mention an upgrade to PANOS 4 as a solution , not a option.
I look forward to a positive reply.
09-06-2011 11:00 AM
We were able to get around this issue by creating a custom URL Category for decryption exceptions. Populate the category with domain names that you want to exclude (you can also wildcard for subdomains), then assign that category to your exception rule. The destination address should be set to any so that the exception rule is triggered only upon category match. So far this seems to work.
09-07-2011 03:34 PM
In firewalls running 3.1.7, I was able to use a custom URL category to create an exception for the domain *.citrixonline.com. I think Citrix Online domains/IPs are the main culprit when SSL decrypt breaks GoToMeeting or another Citrix product.
My opinion: When implementing SSL Decryption, create rules that allow for exceptions for both sources and destinations, and the use of a custom URL category is super helpful as well.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!