WSA and GoToMeeting Connection Problems

Introduction

This document describes a problem where Citrix GoToMeeting does not connect through the Cisco Web Security Appliance (WSA).

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Cisco WSA
• Citrix GoToMeeting

Note: This document assumes that the Cisco WSA is deployed in transparent mode.

Components Used

The information in this document is based on these hardware and software versions:

• Cisco WSA Versions 7.x and 8.x 
• Citrix GoToMeeting Versions 5 and later

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Note: This document references software that is not maintained or supported by Cisco. The information is provided as a courtesy for your convenience. For further assistance, please contact the software vendor.

Problem

When the Cisco WSA is used in a transparent proxy deployment, Citrix GoToMeeting does not connect through the WSA. Also, when you configure GoToMeeting for the HTTPS passthrough action in the Decryption Policies, it has no effect.

As described in the Citrix White Paper, GoToMeeting performs these actions in order to connect:

When GoToMeeting endpoint software is started, it attempts to contact the GoToMeeting service broker via the Endpoint Gateway (EGW) by initiating one or more outbound SSL-protected TCP connections on ports 8200, 443 and/or 80. Whichever connection responds first will be used and the others will be dropped.

In an explicit proxy environment, GoToMeeting connects with an HTTP CONNECT request, and the WSA tunnels the data between the client and the server. There are no issues with this type of connection. However, in transparent mode, the GoToMeeting client is unable to perform authentication.

Solution

Cisco recommends that you bypass the authentication process with a client IP address-based (subnet) identity in order to workaround this issue effectively. However, it is important to note that even with decryption enabled, GoToMeeting should work when authentication is disabled.

This section describes how to bypass the authentication process for GoToMeeting traffic in the WSA. Complete these steps in order to add the GoToMeeting server IP addresses in a new custom URL category list:

1. From the web management GUI, navigate to Web Security Services > Custom URL Category and click Add Custom Category.
   
   
2. Add these IP address ranges to the Sites list:
   
   
   • 216.115.208.0/20
   • 216.219.112.0/20
   • 66.151.158.0/24
   • 66.151.150.160/27
   • 66.151.115.128/26
   • 64.74.80.0/24
   • 202.173.24.0/21
   • 67.217.64.0/19
   • 78.108.112.0/20
   • 68.64.0.0/19
   • 206.183.100.0/22

Note: These IP addresses might change at any time. Cisco recommends that you verify the current IP address ranges with the Citrix IP address list.

Caution: The Citrix links that are referenced in this document are provided as a courtesy only. Cisco does not guarantee their accuracy or effectiveness.