This document describes a problem where Citrix GoToMeeting does not connect through the Cisco Web Security Appliance (WSA).
Cisco recommends that you have knowledge of these topics:
- Cisco WSA
- Citrix GoToMeeting
The information in this document is based on these hardware and software versions:
- Cisco WSA Versions 7.x and 8.x
- Citrix GoToMeeting Versions 5 and later
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
When the Cisco WSA is used in a transparent proxy deployment, Citrix GoToMeeting does not connect through the WSA. Also, when you configure GoToMeeting for the HTTPS passthrough action in the Decryption Policies, it has no effect.
As described in the Citrix White Paper, GoToMeeting performs these actions in order to connect:
When GoToMeeting endpoint software is started, it attempts to contact the GoToMeeting service broker via the Endpoint Gateway (EGW) by initiating one or more outbound SSL-protected TCP connections on ports 8200, 443 and/or 80. Whichever connection responds first will be used and the others will be dropped.
In an explicit proxy environment, GoToMeeting connects with an HTTP CONNECT request, and the WSA tunnels the data between the client and the server. There are no issues with this type of connection. However, in transparent mode, the GoToMeeting client is unable to perform authentication.
Cisco recommends that you bypass the authentication process with a client IP address-based (subnet) identity in order to workaround this issue effectively. However, it is important to note that even with decryption enabled, GoToMeeting should work when authentication is disabled.
This section describes how to bypass the authentication process for GoToMeeting traffic in the WSA. Complete these steps in order to add the GoToMeeting server IP addresses in a new custom URL category list:
- From the web management GUI, navigate to Web Security Services > Custom URL Category and click Add Custom Category.
- Add these IP address ranges to the Sites list: