Configuring Line messaging app traffic traversing transparent ProxySG appliance

Article ID: 168228

Products

ProxySG Software - SGOS

Issue/Introduction

  • The ProxySG appliance is deployed transparently and SSL interception is configured
  • Line messaging fails to connect on port 443

Cause

There are two reasons for this behavior.

  1. Because Line Messaging uses non-standard SSL, interception breaks the connection with the servers at the following addresses: 203.104.174.12, 16 and 18.
  2. Further, the Line messaging client does not trust the ProxySG/Microsoft PKI signed certificates used to perform SSL interception when accessing line.naver.jp and w.line.me.

Resolution

To resolve this issue, configure ProxySG to bypass SSL interception for the hosts involved. 

Example hosts: 

  • line.naver.jp (domain) 
  • w.line.me (domain) 
  • The non-standard SSL traffic to "203.104.174.12, 16 and 18" must be bypassed or TCP-tunneled. The whole Naver Line range is 203.104.160.0 - 203.104.175.255.

Next, bypass the Line messaging IP range "203.104.160.0 - 203.104.175.255" on the ProxySG with the following steps:

  1. Log in to the Management Console and go to Configuration > Services > Proxy Services.
  2. Create a new "Service" (name it as you see fit).
  3. In this new "Service", apply the settings below:

To bypass:
Proxy settings: Proxy: SSL
Listeners: Source: All ; Destination IP: 203.104.160.0/20 ; Port range: 443 ; Action: Bypass

To TCP Tunnel:
Proxy settings: Proxy: TCP Tunnel
Listeners: Source: All ; Destination IP: 203.104.160.0/20 ; Port range: 443 ; Action: Intercept

Note: The addresses provided are valid as of March 2, 2016 and may change. If they do, use a packet capture to identify the new hosts used to handle Line messaging communication or contact Symantec support.
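
The following is an added example, not part of the original article or any Symantec tooling. It checks that the dotted range given above collapses to the 203.104.160.0/20 listener and, given destinations pulled from a packet capture of the Line client, lists those on port 443 that the listener does not cover. The function names and the sample flows are assumptions constructed for illustration, and the three host addresses are a reading of the article's "12, 16 and 18" shorthand.

```python
import ipaddress

# Values taken from the article.
LINE_RANGE = ("203.104.160.0", "203.104.175.255")
LISTENER_CIDR = "203.104.160.0/20"
# Assumed expansion of the article's "203.104.174.12, 16 and 18".
KNOWN_HOSTS = ["203.104.174.12", "203.104.174.16", "203.104.174.18"]

# Constructed sample: (destination IP, destination port) pairs as they might be
# exported from a capture filtered to the Line client. 198.51.100.7 is a
# documentation address standing in for a newly introduced server.
SAMPLE_FLOWS = [
    ("203.104.174.12", 443),
    ("203.104.160.1", 443),
    ("198.51.100.7", 443),
    ("198.51.100.7", 80),   # not port 443, ignored
]


def range_to_cidrs(first, last):
    """Collapse an inclusive first-last IPv4 range into the minimal CIDR list."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]


def uncovered(flows, listener_cidrs, port=443):
    """Return sorted destination IPs seen on `port` that no listener covers."""
    nets = [ipaddress.ip_network(c) for c in listener_cidrs]
    missing = set()
    for dst, dport in flows:
        addr = ipaddress.ip_address(dst)
        if dport == port and not any(addr in n for n in nets):
            missing.add(addr)
    return [str(a) for a in sorted(missing)]


if __name__ == "__main__":
    print("Range as CIDR:", range_to_cidrs(*LINE_RANGE))
    print("Not covered by listener:", uncovered(SAMPLE_FLOWS, [LISTENER_CIDR]))
```

Any address reported as not covered is a candidate for an additional listener entry on the service created in step 2.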