Allow LogMeIn Rescue Through a Transparent ProxySG or Advanced Secure Gateway

book

Article ID: 169302

calendar_today

Updated On:

Products

ProxySG Software - SGOS

Issue/Introduction

In a typical ProxySG or Advanced Secure Gateway transparent proxy deployment with SSL interception, the LogMeIn service fails to connect.

LogMeIn is a live remote-assistance tool used by many companies to provide support. Users download a file,(Support-LogMeInRescue.exe) and they run it to initiate the connection. When the user is behind a transparent proxy, the connection fails. See the example below:

Disconnected
12:30PM Connecting...
12:30PM This session has expired and can no longer be used. To start a new session this applet must be downloaded again.


User-added image

Cause

LogMeIn live remote support requires users to download a Java Applet component, then establish a connection with the remote support agent. This communication fails because it uses a connection TCP port 443 that is not actually using the SSL protocol. When the ProxySG detects this and attempts to decrypt it, the connection is broken. 

For example:
Policy trace show first POST request sent to secure.logmeinrescue.com/Customer/Download.aspx in order to download LogMeIn applet component.

connection: service.name=HTTPS client.address=<client IP> proxy.port=443
time: 2016-08-08 06:28:53 UTC
POST https://secure.logmeinrescue.com/Customer/Download.aspx

Referer: https://<Vendor Support site>/ServicePortal/...
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
url.category: Remote Access [email protected] Coat
server.response.code: 200
client.response.code: 200


Then in subsequent web requests, the LogMeIn application sends a GET request to secure.logmeinrescue.com (Notice that the user-agent string is Product=LogMeIn Rescue;Component=Applet)

connection: service.name=HTTPS client.address=<client IP> proxy.port=443
time: 2016-08-08 06:29:28 UTC
GET https://secure.logmeinrescue.com/myrahost/list.aspx?weighed=1
User-Agent: Product=LogMeIn Rescue;Component=Applet;Version=7.8.408.1842;LMIOS=854784;
url.category: Remote Access [email protected] Coat
server.response.code: 200
client.response.code: 200

Resolution

To resolve this issue, you will need to exempt LogMeIn from being SSL-intercepted. Apply the following Content Policy Language (CPL) to disable SSL Interception based on the Server certificate hostnames of logmein, logmeinrescue.

<ssl-intercept>
url.domain=logmein.com ssl.forward_proxy(no)
url.domain=secure.logmeinrescue.com ssl.forward_proxy(no)
server.certificate.hostname.substring="logmein" ssl.forward_proxy(no)
server.certificate.hostname.substring="logmeinrescue" ssl.forward_proxy(no)

 

Attachments