Webex Meetings audio and video connections fail via transparent ProxySG


Article ID: 266067


Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

WebEx Meetings audio and video connections fail via transparent ProxySG for mobile devices (Apple iOS and Android). When the client attempts to join video or audio from the WebEx application, an "Untrusted certificate" error message is displayed. SSL interception is disabled for all WebEx IPs and domains. A policy trace indicates that WebEx transactions are allowed and SSL is tunneled on the proxy.

Environment

  • Transparent proxy traffic redirection
  • An intermediate network device (load balancer, L3 switch/router, firewall, etc.) rewrites the IP destination address header to redirect traffic to the ProxySG
  • HTTPS/TLS is used for the transaction

Cause

In the case of transparent redirection, the client is not aware of the proxy's presence and performs a typical TLS handshake without any TLS tunnel negotiation (HTTP CONNECT). The proxy determines the OCS (origin content server) address, i.e. the destination, for a TLS transaction from:

  • SNI extension from the Client Hello message in the TLS handshake
  • IP destination header of the ingress client packet

If both options are unavailable, the proxy cannot determine an OCS address.

The WebEx mobile app may not include the SNI extension when negotiating TLS for audio and video calls. For example, SNI might be missing from the Client Hello originated by the WebEx app to IP address 170.72.18.50.

Because the original destination IP address has been rewritten with the proxy's IP address and the OCS destination information is unavailable (missing SNI), the proxy considers itself responsible for processing the transaction and terminates it locally. The client completes the TLS handshake with the proxy instead of the OCS. The client reports an "Untrusted certificate" error because the expected WebEx certificate is missing from the TLS handshake.

Resolution

Packet captures collected between a client and the intermediate network device performing the IP destination header rewrite should help identify the OCS destination address. Once identified, this IP must be bypassed from transparent proxy redirection and allowed to reach the internet directly via the local internet breakout.