Content Filter and GoToMyPC
With the content filter service enabled on our firewall, GoToMyPC stops working unless I allow the 'Not Rated' category. I tried adding all the GoTo* domains to a whitelist, but connections were still blocked. I tried adding individual GoTo* IP addresses to my whitelist and this worked, but there are hundreds of IP addresses. I tried adding the IPs with CIDR notation but, although the UI allowed me to add them without error, they do not appear to work. A complete list of the IPs and domain names can be found here: https://support.goto.com/meeting/help/optimal-firewall-configuration-g2m060010.
Has anyone found a way to use the content filter service to block the 'Not Rated' category but still allow GoToMyPC?
Answers
Hi @DAVIDK,
Thank you for contacting SonicWall Community.
This scenario of yours is specific to GoToMyPC and needs to be diagnosed by performing a packet capture on the firewall while the GoToMyPC application runs, to determine the root cause of the issue and rectify it. As per your information, you have excluded some of the IPs from CFS and that leads to the access. In this case, did you identify the IPs to exclude using packet monitor? If not, please remove the CFS exclusion and perform a packet monitor for the GoToMyPC traffic. You would definitely see a few packets dropped on the SonicWall with a drop reason pertaining to Content Filter Service. Take those IPs and perform a reverse DNS lookup to find out if the IPs actually resolve to a domain name. If yes, please cross-verify the domains with the known list given by GoToMyPC.
Please try this and keep us informed how it goes.
Have a good one.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
To verify the IP addresses being blocked I used the Event Logs on the firewall and, basically, did what you suggest: noted a blocked IP, confirmed it matched one of the domain names or IP address blocks mentioned for GoToMyPC, added the IP to the CFS whitelist, then confirmed GoToMyPC worked. The issue is twofold:
1) Entering the domain names listed at https://support.goto.com/meeting/help/optimal-firewall-configuration-g2m060010 does not fix the problem.
2) There are hundreds of IP addresses listed at https://support.goto.com/meeting/help/optimal-firewall-configuration-g2m060010 and it seems the users get a different IP address each time they connect. Rather than enter the hundreds of individual IP addresses I tried entering the IP and CIDR blocks listed but it doesn't appear CFS works with CIDR notation.
Hi @DavidK,
Thanks for the answers.
As per the document shared by you, it looks like most of the sessions involve HTTPS. I would recommend that you perform a packet capture on the SonicWall for the GoToMyPC traffic and find the Server Name Indication (SNI) information from the Client Hello packet or the certificate Common Name (CN) from the Server Hello packet, and exclude either one of them or both in the CFS allowed domain list. This should do the trick.
If you face any difficulties finding the SNI and CN from the captured packets, please feel free to take help from our Support folks by submitting a support case for assistance on this.
Have a good day!!!
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services