How do I allow LogMeIn®123?

Article #: 1861 / KB-78
Product: Guardian
Castle: All

Summary

 

Problem

The LogMeIn123 application reports errors.

Solution

You will need to exclude the LogMeIn123 application from both HTTPS Decrypt and inspect and Authentication.

Although the LogMeIn URLs are part of the Remote Desktop category, you need to add them to a custom category so that the exclusions do not affect the operation of similar applications.

When configuring security protocol, it is recommended to allow the LogMeIn URLs so that connections to all components of LogMeIn are permitted (updating the application, communicating status events such as online and offline, and so on). The client-to-host connection uses peer-to-peer connections, encrypted within a 256-bit AES tunnel. The services themselves communicate using port 443 (HTTPS/SSL), so no additional ports need to be opened within a firewall.

1. Create a custom category with the following URLs:
logmein.com — LogMeIn's main site
logmeinrescue.com — Powers the LogMeIn Rescue service
logmeinrescue-enterprise.com — Powers account specific Rescue features (not needed on normal accounts)
logme.in — LogMeIn common login service allowing login to LogMeIn.com, join.me, and cubby.com
hamachi.cc — Powers the LogMeIn Hamachi service
internapcdn.net — Powers updates to multiple LogMeIn products.
LogMeIn123.com — Site used to connect to a LogMeIn Rescue technician
123rescue.com — Site used to connect to a LogMeIn Rescue technician
support.me — Site used to connect to a LogMeIn Rescue technician
join.me — LogMeIn's screen sharing service
cub.by — Redirects back to Cubby services
cubby.com — LogMeIn's cloud storage and syncing service
apprep.smartscreen.microsoft.com
secure.logmeinrescue.com
login.microsoftonline.com
symcb.com
2. Create a Decrypt and inspect HTTPS inspection policy, where the "What" is the custom category created in step 1.
3. Add the custom category created in step 1 to Web proxy > Authentication > Exceptions.
4. Smoothwalls running the Carisbrooke Castle Release or later should do the following:

If you have a transparent authentication policy (in Web proxy > Authentication > Manage policies) for the interface processing LogMeIn traffic, make the following change:

Behavior — Allow Transparent HTTPS incompatible sites and filter others using name from certificate

Otherwise, create a new transparent authentication policy on the relevant interface containing the above setting.

5. Smoothwalls running a release or update earlier than Carisbrooke can add the following to the URL patterns section of the Transparent HTTPS incompatible category:
^https://212.118.234.[0-9]+
^https://91.224.153.[0-9]+

See https://help.smoothwall.net/Latest/Content/modules/guardian3/cgi-bin/guardian/customcategory.htm.

6. Smoothwalls running Carisbrooke or later may want to add the above changes to the Transparent HTTPS incompatible category if the LogMeIn application still fails decrypt and inspect.

Note: Step 6 is a last resort, as this could potentially open access to sites you do not wish your users to access: all sites that do not send an SNI header may be allowed through, and the site's certificate is not retrieved from the server for verification.
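The following is an added example, not Smoothwall code or vendor guidance: it checks how broadly the two URL patterns from step 5 match before they are placed in an exclusion category. It assumes the patterns are evaluated as ordinary regular expressions (Python's re is used here; Smoothwall's matcher may differ), and the stricter patterns and sample URLs are constructed for illustration.

```python
import re

# The two URL patterns from step 5, exactly as given on the page.
PAGE_PATTERNS = [
    r"^https://212.118.234.[0-9]+",
    r"^https://91.224.153.[0-9]+",
]

# Tightened forms (an assumption, not vendor guidance): dots escaped, the last
# octet limited to 1-3 digits, and the host required to end at a port, a path
# separator or the end of the string.
STRICT_PATTERNS = [
    r"^https://212\.118\.234\.[0-9]{1,3}(?::[0-9]+)?(?:/|$)",
    r"^https://91\.224\.153\.[0-9]{1,3}(?::[0-9]+)?(?:/|$)",
]

# Constructed sample URLs: two inside the intended ranges, three outside them.
SAMPLES = [
    "https://212.118.234.10/",
    "https://91.224.153.200:443/status",
    "https://212.118.234.10.example.test/",  # hostname that only begins with the same characters
    "https://212x118x234x10/",               # an unescaped '.' matches any character
    "https://91.224.15.3/",                  # different network, matched by neither set
]

def matches(url, patterns):
    """True if any pattern matches the URL (re.search, so '^' anchors the start)."""
    return any(re.search(p, url) for p in patterns)

def overmatched(urls, loose=PAGE_PATTERNS, strict=STRICT_PATTERNS):
    """URLs the loose patterns would exclude but the strict patterns would not."""
    return [u for u in urls if matches(u, loose) and not matches(u, strict)]

if __name__ == "__main__":
    for url in SAMPLES:
        page = matches(url, PAGE_PATTERNS)
        strict = matches(url, STRICT_PATTERNS)
        print(f"{url:40} page={page!s:5} strict={strict}")
    print("over-matched:", overmatched(SAMPLES))
```

Any URL reported as over-matched would fall into the exclusion category under these assumptions, so confirm how your Smoothwall release interprets URL patterns before changing the entries.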

Attribution:

Last updated:

Author:

Contributions by:

27th February 2017

 

DMT

SK

SN

 

Copyright © 2000-2016 Smoothwall All rights reserved.