KB Article | Forcepoint Support

Notes & Warnings

For additional information on specific websites and applications that are known to require bypass, please see:

Problem Description

When attempting to use GoToAssist or other LogMeIn collaboration products, the connection does not complete.


Citrix collaboration products do not support HTTPS connections through a proxy, so a proxy bypass rule is required.

To perform proxy bypass, review Optimal Firewall Configuration and Whitelisting and LogMeIn FAQ for a list of current GoTo and LogMeIn URL ranges.

Review the below solutions for when the Content Gateway is configured for the following deployments:
WCCP transparent proxy set to network device or switch
If Content Gateway uses WCCP to transparent proxy and redirect is set to a network device or switch and not the firewall:
Static ARM bypass can be used to bypass the traffic. To add the URL ranges to the Content Gateway ARM static bypass list:
  1. In Content Gateway Manager, go to Configure > Networking > ARM > Static Bypass and click Edit File.
  2. In the Rule Type drop-down box select bypass.
  3. Leave the Source IP field empty.
  4. For the Destination IP field, add the range or CIDR of one of the URL ranges.
  5. Click Add.
  6. Repeat steps 3-6 for each range.
  7. When all URL ranges have been added, click Apply.
WCCP transparent proxy set directly to the ASA or other edge firewall
If Content Gateway uses WCCP to transparent proxy and is set directly to the ASA or other edge-device firewall:
If the WCCP Redirect is direct to the firewall, a topological loop can occur and would need a bypass within the Cisco ASA or firewall's command line itself for the Citrix and LogMeIn IP ranges.  For additional information, review #2186 - Redirection limitations for WCCP on Cisco ASA.
Note Forcepoint Technical Support does not support changes to the firewall command line for WCCP enabled firewalls. Consult the documentation for the device for instructions on creating bypasses.
If Content Gateway uses an explicit proxy that uses a PAC file:
Add entries for the Citrix URLs in the exceptions block of your PAC file. A separate line is required for each distinct IP address range. As an example:
if (shExpMatch(url, "Citrix and LogMeIn IP Range")) {return "DIRECT";}
Note Forcepoint Technical Support does not support custom PAC files. For additional information, review Specifying a URL in a PAC file that should bypass the proxy.

Note Hybrid customers can utilize unfiltered destinations to modify their generated PAC file. For additional information, review Adding or editing hybrid service unfiltered destinations
If Content Gateway uses an explicit proxy that uses an IP address in LAN settings:
The IP ranges can be added to LAN settings under the proxy information as a bypass.
  1. Open Internet Options
  2. Go to the Connections tab
  3. Click  the LAN settings button
  4. Under Proxy Server where the Proxy IP is specified over port 8080, click Advanced
  5. Enter the Citrix and LogMeIn IP ranges into the Exceptions field
  6. Press OK
  7. Press Apply then OK to save the changes.
This information can also be set via GPO for all domain users in the environment. For instructions on GPO, see Microsoft's documentation for your Server version.

Keywords: goto assist; logmein; citrix collaboration products; goto; arm bypass; static bypass; return direct; pac file; explicit proxy; proxy bypass; browser proxy bypass; browser proxy settings; whitelist

Article Feedback

Thank you for the feedback and comments.