KB Article | Forcepoint Support

Notes & Warnings

For additional information on specific websites and applications that are known to require bypass, please see: Websites that have difficulty transiting Content Gateway
 

Problem Description

When attempting to use GoToAssist or other LogMeIn collaboration products, the connection does not complete.

Resolution

Citrix collaboration products do not support HTTPS connections through a proxy, so a proxy bypass rule is required.

To perform proxy bypass, review Optimal Firewall Configuration and Whitelisting and LogMeIn FAQ for a list of current GoTo and LogMeIn URL ranges.

If Content Gateway uses WCCP to transparent proxy:
  1. If the WCCP redirect is set to a network device or switch and not the firewall:
Static ARM bypass can be used to bypass the traffic. To add the URL ranges to the Content Gateway ARM static bypass list:
  1. In Content Gateway Manager, go to Configure > Networking > ARM > Static Bypass and click Edit File.
  2. In the Rule Type drop-down box select bypass.
  3. Leave the Source IP field empty.
  4. For the Destination IP field, add the range or CIDR of one of the URL ranges.
  5. Click Add.
  6. Repeat steps 3-6 for each range.
  7. When all URL ranges have been added, click Apply.
 
  1. If the WCCP redirect is set directly to the ASA or other edge-device firewall:
If the WCCP Redirect is direct to the firewall, a topological loop can occur and would need a bypass within the Cisco ASA or firewall's command line itself for the Citrix and LogMeIn IP ranges.  For additional information, review #2186 - Redirection limitations for WCCP on Cisco ASA.
 
Note Forcepoint Technical Support does not support changes to the firewall command line for WCCP enabled firewalls. Consult the documentation for the device for instructions on creating bypasses.

 
If Content Gateway uses an explicit proxy that uses a PAC file:
Add entries for the Citrix URLs in the exceptions block of your PAC file. A separate line is required for each distinct IP address range. As an example:
if (shExpMatch(url, "Citrix and LogMeIn IP Range")) {return "DIRECT";}
 
Note Forcepoint Technical Support does not support custom PAC files. For additional information, review Specifying a URL in a PAC file that should bypass the proxy.

 
If Content Gateway uses an explicit proxy that uses an IP address in LAN settings:
The IP ranges can be added to LAN settings under the proxy information as a bypass.
  1. Open Internet Options
  2. Go to the Connections tab
  3. Click  the LAN settings button
  4. Under Proxy Server where the Proxy IP is specified over port 8080, click Advanced
  5. Enter the Citrix and LogMeIn IP ranges into the Exceptions field
  6. Press OK
  7. Press Apply then OK to save the changes.
This information can also be set via GPO for all domain users in the environment. For instructions on GPO, see Microsoft's documentation for your Server version.

Article Feedback



Thank you for the feedback and comments.