Cisco Spark clients behind a Corporate firewall

darren.collins
Level 1

Hi,

I've been asked to allow use of the Cisco Spark application from within our Corporate LAN, but it just doesn't seem to work at all. The marketing material suggests that this is an enterprise-grade tool but it seems to fall a long way short in its current form.

Outbound connectivity from our LAN to the outside world is policed (and audited) and web traffic is relayed via CWS. Your KB suggests that we need to open some ports for this app to work:

tcp 443/8443 for signalling

udp 8000-8100 & 33434-34598 for media

(although in another article it says tcp/udp 33434 only). To which destination addresses are these ports required? We cannot open tcp/443 to all external destinations (and I imagine we are not alone in this).

Packet captures for the Cisco Spark app show that it happily relays traffic through the system-assigned proxy server, and it can display the contents of rooms, but it cannot interact with them at all (cannot send messages or attachments).

Can this be made to work behind a corporate firewall without opening it for web traffic to the entire world?

24 Replies

Hi, on the second run of the application it no longer crashes, but it still fails to connect. The log file is full of errors like this:

2015-12-16 08:57:01,428 ERROR [10] Api.AuthClient - error from host idbroker.webex.com, message The remote server returned an error: (407) Proxy Authentication Required.

2015-12-16 08:57:01,428 ERROR [10] Api.AuthClient - TrackingId WIN_dc3354d5-acb5-474d-8404-0847c1ab147f_25

2015-12-16 08:57:01,428 ERROR [10] Api.AuthClient -

2015-12-16 08:57:01,428 ERROR [1] Views.LoginView - Verify email error

All of the settings options in the top-left menu are greyed out. At no point has it asked for proxy credentials.

There are also a lot of attempts to upload information to Localytics, which came as a surprise:

2015-12-16 08:57:01,443 DEBUG [1] Api.LocalyticsSparkClient - Tagged event: Email

2015-12-16 08:57:01,443 DEBUG [7] Api.LocalyticsSparkClient - Beginning localytics upload.

2015-12-16 08:57:01,443 INFO [7] Api.LocalyticsSparkClient - Uploading to: https://analytics.localytics.com/api/v2/applications/f6caf4bcced64da2cb7d7d1-70dd6b62-bb80-11e4-2d22-004a77f8b47f/uploads

2015-12-16 08:57:01,443 INFO [7] Api.LocalyticsSparkClient - LocalyticsPath: C:\Users\XXXXXX\AppData\Local\Spark\localytics

2015-12-16 08:57:01,459 ERROR [7] Api.LocalyticsSparkClient - error from host analytics.localytics.com, message The remote server returned an error: (407) Proxy Authentication Required.

There was also a managedException file containing:

1.0.0.3125

System.ArgumentNullException;Value cannot be null.|CommonLanguageRuntimeLibrary!System.Threading.Monitor.Enter+0xFFFFFFFF:0x0;System.Data.SqlServerCe.dll!System.Data.SqlServerCe.SqlCeCommand.Dispose+0x0:0x2E;System.Data.SqlServerCe.dll!System.Data.SqlServerCe.SqlCeCommand.Finalize+0x0:0x1A;

And an unmanagedException file containing:

1.0.0.3125

KERNELBASE.dll+0xc44d;mscorwks.dll+0x89a14;mscorwks.dll+0x1080e4;mscorwks.dll+0x284200;mscorwks.dll+0x14dc0a;mscorwks.dll+0x14dc0a;mscorwks.dll+0x14dccb;mscorwks.dll+0x14db79;mscorwks.dll+0x15392f;mscorwks.dll+0x1503de;mscorwks.dll+0x15473d;mscorwks.dll+0x2a0df;mscorwks.dll+0x2a07b;mscorwks.dll+0x29fa1;mscorwks.dll+0xbeb88;mscorwks.dll+0xbeb99;mscorwks.dll+0xb2e3e;mscorwks.dll+0x96508;kernel32.dll+0x1338a;ntdll.dll+0x397f2;ntdll.dll+0x397c5;

Maybe dehealy or cmcgarry could take a look at the logs.

The app for mobile and Windows works fine behind the WSA proxy; the big problem is the UDP port, because it's impossible to tunnel it through the proxy and my firewall does not accept NAT to an unknown destination (any).

So I'm able to chat and send and receive files and pictures, but unable to do video calls.

Dear Spark Team,

We have problems with UDP ports in our WSAV Ironport.

Could we have the list of IP addresses for the solution, to release the connection in our firewall (ASA), or is this service the same as ScanSafe (which is delivered by a list of Cisco's DCs)?

Is it possible to redirect by external DNS / URL?

Thanks.

Diego Lara

Hello. I've downloaded and installed version 1.0.0.3155; the issue that I am facing regarding the connection of Spark through the proxy is stated below:

2015-12-29 11:21:19,693 ERROR [10] Certificate.CertificateValidator - SSL cert chain for original host avatar-a.wbx2.com eventual host avatar-a.wbx2.com does not match pinned cert

2015-12-29 11:21:19,843 DEBUG [1] Helpers.ThreadPoolManager - Thresdpool Threads completed execution, Continue Exiting

2015-12-29 11:21:19,863 DEBUG [1] Api.LocalyticsSparkClient - Session closed.

2015-12-29 11:21:29,758 DEBUG [6] Collaborate.Sq - Application Starting.  Spark 1.0.0.3155

Please do correct me if I am wrong but the issue has to do with the certificate of our proxy server (Cisco WSA S170) and those that are exchanged between the Spark app and the servers.

Thank you.

Your assessment is correct. To be clear, what's going on is that the non-browser Spark clients have implemented certificate pinning as a security measure to prevent a man-in-the-middle attack.

Because disabling pinning would leave us vulnerable security-wise, the recommended configuration of a proxy is not to modify HTTPS traffic to the following domains:

*.wbx2.com

identity.webex.com

idbroker.webex.com

Dave
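Added example, not part of this thread and not Cisco's code: a small Python triage script that reads the two kinds of client log line posted above (the "(407) Proxy Authentication Required" errors and the "does not match pinned cert" error), separates the hosts that failed proxy authentication from the hosts whose pinned certificate was broken by HTTPS inspection, and checks the latter against the three "do not decrypt" entries Dave lists. The sample log lines are constructed from the excerpts in this thread; the wildcard semantics in host_matches are an assumption and should be checked against your own proxy.

```python
import re

# Constructed sample lines, modelled on the log excerpts posted earlier in this thread.
SAMPLE_LOG = """\
2015-12-16 08:57:01,428 ERROR [10] Api.AuthClient - error from host idbroker.webex.com, message The remote server returned an error: (407) Proxy Authentication Required.
2015-12-16 08:57:01,459 ERROR [7] Api.LocalyticsSparkClient - error from host analytics.localytics.com, message The remote server returned an error: (407) Proxy Authentication Required.
2015-12-29 11:21:19,693 ERROR [10] Certificate.CertificateValidator - SSL cert chain for original host avatar-a.wbx2.com eventual host avatar-a.wbx2.com does not match pinned cert
2015-12-29 11:21:29,758 DEBUG [6] Collaborate.Sq - Application Starting.  Spark 1.0.0.3155
"""

# The "do not decrypt" domains given in Dave's reply above.
NO_DECRYPT = ["*.wbx2.com", "identity.webex.com", "idbroker.webex.com"]

PROXY_AUTH_RE = re.compile(
    r"error from host (?P<host>\S+), message .*\(407\) Proxy Authentication Required")
PIN_RE = re.compile(
    r"SSL cert chain for original host (?P<orig>\S+) eventual host (?P<eventual>\S+) "
    r"does not match pinned cert")


def host_matches(host, pattern):
    """True if host is covered by an exact entry or by a '*.example.com' entry.

    Assumption: '*.' covers any subdomain (one or more labels). The apex name
    'wbx2.com' does not end in '.wbx2.com', so it is not matched, and neither is
    an unrelated name such as 'evil-wbx2.com'. Verify your proxy's own wildcard
    semantics before relying on this.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # pattern[1:] == ".wbx2.com"
    return host == pattern


def triage(log_text):
    """Split failing hosts into the two proxy problems seen in this thread."""
    findings = {"proxy_auth": set(), "pin_mismatch": set()}
    for line in log_text.splitlines():
        m = PROXY_AUTH_RE.search(line)
        if m:
            findings["proxy_auth"].add(m.group("host"))
            continue
        m = PIN_RE.search(line)
        if m:
            # After a redirect the eventual host is the one whose chain was checked.
            findings["pin_mismatch"].add(m.group("eventual"))
    return findings


def uncovered_pinned_hosts(findings, no_decrypt=NO_DECRYPT):
    """Pinned hosts that still fall outside the proxy's no-decrypt list."""
    return sorted(h for h in findings["pin_mismatch"]
                  if not any(host_matches(h, p) for p in no_decrypt))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("Needs proxy-auth handling (407):", sorted(result["proxy_auth"]))
    print("Needs HTTPS-inspection bypass (pin):", sorted(result["pin_mismatch"]))
    print("Pinned hosts not in no-decrypt list:", uncovered_pinned_hosts(result))
```

The two buckets call for different fixes: a 407 means the client sent no proxy credentials, so those hosts need an authentication exemption (or, for the analytics endpoints, a decision whether to allow them at all), whereas a pin mismatch is only resolved by excluding the host from decryption, since the client will reject the proxy's substituted certificate no matter which CA signed it.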

Hello David.

Thank you very much for your response. The instructions that you gave me helped to resolve the issue with the desktop client of Spark. I've configured an exception in our WSA in order to bypass HTTPS inspection for these domains.

Konstantopoulos,

Good to hear. For future reference, firewall and proxy requirements for Spark are documented here on an ongoing basis:

Cisco Spark | Firewall and Network Requirements for th...

Dave

So we noticed that it was first trying an SSL v2.0 connection, then when that failed at our firewall, it went on to try the domains you have listed with a different version of TLS. Is that normal behavior? I can't find any documentation on the implementation of TLS/SSL, so I don't know if this is normal behavior or something I'm doing wrong.

yasir.shaikh1
Level 1

Hi, I'm configuring the ASA but getting some issues.

I allowed the destination IPs (443) but the application still doesn't work. When I allowed the IPs that I found in Wireshark traces, it went through successfully with the activation mail.

So I need a list of ranges for these destinations to configure the firewall.

These below should definitely have IP ranges:

identity.webex.com
idbroker.webex.com
*.wbx2.com
*.webex.com
*.ciscospark.com
*.clouddrive.com
*.crashlytics.com
*.localytics.com
*.rackcdn.com

Cheers,

Yasir
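Added example, not from this thread and not Cisco's code: rather than chasing address ranges, the exact hostnames in the list above can be expressed on the ASA as FQDN network objects (supported from ASA 8.4(2), which is an assumption about the firewall version in use) and referenced from an ACL for the tcp 443/8443 signalling ports quoted in the opening post. The Python below generates that configuration and separates out the wildcard entries, which cannot be expressed as FQDN objects. The DNS server address and interface name are placeholders, not values from the thread.

```python
import re

# Destination list exactly as posted above.
SPARK_DOMAINS = [
    "identity.webex.com", "idbroker.webex.com", "*.wbx2.com", "*.webex.com",
    "*.ciscospark.com", "*.clouddrive.com", "*.crashlytics.com",
    "*.localytics.com", "*.rackcdn.com",
]
# Signalling ports as quoted from the KB in the opening post.
SIGNALLING_TCP_PORTS = [443, 8443]


def object_name(fqdn):
    """ASA object names: keep them readable, with no dots or wildcards."""
    return "spark-" + re.sub(r"[^A-Za-z0-9]+", "-", fqdn).strip("-")


def asa_fqdn_config(domains, tcp_ports, dns_server="192.0.2.53", lookup_if="inside"):
    """Return (config_text, wildcards_not_expressible).

    Exact FQDNs become 'object network ... fqdn v4' entries. Wildcard entries
    cannot be ASA FQDN objects and are returned for separate handling (proxy
    URL categories, vendor-published ranges, or a deliberately broader rule).
    dns_server and lookup_if are placeholders (assumption), not thread values.
    """
    exact = [d for d in domains if not d.startswith("*.")]
    wildcards = [d for d in domains if d.startswith("*.")]

    lines = [
        "! FQDN objects require the ASA itself to resolve names",
        "dns domain-lookup " + lookup_if,
        "dns server-group DefaultDNS",
        " name-server " + dns_server,
    ]
    for d in exact:
        lines += ["object network " + object_name(d), " fqdn v4 " + d]
    lines.append("object-group network spark-signalling-hosts")
    lines += [" network-object object " + object_name(d) for d in exact]
    lines.append("object-group service spark-signalling-tcp tcp")
    lines += [" port-object eq %d" % p for p in tcp_ports]
    lines.append("access-list outside-out extended permit tcp any "
                 "object-group spark-signalling-hosts object-group spark-signalling-tcp")
    return "\n".join(lines) + "\n", wildcards


if __name__ == "__main__":
    cfg, leftovers = asa_fqdn_config(SPARK_DOMAINS, SIGNALLING_TCP_PORTS)
    print(cfg)
    print("! not expressible as FQDN objects:", ", ".join(leftovers))
```

Two caveats when using this: the ASA resolves the FQDN on its own schedule, so a CDN-fronted name can hand the client an address the firewall has not yet learned, which is consistent with the Wireshark-derived IPs working where the resolved ones did not; and this only covers the signalling hosts, so the wildcard entries and the UDP media destinations still need the vendor's published requirements.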