03-19-2015 03:05 AM - edited 03-17-2019 04:59 PM
Hi,
I've been asked to allow use of the Cisco Spark application from within our Corporate LAN, but it just doesn't seem to work at all. The marketing material suggests that this is an enterprise-grade tool but it seems to fall a long way short in its current form.
Outbound connectivity from our LAN to the outside world is policed (and audited) and web traffic is relayed via CWS. Your KB suggests that we need to open some ports for this app to work:
tcp 443/8443 for signalling
udp 8000-8100 & 33434-34598 for media
(although in another article it says tcp/udp 33434 only). To which destination addresses are these ports required? We cannot open tcp/443 to all external destinations (and I imagine we are not alone in this).
Packet captures for the Cisco Spark app show that it happily relays traffic through the system-assigned proxy server, and it can display the contents of rooms, but it cannot interact with them at all (cannot send messages or attachments).
Can this be made to work behind a corporate firewall without opening it for web traffic to the entire world?
12-16-2015 01:06 AM
Hi, on the second run of the application it no longer crashes, but it still fails to connect. The log file is full of errors like this:
2015-12-16 08:57:01,428 ERROR [10] Api.AuthClient - error from host idbroker.webex.com, message The remote server returned an error: (407) Proxy Authentication Required.
2015-12-16 08:57:01,428 ERROR [10] Api.AuthClient - TrackingId WIN_dc3354d5-acb5-474d-8404-0847c1ab147f_25
2015-12-16 08:57:01,428 ERROR [10] Api.AuthClient -
2015-12-16 08:57:01,428 ERROR [1] Views.LoginView - Verify email error
All of the settings options in the top-left menu are greyed out. At no point has it asked for proxy credentials.
There are also a lot of attempts to upload information to Localytics, which came as a surprise:
2015-12-16 08:57:01,443 DEBUG [1] Api.LocalyticsSparkClient - Tagged event: Email
2015-12-16 08:57:01,443 DEBUG [7] Api.LocalyticsSparkClient - Beginning localytics upload.
2015-12-16 08:57:01,443 INFO [7] Api.LocalyticsSparkClient - Uploading to: https://analytics.localytics.com/api/v2/applications/f6caf4bcced64da2cb7d7d1-70dd6b62-bb80-11e4-2d22-004a77f8b47f/uploads
2015-12-16 08:57:01,443 INFO [7] Api.LocalyticsSparkClient - LocalyticsPath: C:\Users\XXXXXX\AppData\Local\Spark\localytics
2015-12-16 08:57:01,459 ERROR [7] Api.LocalyticsSparkClient - error from host analytics.localytics.com, message The remote server returned an error: (407) Proxy Authentication Required.
There was also a managedException file containing:
1.0.0.3125
System.ArgumentNullException;Value cannot be null.|CommonLanguageRuntimeLibrary!System.Threading.Monitor.Enter+0xFFFFFFFF:0x0;System.Data.SqlServerCe.dll!System.Data.SqlServerCe.SqlCeCommand.Dispose+0x0:0x2E;System.Data.SqlServerCe.dll!System.Data.SqlServerCe.SqlCeCommand.Finalize+0x0:0x1A;
And an unmanagedException file containing:
1.0.0.3125
KERNELBASE.dll+0xc44d;mscorwks.dll+0x89a14;mscorwks.dll+0x1080e4;mscorwks.dll+0x284200;mscorwks.dll+0x14dc0a;mscorwks.dll+0x14dc0a;mscorwks.dll+0x14dccb;mscorwks.dll+0x14db79;mscorwks.dll+0x15392f;mscorwks.dll+0x1503de;mscorwks.dll+0x15473d;mscorwks.dll+0x2a0df;mscorwks.dll+0x2a07b;mscorwks.dll+0x29fa1;mscorwks.dll+0xbeb88;mscorwks.dll+0xbeb99;mscorwks.dll+0xb2e3e;mscorwks.dll+0x96508;kernel32.dll+0x1338a;ntdll.dll+0x397f2;ntdll.dll+0x397c5;
12-16-2015 01:27 AM
12-16-2015 03:07 AM
The app for mobile and Windows works fine from behind the WSA proxy; the big problem is the UDP port, because it's impossible to tunnel it through the proxy and my firewall does not accept NAT to an unknown destination (any).
So I'm able to chat, send and receive files and pictures, but unable to do video calls.
12-16-2015 03:31 AM
Dear Spark Team,
We have problems with UDP ports in our WSAV Ironport.
Could we have the list of IP addresses of the solution to allow the connection in our firewall (ASA), or is this service the same as ScanSafe (which is delivered as a list of Cisco's DCs)?
Is it possible to redirect by external DNS / URL?
Thanks.
Diego Lara
12-29-2015 01:27 AM
Hello. I've downloaded and installed version 1.0.0.3155; the issue that I am facing regarding the connection of Spark through the proxy is stated below:
2015-12-29 11:21:19,693 ERROR [10] Certificate.CertificateValidator - SSL cert chain for original host avatar-a.wbx2.com eventual host avatar-a.wbx2.com does not match pinned cert
2015-12-29 11:21:19,843 DEBUG [1] Helpers.ThreadPoolManager - Thresdpool Threads completed execution, Continue Exiting
2015-12-29 11:21:19,863 DEBUG [1] Api.LocalyticsSparkClient - Session closed.
2015-12-29 11:21:29,758 DEBUG [6] Collaborate.Sq - Application Starting. Spark 1.0.0.3155
Please do correct me if I am wrong but the issue has to do with the certificate of our proxy server (Cisco WSA S170) and those that are exchanged between the Spark app and the servers.
Thank you.
01-09-2016 10:26 AM
Your assessment is correct. To be clear, what's going on is that the non-browser Spark clients have implemented certificate pinning as a security measure to prevent a man-in-the-middle attack.
Because disabling pinning would leave us vulnerable security-wise, the recommended configuration of a proxy is not to modify HTTPS traffic to the following domains:
*.wbx2.com
identity.webex.com
idbroker.webex.com
Dave
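As an added example (not code from this thread, from Cisco or from Spark), a small Python triage script that parses Spark client log lines like the ones quoted above, separates the "(407) Proxy Authentication Required" failures from the "does not match pinned cert" failures, and checks each pin-mismatch host against the HTTPS-inspection bypass list given in the reply. The sample lines are taken from the thread except the cdn.example.test line, which is constructed to show a host that is not on the bypass list.

```python
import re
from fnmatch import fnmatchcase

# Domains the reply above says the proxy should not modify (no HTTPS inspection).
PIN_BYPASS_DOMAINS = ["*.wbx2.com", "identity.webex.com", "idbroker.webex.com"]

# The two failure signatures quoted in this thread.
PROXY_AUTH_RE = re.compile(
    r"error from host (?P<host>\S+), message .*\(407\) Proxy Authentication Required")
PINNED_RE = re.compile(
    r"SSL cert chain for original host (?P<host>\S+) eventual host (?P<eventual>\S+) "
    r"does not match pinned cert")


def host_in_bypass_list(host, patterns=PIN_BYPASS_DOMAINS):
    """Wildcard match like a proxy's domain exception list: '*.wbx2.com' matches
    'avatar-a.wbx2.com' but not the bare 'wbx2.com' (the leading dot is required)."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def triage(log_lines):
    """Classify ERROR lines into proxy-auth failures and pin mismatches, and split the
    pin-mismatch hosts into those covered by the bypass list and those that are not."""
    result = {"proxy_auth": set(), "pin_mismatch": set(),
              "needs_bypass": set(), "not_on_bypass_list": set()}
    for line in log_lines:
        if " ERROR " not in line:
            continue  # DEBUG/INFO lines carry no failure to classify
        m = PROXY_AUTH_RE.search(line)
        if m:  # proxy wants credentials; the client never prompted for them
            result["proxy_auth"].add(m.group("host"))
            continue
        m = PINNED_RE.search(line)
        if m:  # proxy re-signed the chain, so the pinned certificate check failed
            host = m.group("eventual")
            result["pin_mismatch"].add(host)
            bucket = "needs_bypass" if host_in_bypass_list(host) else "not_on_bypass_list"
            result[bucket].add(host)
    return result


# Sample log lines from the thread, plus one constructed pin-mismatch host (cdn.example.test).
SAMPLE_LOG = [
    "2015-12-16 08:57:01,428 ERROR [10] Api.AuthClient - error from host idbroker.webex.com, message The remote server returned an error: (407) Proxy Authentication Required.",
    "2015-12-16 08:57:01,443 DEBUG [1] Api.LocalyticsSparkClient - Tagged event: Email",
    "2015-12-16 08:57:01,459 ERROR [7] Api.LocalyticsSparkClient - error from host analytics.localytics.com, message The remote server returned an error: (407) Proxy Authentication Required.",
    "2015-12-29 11:21:19,693 ERROR [10] Certificate.CertificateValidator - SSL cert chain for original host avatar-a.wbx2.com eventual host avatar-a.wbx2.com does not match pinned cert",
    "2015-12-29 11:21:20,001 ERROR [10] Certificate.CertificateValidator - SSL cert chain for original host cdn.example.test eventual host cdn.example.test does not match pinned cert",
]
```

Hosts in `needs_bypass` are the ones to exempt from HTTPS inspection on the proxy; hosts in `proxy_auth` point at the separate problem that the client is not presenting proxy credentials.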
01-12-2016 02:59 AM
Hello David.
Thank you very much for your response. The instructions that you gave me helped to resolve the issue with the desktop client of Spark. I've configured an exception in our WSA in order to bypass HTTPS inspection for these domains.
01-13-2016 01:11 PM
Konstantopoulos,
Good to hear. For future reference, firewall and proxy requirements for Spark are documented here ongoing:
Cisco Spark | Firewall and Network Requirements for th...
Dave
04-25-2016 02:17 PM
So we noticed that it was first trying an SSL v2.0 connection, then when that failed at our firewall it went on to try the domains you have listed with a different version of TLS. Is that normal behavior? I can't find any documentation on the implementation of TLS/SSL, so I don't know if this is normal behavior or something I'm doing wrong.
06-28-2016 08:20 PM
Hi, I'm configuring an ASA but getting some issues.
I allowed the destination IPs (443) but the application still doesn't work. When I allowed the IPs that I found in Wireshark traces, then it went through successfully with the activation mail.
So I need a list of ranges for these destinations to configure the firewall.
Definitely these below should have IP ranges:
identity.webex.com
idbroker.webex.com
*.wbx2.com
*.webex.com
*.ciscospark.com
*.clouddrive.com
*.crashlytics.com
*.localytics.com
*.rackcdn.com
Cheers,
Yasir