cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
149076
Views
20
Helpful
10
Replies

allowing whatsapp through proxy

madhankumar.g
Level 1
Level 1

Hi,

We have Ironport S670 in our network for web filtering. Recently we migrated from forward mode to transparent mode to allow mobile applications to work through proxy.

Most of the applications started working such as skype and all. But still "Whatsapp" is not working through proxy.

Is there a way to allow or bypass to make this application work thorugh transparent proxy. Please suggest and let me know if any additional information is required. Thanks.

Regards,

Madhan kumar G

1 Accepted Solution

Accepted Solutions

Jai Koolwal
Level 1
Level 1

Hi Madhan!

We have come across this issue in the past and based on some tests we have the following information to share with you -

The WhatsApp application sends non-SSL data over SSL port 443. This causes the SSL handshake to fail between the server and the WSA.
In WhatsApp's case, the destination server does not return any error but just closes the WSA's 'Client Hello' (sent as a part of SSL handshake) and hence the WSA is unable to tunnel this transaction. We have an existing Feature Request which aims to be able to process such traffic successfully through the WSA.
The details of the FR are # "CSCzv18663[Feature Request] Treat servers that RST our Client Hello as non-SSL"
Once this feature request is fulfilled, you should be able to get whatsapp running through the WSA!
If you want more details regarding this, please feel free to open a case with us!


HTH
Jai Koolwal
CSE, Cisco Systems

View solution in original post

10 Replies 10

Jai Koolwal
Level 1
Level 1

Hi Madhan!

We have come across this issue in the past and based on some tests we have the following information to share with you -

The WhatsApp application sends non-SSL data over SSL port 443. This causes the SSL handshake to fail between the server and the WSA.
In WhatsApp's case, the destination server does not return any error but just closes the WSA's 'Client Hello' (sent as a part of SSL handshake) and hence the WSA is unable to tunnel this transaction. We have an existing Feature Request which aims to be able to process such traffic successfully through the WSA.
The details of the FR are # "CSCzv18663[Feature Request] Treat servers that RST our Client Hello as non-SSL"
Once this feature request is fulfilled, you should be able to get whatsapp running through the WSA!
If you want more details regarding this, please feel free to open a case with us!


HTH
Jai Koolwal
CSE, Cisco Systems

Hi Jai Koolwal,

Thanks for the valuable input.

Regards,

Madhan kumar G

is there any workaround until this FR is processed. Any expected date?

Regards,

Hi Mustapha,

We are following below workaround temporarily.

Whatsapp initial connection is made on port 5222. This is not working through the IronPort. So, we configured destination port based NAT for the port 5222 in the firewall to allow lan subnets destined to this port where whatsapp is required.

So initial connection is made on 5222 without going through proxy and rest of the traffic goes on 443 via transparent proxy. This works and we are able to send texts, images, videos etc.

Regards,

Madhan kumar G

Did NOT work with me! I have PBR on my ASA, forwarding only port 80 and 443 and I opened port 5222 for my clients, but that didn't work.

Regards,

Hi Mustapha,

Your proxy is in Forward mode or Transparent mode?

Proxy needs to be in Transparent mode for this workaround to work.

Regards,

Madhan kumar G

Hi,

My Proxy is in transparent mode !

Regards,

Hi Madhan Kumar, We too have the same issue. Can you please explain how you configured your firewall. We are using ASA 5550 firewall and IronPort S680 Web Security Appliance.

MRosemberg
Level 1
Level 1

Hi friends,

You don't need a transparent proxy. You need to open the port 5222 like SSL port.

Don't forget to open it in your firewall too.

Best regard's,

Hello Jai,

do you have any updates on this Feature Request?

Regards