Watchguard HTTPS-DPI and Dropbox
The standard HTTPS DPI policy on a Watchguard XTM device will not allow Dropbox to connect, resulting in an "Unable to establish a secure connection" error. Here is a quick guide to allow Dropbox through your XTM device.
I have been working on the Dropbox problem after pressure from a customer.
Dropbox won't work with HTTPS DPI because its client has a hardcoded (pinned) SSL certificate. Once the request passes through the HTTPS DPI worker of the Firebox, the connection is re-signed with the Firebox certificate, which the client refuses to trust, resulting in the Dropbox error "Unable to establish a secure connection".
This is not a Watchguard bug IMHO. It is a Dropbox characteristic. Well, actually, it is a PKI feature.
I have solved the problem as follows after a little in-depth analysis.
After running Wireshark for a while, I found out that Dropbox (luckily) makes a DNS query for the following hostname:
v-client.sjc.dropbox.com
(The query was run from Italy; I am not sure the same name is used worldwide, but the approach does work.)
The result of this DNS query is a CNAME that in turn resolves to a long list of A records.
To allow Dropbox to work through HTTPS DPI, follow this procedure:
- Find (or use) the DNS name mentioned above
- Open the HTTPS Proxy Action
- In the Bypass List on "Content Inspection" click "DNS Lookup"
- Type the hostname in the "Lookup this domain name" box and click on "Lookup". The list of IP addresses should appear below.
- Click on OK and verify the Bypass list is correctly populated.
Click OK, save your configuration to the Firebox and launch the Dropbox client. It should work. I have successfully applied this policy to XTM OS versions 11.5.3 and later.
Also note that Dropbox can change (as in adding or removing) IP addresses without any notification. This makes the administrative effort a bit annoying, so you might consider putting a reminder to check for updates periodically or when a user reports connection errors from the Dropbox client.
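As an added example (not part of the original post), the following Python script covers both the lookup step above and the maintenance note: it extracts the A records from a dig-style answer for the hostname and reports which addresses must be added to or removed from the Firebox bypass list. The sample answer and the configured list are constructed, using RFC 5737 documentation addresses rather than real Dropbox addresses.

```python
import ipaddress
import re
import socket

# Hostname the post identified with Wireshark.
HOSTNAME = "v-client.sjc.dropbox.com"

# Constructed sample answer in dig output format. The addresses are from the
# RFC 5737 documentation ranges and are NOT real Dropbox addresses.
SAMPLE_ANSWER = """\
v-client.sjc.dropbox.com. 300 IN CNAME v-client-lb.example.net.
v-client-lb.example.net. 60 IN A 192.0.2.10
v-client-lb.example.net. 60 IN A 192.0.2.11
v-client-lb.example.net. 60 IN A 198.51.100.7
"""

A_RECORD = re.compile(r"^\S+\s+\d+\s+IN\s+A\s+(\S+)\s*$", re.MULTILINE)


def a_records(answer: str) -> set[str]:
    """Return the A-record addresses in a dig-style answer.

    CNAME lines are skipped: the bypass list needs the final IPv4
    addresses, not the alias chain, and each value is validated as an
    IPv4 literal so a garbled line raises instead of being bypassed.
    """
    return {str(ipaddress.IPv4Address(m.group(1))) for m in A_RECORD.finditer(answer)}


def bypass_delta(current: set[str], resolved: set[str]) -> tuple[set[str], set[str]]:
    """Compare the Firebox bypass list with what DNS returns now.

    Returns (to_add, to_remove): addresses Dropbox now uses that are not
    yet bypassed, and bypassed addresses that no longer appear in DNS.
    """
    return resolved - current, current - resolved


def resolve_live(hostname: str = HOSTNAME) -> set[str]:
    """Resolve the hostname now (needs network; the offline demo below does not call it)."""
    return {info[4][0] for info in socket.getaddrinfo(hostname, 443, socket.AF_INET)}


if __name__ == "__main__":
    # Bypass list as configured earlier (constructed): Dropbox has since
    # dropped 192.0.2.12 and added 192.0.2.11.
    configured = {"192.0.2.10", "192.0.2.12", "198.51.100.7"}
    add, remove = bypass_delta(configured, a_records(SAMPLE_ANSWER))
    print("add to bypass list:", sorted(add))
    print("remove from bypass list:", sorted(remove))
```

Run it from a scheduled job against the output of a live lookup and a non-empty delta is the cue to update the bypass list before users report errors.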
Finally, note that some features of the Dropbox website can be controlled using the Application Blocker under File Transfer.
05/10/2012 08:00:00