
Watchguard HTTPS-DPI and Dropbox

  • 05/10/2012 08:00:00


The standard HTTPS DPI policy on a Watchguard XTM device will not allow Dropbox to connect, resulting in an "Unable to establish a secure connection" error. Here is a quick guide to allowing Dropbox through your XTM device.

I have been working on the Dropbox problem after pressure from a customer.

Dropbox won't work with HTTPS DPI because its client has a hardcoded SSL certificate. Once the request passes through the HTTPS DPI worker of the Firebox, the client cannot open the re-signed payload, which results in the Dropbox error "Unable to establish a secure connection".

This is not a Watchguard bug IMHO. It is a Dropbox characteristic. Well, actually, it is a PKI feature.

I have solved the problem as follows after a little in-depth analysis.

After running Wireshark for a while, I found out that Dropbox (luckily) makes a DNS query to the following URL:

v-client.sjc.dropbox.com

(The query was run from Italy; I am not sure it works worldwide, but the proof does.)

The result of this DNS query is a CNAME that resolves to a long list of A records.

To allow Dropbox to work through HTTPS DPI, follow this procedure:

  • Find (or use) the DNS name mentioned above
  • Open the HTTPS Proxy Action
  • In the Bypass List on "Content Inspection" click "DNS Lookup"
  • Type the name in the "Lookup this domain name" box and click on "Lookup". The list of IP addresses should appear below
  • Click on OK and verify the Bypass list is correctly populated.

Click OK, save your configuration to the Firebox, and launch the Dropbox client. It should work. I have successfully applied this policy to XTM 11.5.3+ versions of XTM OS.

Also note that Dropbox can change (as in adding or removing) IP addresses without any notification. This makes the administrative effort a bit annoying, so you might consider putting a reminder to check for updates periodically or when a user reports connection errors from the Dropbox client.
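A scheduled check can stand in for the manual reminder. The following Python script is an added example, not part of the original post or of any Watchguard tooling: it resolves the hostname found above and compares the answer with a bypass list you maintain by hand. The function names are hypothetical and the sample list uses constructed documentation addresses.

```python
import ipaddress
import socket
import sys

DROPBOX_HOST = "v-client.sjc.dropbox.com"  # hostname named in the article


def resolve_ipv4(hostname):
    """Return the IPv4 addresses the local resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def parse_bypass_list(text):
    """One address per line; blanks and '#' comments skipped, junk rejected."""
    addrs = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            addrs.add(str(ipaddress.IPv4Address(line)))  # ValueError on bad input
    return addrs


def diff_bypass(configured, resolved):
    """Compare configured bypass entries with a fresh DNS answer."""
    return {
        "add": sorted(resolved - configured, key=ipaddress.IPv4Address),
        "stale": sorted(configured - resolved, key=ipaddress.IPv4Address),
    }


# Constructed sample of a hand-kept bypass list (documentation addresses).
SAMPLE_BYPASS = """
# Dropbox entries copied from the HTTPS proxy action
192.0.2.10
192.0.2.11
192.0.2.12   # added at first setup
"""

if __name__ == "__main__":
    try:
        resolved = resolve_ipv4(DROPBOX_HOST)
    except socket.gaierror as exc:
        sys.exit(f"DNS lookup failed for {DROPBOX_HOST}: {exc}")
    result = diff_bypass(parse_bypass_list(SAMPLE_BYPASS), resolved)
    print("missing from bypass list:", result["add"])
    print("not in this DNS answer:  ", result["stale"])
    sys.exit(1 if result["add"] else 0)
```

Run it from a host that uses the same resolver as the Firebox. Treat the "not in this DNS answer" entries as candidates for removal only, since a single answer may show just part of a rotating address set.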

Finally, note that some features of the Dropbox website can be controlled using the Application Blocker under File Transfer.

 
