Any Luck With HTTP Proxy And WSS://? (Nest Cameras)

I've been fighting a long, desperate battle to keep using an HTTP Proxy in my XTM, but the final nail in the coffin might have been placed today when my boss asked, "Why can't I look at my Nest cameras at home?" Sure enough, I find lots of old articles indicating the only way around this would be to turn off the Proxy...

Has there been any headway made on this over the past few years? I've tried adding exceptions and such, but nothing seems to work at all...

Comments

  • What are example URLs used for the access?
    Perhaps you can set up an HTTP packet filter To: a Domain Name (perhaps a wildcard domain name)

  • If the problem is the Nest cameras getting out to the Internet, then create a packet filter policy above the proxies, going From the IP addresses of the Nest cameras and going To Any-External, using whatever ports they need. The cameras' traffic won't ever touch the proxies.

    Gregg Hill

  • It's the opposite. The cameras are home security cameras, but the boss wants to view them on his web browser. His phone, on WiFi, works fine. I've set up the most likely URLs as exceptions in the Proxy, with no success, but I might try a packet filter next. Another issue is that the IP addresses assigned to these keep changing.

    It's a known issue since 2010... Hard to believe it hasn't been addressed yet.

  • The HTTP proxy will check for basic protocol aspects even if there is a domain name exception in the proxy action.
    Do try using an HTTP packet filter.

  • james.carson Moderator, WatchGuard Representative

    Hi @Troy_Jollimore,

    Thanks for posting.

    The Nest cameras don't really play well with the HTTP/S proxies. The WatchGuard proxies are strict proxies, meaning they're looking for RFC standard compliant traffic. Making an HTTP proxy exception removes some of the checks from the proxy, but not all of them. The only way to completely avoid it is to use a packet filter.

    If you know the FQDN(s) of whatever the boss is using to access them, you can try making an HTTP or HTTPS packet filter from Any-Trusted to the FQDN of the service. That might be able to assist with the IP changing on you. If that rule is above your general HTTP/HTTPS proxies, that should allow you to continue using it.

    (About Policies by Domain Name (FQDN))
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/policies/fqdn_about_c.html

    If you keep running into an issue, I'd suggest opening a case by clicking the support center link on the top right of the page so one of our techs can assist.

    Thank you,

    -James Carson
    WatchGuard Customer Support
