A large number of colleagues recently had their leased laptops refreshed with a new model and they chose to install Windows 7, a decision which I can’t really fault. Unfortunately as with many things these days we quickly found a few issues, one of which was with Microsoft’s Live Messenger and our Blue Coat ProxySG appliances. I almost immediately suspected the Blue Coat ProxySG appliance so I decided to look there first.
I started with a quick packet capture on the Blue Coat ProxySG appliance. I logged into the appliance and setup a filter to capture just the traffic to/from the IP address of my laptop. Our proxy servers have thousands of clients utilizing them at any one time so trying to perform a packet capture without a filter would be equivalent to trying to take a drink of water from a fire hydrant.
[root@linux ~]# telnet proxy.acme.org Trying 10.1.2.100... Connected to proxy.acme.org (10.1.2.100). Escape character is '^]'. Using telnet exposes your password. Using ssh is a safer choice. Username: admin Password: ******** SG800>enable Enable Password: ******** SG800#pcap filter expr "host 10.1.1.2" ok SG800#pcap start ok
With the packet trace running I went about duplicating the problem from my laptop.
SG800#pcap stop ok SG800#pcap info packet capture information: Packets captured: 76 Bytes captured: 9034 Packets written: 76 Bytes written: 11290 Max packet ram: 0 Packet ram used: 0 Packets filtered: 6113 Bridge capture all: Disabled Current state: Stopped Filtering: On Filter expression: expr "host 10.1.1.2" SG800#pcap transfer ftp://ftp.acme.org username password ok
I retrieved the packet capture from the FTP server and used WireShark to examine the data. The packet trace showed the proxy server sending a RST packet closing the connection to the SOCKS port.
Another trick I learned a long time ago with the ProxySG appliances; try https://proxy.acme.org:8082/SYSInfo (you should obviously replace the hostname in the preceding URL if you want to try it out on your ProxySG appliance). In the IM debug information I found the following reference;
6983.574 MSN 5523C010: Can't proceed with unknown version: MMSG-VER-MSNP18 6983.574 MSN 5523C010: VER: MMSG-VER-MSNP18 not supported 6983.560 Admin: Accepted SOCKS client connection from 10.1.1.2 (policySession: 3895168, socksTrans: 7B5A004)
The log entries above suggest that this latest version of the Live Messenger is using a protocol version that isn’t yet supported by the Blue Coat ProxySG appliance, or at least isn’t supported in the 4.3.x software branch. I did a quick Google search and found a relative knowledge-base article on Blue Coat’s website that provides all the details around which IM versions are specifically supported on which ProxySG software releases. There is an option to just tunnel the SOCKS connection which I’ll need to investigate.