Cortana not working on Meetinghouse Internet

rsidwell
Member
Posts: 51
Joined: Fri Nov 07, 2014 3:57 pm
Location: Riverside, California, USA

Re: Cortana not working on Meetinghouse Internet

Postby rsidwell » Fri Nov 20, 2015 8:53 am

Looks like the church is using Zscaler for internet content filtering. It can't see data in encrypted https packets, so it effectively does a man-in-the-middle attack to decrypt the data for filtering. The word "attack" seems strong, but since they are doing it without our knowledge or consent, it is appropriate. If it bothers you, don't use the church's network! If it doesn't, you can probably add the Zscaler root certificate to your trust store to avoid the problem. (But even then, I advise against using the church's network for home banking!)
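
As an added illustration (not part of the original post, and not Zscaler or Church tooling): a filtering proxy that re-signs HTTPS traffic shows up either as a different certificate issuer or as a chain the client cannot validate when the same host is probed from a direct connection and from the filtered network. The sample results and CA names below are constructed, and `issuer_of`, `probe` and `compare` are hypothetical helper names.

```python
import socket
import ssl

def issuer_of(cert):
    """Flatten the issuer RDNs of an ssl getpeercert() dict into one dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def probe(host, port=443, timeout=5):
    """Handshake using the system trust store; return the issuer or the failure."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"trusted": True, "issuer": issuer_of(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # The chain does not end at a trusted root, which is what a client
        # sees when the filter's root certificate is not in its trust store.
        return {"trusted": False, "error": exc.verify_message}

def compare(direct, filtered):
    """Classify two probe() results for one host taken on two network paths."""
    if not direct["trusted"]:
        return "inconclusive: baseline path did not validate"
    if not filtered["trusted"]:
        return "re-signed or broken chain: " + filtered["error"]
    before = direct["issuer"].get("organizationName")
    after = filtered["issuer"].get("organizationName")
    if before != after:
        return f"issuer changed: {before!r} -> {after!r}"
    return "same issuer on both paths"

# Constructed sample results (assumed values, not captured on any real network).
DIRECT = {"trusted": True, "issuer": issuer_of({"issuer": (
    (("countryName", "US"),),
    (("organizationName", "Example Public CA"),),
    (("commonName", "Example Public CA G2"),),
)})}
FILTERED_ROOT_INSTALLED = {"trusted": True, "issuer": issuer_of({"issuer": (
    (("organizationName", "Example Filtering Proxy"),),
    (("commonName", "Example Filtering Proxy Intermediate"),),
)})}
FILTERED_NO_ROOT = {"trusted": False,
                    "error": "unable to get local issuer certificate"}
```

A changed issuer alone is not proof of interception, since large sites can serve certificates from more than one public CA; the issuer name is what identifies who signed the certificate the client actually received.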

nelsonfam
Church Employee
Posts: 20
Joined: Wed Jul 16, 2014 9:43 am

Re: Cortana not working on Meetinghouse Internet

Postby nelsonfam » Fri Nov 20, 2015 8:56 am

jkentner wrote: I took a screen shot using my laptop. The certificate on the left is when connecting directly to the cable modem, the certificate on the right is when connected through the firewall. The Church is using Zpath which is a Zscaler product. The issue getting to https://www.bing.com is the same issue when doing a search on Windows Phone or via Cortana on Windows 10. I am working with GSC on this. I will post what I find out.
Capture.PNG



ZScaler forces Safe Search and they become a proxy for all bing.com traffic and this may be causing the issue. I don't have a Windows phone to test with unfortunately.

If you have access to TM.lds.org what's the serial number of your firewall? Or can you tell me what specific Meetinghouse you are at and I can check to see if ZScaler has a location registered for your firewall.

jkentner
Member
Posts: 115
Joined: Sun Dec 26, 2010 9:49 am
Location: Olathe, Kansas

Re: Cortana not working on Meetinghouse Internet

Postby jkentner » Fri Nov 20, 2015 10:37 am

rsidwell wrote: Looks like the church is using Zscaler for internet content filtering. It can't see data in encrypted https packets, so it effectively does a man-in-the-middle attack to decrypt the data for filtering. The word "attack" seems strong, but since they are doing it without our knowledge or consent, it is appropriate. If it bothers you, don't use the church's network! If it doesn't, you can probably add the Zscaler root certificate to your trust store to avoid the problem. (But even then, I advise against using the church's network for home banking!)


I agree, however, the real issue for me and others is on the phone side. Viewing the cert changes on a desktop is just a means of troubleshooting since the phone is using Bing on the backend. I know about every Sunday during a lesson, I will search out a word to get a better insight to what we are talking about. Having to explain to the sisters in the congregation to turn off WiFi when you search, or to navigate on your phone to a specific site to add the cert just gives pain thinking about it. I am hoping that it is as simple as a Zscaler exception or just a misconfiguration on the firewall.

jkentner
Member
Posts: 115
Joined: Sun Dec 26, 2010 9:49 am
Location: Olathe, Kansas

Re: Cortana not working on Meetinghouse Internet

Postby jkentner » Fri Nov 20, 2015 11:26 am

nelsonfam wrote:
jkentner wrote: I took a screen shot using my laptop. The certificate on the left is when connecting directly to the cable modem, the certificate on the right is when connected through the firewall. The Church is using Zpath which is a Zscaler product. The issue getting to https://www.bing.com is the same issue when doing a search on Windows Phone or via Cortana on Windows 10. I am working with GSC on this. I will post what I find out.
Capture.PNG



ZScaler forces Safe Search and they become a proxy for all bing.com traffic and this may be causing the issue. I don't have a Windows phone to test with unfortunately.

If you have access to TM.lds.org what's the serial number of your firewall? Or can you tell me what specific Meetinghouse you are at and I can check to see if ZScaler has a location registered for your firewall.


Thank you NelsonFam for looking into this. I have checked at 3 of our buildings so far, and all of them have the same issue. I did refresh the config on our firewall in our Stake Center (unit number is 518506, SN FTX163584D0) and it still has the same issue. The GSC (case# INC04239057) suggested factory resetting/reregistering all of our firewalls that have the issue, but that will be really painful, especially if it doesn't work.

nelsonfam
Church Employee
Posts: 20
Joined: Wed Jul 16, 2014 9:43 am

Re: Cortana not working on Meetinghouse Internet

Postby nelsonfam » Mon Nov 23, 2015 2:07 pm

jkentner wrote:
nelsonfam wrote:
jkentner wrote: I took a screen shot using my laptop. The certificate on the left is when connecting directly to the cable modem, the certificate on the right is when connected through the firewall. The Church is using Zpath which is a Zscaler product. The issue getting to https://www.bing.com is the same issue when doing a search on Windows Phone or via Cortana on Windows 10. I am working with GSC on this. I will post what I find out.
Capture.PNG



ZScaler forces Safe Search and they become a proxy for all bing.com traffic and this may be causing the issue. I don't have a Windows phone to test with unfortunately.

If you have access to TM.lds.org what's the serial number of your firewall? Or can you tell me what specific Meetinghouse you are at and I can check to see if ZScaler has a location registered for your firewall.


Thank you NelsonFam for looking into this. I have checked at 3 of our buildings so far, and all of them have the same issue. I did refresh the config on our firewall in our Stake Center (unit number is 518506, SN FTX163584D0) and it still has the same issue. The GSC (case# INC04239057) suggested factory resetting/reregistering all of our firewalls that have the issue, but that will be really painful, especially if it doesn't work.



Ok so I checked your firewall FTX163584D0 in the ZScaler portal and I see that it does have a "location" defined so that will enable Bing Safe Search to work properly. I'll have to get a Windows phone and do a packet capture to see what's blocked. Reactivating the firewall is never the solution unless it is completely dead and offline. You can "Refresh" the configuration in TM on the Tools page and that will put the latest changes onto your firewall without reactivating. If you don't see that feature I will get with the developers to have it enabled since it's quite useful to make sure you have the latest config.

jkentner
Member
Posts: 115
Joined: Sun Dec 26, 2010 9:49 am
Location: Olathe, Kansas

Re: Cortana not working on Meetinghouse Internet

Postby jkentner » Mon Nov 23, 2015 4:37 pm

@NelsonFam: Thanks for working on this. I did refresh the firewall configuration via TM and that did not change anything. I wish I could get a Windows Phone to you to test, but if you can actually fix the issue with the certificate changing on https://www.bing.com, that should also fix the issue with the phone since the Cortana engine is just routing via Bing.

JamesAnderson
Senior Member
Posts: 766
Joined: Tue Jan 23, 2007 2:03 pm

Re: Cortana not working on Meetinghouse Internet

Postby JamesAnderson » Tue Jan 05, 2016 9:59 pm

I ran some of the URLs in the traceroute through this Zscaler site, http://zulu.zscaler.com/ which tests for a variety of malicious issues and spam, but does not give content filter categorizations (that is not the issue though).

All came well under the threshold of 50/100 for 'suspicious' sites or 75/100 for 'malicious' sites. Malicious sites include domains blacklisted in various antispam sites for spamming, or may be phishing or malware as often defined by Google Safe Browsing. However, I've found in parsing spam payloads that it often misses a lot of content as yesterday it missed a spam payload where the domain was on one of the key blacklists out there but not the one Zscaler seems to only rely on. So while Zpath is good, it's not something we can exclusively rely on to get things right so another product may need to be used to fully get the story on sites, and to deal with filtering issues, which include 'false negatives'.

