New Contributor

Whitelisting GotoMeeting specific subdomains in Cloudfront's CDN through Proxy

Hi,

I have read the thread about the necessary domains that need to be whitelisted if the connection is to be proxied, here:

https://support.logmeininc.com/gotomeeting/help/optimal-firewall-configuration-g2m060010

I'm OK with using wildcards with most of the domains as they are specific to GoToMeeting, but one in particular is:

*.cloudfront.net

Third-party CDN used by multiple GoTo products

Which, if whitelisted, will allow access to all/most of the content hosted on AWS' CloudFront, instead of only allowing the GoToMeeting access.

AWS assigns a specific subdomain to its tenants. Does anybody know what specific subdomain(s) I would need whitelisted here?

Thanks for the help in advance

Thanks

6 REPLIES
LogMeIn Contributor

Re: Whitelisting GotoMeeting specific subdomains in Cloudfront's CDN through Proxy

Hi Javier,

I will try to gain more clarity for you with regards to .cloudfront.net's importance with GoTo services.

Active Contributor

Re: Whitelisting GotoMeeting specific subdomains in Cloudfront's CDN through Proxy

Is there an update available for this issue? Allowing ALL of cloudfront.net free rein on a network is a huge security risk. Cloudfront itself is already a network security risk, just in the way that they create random names for the sites that they host (URLs like d39vf9bwtb4sua.cloudfront.net, for example). There's no way to determine what content might live at the URL, or who the real company is that's hosting the data. To be secure, there should be human-readable domains such as gotomeeting.cloudfront.net, logmein.cloudfront.net, etc. Is there a list available for the LMI/GTM cloudfront domains? No way I'm opening up a network that contains HIPAA-protected info to every cloudfront.net subdomain just to use GoToMeeting. Setting an exception for *.cloudfront.net is ripe for abuse.
LogMeIn Contributor

Re: Whitelisting GotoMeeting specific subdomains in Cloudfront's CDN through Proxy

@HarryH3 @Javier_M Here's an update on this topic:

We don't have dedicated cloudfront domains, but these are the specific SendGrid IPs where LMI emails originate:

Active Contributor

Re: Whitelisting GotoMeeting specific subdomains in Cloudfront's CDN through Proxy

Thanks Ash, but I get the feeling that cloudfront.net is used for more than just email. The page linked in the top post is a list of sites that need to be able to get through the firewall for certain GTM/LMI products to function properly.

It specifically lists: *.cloudfront.net as "Third-party CDN used by multiple GoTo products".

Can you confirm if cloudfront.net is used only for email, and is not required for LMI or GTM to function properly?

Thanks!

LogMeIn Contributor

Re: Whitelisting GotoMeeting specific subdomains in Cloudfront's CDN through Proxy

@HarryH3 Yes, as far as I've been told, that is the only reason to whitelist cloudfront: LMI Emails.

Active Contributor

Re: Whitelisting GotoMeeting specific subdomains in Cloudfront's CDN through Proxy

Thanks Ash, I'll leave cloudfront blocked. Perhaps LMI will publish the actual FQDN of the cloudfront site they use so that those of us that have to protect sensitive data could whitelist ONLY that one address, rather than opening attack vectors from any and every subdomain hosted by cloudfront.
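
The following is an added example, not part of the thread and not LogMeIn's or AWS's code: it reads proxy log lines and reports which cloudfront.net hosts a `*.cloudfront.net` rule would admit beyond a pinned list, and which clients reached them. The log lines are constructed in Squid's native access.log layout, and the `PINNED` host and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed sample lines in Squid's native access.log layout (not real traffic).
# d39vf9bwtb4sua is the name quoted in the thread; the other hosts are made up.
SAMPLE_LOG = """\
1700000000.101 212 10.0.0.5 TCP_TUNNEL/200 5120 CONNECT d39vf9bwtb4sua.cloudfront.net:443 - HIER_DIRECT/192.0.2.10 -
1700000001.202 180 10.0.0.5 TCP_TUNNEL/200 8841 CONNECT d0000pinned0000.cloudfront.net:443 - HIER_DIRECT/192.0.2.11 -
1700000002.303 95 10.0.0.9 TCP_TUNNEL/200 1200 CONNECT d39vf9bwtb4sua.cloudfront.net:443 - HIER_DIRECT/192.0.2.10 -
1700000003.404 60 10.0.0.7 TCP_MISS/200 734 GET http://D1111OTHER1111.cloudfront.net/a.js - HIER_DIRECT/192.0.2.12 text/javascript
1700000004.505 40 10.0.0.7 TCP_TUNNEL/200 300 CONNECT notcloudfront.net:443 - HIER_DIRECT/192.0.2.13 -
1700000005.606 40 10.0.0.7 TCP_TUNNEL/200 300 CONNECT cloudfront.net.example.org:443 - HIER_DIRECT/192.0.2.14 -
"""

# Hypothetical pinned list: hosts your own review has tied to the approved app.
PINNED = {"d0000pinned0000.cloudfront.net"}


def host_of(url):
    """Return the lowercase hostname of a CONNECT target (host:port) or absolute URL."""
    rest = url.split("://", 1)[-1]
    host = rest.split("/", 1)[0].rsplit("@", 1)[-1]
    if ":" in host:                      # drop the port (IPv6 literals not handled)
        host = host.rsplit(":", 1)[0]
    return host.lower().rstrip(".")


def matches(rule, host):
    """'*.example.net' covers any subdomain on a label boundary; otherwise exact match."""
    if rule.startswith("*."):
        return host.endswith(rule[1:])   # compares against ".example.net"
    return host == rule


def audit(log_text, wildcard, pinned):
    """Map each host admitted by `wildcard` but absent from `pinned` to its clients."""
    extra = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:              # skip short or malformed lines
            continue
        client, host = fields[2], host_of(fields[6])
        if matches(wildcard, host) and not any(matches(p, host) for p in pinned):
            extra[host].add(client)
    return dict(extra)


if __name__ == "__main__":
    for host, clients in sorted(audit(SAMPLE_LOG, "*.cloudfront.net", PINNED).items()):
        print(f"{host}: {', '.join(sorted(clients))}")
```

Lookalike names such as notcloudfront.net and cloudfront.net.example.org are not reported because the wildcard is compared on a label boundary.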