Cannot Sync through a corporate proxy

I am connecting via a corporate proxy that performs TLS connection inspection. This means that the client gets a non-trusted intermediate certificate. The 1Password client will successfully log in and retrieve the configuration but will not sync changes back to my account. I created a side-by-side configuration file to point to a cntlm proxy to see if this resolved the issue, but it is still occurring.

I am seeing the following lines repeated in the log file (I have masked out the identifiers):

I176926msThreadId(20)1Password::api:1673 │ 176927ms │ network connection ok
I176928msThreadId(4)1Password::api:1673 │ 176928ms │ Using proxy configuration, address: True, valid address: True, username: False, password: False
I176935msThreadId(4)1Password::api:1673 │ 176935ms │ proxy is in use
I176935msThreadId(4)1Password::api:1673 │ 176935ms │ network configured in 317ms
I179604msThreadId(4)1Password::api:1673 │ 179605ms │ > authorize account #1; account uuid: xxxxxxxxxxxxxxxxxxx; device uuid: xxxxxxxxxxxxxxxxxxxxx; user uuid: xxxxxxxxxxxxxxxxx
sessionId: xxxxxxxxxxxxxxxxxxxx
time: 2,669ms

I171366msThreadId(4)1Password::api:1673 │ 171366ms │ watchtower update started
I171368msThreadId(4)1Password::api:1673 │ 171368ms │ watchtower update completed
W175302msThreadId(11)1Password::notifier:153 │ 175302ms │ notifier connection failed for account 1: Io(Os { code: 10061, kind: ConnectionRefused, message: "No connection could be made because the target machine actively refused it." })
W176617msThreadId(4)1Password::api:1679 │ 176617ms │ Network request #120 failed in 1,090ms, status ConnectionClosed (The underlying connection was closed: The connection was closed unexpectedly.)
I176617msThreadId(4)1Password::api:1673 │ 176617ms │ checking network and applying any changes
I176701msThreadId(4)1Password::api:1673 │ 176701ms │ > sync
account id: 1; type: I; session id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> HTTP overview
> HTTP account/attrs
> HTTP PATCH vault/h4aspiuqwfblda36pfl7ktfcta/19/items
batch push complete; updated: 0; failed: 0; new vault content version: 0; success: False
time: 2,334ms

1Password Version: 7.3.67
Extension Version: Not Provided
OS Version: Windows 10
Sync Type: Not Provided
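
A triage script for the log format shown in the post above, added here as an example (it is not part of the original post and is not 1Password code). The header layout and the rule that `> HTTP` lines carrying an explicit method are write requests are assumptions inferred from the excerpt alone.

```python
import re
from collections import Counter

# Sample input: a subset of the lines in the post above, embedded so this runs offline.
SAMPLE_LOG = """\
I176935msThreadId(4)1Password::api:1673 │ 176935ms │ proxy is in use
W175302msThreadId(11)1Password::notifier:153 │ 175302ms │ notifier connection failed for account 1: Io(Os { code: 10061, kind: ConnectionRefused, message: "No connection could be made because the target machine actively refused it." })
W176617msThreadId(4)1Password::api:1679 │ 176617ms │ Network request #120 failed in 1,090ms, status ConnectionClosed (The underlying connection was closed: The connection was closed unexpectedly.)
I176701msThreadId(4)1Password::api:1673 │ 176701ms │ > sync
account id: 1; type: I; session id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> HTTP overview
> HTTP PATCH vault/h4aspiuqwfblda36pfl7ktfcta/19/items
batch push complete; updated: 0; failed: 0; new vault content version: 0; success: False
"""

# Assumed header layout, inferred from the excerpt only:
# <level><ms>msThreadId(<n>)<module>:<line> │ <ms>ms │ <message>
HEADER = re.compile(
    r"^(?P<level>[A-Z])\d+msThreadId\((?P<thread>\d+)\)"
    r"(?P<module>[\w:]+?):(?P<line>\d+) │ \d+ms │ (?P<msg>.*)$")
KIND = re.compile(r"kind: (\w+)|status (\w+)")  # error kind inside a warning message
WRITE = re.compile(r"^> HTTP (PATCH|POST|PUT|DELETE) (\S+)$")  # explicit-method requests


def parse(text):
    """Group lines into entries; a line without a header continues the previous entry."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:
            entries.append({**m.groupdict(), "extra": []})
        elif raw.strip() and entries:
            entries[-1]["extra"].append(raw.strip())
    return entries


def triage(entries):
    """Return (warning counts per (module, kind), write requests in failed pushes)."""
    warnings, failed_writes = Counter(), []
    for e in entries:
        if e["level"] == "W":
            k = KIND.search(e["msg"])
            kind = (k.group(1) or k.group(2)) if k else "unknown"
            warnings[(e["module"], kind)] += 1
        if any(x.endswith("success: False") for x in e["extra"]):
            failed_writes += [m.groups() for x in e["extra"] if (m := WRITE.match(x))]
    return warnings, failed_writes


if __name__ == "__main__":
    counts, writes = triage(parse(SAMPLE_LOG))
    for (module, kind), n in counts.items():
        print(f"{n}x {module}: {kind}")
    for method, path in writes:
        print(f"push failed: {method} {path}")
```

Run against a full log, the per-module counts separate notifier connection failures from failed API requests, and the second result lists which write requests sat inside a sync that ended with `success: False`.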

Comments

  • Hey, @hurdlea! TLS inspection will be a problem. Do you have the option to whitelist applications and exempt them from inspection? I'm assuming not or you'd likely have just done that, but better to ask. I'm happy to provide any info you need from us in order to accomplish that, if it's an option. If not, there won't be a way to make 1Password for Windows work in your environment, so I'd suggest using 1Password X instead:

    https://support.1password.com/getting-started-1password-x/

    1Password X is a browser extension that doesn't require a desktop app and, in my experience, things that run in your browser tend to work better in this situation. If you decide to give it a go, let me know how it works for you. And, of course, any questions (whether about 1Password X or whitelisting), just ask. :chuffed:

  • hurdlea
    Community Member

    Thank you for the 1Password X suggestion, as this seems to give me what I need. The desktop app was so close to working, though; it was just missing the capability to push changes back to the server.

  • hurdlea
    Community Member

    I spoke too soon: the 1Password X client can't write back to the server either. I get the following error when I try to save a login:
    "We were unable to reach the server. Please check your internet connection and try again." Is the client trying to reach a server interface on any port other than 80 or 443 as these are explicitly blocked by our firewall/proxy rules? It doesn't seem to be a TLS cert issue as that is generally reported as a trust issue rather than a straight connection refused problem. Any ideas?

  • Greg
    1Password Alumni

    Hi @hurdlea,

    For 1Password to have full access to 1Password.com servers, you will need to whitelist access to 1Password.com domains on the secure HTTPS port (443). Are you able to do that? Please let us know. Thanks!

    Cheers,
    Greg

  • mgrad92
    Community Member

    Hi, @Greg. Is *.1password.com:443 all that would need to be added to a corporate proxy/firewall whitelist?

  • ag_ana
    1Password Alumni

    @mgrad92:

    You can find the full list here.

  • mgrad92
    Community Member

    Thanks @ag_ana — do you know whether access to *.agilebits.com:443, api.pwnedpasswords.com:443, and in.appcenter.ms:443 is required if I'm just using the 1Password X browser extension without installing the 1Password application?

  • The first two of those are, I believe, needed for Watchtower to work, @mgrad92. The first for the Compromised Passwords list and the second for Vulnerable Passwords powered by Troy Hunt's Pwned Passwords. Theoretically, neither is needed (for 1Password X or 1Password for Windows) if Watchtower is disabled in the apps. App Center is for automated anonymized crash reporting for the Windows app and most likely not needed for 1Password X. If you can't tell, I'm not totally certain about that last one, so I'm gonna tag in @cecelia to confirm for me as I'm almost certain she'll know off-hand if I'm off base. :+1:

This discussion has been closed.