
Apple App Store Connection Errors

Hi There,

I have some weird problems with the Apple App Store on our MacBooks. Some colleagues can use the store without any problems, others cannot open it at all.
The same firewall rules apply to all users, regardless of whether they are on WiFi or LAN.
I have already set exceptions in the web policy, and put all the URLs from the Apple article into a firewall rule where the IPS is disabled: https://support.apple.com/de-de/HT201999

Please have a look at my screenshots. The problem is also that I can't see any errors in the log viewer or with packet capture when a colleague tries to download something from the store.

Any ideas?

 

WiFi clients are in the same zone as the LAN.



  • Same issues, and more related to Apple App Store, iTunes and Apple TV app connectivity.

    I’m running 17.5.5 MR5, but this has been an issue for a while on previous versions.

    I have multiple devices that work consistently connecting to Apple App Store,  and several that consistently have issues.

    One potential piece of the puzzle is that the devices that work consistently connect to networks at other locations regularly, while those that do not work are more likely only on the XG network.

  • Scott Klauminzer said:

     I have multiple devices that work consistently connecting to Apple App Store,  and several that consistently have issues.

    One potential piece of the puzzle is that the devices that work consistently connect to networks at other locations regularly, while those that do not work are more likely only on the XG network.

     

     
    THIS!
    Absolutely same behaviour at my site. 
     
    @ some ideas? 
  • Hi Toni,

    I don't have any failed connection attempts that I can find. The iPad just did not connect to the App Store. I have taken it out of my LAN because I needed an app for my new headphones/hearing aids to set them up.

    As a result the apps download and connect. I can search for historical connections and see what I can capture.

    Ian

  • Still an issue with SFOS 17.5.6 MR-6 and AP firmware 11.0.008 (the latter applied today)

  • It appears that if a client connects from an outside network, something is set for a period of time, because the connection continues to function once back on the Sophos network for a while.

     

    After some time it will stop working. This sounds like a trusted certificate check / re-check interval or something like that.

     

    I'm not sure this helps, but it is a little more information to help Sophos figure this out. 

     

    Scott K.

  • After turning off Web Caching, the end result is still no ability to download updates, but the App Store can now at least populate with available updates... just fails with "Could not connect to the server" when clicking Update.

  • Hi Scott,

    I think I have found the possible cause while looking for something else in log viewer. I see a lot of block unknown https protocols going to some Apple sites and some AWS sites. As an experiment, try unticking block unknown https protocols in web -> general settings and see if you can connect. At the moment I don't have any blocked applications to try this on.

    Ian

  • Thanks for the suggestion Ian. Unfortunately, this was already unticked.

     

    I did untick the block invalid certificates for a time to test, with no luck.

     

    Scott.

  • The following worked for me.

    Create a new User/Network rule at the top:

    Rule Name: Apple Services

    Source Zone: LAN

    Source Networks and Devices: either add selected devices or choose any

    Destination Zones: WAN

    Destination Networks:

    Choose Apple Services (should be inbuilt)

    Create Apple .aaplimg Services as FQDN host: *.aaplimg.com

    You may need to create another FQDN host for Akamai: *.akamaitechnologies.com

    Don't check any web malware and content scanning

    Don't turn on any advanced settings; leave them all as None (IPS, Web, App)

     

    This resolved my problem... UP UNTIL SFVH (SFOS 17.5.7 MR-7)  - Will be rolling back to MR-6 later.

  • Adding akamaitechnologies.com to bypass IPS, Web filtering and App is dangerous, given that they are a CDN and not just apple...

     

    I still don't understand why the OP is having issues. We have several Apple devices (Apple TVs, iPhones, iPads, MacBooks) and they all work well with the AppleStore, and go through an HTTP and an HTTPS rule (I have them both separated), and I have no connectivity issues to the Apple Store.

     

    IPS on both rules is enabled, as is pharming protection...although for the HTTPS rule, I don't have scan HTTPS traffic enabled.

     

    HTTP rule...

     

    HTTPS rule...

  • BLS said:
    Adding akamaitechnologies.com to bypass IPS, Web filtering and App is dangerous, given that they are a CDN and not just apple...

    Yes, I agree. I should clarify, in my particular rule, I am defining one particular device which is an iPad as the host, so I am not too concerned.

     

    BLS said:
    I still don't understand why the OP is having issues

    It is funny, I am running 2X XG330's 2X XG210's 1X XG125 and 1X XG Home and the only XG that I have problems with Apple is the XG Home, all other XG's work fine as per similar rules to what you posted.
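
The trade-off discussed in the posts above (an uninspected rule to a shared CDN wildcard, open to any source versus scoped to one device), as an added example that is not part of any post and not Sophos code. The rule dictionary schema, the client addresses and the test hostnames are hypothetical, and it assumes a wildcard FQDN host matches any subdomain depth.

```python
from fnmatch import fnmatchcase

# Assumption from the thread: Akamai hosts content for many customers, not just Apple.
SHARED_CDN_DOMAINS = ("akamaitechnologies.com",)
INSPECTION = ("ips", "web_policy", "app_control", "malware_scan")

def is_shared_cdn(pattern):
    """True if a (wildcard) FQDN pattern falls under a shared CDN domain."""
    base = pattern[2:] if pattern.startswith("*.") else pattern
    return any(base == d or base.endswith("." + d) for d in SHARED_CDN_DOMAINS)

def bypasses(rule, src, host):
    """True if traffic from src to host matches the rule with all inspection off.
    Assumes a wildcard FQDN host matches any subdomain depth."""
    src_ok = rule["source"] == ["any"] or src in rule["source"]
    dst_ok = any(fnmatchcase(host.lower(), p.lower()) for p in rule["dest_fqdn"])
    return src_ok and dst_ok and not any(rule[k] for k in INSPECTION)

def audit(rule):
    """Return (severity, pattern) findings for uninspected shared-CDN destinations."""
    if any(rule[k] for k in INSPECTION):
        return []
    severity = "high" if rule["source"] == ["any"] else "medium"
    return [(severity, p) for p in rule["dest_fqdn"] if is_shared_cdn(p)]

# Constructed rules modelled on the thread; schema and addresses are hypothetical.
OFF = dict.fromkeys(INSPECTION, False)
broad = {"name": "Apple Services", "source": ["any"],
         "dest_fqdn": ["*.aaplimg.com", "*.akamaitechnologies.com"], **OFF}
scoped = {**broad, "source": ["192.0.2.50"]}  # one iPad, as in the follow-up reply

if __name__ == "__main__":
    for rule in (broad, scoped):
        print(rule["source"], audit(rule))
```

Scoping the source lowers the finding from high to medium rather than clearing it, because the one device still reaches every site behind the CDN wildcard without inspection.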

  • Daniel Bingham said:

     

    It is funny, I am running 2X XG330's 2X XG210's 1X XG125 and 1X XG Home and the only XG that I have problems with Apple is the XG Home, all other XG's work fine as per similar rules to what you posted.

     

     

    I'm having a similar issue with SkyNews on an Apple TV, it refuses to start - but happens only on one Sophos XG device, the home version...the ones I have installed for a client at the London and Birmingham offices, with Apple TV's all running the same tvOS work - the one at home doesn't.

    And all use the same ISP - Virgin Media Business (I work from home so need the business level of support and static IP's)...

    Makes no sense, and this level of inconsistency makes me very nervous. The only difference is that the home is installed on a Dell Optiplex 3010, while the other devices are XG devices.

    Which makes me think, is this a home license issue - but I don't see why it would be.

    With the SkyNews issue, if I paste the URL into the Mac, I can then kickstart and stream over AirPlay and it will work - same URL...makes no sense...and no Any/Any, bypass rule, no filtering, IPS off changes to the rule make any difference...

  • BLS said:
    but happens only on one Sophos XG device, the home version

    BLS said:
    Makes no sense, and this level of inconsistency makes me very nervous. -The only difference is that the home is installed on a Dell Optiplex 3010, while the other devices are XG devices.

    You and I are in a similar boat. I am only seeing it on XG Home and I am running mine on a Shuttle PC - i5, 8GB, 120GB SSD, 2 NIC's.

     

    I am speaking with my Sophos Channel Manager now about the price of an XG86 and 106 with the bare minimum licensing as I think that may be a better option (albeit overkill) for home.

  • It appears that the Home version may be the culprit.

    Sophos, are you aware of this? What are the plans to resolve this issue?

    It does not bode well for product recommendation or adoption to have unknown differences between products that are identified as identical.

     

    Scott