osx iMessage

Anyone have success letting iMessage traffic pass?  I believe it is secure IMAP and/or HTTPS.  Problem is that all that traffic is scanned and hence failing on my iMessage clients.  I have the SSL cert installed in my OS X keychain, but that does not appear to fix the problem.



  • turning off http/https scanning allows iMessage to work
  • iMessage uses three ports - 80, 443 and 5223, all TCP.

    If you happen to be using application control, make sure Apple Push Notification is not being blocked.

    Otherwise, I'd recommend putting in an exception for *.apple.com and *.icloud.com to exempt them from HTTPS decrypt and scan....

    Best way to do that - Protection > Web Protection > Web Categories - Create a category. I call mine "Known Good Websites."

    Add your domains and keywords.  Note - filter does NOT accept *.  Putting in "icloud.com" should be the same as *.icloud.com when it comes to the exception.

    Protection > Web Protection > Web Content Filter
    Find HTTPS Scanning Exceptions

    Add a new entry. Find your newly created category. Add & save.

    This SHOULD let you keep https decrypt and scan running.

    Good luck!

    Chavous

  • Hi,

    We're also trying to get iMessage working. When adding *.apple.com or *.icloud.com to the HTTPS exclusions, we get the following error message: "You must enter a valid domain name."


    Can you please tell me what you entered to get it working?

    Thanks

  • Try it without the *

    so icloud.com

    apple.com

  • That's how I have it now, but iMessage still doesn't work. Were you able to put *. ahead of the domain names?

    thanks

  • Well somehow my apple and icloud exception had gotten removed, so I just had to re-add it.

    The category listing does not allow for asterisks, and so my initial post is incorrect.  I shall edit it accordingly.

    apple.com

    icloud.com

    That should do it.


    Best way to verify - browse to https://www.apple.com/

    Check the certificate - if it is your XG's certificate - go back through the steps for adding an exception and double check everything.  If it is a "green bar" extended validation certificate, then the exception is working properly.  I'd be willing to bet the exception is just not set up properly and not working.

    I can't validate my settings right this moment as I'm not at my office and thus not subject to the XG's whims, but I will later today or tomorrow when I'm back.
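
Added example, not part of the thread: the certificate check described in the post above, done from a terminal instead of a browser, so several hosts can be checked at once. The CA name `Example-XG-CA` and the two sample issuer lines are constructed placeholders; substitute the subject name of your own appliance's signing CA.

```shell
#!/bin/sh
# Added example: which CA issued the certificate a host presents?
# Usage: sh check_issuer.sh "<firewall CA name>" host [host...]

# Constructed sample issuer lines in `openssl x509 -noout -issuer` style.
SAMPLE_INTERCEPTED='issuer=C = US, O = Example Corp, CN = Example-XG-CA'
SAMPLE_DIRECT='issuer=C = US, O = Example Public CA Inc, CN = Example Public TLS CA'

# Print the issuer of the leaf certificate served by host $1 (port $2, default 443).
# s_client carries on even when verification fails, so this works whether or
# not the firewall CA is installed on the client.
fetch_issuer() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer 2>/dev/null
}

# Compare an issuer line with the firewall CA name (case-insensitive, literal).
# Prints intercepted, passthrough, or no-certificate.
classify_issuer() {
    issuer=$1
    ca_name=$2
    if [ -z "$issuer" ]; then
        echo "no-certificate"      # blocked, timed out, or not TLS
    elif printf '%s\n' "$issuer" | grep -qiF -- "$ca_name"; then
        echo "intercepted"         # firewall re-signed the certificate
    else
        echo "passthrough"         # original certificate reached the client
    fi
}

# Only runs when a CA name and at least one host are given on the command line.
if [ "$#" -ge 2 ]; then
    ca=$1
    shift
    for host in "$@"; do
        result=$(classify_issuer "$(fetch_issuer "$host")" "$ca")
        printf '%-28s %s\n' "$host" "$result"
    done
fi
```

Run it against www.apple.com before and after adding the exception; a working exception changes the result from `intercepted` to `passthrough`.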

  • Thanks for the suggestions. I did what you said and when browsing to https://www.apple.com I see my XG's certificate. I verified that I'm doing things the correct way. I have other exceptions and they are working properly. I'm going to chalk this up to another one of the many bugs we've experienced with the XG. On a side note, I did get iMessage working but it's not the most ideal solution for us. I had to filter on destination address 17.0.0.0/8 and turn off decrypt and scan on the rule. I also had to allow iCloud and a few other Apple services in the application filter.

  • I used the keyword list and have the following

    icloud

    push-apple

    apple

    No .com.  Also these are in a No_Scan Web category that I use with a no_scan filter policy which is then in my web content filter exceptions list.  So to recap:

    You need a list of wildcard domain keywords in a web category.  That category needs to be in a web filter policy that is then listed in the content filter.

  • It's still not working when I try what you've suggested. I'm going to try upgrading the firmware and see if that fixes some of the bugs we've been seeing.