osx iMessage

Anyone have success letting iMessage traffic pass?  I believe it is secure IMAP and/or HTTPS.  Problem is that all that traffic is scanned and hence failing on my iMessage clients.  I have the SSL cert installed in my OS X keychain, but that does not appear to fix the problem.



  • iMessage uses three ports - 80, 443 and 5223, all TCP.

    If you happen to be using application control, make sure Apple Push Notification is not being blocked.

    Otherwise, I'd recommend putting in an exception for *.apple.com and *.icloud.com to exempt them from HTTPS decrypt and scan....

    Best way to do that - Protection > Web Protection > Web Categories - Create a category. I call mine "Known Good Websites."

    Add your domains and keywords.  Note - filter does NOT accept *.  Putting in "icloud.com" should be the same as *.icloud.com when it comes to the exception.

    Protection > Web Protection > Web Content Filter
    Find HTTPS Scanning Exceptions

    Add a new entry. Find your newly created category. Add & save.

    This SHOULD let you keep https decrypt and scan running.

    Good luck!

    Chavous

  • Try it without the *

    so icloud.com

    apple.com

  • That's how I have it now, but iMessage still doesn't work. Were you able to put *. ahead of the domain names?

    thanks

  • Well somehow my apple and icloud exception had gotten removed, so I just had to re-add it.

    The category listing does not allow for asterisks, and so my initial post is incorrect.  I shall edit it accordingly.

    apple.com

    icloud.com

    That should do it.


    Best way to verify - browse to https://www.apple.com/

    Check the certificate - if it is your XG's certificate - go back through the steps for adding an exception and double check everything.  If it is a "green bar" extended validation certificate, then the exception is working properly.  I'd be willing to bet the exception is just not setup properly and not working.

    I can't validate my settings right this moment as I'm not at my office and thus not subject to the XG's whims, but I will later today or tomorrow when I'm back.

  • Thanks for the suggestions. I did what you said and when browsing to https://www.apple.com I see my XG's certificate. I verified that I'm doing things the correct way. I have other exceptions and they are working properly. I'm going to chalk this up to another one of the many bugs we've experienced with the XG. On a side note, I did get iMessage working but it's not the most ideal solution for us. I had to filter on destination address 17.0.0.0/8 and turn off decrypt and scan on the rule. I also had to allow iCloud and a few other Apple services in the application filter.

  • I used the keyword list and have the following:

    icloud

    push-apple

    apple

    No .com.  Also these are in a No_Scan web category that I use with a no_scan filter policy which is then in my web content filter exceptions list.  So to recap:

    You need a list of wildcard domain keywords in a web category.  That category needs to be in a web filter policy that is then listed in the content filter.

  • It's still not working when I try what you've suggested. I'm going to try upgrading the firmware and see if that fixes some of the bugs we've been seeing.

  • Unknown said:

    Thanks for the suggestions. I did what you said and when browsing to https://www.apple.com I see my XG's certificate. I verified that I'm doing things the correct way. I have other exceptions and they are working properly.

    Jiad, then I promise you that you have something misconfigured regarding the Apple one - because if you have the exception set up properly - either as keywords described by MichaelKatz or using the domain names as I described, it _WILL_ bypass the HTTPS decrypt-and-scan functionality and you'll see the real Apple cert.  Once that happens, iMessage should be good to go.

    Could it be that you have selected a category to block that would include the Apple messaging?  If so, perhaps try what MichaelKatz suggested and add it to your policy under web action as HTTP & HTTPS allowed.... then also have it in the bypass.

    Just to recap:

    Protection > Web Protection > Web Categories

    You have a category created in which you have put your exceptions.

    You then went to 

    Protection > Web Protection > Web Content Filter

    And at the very bottom, under HTTPS Scanning Exceptions added that category

    That should do it every single time.

    You can also add the category to your main web filter policy under Protection > Web Protection > Web Filter Policies and mark it "allowed" under HTTP and HTTPS, but that is not STRICTLY required in my experience (YMMV).  Mine is not there.... but I am also not explicitly blocking the category into which any of the *.apple.com or *.icloud.com domains should fall.

  • Hi,


    I'm not blocking anything Apple specifically. I am however blocking categories that might have Apple services included in them. I've created an Apple-specific application filter which has Apple services allowed, and they're above the denies I have for any category that might have an Apple service included in it. Like I said, the HTTPS exclusions are working for other websites, just not apple.com. I'm going to be upgrading tonight, so we'll see if the upgrade fixes this issue.

  • After the firmware upgrade I now am seeing Apple's cert instead of the appliance cert, so the HTTPS exclusions are working. In the end, I ended up removing the exclusions as I didn't want to allow access to the whole company, considering our original purpose was to only allow iMessage. Also, I noticed that the App Store wouldn't work either unless I turned off decrypt and scan for HTTPS. To get both iMessage and the App Store running I had to create a rule that allowed iCloud and had Decrypt and Scan HTTPS off for users on our WiFi network. I have also opened a ticket to see if there is a better way to do this. I would much rather prefer to be able to get granular and only allow access to iMessage and the App Store and not have to open up the whole Apple IP range.

  • Hi All,


    A little update on the iMessage issue. A couple of weeks after posting this, iMessage stopped working. I called and opened a ticket. After a ton of troubleshooting (thanks Andrew Haan!), Sophos was able to replicate our issue (NC-7927). As a workaround we disabled Pharming protection and iMessage now works flawlessly. No exceptions needed and all scanning turned on. If you're using DNS forwarding through the XG there should be no worries about disabling the Pharming protection.

    Jiad
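The thread tries three ways of keeping Apple traffic out of decrypt-and-scan: a domain category (Chavous), a keyword category (MichaelKatz) and a destination-network rule on 17.0.0.0/8 (Jiad). The added example below is not from the thread or from Sophos; it models each style on constructed hostnames to show how much each one exempts. It assumes domain entries behave as suffix matches (so "icloud.com" covers *.icloud.com, as Chavous states) and keyword entries as plain substring matches; the XG's real matching rules are not documented here.

```python
import ipaddress

# Constructed sample connections (host, destination IP); not taken from the thread.
CONNECTIONS = [
    ("www.apple.com", "17.253.144.10"),
    ("p12-keyvalueservice.icloud.com", "17.248.128.10"),
    ("courier.push.apple.com", "17.57.146.5"),
    ("pineapple.example", "203.0.113.7"),      # contains "apple" but is unrelated
    ("icloud.com.lookalike.example", "203.0.113.8"),  # "icloud.com" as a prefix, not a suffix
    ("www.example.com", "203.0.113.9"),
]

DOMAIN_CATEGORY = {"apple.com", "icloud.com"}         # Chavous: no asterisk accepted
KEYWORD_CATEGORY = {"icloud", "push-apple", "apple"}  # MichaelKatz: keywords, no .com
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")        # Jiad's address-based rule


def domain_match(host, domains):
    """Assumed domain semantics: host equals the entry or is a subdomain of it."""
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def keyword_match(host, keywords):
    """Assumed keyword semantics: case-insensitive substring anywhere in the host.
    Note that under this model "push-apple" never matches "push.apple.com";
    it is the bare "apple" keyword that does the work, and it over-matches."""
    h = host.lower()
    return any(k in h for k in keywords)


def network_match(ip, net):
    """Destination-network rule: exempt if the IP falls inside the prefix."""
    return ipaddress.ip_address(ip) in net


def classify(connections):
    """Map each host to the set of exception styles that would bypass scanning."""
    result = {}
    for host, ip in connections:
        hits = set()
        if domain_match(host, DOMAIN_CATEGORY):
            hits.add("domain")
        if keyword_match(host, KEYWORD_CATEGORY):
            hits.add("keyword")
        if network_match(ip, APPLE_NET):
            hits.add("17/8")
        result[host] = hits
    return result


def overbroad(connections, domains, keywords):
    """Hosts the keyword style exempts that the domain style would not."""
    return sorted(h for h, _ in connections
                  if keyword_match(h, keywords) and not domain_match(h, domains))
```

Running `classify(CONNECTIONS)` shows the three Apple hosts exempted by every style, while `overbroad(...)` lists the unrelated hosts that only the keyword category lets through unscanned.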
