
Https Scanning and iOS App Store

Hello

I just turned on the HTTPS scanning and decrypt. After installing the network agent and importing the certificate, internet browsing and the apps I tested worked fine. But what is not working is the connection to the Apple App Store. The connection is blocked. Can anyone tell me how I can fix that?

Thanks

Roger

  • I'm in the same boat! I switched this weekend from the UTM 9 home and went to XG firewall. I'm also noticing certain things now fail to work: the Apple App Store, browsing tumblr blogs, and a few other things. I've tried adding filter exceptions for those domains and even keywords, but it's still not working! Hopefully someone can point us in the right direction.
  • Hi There,

    Things like the App Store and Office 365 just don't seem to work with HTTPS scanning on. It was like that on the UTM as well - we recommended not scanning the productive category on UTM. It's the same on XG.

    Go to Protection > Web Protection > Web Content Filter and either create your own bypass category under HTTPS or select the categories you wish to bypass.

    This brings in little risk; the chances of a service like O365 or the App Store serving up malware or malicious code are highly unlikely.

    Sorry for the briefness and poor grammar - I'm on a phone!

  • I would hazard a guess that the App Store is using certificate pinning, like any good application will. There is no way to prevent this without making an exception. You cannot override the certificate pinning for built-in iOS apps, to prevent malicious actors from doing exactly what you are doing - MITM.

    The same goes for Microsoft/Google apps and websites. You are not running into an issue on desktop computers because they only enforce certificate pinning for publicly trusted roots and not privately trusted roots. This is why Superfish, etc. was such a big deal. Pretty soon most decent browsers and apps will force certificate pinning regardless of the trust store used.

  • I tried adding the rules that you suggested, but I can't get it to work.

    I checked the logs and can't see anything that's blocked. How can I find out what's being blocked, to add an exception?