Skyhigh Web Gateway HTTPS Inspection can cause connections to Apple services to fail
Last Modified: 2023-12-12 08:19:25 Etc/GMT
Technical Articles ID: KB92316
Environment
Skyhigh Web Gateway (SWG)
SWG (Cloud)
macOS
iOS
tvOS
Problem
Apple devices routed through SWG or SWG (Cloud) report connection failures or errors in the following situations:
Cause
The HTTPS Inspection (formerly SSL Scanner) rule set used by SWG replaces the original certificate chain: SWG substitutes a certificate created and signed by its own certificate authority (CA) and uses that certificate to inspect the HTTPS traffic. Apple services perform strict HTTPS validation when connecting to servers, and the connection is rejected if unexpected changes to the chain are detected.

Apple Software Update uses Range headers when performing downloads. Gateway Antimalware automatically removes these headers when it encounters them, so that complete files can be scanned. Removing the header causes ranged downloads to fail.
Solution
Apple recommends that HTTPS Scanning, Content Inspection, and Authentication are bypassed entirely for Apple services when they are routed through a proxy server. Apple publishes the list of hosts recommended for bypass in the following article: Apple Support - Use Apple products on enterprise networks

We recommend that you add these hosts to a Wildcard Expression list. Then, create a rule with the action Stop Rule Set if the URL property is matched against the list. Deploy the rules in the following top-level rule sets, if they are used:
Explicit Proxy Authentication and Authorization
Authentication Server
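As an added, offline example (not Skyhigh, Trellix or Apple code): a small Python helper that checks a URL host against a wildcard bypass list and checks a recorded response for the two failure modes described under Cause, a chain replaced by the gateway CA and a stripped Range header. The glob semantics for `*`, the abbreviated list entries and the issuer name are assumptions.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed, abbreviated bypass list (assumption): take the authoritative
# host names from Apple's "Use Apple products on enterprise networks" article.
BYPASS_LIST = ["*.apple.com", "*.icloud.com", "*.mzstatic.com", "*.cdn-apple.com"]

# Placeholder issuer name for the gateway's own signing CA (assumption).
PROXY_CA_ISSUER = "Skyhigh Web Gateway CA"

def url_host(url):
    """Lower-case host of a URL, with any userinfo and port dropped."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.lower()

def should_bypass(url, patterns=BYPASS_LIST):
    """True when the URL host matches a wildcard expression. '*' is treated
    as a glob over the whole host, so 'apple.com.example.net' does not match
    '*.apple.com', and a bare 'apple.com' needs its own entry."""
    host = url_host(url)
    return any(fnmatchcase(host, p.lower()) for p in patterns)

def audit_response(cert_issuer, status, headers):
    """Report the two failure modes from the Cause section, for a client that
    sent 'Range: bytes=0-1023' through the proxy and recorded the issuer of
    the leaf certificate it received."""
    findings = []
    if cert_issuer == PROXY_CA_ISSUER:
        findings.append("certificate chain replaced: HTTPS inspection still active")
    lower = {k.lower(): v for k, v in headers.items()}
    if not (status == 206 and "content-range" in lower):
        findings.append("Range header stripped: expected 206 with Content-Range")
    return findings

if __name__ == "__main__":
    # Constructed observations: one host bypassed correctly, one still inspected.
    samples = [
        ("https://swdist.apple.com/content/downloads/x.pkg",
         "Example Public CA", 206, {"Content-Range": "bytes 0-1023/4096"}),
        ("https://gs.apple.com/x", PROXY_CA_ISSUER, 200, {"Content-Length": "4096"}),
    ]
    for url, issuer, status, headers in samples:
        print(url, "bypass-listed:", should_bypass(url),
              "findings:", audit_response(issuer, status, headers))
```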