Marking CDN / Streaming Media as Trusted

Good Morning Everyone --

I was just wondering if there was a way to mark ALL streaming sites / CDNs as a trusted site (and/or without SSL inspection). We currently have SSL inspection turned on but notice that there are some issues with streaming (Netflix, Spotify, etc.) with inspection turned on. If we manually mark each site it connects to as "trusted", we no longer have issues.

Is there a way we can just mark the category as trusted?  Any help/ideas would be much appreciated.

Thanks in advance!  

  • Hi Edward,

    Could you please brief me on the streaming issue you are facing? What kind of issues? Slow streaming, no streaming, etc.? I tried streaming on Netflix with HTTPS scanning enabled and saw no errors.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • We have no streaming from CDN sources.  We noticed it at first with Spotify and as soon as we exempted the CDN source from HTTPS scanning, it worked.  

  • I think the issue is related to Certificate Validation; turn it off and verify whether the issue still persists. Let us know if that helps.

    The other thing I would suggest is to import the certificate authority into the Trusted Root Certificates directory using Microsoft Management Console and clear the browser history/cache completely.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • We never had certificate validation turned on, as we have issues with hospital secure webmail systems.

    We also have the certificate authority deployed as a trusted root on all our computers via Group Policy.

  • Which deployment mode is configured on Sophos Web Appliance?

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi Edward,

    The weird part is that Netflix works well at my end with the same configuration, which makes me think that it could be related to region-specific servers or an ISP caching server. I was also able to find a related bug, but that occurs with a transparent proxy configuration. I would still request you to upgrade to v4.3.4 and check if that resolves it.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • In this case you should export the sophos_log file to a syslog server, then make your requests. You will probably find that the server you are connecting to is pulling data from a CDN. Chances are you will need to exclude it from certificate validation (it most likely uses a self-signed cert); you could also set it to Trusted as a last-ditch effort (disabling scanning).

    Your Netflix probably works because the content you are looking at is on a caching server and has not been fetched.

    See http://swa.sophos.com/webhelp/swa/concepts/InterpretingLogFiles.html for help with the log file.

    Simply log into the workstation, note the IP address, conduct your tests, and within a few minutes the log will arrive on your server. Look for the back-end GET requests and either add them as Trusted in the LSL, or add them to the HTTPS scanning and certificate validation exemptions. If the site is using byte-range requests to deliver the content you will have to set it as Trusted, as byte-range requests are automatically rejected.

  • Netflix also behaves differently and connects to services differently depending on whether it is a TV, Android phone, iPhone, laptop, etc. Often iPhones are the most problematic.

    As the SWA is typically only deployed in corporate environments where personal use of Netflix violates company policy, blocking Netflix is a much more common request than allowing it.

    The best thing to do is look at the log via syslog, especially for rsn=1408 or s=416. Then for the given URL (likely an IP) create a local site list entry and set it to Trusted.
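As an added illustration of the log triage the last two replies describe (this is not code from the thread or from Sophos), the Python below filters constructed syslog lines for one workstation's requests carrying s=416 or rsn=1408, groups them by destination host and proposes which exemption to try first. The key=value field names (h, s, rsn, url) and the sample hosts are assumptions; the real field set is documented in the InterpretingLogFiles help page linked above.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample lines in a simplified key=value shape (h=client IP,
# s=HTTP status, rsn=reason code, url=requested URL). Field names are an
# assumption; the real field set is in the InterpretingLogFiles help page.
SAMPLE_LOG = """\
h=10.1.2.50 u=edward s=200 rsn=0 url=https://www.music-example.invalid/
h=10.1.2.50 u=edward s=416 rsn=0 url=https://cdn-a.example.invalid/audio/a1?range=1
h=10.1.2.50 u=edward s=416 rsn=0 url=https://cdn-a.example.invalid/audio/a2
h=10.1.2.50 u=edward s=0 rsn=1408 url=https://cdn-b.example.invalid/seg/1.ts
h=10.1.2.77 u=alice s=200 rsn=0 url=https://intranet.example.invalid/
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one key=value log line into a dict."""
    return dict(FIELD.findall(line))


def triage(log_text, client_ip):
    """Return {host: {"s416": n, "rsn1408": n, "action": str}} for the
    back-end requests made by one workstation that match either marker."""
    hits = defaultdict(lambda: {"s416": 0, "rsn1408": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("h") != client_ip:          # only the workstation under test
            continue
        is_416 = f.get("s") == "416"         # HTTP 416: byte-range request rejected
        is_1408 = f.get("rsn") == "1408"     # reason code named in the thread
        if not (is_416 or is_1408):
            continue
        host = urlparse(f.get("url", "")).hostname or f.get("url", "?")
        hits[host]["s416"] += int(is_416)
        hits[host]["rsn1408"] += int(is_1408)
    for c in hits.values():
        # Byte-range rejections are only cured by a Trusted (unscanned) entry;
        # otherwise start with the narrower exemptions suggested in the thread.
        c["action"] = ("Trusted" if c["s416"]
                       else "HTTPS scanning / certificate validation exemption")
    return dict(hits)


if __name__ == "__main__":
    for host, c in triage(SAMPLE_LOG, "10.1.2.50").items():
        print(f"{host}: s416={c['s416']} rsn1408={c['rsn1408']} -> {c['action']}")
```

Run it against an export of the real sophos_log with the workstation IP you noted; hosts with s=416 hits go straight to Trusted, the rest start with the narrower exemptions.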