
Windows 10 Mail built-in client and Google Music Manager (Windows 10) Solved...?!

Hello to whom it may concern.

The issue: the built-in Windows 10 Mail client does not synchronize when HTTPS Scan and Decrypt is active (certificates are installed on the endpoints).

And Google Music Manager (Windows 10) does not connect to the account, so verification and therefore uploading are not possible.

This happens with both Outlook / Office 365 (Microsoft) and Gmail accounts.

After a long time reading and analyzing the log viewer I have come to this solution for both issues. I am just wondering if this is the right approach...

Solution / workaround: added an exception in policies as follows > all of these are excluded from checks

I am just wondering if this is the right approach...

Well, so far it works... but I still had issues with Google Music Manager (Windows 10), and what I did was the following.

Kept the Office 365 / Outlook exception; it works for the built-in Mail client in Windows 10.

What didn't work was the Music Manager. I'd like to use HTTPS Decrypt and Scan on certain devices within my network.

It's not a very neat solution, but for now it works, and maybe I'll sort out later what to use for a tidy firewall rule. But it is almost impossible to analyze the intertwined Google services and the infinite number of IPs they're using.

So I created a Google FQDN host... and added a firewall rule on top with this FQDN and turned HTTPS Scan and Decrypt off for this rule only.

At least Google Music Manager is working properly now; later I'll have to sort out how to make a neat firewall rule for the Music Manager only...

Suggestions are most welcome!

 

Attachment: Google FQDN list and firewall rule

6204.Google FQDN.wps



  • Hey  

    Thanks for sharing your exception list!

    Unfortunately certain apps don't behave properly when their traffic goes through a proxy and is scanned. The solution to this is what you have already configured (proxy exceptions).


    Florentino
    Director, Global Community & Digital Support

  • Still testing... it seems to work, but I forgot to mention that I added the appliance certificate to: \AppData\Local\Programs\Google\MusicManager

    I thought it wasn't necessary to have it placed there (I placed the certificate there yesterday morning, in between a million thoughts in search of a solution), but when I remove the Sophos appliance certificate the Music Manager app refuses to log in to my Google account... so what's the deal here?

    When I analyze the Music Manager log file I can clearly see dozens of added root lines, just like this one: 2018-06-19 01:04:53,507 +0200 INFO TId 0x00001df8 Added Root C=, O=GlobalSign, OU=GlobalSign Root CA - R2, CN=GlobalSign - Expires wo 15. dec 08:00:00 2021 [AppMain.cpp:257 ::__cdecl main()]

    When placed back in the folder C:\Users\user\AppData\Local\Programs\Google\MusicManager it all works fine again.

    Tested start-up of Music Manager > success

    Upload music album > success

    Seems very comprehensive to me, just to get a Google app working properly... well, maybe because it is Google...

     

    **After some more testing, the above doesn't seem to make any difference. Sometimes it works, most of the time it doesn't... (20-06-2018)

    For now I'll stick with the Google FQDN firewall rule for the Google Music Manager application.

    I will keep trying to sort out all the connections the application is establishing and create a firewall rule for it.

    More updates to come...

    Attachments: Google Music Manager log files with and without Sophos appliance certificate

    0535.music_manager with CA.txt

    2671.musicmanager_log without CA.txt

  • Hi PaulThijs,

    Even though the application is capable of connecting through a proxy, there is a possibility that the connection to the server will only accept the certificate predefined in the application itself. Google apps have their own certificate to communicate with the server, and if HTTPS scanning is involved the XG will act as a MAN-IN-THE-MIDDLE and the connection could be dropped.

    It is best to add these connections to exceptions; the same can be observed with banking applications, as they would trust their own CA.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support

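The failure mode described in the reply above, as an added example that is not part of this thread and not Sophos or Google code: a Go program that builds, entirely in memory with throwaway test CAs (names assumed), a genuine certificate chain and an appliance-issued chain for accounts.google.com, then checks both the way an OS-trusting client (such as the Mail app) and the way a client that pins the public root's SPKI hash would. The OS-trusting client accepts the intercepted chain once the appliance CA is in the store; the pinning client rejects it no matter which CAs are installed, which is why skipping decryption for those hosts is the fix rather than adding more certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and signs tmpl under parent (nil = self-signed root).
// It panics on failure: this is throwaway in-memory test material, not a real CA.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template is a minimal certificate body: ca=true gives a root, otherwise a server
// cert for name, the shape a decrypting proxy mints on the fly under its own CA.
func template(name string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo: what a pinning app hard-codes.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// accepts models the client's check. pin == "" is a non-pinning client (e.g. the Windows
// Mail app): any chain ending in a root from the OS store passes. With a pin set it is a
// pinning app: the chain must also end in the pinned root, so an installed appliance CA
// does not help.
func accepts(leaf *x509.Certificate, roots *x509.CertPool, host, pin string) bool {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return false
	}
	for _, chain := range chains {
		if pin == "" || spkiPin(chain[len(chain)-1]) == pin {
			return true
		}
	}
	return false
}

// Demo builds the genuine and the intercepted chain for one host (one of those
// excluded in the thread) and evaluates both with both client types.
func Demo() map[string]bool {
	const host = "accounts.google.com"
	publicCA, publicKey := issue(template("Public Test Root", true), nil, nil)
	applianceCA, applianceKey := issue(template("Appliance Test Root", true), nil, nil)
	direct, _ := issue(template(host, false), publicCA, publicKey)
	intercepted, _ := issue(template(host, false), applianceCA, applianceKey)

	osStore := x509.NewCertPool() // endpoint store: appliance CA installed next to the public root
	osStore.AddCert(publicCA)
	osStore.AddCert(applianceCA)
	pin := spkiPin(publicCA) // the app pinned the genuine root, not the appliance's
	return map[string]bool{
		"direct/os-trust":        accepts(direct, osStore, host, ""),
		"intercepted/os-trust":   accepts(intercepted, osStore, host, ""),
		"direct/pinned-app":      accepts(direct, osStore, host, pin),
		"intercepted/pinned-app": accepts(intercepted, osStore, host, pin),
	}
}

func main() { fmt.Println(Demo()) }
```

Run it with `go run`; `intercepted/pinned-app` is the only entry that comes back false. Read the other way round, this is the diagnostic: an app that still fails after the appliance CA is installed in the OS store is pinning or carrying its own trust list, and its hosts have to be excluded from decryption rather than "fixed" with more certificates.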

  • Hello,

    It's been a while since I had time to sort things out, but I think I have managed it. I do not know why this approach didn't work before; I have gone through all the possible ways I tried earlier. But now it seems to work (so far).

    Started with a clean slate, on SFOS 17.5.0 GA.

    Added once again an exception under Protect for Google Music Manager with the following URLs and disabled (SKIP) HTTPS scanning:

    accounts.google.com
    android.clients.google.com
    apps.googleusercontent.com
    ssl.gstatic.com
    www.googleapis.com

    I don't understand why this approach didn't work before with Decrypt & Scan HTTPS activated, but I am happy it works now!