SSL inspection - icloud App not syncing correctly

Hi guys,

I'm slowly implementing SSL inspection on my network, starting with a small group of PCs (all Win10). I'm on SFOS 17.5.11 MR-11.HF062020.1

I've found out that iCloud sync is not working correctly; OneDrive, for example, is just fine. I don't care that much about the iCloud app, but I would like to take this opportunity to learn more about SSL inspection in general and how to troubleshoot this.

Situation

The iCloud app will not download the file to the local drive when a new file is created in the cloud (from an iPhone/iPad). It knows it's there but will not succeed with the download, and I get an error that the network is unreachable. The folder is set to "Always keep offline", so it should be downloaded immediately.

XG setup

I know it's the HTTPS service and its inspection: when I remove HTTPS from the test FW rule, the iCloud app works just fine and the files are downloaded. So I've tried these and nothing helps ...

Created exceptions (WEB/Exceptions) with policy checks and HTTPS decryption disabled for

  • ^([A-Za-z0-9.-]*\.)?apple\.com\.?/
  • ^([A-Za-z0-9.-]*\.)?icloud\.com\.?/
  • ^([A-Za-z0-9.-]*\.)?cdn-apple\.com\.?/
  • ^([A-Za-z0-9.-]*\.)?mzstatic\.com\.?/

Created a FW rule before the test rule, with inspection disabled and the destination set as WAN / 17.0.0.0/8, which is Apple's network. All services on *apple.com and *icloud.com are here.

So far I cannot make iCloud work with HTTPS inspection. If anyone can help or point me in the right direction, it would be great!

Thanks for any help on this

  • I would recommend moving to V18, as V18 works with the DPI engine. Maybe this will help in general.

  • In reply to LuCar Toni:

    Thanks, but that's not the issue here ;-) Also, it's way too soon for v18; I won't push v18 onto any of my boxes until MR3 at least :-D

    But that's off-topic ... let's focus on the OP's problem.

  • In reply to Martin Hampl:

    You should inspect the HTTPS log and find the domain that is used.

    As far as I know, there are more domains used by Apple which are not covered by the exception. This will likely kill your connection.

  • In reply to LuCar Toni:

    OK, fixed! I dug deep into the logs and found out from some timestamps that the service needed for the actual download is ...

    "amazonaws.com" ... I should have thought of this before, as most Apple services run on AWS :-)

    I hope this helps someone else in the future...
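The troubleshooting step the thread converges on (pull the destinations from the HTTPS log and see which ones fall outside the exception regexes) can be done offline against the exception list from the original post. The script below is an added example written for this page, not code from the thread or from Sophos. It takes the four regexes exactly as posted and reports every logged host that none of them covers. Two things are assumed: that XG applies a web exception regex to the URL with the scheme removed (so "host/path"), which is why bare hostnames get a trailing "/" before matching; and the log entries themselves, which are constructed for illustration and are not taken from a real HTTPS log. The two lookalike hosts at the end are there to show what the anchored `^([A-Za-z0-9.-]*\.)?` prefix buys compared to a plain "apple.com" substring match.

```python
import re

# The four exception regexes from the original post (Sophos XG, WEB > Exceptions).
EXCEPTION_PATTERNS = [
    r"^([A-Za-z0-9.-]*\.)?apple\.com\.?/",
    r"^([A-Za-z0-9.-]*\.)?icloud\.com\.?/",
    r"^([A-Za-z0-9.-]*\.)?cdn-apple\.com\.?/",
    r"^([A-Za-z0-9.-]*\.)?mzstatic\.com\.?/",
]
COMPILED = [re.compile(p) for p in EXCEPTION_PATTERNS]


def normalize(entry):
    """Turn a log entry (URL, host/path, or bare hostname) into 'host/path'.

    Assumption: XG matches exception regexes against the URL with the scheme
    stripped, so a bare hostname needs a trailing '/' to satisfy the patterns'
    final '/'. Hostnames are case-insensitive, so everything is lowercased.
    """
    entry = entry.strip().lower()
    for scheme in ("https://", "http://"):
        if entry.startswith(scheme):
            entry = entry[len(scheme):]
    if "/" not in entry:
        entry += "/"
    return entry


def matching_exception(entry):
    """Return the first exception regex (as a string) that covers the entry, or None."""
    url = normalize(entry)
    for pattern in COMPILED:
        if pattern.match(url):
            return pattern.pattern
    return None


def uncovered_hosts(entries):
    """Hostnames (deduplicated, first-seen order) that no exception covers.

    These are the destinations that stay under HTTPS decryption and are the
    first candidates when an app breaks only with inspection enabled.
    """
    seen = []
    for entry in entries:
        if matching_exception(entry) is None:
            host = normalize(entry).split("/", 1)[0]
            if host not in seen:
                seen.append(host)
    return seen


# Constructed sample of destinations as one might read them out of the HTTPS
# log during an iCloud download attempt. Hostnames are illustrative only.
SAMPLE_LOG_ENTRIES = [
    "https://setup.icloud.com/setup/ws/1/login",
    "p01-content.icloud.com/download/file",
    "is1-ssl.mzstatic.com/image/thumb/a.jpg",
    "www.apple.com",                        # bare hostname -> "www.apple.com/"
    "cdn-apple.com/v1/file",                # covered by the cdn-apple regex, not the apple one
    "some-bucket.s3.amazonaws.com/object",  # storage backend, not in the exception list
    "some-bucket.s3.amazonaws.com/object2",
    "evil-apple.com/",                      # lookalike: no '.' directly before "apple.com"
    "apple.com.evil.example/",              # lookalike: "apple.com" is not the end of the host
]

if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_LOG_ENTRIES):
        print("not covered by any exception:", host)
```

Run it with the hostnames copied from the HTTPS log in place of the constructed sample; anything it prints is a destination that is still being decrypted. The same check is useful in reverse: if a broad pattern such as a bare `apple\.com` substring were used instead, the two lookalike hosts would be excepted from inspection too, which is exactly what the anchored prefix in the posted regexes prevents.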