SSL inspection - icloud App not syncing correctly

Hi guys,

I'm slowly implementing SSL inspection on my network, starting with a small group of PCs (Win10 all). I'm on SFOS 17.5.11 MR-11.HF062020.1

I've found out that iCloud sync is not working correctly, OneDrive for example is just fine. I don't care that much about iCloud app, but I would like to take this opportunity to learn more about SSL inspection in general and how to troubleshoot this.


The iCloud app will not download the file to the local drive when a new file is created in the cloud (from iPhone/iPad). It knows it's there but will not succeed with the download, and I get an error that the network is unreachable. The folder is set to "Always keep offline" so it should be downloaded immediately.

XG setup

I know it's the HTTPS service and its inspection: when I remove HTTPS from the test FW rule, the iCloud app works just fine and the files are downloaded. So I've tried these and nothing helps ...

Created exceptions (WEB/Exceptions) with policy checks and HTTPS decryption disabled for

  • ^([A-Za-z0-9.-]*\.)?apple\.com\.?/
  • ^([A-Za-z0-9.-]*\.)?icloud\.com\.?/
  • ^([A-Za-z0-9.-]*\.)?cdn-apple\.com\.?/
  • ^([A-Za-z0-9.-]*\.)?mzstatic\.com\.?/

Created a FW rule before the test rule with inspection disabled and the destination set as WAN / which is the Apple network. All services on * and * are here.

So far I cannot make iCloud work with HTTPS inspection. If anyone can help or point me to right direction, it would be great!

Thanks for any help on this

  • I would recommend moving to V18, as V18 works with the DPI Engine. Maybe this will help in general.

  • In reply to LuCar Toni:

    Thanks, but that's not the issue here ;-) Also it's way too soon for v18, I won't push v18 onto any of my boxes until MR3 at least :-D

    But that's off-topic ... let's focus on the OP's problem

  • In reply to Martin Hampl:

    You should inspect the HTTPS log and find the domain used.

    As far as I know, there are more domains used by Apple which are not covered by the exception. This will likely kill your connection.

  • In reply to LuCar Toni:

    Ok, fixed! Dug deep into the logs and found out by some timestamps that the service needed for the actual download is ...

    "" ... I should have thought of this before, as most Apple services run on AWS :-)

    I hope this helps someone else in the future...
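The thread's two technical points are the URL-regex exceptions listed in the opening post and the advice to pull the actually contacted hostnames from the HTTPS log and compare them against those exceptions. The script below is an added example, not code from the thread or from Sophos: it applies the four patterns exactly as the poster wrote them to a constructed list of hostnames (the sample hosts are made up for illustration; the real hostname the poster found is not quoted on the page) and reports which ones would still be decrypted. It also checks that the patterns stay anchored to the registered domain, so a host that merely contains "apple.com" as a prefix label is not excepted.

```python
import re

# Exception patterns as written in the original post (Sophos Web > Exceptions URL regex style).
# They are applied to the URL without scheme, i.e. "host/path", which is why each ends in "/".
EXCEPTION_PATTERNS = [
    r"^([A-Za-z0-9.-]*\.)?apple\.com\.?/",
    r"^([A-Za-z0-9.-]*\.)?icloud\.com\.?/",
    r"^([A-Za-z0-9.-]*\.)?cdn-apple\.com\.?/",
    r"^([A-Za-z0-9.-]*\.)?mzstatic\.com\.?/",
]

# Constructed sample of hostnames, as one might collect them from the HTTPS/web filter log
# for the test PC during a failed sync. These are illustrative only, not observed traffic.
SAMPLE_LOG_HOSTS = [
    "www.icloud.com",
    "p99-example.icloud.com",        # constructed subdomain
    "is1-ssl.mzstatic.com",
    "updates.cdn-apple.com",
    "apple.com.",                    # trailing-dot FQDN form, covered by the "\.?" in the pattern
    "apple.com.other.example",       # must NOT match: "apple.com" is only a leading label here
    "content-host.example.net",      # constructed stand-in for a host outside the listed domains
]


def is_excepted(host: str, patterns=EXCEPTION_PATTERNS) -> bool:
    """True if the host would hit one of the decryption exceptions.

    The firewall matches the regex against the URL with the scheme stripped,
    so the request root looks like "host/"; we build that form here.
    """
    url = host + "/"
    return any(re.match(p, url) for p in patterns)


def uncovered_hosts(hosts, patterns=EXCEPTION_PATTERNS):
    """Return the hosts from the log sample that no exception pattern matches.

    These are the hosts that would still be decrypted and inspected, which is
    where a client that pins or otherwise rejects the inspection CA will fail.
    """
    return [h for h in hosts if not is_excepted(h, patterns)]


def coverage_report(hosts, patterns=EXCEPTION_PATTERNS):
    """Map each host to 'excepted' or 'inspected' for a quick review."""
    return {h: ("excepted" if is_excepted(h, patterns) else "inspected") for h in hosts}


if __name__ == "__main__":
    for host, state in coverage_report(SAMPLE_LOG_HOSTS).items():
        print(f"{state:9s} {host}")
    print("still inspected:", uncovered_hosts(SAMPLE_LOG_HOSTS))
```

Replace SAMPLE_LOG_HOSTS with the hostnames taken from the HTTPS log for the affected client; anything listed as "inspected" that the client contacted during the failed download is a candidate for an additional exception, and the anchored pattern shape above means a new entry should be added per registered domain rather than by loosening the existing regexes.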