This discussion has been locked.

Windows 10 Mail built-in client and Google Music Manager (Windows 10) Solved....?!

Hello to whom the following might concern.

The issue: built-in Windows 10 Mail client not synchronizing when HTTPS Scan and Decrypt is active (certificates are installed on the endpoints).

And Google Music Manager (Windows 10) not connecting to account; also verification and therefore uploading not possible.

This happens with both Outlook, Office365 (Microsoft) and Gmail accounts.

After a long time reading and analyzing the log viewer I have come to this solution for both issues. I am just wondering if this is the right approach.....

Solution / workaround: added an exception in policies as follows > all these are excluded from checks

I am just wondering if this is the right approach.....

 

Well, so far it works.....but still had issues with Google Music Manager (Windows 10) and what I did was the following.

Kept the Office365 / Outlook exception; it works for the built-in Mail client in Windows 10.

What didn't work was the Music Manager; I'd like to use HTTPS decrypt and scan on certain devices within my network.

It's not a very neat solution but for now it works and maybe I'll sort out later what to use for a tidy firewall rule. But it is almost impossible to analyze the entwined Google services and the infinite IPs they're using.

So I created a Google FQDN Host......and added a firewall rule on top with this FQDN and turned HTTPS Scan and Decrypt off for this rule only.

At least Google Music Manager is working properly now and later I have to sort out how to make a neat firewall rule for the Music Manager only.....

Suggestions are most welcome!!

Attachment: Google FQDN list and firewall rule

6204.Google FQDN.wps



This thread was automatically locked due to age.
Parents
  • Hi PaulThijs,

    Even though the applications are capable of connecting through a proxy, there is a possibility that the connection to the server will only accept the certificate predefined in the application itself. Google Apps have their own certificate to communicate with the server, and if HTTPS scanning is involved the XG will act as a MAN-IN-THE-MIDDLE and the connection could be dropped.

    It is best to add these connections to exceptions; the same can be observed with Banking Applications as they would trust their own CA.

    Regards,

    Aditya Patel
    Global Escalation Support Engineer | Sophos Technical Support


Children
  • Hello,

    It's been a while since I had time to sort things out, but I have managed it, I think. I do not know why this approach didn't work before; I have gone through all the possible ways I tried earlier. But now it seems to work (until now).

    Started with a clean slate, on SFOS 17.5.0 GA

    Added once again an exception under Protect for Google Music Manager with the following URLs and disabled (SKIP) HTTPS scanning:

    accounts.google.com
    android.clients.google.com
    apps.googleusercontent.com
    ssl.gstatic.com
    www.googleapis.com

    I don't understand why this approach didn't work before with Decrypt & scan HTTPS activated, but I am happy it works now!
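
A way to confirm from an endpoint that the exception really skips decryption for the five listed hosts, as an added example that is not part of the original thread: it classifies each host by who issued the certificate the client receives. `PROXY_CA_CN` is a placeholder for the name of the firewall's HTTPS-scanning signing CA, the helper names are hypothetical, and the sample certificates are constructed.

```python
import socket
import ssl

# Hostnames from the exception list in the post above.
EXCEPTED_HOSTS = [
    "accounts.google.com", "android.clients.google.com",
    "apps.googleusercontent.com", "ssl.gstatic.com", "www.googleapis.com",
]
# Assumption: placeholder for the CN of the firewall's HTTPS-scanning signing CA.
PROXY_CA_CN = "EXAMPLE-FIREWALL-SSL-CA"

def issuer_cn(peercert):
    """Return the issuer commonName from an ssl.getpeercert() dict, or None."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def classify(peercert, proxy_ca_cn=PROXY_CA_CN):
    """'decrypted' if the firewall CA issued the leaf, else 'bypassed'."""
    cn = issuer_cn(peercert)
    if cn is None:
        return "unknown"
    return "decrypted" if cn == proxy_ca_cn else "bypassed"

def audit(certs_by_host, hosts=EXCEPTED_HOSTS):
    """Map each excepted host to its status; hosts with no cert are 'unreachable'."""
    return {h: classify(certs_by_host[h]) if h in certs_by_host else "unreachable"
            for h in hosts}

def fetch_peercert(host, port=443, timeout=5):
    """Live check: handshake with the system trust store and return the leaf cert."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certs in getpeercert() layout (not captured from a real network).
SAMPLE = {
    "accounts.google.com": {"issuer": ((("organizationName", "Example Public CA"),),
                                       (("commonName", "Example Public CA R1"),))},
    "www.googleapis.com": {"issuer": ((("commonName", PROXY_CA_CN),),)},
    "ssl.gstatic.com": {"issuer": ((("organizationName", "No CN Org"),),)},
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:32} {status}")
```

For a live run, build the input with `{h: fetch_peercert(h) for h in EXCEPTED_HOSTS}`; any host reported as `decrypted` is still passing through HTTPS scanning despite the exception.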