

Spotify and "Decrypt & Scan HTTPS"

Hi.

When I use Decrypt & Scan HTTPS in my firewall, the Spotify web site (I did not try the app) stops playing.

I cannot find a workaround for how to exclude those to allow the play.

I can reach the site, I can logon, but play won't work.

The logs show all "green".

I did install the certificate in the workstation (no alerts when I use https).

Thanks,



  • Hi  

    Have you tried creating a web exception for the entries discussed here?

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • I tried.

    I created a rule (top) with those IPs not to scan HTTPS.

    The app works fine.

    The issue is with the player using the web site.

    Once I remove the https scan from the default outbound rule, it works fine.

    I have a feeling that there are more IP addresses spotify uses.

    And besides, I cannot follow IP addresses all the time and exclude them.

    There should be a ready object for that which will be updated by the "firmware updates".


  • Hi Hayim,

    I would advise raising your object suggestion as a feature request on our Ideas website.

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • Hi,

    Did you create web exceptions using the XG regex configuration, which is different from the UTM configuration in the referenced thread?

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA


  • Yes, I did. It made sure the web site was working, but the player did not. The issue is that the player itself, or something on the way to the player, is using other IP addresses and other FQDNs.

    Besides, those companies keep adding features from other IPs and URLs, and changing their IP addresses for security reasons, and I do not want to "chase" their changes.

  • Hi,

    Open the log viewer and set it to web mode, then start the application to see which URLs it uses. I expect you will find they are different from what you already have the exceptions set up for?

    Ian


  • Hi,

    You could try to create a FQDN host for Spotify and use wildcard * > *.spotify.com to resolve all subdomains.

    Tried for two minutes, and these are the results after the connection was established with the website and web player:

    FQDN                              IP Address
    pixel-static.spotify.com          104.199.64.136
    gew-dealer-ssl.spotify.com        35.186.224.45
    gew-dealer.spotify.com            35.186.224.45
    apresolve.spotify.com             104.199.64.136
    api.spotify.com                   35.186.224.53
    open.spotify.com                  104.199.64.136
    global-dealer-ssl.spotify.com     35.186.224.47
    pixel.spotify.com                 104.199.64.136
    gew-spclient.spotify.com          35.186.224.53
    weblb-wg.dual-gslb.spotify.com    104.199.64.136
    wg.spotify.com                    35.186.224.53
    spclient.wg.spotify.com           35.186.224.53
    dealer.spotify.com                35.186.224.47

    From there you could try to figure out how to get on... well, the answer is: create a web exception ''spotify.com'' and exclude these:

    HTTPS Decryption
    Malware and Content Scanning
    Sandstorm
    Policy Checks

    Create a new rule on top for Spotify and use the Spotify FQDN host to connect to (all subdomains are resolved automatically), and of course do not check Scan and Decrypt HTTPS.

    Then the Spotify web player works.
  • I've been struggling to solve this as well and have finally gotten this to work. The only exception necessary was: ^([A-Za-z0-9.-]*\.)?scdn\.co/? for HTTPS decryption.
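Before committing an exception pattern like the one above, it helps to run it against the hosts actually seen in the web log (the FQDN table earlier in the thread) and confirm both that it covers what it should and that it covers nothing else. The script below is an added example, not from this thread or from Sophos; it assumes the firewall applies the exception regex to the URL with the scheme stripped (host followed by path), which is what the trailing `/?` in the posted pattern suggests. Besides the posted `scdn.co` pattern it shows a host-boundary-anchored variant, since `scdn\.co/?` without an end anchor also matches a constructed look-alike such as `scdn.co.example.net`.

```python
import re

# Constructed sample of scheme-less URLs: hosts from the thread's FQDN table
# plus a few constructed ones (CDN host, apex, look-alike, unrelated host).
OBSERVED_URLS = [
    "open.spotify.com/",
    "api.spotify.com/v1/me",
    "spclient.wg.spotify.com/",
    "gew-dealer-ssl.spotify.com/",
    "i.scdn.co/image/ab12",           # constructed CDN URL
    "scdn.co/",                       # constructed apex domain
    "scdn.co.example.net/",           # constructed look-alike: must stay decrypted
    "cdn.example.org/player.js",      # constructed unrelated host
]

# The pattern posted in the thread, plus a spotify.com pattern in the same form.
THREAD_PATTERNS = {
    "scdn.co": r"^([A-Za-z0-9.-]*\.)?scdn\.co/?",
    "spotify.com": r"^([A-Za-z0-9.-]*\.)?spotify\.com/?",
}

# Same patterns with the host boundary anchored: the domain must be followed by
# either the path separator or the end of the string, so "scdn.co.<other>" fails.
ANCHORED_PATTERNS = {
    "scdn.co": r"^([A-Za-z0-9.-]*\.)?scdn\.co(?:/|$)",
    "spotify.com": r"^([A-Za-z0-9.-]*\.)?spotify\.com(?:/|$)",
}


def classify(urls, patterns):
    """Map each URL to the name of the first exception pattern that matches it, or None."""
    compiled = [(name, re.compile(pat)) for name, pat in patterns.items()]
    result = {}
    for url in urls:
        result[url] = next((name for name, rx in compiled if rx.match(url)), None)
    return result


def still_decrypted(urls, patterns):
    """URLs no exception covers: these will still be decrypted and scanned."""
    return [url for url, hit in classify(urls, patterns).items() if hit is None]


if __name__ == "__main__":
    for label, pats in (("thread", THREAD_PATTERNS), ("anchored", ANCHORED_PATTERNS)):
        print(f"--- {label} patterns ---")
        for url, hit in classify(OBSERVED_URLS, pats).items():
            print(f"{url:32} -> {hit or 'decrypted'}")
```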