Web Exception - Apple Update and iCloud

We've already added these to Web Exception

^([A-Za-z0-9.-]*\.)?mzstatic\.com\.?/

^([A-Za-z0-9.-]*\.)?apple\.com\.?/

^([A-Za-z0-9.-]*\.)?icloud\.com\.?/

^([A-Za-z0-9.-]*\.)?cdn-apple\.com\.?/

And are these four necessary to allow Apple updates?

And also when you do Web Exception do you always check Https Decryption and Policy Checks?

We've checked the four...

Hi,

You also need to add exceptions from policy checks, HTTPS certificate validation.

I ended up creating a specific rule for all my apple devices that points at apple sites as well using the FQDN list.

Ian

Hi. How do you that FQDN in Firewall. Can you site an example?

rfcat_vk said:

Hi,

You also need to add exceptions from policy checks, HTTPS certificate validation.

I ended up creating a specific rule for all my apple devices that points at apple sites as well using the FQDN list.

Ian

Hi,

a warning this does not work in the IPv6 firewall rules.

the firewall rule screenshot is from V18 EAP3.

Ian

Hi,

a warning this does not work in the IPv6 firewall rules.

the firewall rule screenshot is from V18 EAP3.

Ian

This may sound absurd but why do we need to do this even if it is already added to web exception that has bypass to policy checks? It means this is also the reason why some of Office 365 apps deployed in my Windows devices such as Microsoft Teams app that are not working properly even if it is also added to web exception :'(

Hi,

a warning this does not work in the IPv6 firewall rules.

6013.Screen Shot 2020-02-03 at 10.23.17.png

8360.Screen Shot 2020-02-03 at 10.24.00.png

6177.Screen Shot 2020-02-03 at 10.24.47.png

the firewall rule screenshot is from V18 EAP3.

Ian

Not all of them are in your exception list. Also I found that the access seems to change from week to week. At one stage I had that rule disabled and relied on the exceptions, then there was an update possibly to XG policies that broke access to the Apple sites again so I had to re-enable the firewall rule.

Just going on my Apple device access issues and how I solved them for 2 iPhones, iPad and 2 MBPs, one with MS office.

Ian

Hi sir! I've opened a ticket to Sophos regarding this case. We've tried getting some log and tried packet capture.

To cut the story short, we have RETRANSMISSION issues.

Can you guys explain what does retransmission means?

And they've recommended to reduce the MSS size, how does it help us resolve the issue?

rfcat_vk said:

Not all of them are in your exception list. Also I found that the access seems to change from week to week. At one stage I had that rule disabled and relied on the exceptions, then there was an update possibly to XG policies that broke access to the Apple sites again so I had to re-enable the firewall rule.

Just going on my Apple device access issues and how I solved them for 2 iPhones, iPad and 2 MBPs, one with MS office.

Ian

They have asked us to put the MSS to 1280

Hi S023A 

Your screenshot, as you have stated, is from v18EAP refresh 3.  This is not supported as of yet via support.

You should check in with the correct forum here: https://community.sophos.com/products/xg-firewall/sfos-eap/sfos-v18-early-access-program/f/feedback-and-issues

I am on v17.5MR9 and have no issues updating my apple devices as long as the preconfigured web exception for apple is still enabled.  Below is a screenshot:

If I disable that web exception, nothing for Apple works.

Thanks.