Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

RCS with iOS18

Hi All, Anyone else having issues with iOS18 devices connect to Sophos FW with Web Filtering set to 'Default Policy' and unable to send RCS messages to Android devices?

As soon as i turn off Wifi and force cell service, RCS works

As soon as i disable Web Policy, RCS works.

I am unable to see anything being blocked in LogViewer 'Web Filter'

Any suggestions?

Thanks

Mike



Edited TAGs
[edited by: Erick Jan at 3:31 AM (GMT -7) on 3 Oct 2024]
Parents
  • I do not have the equipment to test this myself so I am asking those who have this problem to attempt and reply back.


    RCS uses both port :443 and :5223.

    This problem is only observed when using the web proxy.  One possible cause is pharming protection, which can change the destination ip address.  In the sample log that I have seen the :443 and :5223 connections ended up going to different servers due to pharming protection.



    Solution 1) NOT CONFIRMED
    Go to Webadmin > Web > General Settings > Advanced Settings
    Turn off Pharming Protection.
    Make sure the phone is fully closed all connections.  For example turn off cell data plan, disconnect from the wifi, exit the messaging application, turn on wifi.
    Then try RCS messaging again.  Please report findings here.
    If it does not help please return the setting before Solution 2.


    Solution 2)
    Go to Webadmin > Hosts and services > FQDN host.
    Add a FQDN wildcard host for *.telephony.goog
    Note that FQDN wildcards watch for DNS requests to fill up the list of IPs.  This can take 5-15 minutes depending on the clients dns caching.  In order to give maximum time, disconnect and reconnect the phone now.

    Make sure the phone is fully closed all connections.  For example turn off cell data plan, disconnect from the wifi, exit the messaging application, turn on wifi.

    Create a high level firewall rule. Source LAN Destination WAN with that *.telephony.goog network.
    Don't set anything in Web. It should go to DPI mode.

    Try again.

    Verify that the connection is now going through the new firewall rule and that it works.

    Note:  You may be able to go to Log Viewer > Web Filter. Find the the log for telephony.goog. Look at what fwid is to see if it used the new firewall rule.  If the IP is not caught by the *.telephony.goog FQDN Host you can try waiting, or you could add an additional FQDN host for the specific phone carrier FQDN.

    If it is using the correct rule and is going through DPI mode without working, and you have HTTPS decryption, add telephony.goog to your local TLS exclusion list.

Reply
  • I do not have the equipment to test this myself so I am asking those who have this problem to attempt and reply back.


    RCS uses both port :443 and :5223.

    This problem is only observed when using the web proxy.  One possible cause is pharming protection, which can change the destination ip address.  In the sample log that I have seen the :443 and :5223 connections ended up going to different servers due to pharming protection.



    Solution 1) NOT CONFIRMED
    Go to Webadmin > Web > General Settings > Advanced Settings
    Turn off Pharming Protection.
    Make sure the phone is fully closed all connections.  For example turn off cell data plan, disconnect from the wifi, exit the messaging application, turn on wifi.
    Then try RCS messaging again.  Please report findings here.
    If it does not help please return the setting before Solution 2.


    Solution 2)
    Go to Webadmin > Hosts and services > FQDN host.
    Add a FQDN wildcard host for *.telephony.goog
    Note that FQDN wildcards watch for DNS requests to fill up the list of IPs.  This can take 5-15 minutes depending on the clients dns caching.  In order to give maximum time, disconnect and reconnect the phone now.

    Make sure the phone is fully closed all connections.  For example turn off cell data plan, disconnect from the wifi, exit the messaging application, turn on wifi.

    Create a high level firewall rule. Source LAN Destination WAN with that *.telephony.goog network.
    Don't set anything in Web. It should go to DPI mode.

    Try again.

    Verify that the connection is now going through the new firewall rule and that it works.

    Note:  You may be able to go to Log Viewer > Web Filter. Find the the log for telephony.goog. Look at what fwid is to see if it used the new firewall rule.  If the IP is not caught by the *.telephony.goog FQDN Host you can try waiting, or you could add an additional FQDN host for the specific phone carrier FQDN.

    If it is using the correct rule and is going through DPI mode without working, and you have HTTPS decryption, add telephony.goog to your local TLS exclusion list.

Children