[NC-51941] Netflix error

I have this problem also in EAP3.

Netflix works through app, e.g. ipad or TV, but does not work through PC or MAC browser, e.g. chrome or safari.

I tried MatthieuPares suggestion, but didnt work for me. (Perhaps there were additional tweaks MatthieuPares performed?)

I have this problem also in EAP3.

Netflix works through app, e.g. ipad or TV, but does not work through PC or MAC browser, e.g. chrome or safari.

I tried MatthieuPares suggestion, but didnt work for me. (Perhaps there were additional tweaks MatthieuPares performed?)

For now I use a workaround to ease the issue with Netflix.
For my TV i created a firewall rule using the web proxy rule 'Allow All'. This works for me.

But I hope this issue will officially be resolved with the new firmware version.

Hi everyone, I looking for more information on this. Ideally I'm looking for someone who can open a support tunnel and let me turn on some logging, have them reproduce so I can look at logs.  Please PM me.

Note: Due to conflicting requirements there is a known issue right now where the "use proxy instead of DPI mode" is sometimes not correctly followed when Web Policy is None. For the time being, please use Allow All instead of None to make sure you have consistent behavior.

I am most interested in any scenario where the proxy mode works but DPI mode does not.

If both proxy mode and DPI mode do not work and therefore this did not work in 17.5, then I am not concerned. If neither mode are working please use either of the two workarounds listed in this KB: community.sophos.com/.../125061

There are potentially several different issues:
1) When starting a video, nothing plays at all. This is most likely the known and normal issue resolved with the workaround in KB125061.
2) Videos play but after some point in time they stop working. This is a new issue that I want to know more about.
3) HTTP Pipeline requests. These are not supported, but not much used. It is possible that we logged it although it is not actually a pipelined request, which is why I want to have full logging on.

Thank you all very much for your help, with a special thanks to  TheBalmasque, who was able to produce the detailed logs that we needed.

Netflix is using pipelined requests which are not supported by DPI mode. A pipelined request is where the client opens one connection, sends a request and then sends a second request before the reply to the first response arrives. It is not used very often because of poor support and no performance gain when it is supported, and is disabled by default in browsers.

See here for more information:
stackoverflow.com/.../why-is-pipelining-disabled-in-modern-browsers

HTTP pipelines are supported within the traditional web proxy because it does head-of-line blocking, which de-pipelines and forces the requests in order.   That means the pipeline doesn't get any performance gain, which is why no one uses pipelining.  Except apparently Netflix.

While Sophos is working on a long term solution I have three workarounds. As I don't have an environment that has this error, I would like to ask the EAP community to test them. That also gives us a wide set of environments and devices.

1) Create a firewall rule with destination network "Netflix" that does not have any Web policy or AV scan. ATP globally is off. This is the same has KB125061 (solution 1) but with ATP off.

2) Create a firewall rule with destination network "Netflix" that has Web policy=Allow All, do not scan for malware, use proxy. This is the same has KB125061 (solution 1) but with Web policy Allow All and using the web proxy.

3) Have existing firewall rules, that are Use Proxy. Create AV exceptions as per the KB. This is the same as KB125061 (solution 2) just making sure that it uses the web proxy.

If you have a TV and you don't care about malware scanning any traffic on that device you can use Solution 1 or 2 specifying your TV as the source network instead of the Netflix destination.

Please let me your results.