Domains you’ve had to add to “Local TLS exclusion list”

I'm glad to see Sophos has a “Managed TLS exclusion list” for exclusion from SSL/TLS inspection. There are obviously still websites/apps we will find that have issues, but I'm not sure what the formal way is to submit those domains. I figure maybe this thread would be a good way for folks to share. This assumes:


1. You’re using the “Managed TLS exclusion list” in the default “Exclusions by website or category” SSL/TLS inspection rule.
2. You’re using the “Maximum Compatibility” Decryption profile in your SSL/TLS inspection rule.
3. You’ve verified TLS 1.3 decryption isn’t the issue (i.e. tried with “Downgrade to TLS 1.2 and decrypt” setting).

Domain - App Type (e.g. mobile app, website, etc.)

instagram.com - Instagram iOS app
facebook.com - Facebook iOS app
fbcdn.net - Loading of media in Facebook iOS app
nest.com - Nest iOS app
ecobee.com - Ecobee iOS app
ring.com - Ring iOS app
cujo.io - Cujo iOS app
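One way to confirm whether a domain is actually being decrypted or is hitting the exclusion list, added here as an example and not code from the original post or from Sophos: it connects from a client behind the firewall and reports the negotiated TLS version (useful for assumption 3) and whether the leaf certificate was issued by the firewall's DPI signing CA. It assumes that CA is installed in the client's trust store and that you pass its commonName on the command line.

```python
import socket
import ssl


def dn_to_dict(dn):
    """Flatten a getpeercert() distinguished name (a tuple of RDNs, each a
    tuple of (attribute, value) pairs) into a plain dict."""
    out = {}
    for rdn in dn:
        for attr, value in rdn:
            out[attr] = value
    return out


def is_resigned(issuer_dn, inspection_ca_cn):
    """True when the leaf was issued by the firewall's inspection CA, i.e.
    the connection is being decrypted rather than excluded."""
    return dn_to_dict(issuer_dn).get("commonName") == inspection_ca_cn


def probe(host, inspection_ca_cn, port=443, timeout=5.0):
    """Connect to host and report the negotiated TLS version, the leaf
    issuer CN, and whether that issuer is the inspection CA.  The default
    context validates against the system trust store, so the DPI CA must be
    installed there (as on a managed client) for a decrypted session to
    complete; a handshake failure on a host you expected to be excluded is
    itself worth noting."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "host": host,
                "tls_version": tls.version(),
                "issuer_cn": dn_to_dict(cert["issuer"]).get("commonName"),
                "decrypted": is_resigned(cert["issuer"], inspection_ca_cn),
            }


if __name__ == "__main__":
    import sys

    ca_cn = sys.argv[1]  # commonName of the firewall's DPI signing CA (assumed)
    for host in sys.argv[2:]:
        try:
            print(probe(host, ca_cn))
        except (OSError, ssl.SSLError) as err:
            print(f"{host}: handshake failed: {err}")
```

Run it once with a domain you know is on the Managed TLS exclusion list and once with one that is not; the "decrypted" flag should differ, which tells you whether a local exclusion you added is actually taking effect.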

  • Hi Shred,

    I found facebook was being blocked by my application filter not by DPI. For the moment I have allow all in the application filter setting.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I've added quite a few over time. Even if it gives some insights about some apps and IoT devices I'm using and other information - I post the list here (without bigger explanation...) - hope it helps some others to get some stuff working


  • You added all these to the TLS exclusion list? Might as well turn decryption off, lol.

    What's wrong with google.com, emirates, and all those Microsoft domains? Works just fine with SSL/TLS DPI Decryption on.

  • Bjoern Freiherr said:

    You added all these to the TLS exclusion list? Might as well turn decryption off, lol.

    What's wrong with google.com, emirates, and all those Microsoft domains? Works just fine with SSL/TLS DPI Decryption on.

    Have you taken a look at the “Managed TLS exclusion list”? There’s quite a few domains on there, to include some Microsoft domains.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • Yep, but they are specific subdomains with issues and the list is updated automatically, so no reason to add them again manually or list a bunch of first level domains. Just wondering if the huge list that was posted was really meant for this. I haven't encountered many issues with TLS decryption yet.
