Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 1 subscriber
  • Views 21277 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SophosUTM9 Blocking Apple desktop iMessage

smgastaroID
I am running SophosUTM9 Home Edition (Firmware version:9.309-3). I am unable to get Apple iMessage working on desktop Macs. iMessage works fine on iOS devices. It is definitely Web Filtering. When I disable Web Filtering iMessage works fine. I checked the Live Log but unable to get it working. Has anyone experienced this issue? I searched other post but unable to find a solution. Thanks![:S]


This thread was automatically locked due to age.
Parents
  • 0
    William, can you tell me what IP address courier.push.apple.com resolves to, and why you believe this is a dns performance issue?
  • 0 in reply to Michael Dunn
    William, can you tell me what IP address courier.push.apple.com resolves to, and why you believe this is a dns performance issue?


    I cannot go into anymore detail in public sorry.  Using ip addys will not help as cdn usage is high.  If you have httos decrypt and scan in tey turning that off.  If not goiglr quickregex and have it build a regex exception for app kk e.com and all subdomains.  put that into webfilter excepti ok ns and check every box.  Let us know if that helps.

    Owner:  Emmanuel Technology Consulting

    http://etc-md.com

    Former Sophos SG(Astaro) advocate/researcher/Silver Partner

    PfSense w/Suricata, ntopng, 

    Other addons to follow

  • 0 in reply to William Warren
    The issue appears to be that the UTM is unable to resolve courier.push.apple.com in DNS, through no fault of its own:

    Request URL: http://courier.push.apple.com/
    Request Time: 16 Jul, 14:08 (EDT)
    Result: Blocked
    Reason: Host not found
    Policy name: Base Policy
    Exceptions: Apple Update, Apple HTTPS



    Our UTM is configured to forward DNS requests to our internal DNS servers, which also cannot resolve the name:

    C:\>nslookup courier.push.apple.com
    Server:  pghpitspwdmc001.-.com
    Address:  172.16.-.-

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to pghpitspwdmc001.-.com timed-out



    Our internal DNS servers are configured to forward requests to Google's public DNS servers, which result in a circular DNS reference:

    C:\>nslookup courier.push.apple.com 8.8.8.8
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    Name:    courier.push.apple.com



    Because the UTM is unable to resolve the URI to an IP, it blocks the traffic, even though I added an exception for the URL.

    The traffic is permitted if I enable TCP 5223 traffic outbound, but that would permit all XMPP clients, which is something we don't want to do.

    With TCP 5223 disabled outbound, iMessage continued to function, until we enabled URL filtering last week.  The iMessage log shows it failing back to HTTPS when TCP 5223 fails.

    Is there a way to permit traffic through the URL filter (and respect configured exceptions) even if it can't resolve DNS for the destination?
Reply
  • 0 in reply to William Warren
    The issue appears to be that the UTM is unable to resolve courier.push.apple.com in DNS, through no fault of its own:

    Request URL: http://courier.push.apple.com/
    Request Time: 16 Jul, 14:08 (EDT)
    Result: Blocked
    Reason: Host not found
    Policy name: Base Policy
    Exceptions: Apple Update, Apple HTTPS



    Our UTM is configured to forward DNS requests to our internal DNS servers, which also cannot resolve the name:

    C:\>nslookup courier.push.apple.com
    Server:  pghpitspwdmc001.-.com
    Address:  172.16.-.-

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to pghpitspwdmc001.-.com timed-out



    Our internal DNS servers are configured to forward requests to Google's public DNS servers, which result in a circular DNS reference:

    C:\>nslookup courier.push.apple.com 8.8.8.8
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8

    Non-authoritative answer:
    Name:    courier.push.apple.com



    Because the UTM is unable to resolve the URI to an IP, it blocks the traffic, even though I added an exception for the URL.

    The traffic is permitted if I enable TCP 5223 traffic outbound, but that would permit all XMPP clients, which is something we don't want to do.

    With TCP 5223 disabled outbound, iMessage continued to function, until we enabled URL filtering last week.  The iMessage log shows it failing back to HTTPS when TCP 5223 fails.

    Is there a way to permit traffic through the URL filter (and respect configured exceptions) even if it can't resolve DNS for the destination?
Children
No Data
Unfiltered HTML