
Windows 10 and OneDrive

Hi all,

has anyone got the OneDrive client working on W10. It's fine via a browser but I'd like it to work using the W10 client so users can sync etc. This works fine if we revert back to our Fortinet proxy.

Regards

Will

  • A bit more info: I should have mentioned we're using SSL inspection. If I disable SSL inspection it all works OK.

     

    I've added the following HTTPS scanning exemptions and can now upload to OneDrive but not download.

     

    gateway.messenger.live.com
    device.ra.live.com
    live.com
    live.net
    login.live.com
    loginnet.passport.com
    microsoft.com
    msn.com
    onedrive.com
    onedrive.live.com
    outlook.live.com

  • Just as a note, normally only web browser traffic should be sent through the appliance. Applications cannot be supported because there is no way to guarantee they conform with RFC compliance.

    There are a couple of things you could try, and a few known issues when dealing with applications.

     

    #1 Generally you cannot push out the appliance certificate to an application, so if the application does not accept that certificate it will not work.

    #2 Some applications (mainly banking atm) use HSTS (you can google it), but in short: the application is built around a certificate. It understands that when it makes a request to call home it "expects" a specific certificate. If it fails to get it, or gets another certificate in its place, it halts the application as it assumes it's a MITM attack.

    #3 Applications may do authentication on different ports. By default the SWA only understands 2 ports, 80 and 443. If you are able to Wireshark the application and see it connecting on port 1234 to site xyz.com, you could "make" the appliance understand that port by adding a local site list entry: abc.com:1234

    #4 Depending on the application, you could make a connection profile based on its user agent string, then allow it to specific sites and bypass authentication.

    #5 Loosen your local site list entries, i.e. abc.com refers to the entire domain whereas abc.com/123 is only that one address. So applications that pull content from an unspecified CDN may be blocked.

    #6 Chances are you're missing a CDN or other back end server from the HTTPS scanning exemptions. Wireshark the application and add them systematically to the HTTPS exclusions. I recommend using the abc.com format until you can narrow down the exact URL.

     

    If you are not able to use Wireshark, I recommend setting up a syslog server and configuring the appliance to log the sophos_log to it. Then you can test and see every request; granted, if the application makes an illegal request or another request to another port this may not help.

    refer here for the log break down: wsa.sophos.com/.../index.html

     

    Ideally the best solution is to bypass the traffic from your redirection policy, but some of the above may "force" the application to work through the appliance. Ultimately the appliance enforces user web traffic and there is no need to police traffic from a workstation application.

  • Thanks for replying.

     

    This is now resolved. I transferred the logs to a syslog server and it showed errors against some additional hosts. These were 1drv.com and livefilestore.com; once excluded from HTTPS scanning, OneDrive started working.

     

    I'm not really sure how you would restrict proxy traffic to browsers; there are numerous apps which use the proxy config from the system settings, especially in W10. We use a PAC file to redirect some traffic but don't allow clients direct access to the internet.

     

    Many thanks again

     

    Will
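As an added example (written for this page, not code from the thread or from the appliance vendor), the script below automates the workflow the second post describes and the resolution above confirms: take the exported log, pick out hosts whose HTTPS inspection failed, check each against the existing exemption list using the local-site-list semantics from #5 (abc.com covers the whole domain, abc.com/123 only that one address, abc.com:1234 a non-standard port per #3), and suggest domain-form entries for whatever is still uncovered. The log line format, the result codes and the hostnames in the sample are constructed for this example; the real sophos_log layout is different (see the vendor's log breakdown) and `LOG_RE` would need adapting to it. The exemption list is the one posted earlier in the thread.

```python
"""Triage HTTPS-inspection exemptions against proxy log lines.

Added example, not part of the original thread. LOG_RE, SAMPLE_LOG and
the result codes are a constructed, hypothetical format.
"""
import re
from urllib.parse import urlsplit

# Exemptions as posted in the thread (domain form: host plus all subdomains).
EXEMPTIONS = [
    "gateway.messenger.live.com", "device.ra.live.com", "live.com", "live.net",
    "login.live.com", "loginnet.passport.com", "microsoft.com", "msn.com",
    "onedrive.com", "onedrive.live.com", "outlook.live.com",
]

# Constructed sample log (hypothetical layout: time client method url port result=...).
SAMPLE_LOG = """\
2015-10-01T09:12:01 10.0.0.15 CONNECT https://onedrive.live.com/ 443 result=ok
2015-10-01T09:12:02 10.0.0.15 CONNECT https://login.live.com/ 443 result=ok
2015-10-01T09:12:03 10.0.0.15 CONNECT https://1drv.com/ 443 result=tls_error
2015-10-01T09:12:04 10.0.0.15 CONNECT https://files.storage.live.com/ 443 result=ok
2015-10-01T09:12:05 10.0.0.15 CONNECT https://x1abc.files.1drv.com/ 443 result=tls_error
2015-10-01T09:12:06 10.0.0.15 CONNECT https://h9lmpa.dm1.livefilestore.com/ 443 result=tls_error
2015-10-01T09:12:07 10.0.0.15 CONNECT https://example.net:8443/auth 8443 result=denied
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<port>\d+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Yield one dict per line matching the constructed LOG_RE format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            yield rec


def parse_entry(entry):
    """Split a site-list entry into (host, port or None, path or None)."""
    hostport, _, path = entry.partition("/")
    host, _, port = hostport.partition(":")
    return host.lower(), (int(port) if port else None), ("/" + path if path else None)


def entry_covers(entry, host, port, path):
    """Local-site-list semantics from the thread:
    'abc.com'      -> abc.com and every subdomain
    'abc.com/123'  -> only that exact host and path
    'abc.com:1234' -> that host (and subdomains) on port 1234 only
    """
    e_host, e_port, e_path = parse_entry(entry)
    host = host.lower()
    if e_port is not None and e_port != port:
        return False
    if e_path is not None:
        return host == e_host and path == e_path
    return host == e_host or host.endswith("." + e_host)


def is_covered(host, port, path, exemptions):
    return any(entry_covers(e, host, port, path) for e in exemptions)


def base_domain(host):
    """Naive registrable domain (last two labels); no public-suffix list,
    so entries like example.co.uk still need a manual check."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suggest_exemptions(log_text, exemptions, failures=("tls_error",)):
    """Domain-form entries for hosts that failed inspection and are not yet
    covered, following the thread's advice to start broad (abc.com) and
    narrow to an exact URL later."""
    missing = set()
    for rec in parse_log(log_text):
        if rec["result"] not in failures:
            continue
        u = urlsplit(rec["url"])
        host, path = (u.hostname or ""), (u.path or "/")
        if not is_covered(host, rec["port"], path, exemptions):
            missing.add(base_domain(host))
    return sorted(missing)


def non_standard_ports(log_text):
    """host:port entries for traffic on ports other than 80/443 (#3)."""
    seen = {f"{urlsplit(r['url']).hostname}:{r['port']}"
            for r in parse_log(log_text) if r["port"] not in (80, 443)}
    return sorted(seen)


if __name__ == "__main__":
    print("add to HTTPS scanning exemptions:", suggest_exemptions(SAMPLE_LOG, EXEMPTIONS))
    print("non-standard ports seen:", non_standard_ports(SAMPLE_LOG))
```

Run against the real export, the two lists printed are what you would feed back into the exemption list and the local site list respectively; rerun after each addition until the first list is empty, which is the "add them systematically" loop from the second post.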