SSL Inspection Issues with applications


Postby nasrzg » Jan 28 17 11:52 pm

I have bought a WinGate v.9.0.3 Enterprise license
and I'm facing lots of problems with phone applications when enabling SSL inspection.

Facebook, Skype, Messenger, Viber, WhatsApp... applications don't work.

Even though it's not your clients' job to whitelist the servers these applications access,
I have tried to whitelist them but with no luck.

If you are sure that this issue can be solved by a policy, then please upload it for your clients to download it.

This is a serious problem that needs your immediate attention.

Thank you
nasrzg
 
Posts: 7
Joined: Dec 20 16 1:05 am

Re: SSL Inspection Issues with applications

Postby adrien » Jan 29 17 9:59 am

Hi

Even though apps use HTTPS, in contrast to the web-based version, more apps are choosing to prevent HTTPS inspection, and they can do this because the site owner controls the app and so can bake their site certs (or thumbprints) into it.

It's also common for the apps to actually access the sites via different URLs than a browser website would use, e.g. a mobile API endpoint.

I can (and will) upload a policy for this, but you've basically already done it.

Are you seeing the policy getting hit by the client requests? Refresh the policy and it should show hit counts on each item and colour in the path the requests take through the policy.

After the policy the main thing is how and what to match.

Definitely match on Request.Server. With HTTPS there's no full URL until after inspection is set up. That event (ConnectRequest) relates to the CONNECT request that the browser (or app) uses to set up a tunnel to a server, and so there's no real URL anyway, just the server:port requested.

Then it's just a matter of finding which servers you need in the list.

Regards

Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland

Re: SSL Inspection Issues with applications

Postby adrien » Jan 29 17 10:24 am

Here's the policy we use.

http://www.wingate.com/downloads/sample_policies/Web%20SSL%20connect%20handler.wgpolicy

Here are some screens of the values we use in the policy and data lists. We use a global data list to store the sites that won't be inspected.

[Image: SSL_policy.png, caption: policy]

[Image: check_site.png, caption: no_inspect_site]

[Image: SSL_whitelist.png, caption: SSL_whitelist]


Adrien
adrien
Qbik Staff
 
Posts: 5441
Joined: Sep 03 03 2:54 pm
Location: Auckland
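
The two replies above describe matching on the server named in the CONNECT request and keeping a data list of sites that won't be inspected. The following Python sketch is an added example, not part of the thread and not WinGate policy syntax or Qbik code; the function names and list entries are hypothetical. It shows that only host:port is available at that stage, and that wildcard entries should match on a whole-label boundary so a lookalike host does not escape inspection.

```python
import ipaddress

# Constructed entries standing in for a "no inspect" data list (assumption;
# these are not the values shown in the thread's screenshots).
NO_INSPECT = ["*.example-messenger.test", "api.example-chat.test"]

def parse_connect(request_line):
    """Return (host, port) from 'CONNECT host:port HTTP/1.1', else None."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0].upper() != "CONNECT":
        return None
    authority = parts[1]
    if authority.startswith("["):              # IPv6 literal: [addr]:port
        host, sep, port = authority[1:].partition("]:")
    else:
        host, sep, port = authority.rpartition(":")
    if not sep or not host or not port.isdecimal():
        return None
    if not 0 < int(port) < 65536:
        return None
    return host.lower().rstrip("."), int(port)

def is_bypassed(host, patterns=NO_INSPECT):
    """True on an exact match, or a '*.' entry matched at a label boundary."""
    try:
        ipaddress.ip_address(host)
        is_ip = True                           # wildcards never apply to IPs
    except ValueError:
        is_ip = False
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            # pat[1:] keeps the leading dot, so 'evilexample-...' cannot match;
            # the bare apex needs its own exact entry.
            if not is_ip and host.endswith(pat[1:]):
                return True
        elif host == pat:
            return True
    return False

def decide(request_line):
    """Model of the decision: 'tunnel' (no inspection), 'inspect' or 'reject'."""
    parsed = parse_connect(request_line)
    if parsed is None:
        return "reject"
    return "tunnel" if is_bypassed(parsed[0]) else "inspect"
```
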

