cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4137
Views
6
Helpful
15
Replies
Highlighted
Beginner

Adobe Creative Cloud application installs fail when going through our Ironport web content filters

As the title says, when our users try to install Adobe applications via the new (and execrable) Creative Cloud software subscription service, those installs and updates fail when going through our Ironports with a lovely "download appears corrupted" message.

We're using WCCP on our core routers to redirect web traffic through the S370 proxies. When I exempt those users from web redirection (via the access list that controls wccp on those routers), the installs work correctly.

One of the frustrating parts of this problem is that none of the requests appear to be blocked. If I can trust the Creative Cloud app's progress bar, the application is completely downloaded and just starts to be extracted when the error occurs.

I did a packet capture on a client when the installation failed, but I didn't find anything particularly enlightening there.

Any suggestions would be most welcome.

15 REPLIES 15
Highlighted
Cisco Employee

Hi,

Adobe is using a range request download method for its download and by default this method has been disabled in WSA due to security purpose.

You can enable this option from the CLI of WSA by issuing command rangerequestdownload and enable this.

Please note that this option is a global setting therefore it will effect the appliance globally and also if you enable this setting there might be some security risks where when WSA is getting the files in chunks instead of full size of file (the behaviour of range request download protocol), WSA scanning engine might not be able to perform scanning on them due to small size of files (due to per chunks)

Another way to get around this is to create custom URL category for the whole domains and subdomains of adobe: ".adobe.com" and set it to "Allow" instead of "Monitor".

By setting to "Allow" this will bypass the scanning all together and simply allowing the traffics, therefore WSA will not inspect the range request download protocol/method that adobe is using.

Content for Community-Ad