Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6151
Views
6
Helpful
15
Replies

Adobe Creative Cloud application installs fail when going through our Ironport web content filters

Stafford Rau
Level 1
Level 1

‎09-11-2014 05:36 PM

As the title says, when our users try to install Adobe applications via the new (and execrable) Creative Cloud software subscription service, those installs and updates fail when going through our Ironports with a lovely "download appears corrupted" message.

We're using WCCP on our core routers to redirect web traffic through the S370 proxies. When I exempt those users from web redirection (via the access list that controls wccp on those routers), the installs work correctly.

One of the frustrating parts of this problem is that none of the requests appear to be blocked. If I can trust the Creative Cloud app's progress bar, the application is completely downloaded and just starts to be extracted when the error occurs.

I did a packet capture on a client when the installation failed, but I didn't find anything particularly enlightening there.

Any suggestions would be most welcome.

6 people had this problem
Labels:
0 Helpful
15 Replies 15

Handy Putra
Cisco Employee
Cisco Employee

‎04-09-2015 03:48 PM

Hi,

Adobe is using a range request download method for its download and by default this method has been disabled in WSA due to security purpose.

You can enable this option from the CLI of WSA by issuing command rangerequestdownload and enable this.

Please note that this option is a global setting therefore it will effect the appliance globally and also if you enable this setting there might be some security risks where when WSA is getting the files in chunks instead of full size of file (the behaviour of range request download protocol), WSA scanning engine might not be able to perform scanning on them due to small size of files (due to per chunks)

Another way to get around this is to create custom URL category for the whole domains and subdomains of adobe: ".adobe.com" and set it to "Allow" instead of "Monitor".

By setting to "Allow" this will bypass the scanning all together and simply allowing the traffics, therefore WSA will not inspect the range request download protocol/method that adobe is using.

0 Helpful
Customers Also Viewed These Support Documents