Windows store S370

cwhite008
Level 1

Hi All

I have an S370 web security appliance. I have users that are trying to connect to the Windows Store to download apps. I have read about a couple of ways to get around this, but what is the correct way to allow this, as I do not want to just bypass the device for all the sites?

Thanks

 


babiojd01
Level 1

What mode is your WSA running in? Full or Cloud connector?

Certain applications do not like man-in-the-middle decryption. If you are using transparent proxy then you need to bypass many Microsoft subnets. I use Microsoft Network Monitor 3.4 to see what IP addresses an app or process is trying to connect to. I then take these IP addresses and review them in http://bgp.he.net to see what subnets they are a part of and bypass them. The majority of the time it will use random IPs from that subnet so I add the entire thing. If you are using cloud connector mode you can create a policy to not decrypt the Microsoft IP addresses or you can bypass them with a deny statement on your WCCP redirection ACL. If you create a policy in the cloud they still have to get routed to the cloud so there is potential for breaking along the way there. If you are using full WSA proxy mode then I believe there is a way to not decrypt those IP addresses inside its config. Or again you can add them to the deny list in your WCCP traffic ACL.

Handy Putra
Cisco Employee

Also please note that when downloading apps from Windows Store, Windows is using a rangerequestdownload method that will send the downloaded file in multiple chunks instead of 1 full download file.

By default this method is disabled in WSA due to security: when this function is enabled, the appliance is only getting a small piece of the file at a time, so it is unlikely that a scan will catch any embedded viruses/malware.

Also, this function is a global setting, therefore it will affect all download actions.

The command is in the CLI/SSH of the appliance; type 'rangerequestdownload'.

The other way to allow rangerequestdownload in the appliance only for a specific destination is to create a custom URL category for the destination servers, such as .microsoft.com for example, include it in the policy and set it to "ALLOW" instead of 'monitor'; it will then bypass the scanning only for Microsoft traffic and it will honour the range request download method.
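The scanning gap described in the reply above, as an added example that is not part of the original thread and not WSA code: a constructed file body is fetched in range-sized chunks, and a toy substring scanner (an assumption standing in for a real scanning engine) is run over the whole file, over each chunk alone, and over chunks with an overlap carry. The marker, function names and chunk size are all made up for illustration.

```python
"""Why scanning HTTP range responses one chunk at a time can miss content."""

SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"  # constructed marker, not a real pattern


def byte_ranges(total_len, chunk_size):
    """Yield inclusive (first, last) offsets, as in 'Range: bytes=first-last'."""
    for first in range(0, total_len, chunk_size):
        yield first, min(first + chunk_size, total_len) - 1


def scan(buf):
    """Toy scanner: plain substring match (assumed stand-in for a real engine)."""
    return SIGNATURE in buf


def scan_chunks_independently(body, chunk_size):
    """Scan each partial response body on its own, with no memory between them."""
    return any(scan(body[a:b + 1]) for a, b in byte_ranges(len(body), chunk_size))


def scan_chunks_with_carry(body, chunk_size):
    """Keep the last len(SIGNATURE)-1 bytes so a match straddling a boundary is seen.
    Only possible when chunks arrive in order and can be correlated to one file."""
    tail = b""
    for a, b in byte_ranges(len(body), chunk_size):
        window = tail + body[a:b + 1]
        if scan(window):
            return True
        tail = window[-(len(SIGNATURE) - 1):]
    return False


def build_sample(chunk_size):
    """Constructed body with the marker straddling the first chunk boundary."""
    pad = chunk_size - len(SIGNATURE) // 2
    return b"A" * pad + SIGNATURE + b"B" * 100


if __name__ == "__main__":
    size = 64
    body = build_sample(size)
    print("whole file     :", scan(body))
    print("per chunk      :", scan_chunks_independently(body, size))
    print("chunks + carry :", scan_chunks_with_carry(body, size))
```
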

 

To follow up on Handy's comment, DON'T chase the WCCP stuff... Way too much work, AND the next guy that looks at it will say WHY IS THIS MESS HERE....

Do 2 things:

1. Turn on RangeRequestDownload

2. Create a custom URL category

Add the following sites: .apps.microsoft.com, .office365.com, .ws.microsoft.com, apps.microsoft.com, aq.v4.a.dl.ws.microsoft.com, crl.microsoft.com, watson.telemetry.microsoft.com, www.download.windowsupdate.com

Set this category to PASS THROUGH in the Decryption Policies.

Depending on how your auth stuff is set up, you may want to create an Identity Profile that is exempt from Authentication and add this custom category.  (the store application doesn't handle web authentication).

 

 

 

 

The "add the following sites" will work for standard HTTP, but what about SSL? If it's a transparent proxy it doesn't see the host names.

That will work for SSL; the URL request isn't encrypted in the initial conversation setup, and the WSA tracks which connections are which URL...