"FaceTime unavailable" message appears when trying to make a call via WSS

Article ID: 207182

Products

Web Security Service - WSS

Issue/Introduction

IPsec tunnel into WSS

Guest users in the environment connect to a Wi-Fi access point, and traffic is then tunneled into WSS via IPsec tunnels

All Web traffic works fine, but FaceTime and iMessage appear to fail

iMessages are never delivered to the recipient

FaceTime calls start but the receiver never sees the call

"FaceTime unavailable" message eventually appears on the transmitter side

Cause

Apple uses both TCP 443 (control path) and TCP 5223 (data path) for both of these applications

TCP 5223 expects a successful mutual X.509 authentication by both parties

When going through WSS, this X.509 authentication does not complete successfully

Resolution

1. Make sure the following CPL is applied for the tenant:

; Disable protocol detection on TCP 5223 so the proxy does not intercept the TLS handshake
<proxy>
condition=Non_standard_ports detect_protocol(none)

define condition Non_standard_ports
   proxy.port=5223
end

2. Make sure that the HTTP port and protocol restrictions do not apply only to Web protocols.

Additional Information

PCAPs of the requests will show that the server certificate returned to the iOS device is the WSS certificate and not Apple's

PCAPs will also show that the SSL mutual X.509 handshake failed to complete successfully
