Users accessing internet using WSS Agent v6 via SEP NTR tunnel mode
All applications seem to work fine, yet the installations of Adobe Creative Cloud desktop Application are failing to update.
"Installation failed" message reported back to users as shown below
WSS HTTP logs for the user indicate policy_denied and connect_method_denied verdicts for some domains
Little to no documentation online about how Adobe CC works with a proxy (bypasses required, SSL inspection exclusions required, etc)
WSS agent
Adobe Creative Cloud desktop App
Need to allow users access a large number of undocumented domains for the Adobe Creative Cloud desktop App to get updated - if any of these are blocked, the upgrade will fail.
Using a combination of the following resources (https://helpx.adobe.com/enterprise/kb/network-endpoints.html and https://helgeklein.com/blog/adobe-acrobat-photoshop-network-connection-target-hosts/) and Fiddler / WSS HTTP logs, the following list of domains should be accessible for users when trying to update any Application from the Adobe Creative Cloud desktop Application suite. Adding this addressed all update issues.
scss.adobesc.com
adobelogin.com
ftcdn.net
a5.behance.net
connect.ffc.adobeoobe.com
download.macromedia.com
adobeccstatic.com
aws.adobess.com
adobeid-na1.services.adobe.com
agsupdate.adobe.com
ans.oobesaas.adobe.com
ars.oobesaas.adobe.com
auth.services.adobe.com
cc-cdn.adobe.com
cclibraries-defaults-cdn.adobe.com
ccmdls.adobe.com
cdn-ffc.oobesaas.adobe.com
client.messaging.adobe.com
crlog-crcn.adobe.com
crs.cr.adobe.com
cvs.adobe.com
genuine.adobe.com
geo2.adobe.com
hbrcv.adobe.com
helpx.adobe.com
na1e-acc.services.adobe.com
odin.adobe.com
prod-rel-ffc-ccm.oobesaas.adobe.com
server.messaging.adobe.com
ui.messaging.adobe.com
utut-service.adobe.com
acp-ss-ew1.adobe.io
adobesearch.adobe.io
byof.adobe.io
cc-api-behance.adobe.io
cc-api-data.adobe.io
cc-api-storage.adobe.io
cc-collab.adobe.io
ccext-public.adobe.io
ccext.adobe.io
cchome.adobe.io
cctypekit.adobe.io
lcs-cops.adobe.io
lcs-ulecs.adobe.io
libraries.adobe.io
notify.adobe.io
p13n.adobe.io
platform-cs.adobe.io
senseimds.adobe.io
stock.adobe.io
data.typekit.net
faster.typekit.net
state.typekit.net
use.typekit.net
polka.typekit.com
symcb.com
symcd.com
ccext.adobe.io
ccext-public.adobe.io
ccext-cdn.adobecces.com
cc-collab.adobe.io
platform-cs.adobe.io
acp-ss-ew1.adobe.io
cc-api-storage.adobe.io
helpx.adobe.com
use.typekit.net
polka.typekit.com
adobeid-na1.services.adobe.com
a5.behance.net
as1.ftcdn.net
as2.ftcdn.net
lcs-cops.adobe.io
genuine.adobe.com
ims-prod06.adobelogin.com
ims-prod07.adobelogin.com
na1e-acc.services.adobe.com
auth.services.adobe.com
ccmdls.adobe.com
ccmdl.adobe.com
ans.oobesaas.adobe.com
ars.oobesaas.adobe.com
cdn-ffc.oobesaas.adobe.com
prod-rel-ffc-ccm.oobesaas.adobe.com"
cdn-ffc.oobesaas.adobe.com
agsupdate.adobe.com
data.typekit.net
state.typekit.net
polka.typekit.net
dnzuu5synxxfk.cloudfront.net
d32a1iuc7x840y.cloudfront.net
d3vn77t26123l6.cloudfront.net
adobeid-na1.services.adobe.com
auth.services.adobe.com
na1e-acc.services.adobe.com
lcs-ulecs.adobe.io