
SEP MacOS is not connecting to Cloud SWG when HTTP/2 is enabled


Article ID: 255408


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

SEP Web and Cloud Access Protection running on Windows and MacOS hosts.

Web and Cloud Access Protection integration policy pushed out to SEP clients using PAC file mode (not tunnel mode).

MacOS users are unable to access the internet; opening a web browser to pod.threatpulse.com reports "You are not protected".

Windows clients appear to be working fine.

Problem started

Cause

A recent Cloud SWG upgrade enabled support for HTTP/2, which uses all lower case HTTP header names.
MacOS Cloud and Access Protection clients used a case-sensitive string comparison on the header name, and it failed against the lower case headers.
Windows code does case-insensitive matching of the header name, so it still matched.

Resolution

Changed Cloud SWG to return HTTP headers expected by MacOS (November 10 2022).

MacOS Cloud and Access Protection clients were updated at the end of November to do case-insensitive matching of the header name, consistent with their Windows counterpart.

Additional Information

PCAPs indicate that the authentication exchange (CIA) is failing.

The connection to client-id.symantec.com is fine but the auth server is not sending back the expected "X-WSS-Client-Info-SSO-Response" with the session id. The SSO response from the server is all lower case (with HTTP/2 changes) while the agent is expecting it to be "X-WSS-Client-Info-SSO-Response".

Since the agent doesn't have the session id, it cannot create the crypto keys.

These crypto keys are used to generate the assertions, and without an assertion the server will continuously request authentication (we see the repeated 407 errors in the PCAP).
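The header-matching failure described under Cause and Additional Information, as an added example (not Symantec's client code): it runs a case-sensitive and a case-insensitive lookup over the same response as sent with mixed case and with lower case names. Only the header name comes from this article; the function names, the other headers and the "session-id=..." value format are assumptions constructed for illustration.

```python
# Added example. Only the header name below is taken from the article;
# every other name and value is constructed for illustration.
EXPECTED = "X-WSS-Client-Info-SSO-Response"

# Constructed sample responses: mixed-case names (before the upgrade) and
# lower case names (HTTP/2 requires field names to be sent in lower case).
HTTP1_HEADERS = [
    ("Content-Length", "0"),
    ("X-WSS-Client-Info-SSO-Response", "session-id=EXAMPLE-1234"),
]
HTTP2_HEADERS = [
    ("content-length", "0"),
    ("x-wss-client-info-sso-response", "session-id=EXAMPLE-1234"),
]


def find_header_case_sensitive(headers, name):
    """Exact string comparison, the behaviour described for the old MacOS client."""
    for key, value in headers:
        if key == name:
            return value
    return None


def find_header_case_insensitive(headers, name):
    """Case-insensitive name match; HTTP field names are case-insensitive."""
    wanted = name.lower()
    for key, value in headers:
        if key.lower() == wanted:
            return value
    return None


def session_id(headers, lookup):
    """Return the session id, or None when the lookup cannot find the header."""
    value = lookup(headers, EXPECTED)
    if value is None:
        return None  # no session id -> no keys -> no assertion -> repeated 407
    return value.split("=", 1)[1]  # assumed "session-id=<value>" format


if __name__ == "__main__":
    for label, hdrs in (("mixed case", HTTP1_HEADERS), ("lower case", HTTP2_HEADERS)):
        print(label, "| case-sensitive:", session_id(hdrs, find_header_case_sensitive),
              "| case-insensitive:", session_id(hdrs, find_header_case_insensitive))
```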