Users reporting that common applications on mobile devices with SEP mobile fail after upgrade


Article ID: 271527


Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

SEP Mobile users integrating with Cloud SWG for iOS devices.

After upgrading to SEP Mobile 6.14, users have started to report connectivity issues: they cannot send images over WhatsApp on their work iPhones (text messages are fine), or they get a 'not able to check for update' error when searching for iOS updates.

When the SEP mobile VPN is disabled, the images send without issue and update checks complete.

The iPhones are on the latest iOS version, 16.6, and WhatsApp and SEP Mobile are also showing the latest versions.

Environment

SEP Mobile 6.14.

Cause

The Cloud SWG SSL inspection bypass rules fail to match, so the proxy intercepts the traffic and any application that uses certificate pinning breaks.

Resolution

The Cloud SWG service was updated to handle the new SEP Mobile device types.

The SEP Mobile update changes the device type for mobile devices from eMobile_device to eClient_connector. The default SSL interception bypasses needed for mobile devices check for the eMobile_device device type and therefore fail to find a match.

Additional Information

Policy trace confirms that the device type is not eMobile_device.

2023-08-10 16:42:57 "DP4-GGBLO12_proxysg2" 46 14.13.12.11 "[email protected]" "h8rqRE3sWD3AtDfj+Mv0+zcvMicRAaqw2i9cge9D1pE=" h8rqRE3sWDtDfj+Mv0+zcvdEAaqw2i9cge9D1pE= "Group1" - OBSERVED "Chat (IM)/SMS" - 0 - unknown - ssl media-lhr8-1.cdn.whatsapp.net 443 / - - - 192.168.4.85 0 0 - - - - - - - - 0 "client" client_connector "WhatsApp" "Chat/Instant Messaging" 10.240.221.60 "United Kingdom" CERT_VALID none - - TLSv1.3 TLS_AES_128_GCM_SHA256 128 *.whatsapp.net "Chat (IM)/SMS" TLSv1.3 TLS_AES_128_GCM_SHA256 128 - ICAP_NOT_SCANNED - - ICAP_NOT_SCANNED - - - - - - 0 - "United Kingdom" %2210.240.221.60|United%20Kingdom|timeout%22 "United Kingdom" 2 2 wss-agent architecture=arm64%20name=iOS%20version=16.6.0 10.0.51.19802 11.12.13.205 0d55b698-01ca-45a6-b45f-3690d09b5d1a iPhone - - - - SSL_Intercept_1 - - - - 2001:0DB8:03f6:28e5:6ced:fbc8:5e37:8840 9a1565189c0b4aeb-00000000479dc415-0000000064d51391 - - - - - - - client

Policy trace confirms that the SSL inspection bypass rule fails to MATCH and the proxy inspects the traffic:

        <ssl-intercept@ssl-int> [layer 54] [tenant:119]
          [Rule]
  miss:     condition=BC_SSL_Rule_325352_destination_SSL-Intercept_ssl_interception_CategoryList
  miss:     client.location.access_type=mobile_device
  miss:     condition=BC_MobileAppBypass_UrlList
  miss:     client.location.access_type=mobile_device
  miss:     client.location.access_type=mobile_device
  miss:     condition=BC_SSL_Custom_SSL-Intercept_ssl_interception_UrlList_13961355_OS_CLI_Tool_SSLExceptions
  miss:     condition=BC_SSL_Rule_312140_destination_SSL-Intercept
  miss:     condition=BC_SSL_Custom_SSL-Intercept_ssl_interception_UrlList_13905767_OS_SSL_AzureBypass
 MATCH:         variable.BC_SSL_Intercept_exempt(false) variable.BC_SSL_Intercept_exempt.rationale(SSL-G3)
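
To check a saved policy trace for the same symptom, the following added example (not Broadcom's code) summarizes the ssl-intercept layer: which bypass conditions missed and whether the exempt variable ended up false. It assumes the trace layout shown above; the function name `summarize_ssl_layer` is hypothetical.

```python
import re

# Abridged excerpt of the policy trace shown in the article above.
SAMPLE_TRACE = """\
        <ssl-intercept@ssl-int> [layer 54] [tenant:119]
          [Rule]
  miss:     condition=BC_MobileAppBypass_UrlList
  miss:     client.location.access_type=mobile_device
  miss:     condition=BC_SSL_Rule_312140_destination_SSL-Intercept
 MATCH:         variable.BC_SSL_Intercept_exempt(false) variable.BC_SSL_Intercept_exempt.rationale(SSL-G3)
"""

LAYER_RE = re.compile(r"<(?P<name>[^>]+)>\s+\[layer (?P<num>\d+)\]")
RESULT_RE = re.compile(r"^\s*(?P<verdict>miss|MATCH):\s+(?P<body>.+?)\s*$")
EXEMPT_RE = re.compile(r"variable\.BC_SSL_Intercept_exempt\((true|false)\)")
RATIONALE_RE = re.compile(r"BC_SSL_Intercept_exempt\.rationale\(([^)]*)\)")


def summarize_ssl_layer(trace: str) -> dict:
    """Summarize the ssl-intercept layer of a policy trace excerpt."""
    out = {"layer": None, "missed": [], "access_type_misses": 0,
           "exempt": None, "rationale": None}
    in_layer = False
    for line in trace.splitlines():
        layer = LAYER_RE.search(line)
        if layer:  # a new layer header starts; only ssl-intercept is of interest
            in_layer = layer["name"].startswith("ssl-intercept")
            if in_layer:
                out["layer"] = int(layer["num"])
            continue
        hit = RESULT_RE.match(line)
        if not (in_layer and hit):
            continue
        if hit["verdict"] == "miss":
            out["missed"].append(hit["body"])
            if hit["body"].startswith("client.location.access_type="):
                out["access_type_misses"] += 1
            continue
        exempt = EXEMPT_RE.search(hit["body"])
        if exempt:
            out["exempt"] = exempt[1] == "true"
            why = RATIONALE_RE.search(hit["body"])
            out["rationale"] = why[1] if why else None
    # Intercepted only when the trace explicitly set the exempt variable to false.
    out["intercepted"] = out["exempt"] is False
    return out
```

A result with `intercepted` true and a non-zero `access_type_misses` matches the condition described in this article: the mobile-device bypass rules were evaluated but none matched.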