macOS clients cannot authenticate successfully with SAML via IPSEC tunnel
Article ID: 381126

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

Users access internet sites via Cloud SWG using the IPSEC access method.

SAML authentication is enabled, with Microsoft Entra as the identity server.

Both Windows and macOS users have SEP running on the host with various policies (firewall, host protection, etc.).

macOS users cannot authenticate successfully from any browser; the error appears to be a browser connectivity error to saml.threatpulse.net. HAR files confirm that no status response is seen from saml.threatpulse.net during the failed attempts.

Windows users have no issues with SAML authentication.

Environment

IPSEC access method.

SAML authentication.

SEP Cloud.

Cause

SEP firewall policy on macOS blocking TCP 8443.

Resolution

Modify SEP firewall policy to allow TCP 8443 outbound from macOS hosts.

Another option that was also validated is to enable explicit proxy settings in the macOS browsers and send all traffic to the transproxy endpoint at ep.threatpulse.net:80 / 199.19.250.205:80.

Since this uses the standard TCP port 80, the host firewall policy does not drop these packets.

Additional Information

tcpdump from the macOS host confirmed that SYN requests to saml.threatpulse.net on TCP 8443 never got any response.

Removing the firewall policy from one SEP device allowed the request through, so an allow rule for TCP 8443 was simply added.
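As an added check that is not part of this article, the following POSIX sh/awk script classifies a tcpdump capture as the "SYN sent, nothing back" symptom described above; it assumes `tcpdump -nn` output format, and the 203.0.113.10 address is a constructed placeholder for the resolved address of saml.threatpulse.net.

```shell
#!/bin/sh
# Added example (not from the KB article): confirm from a tcpdump capture
# whether SYNs to the SAML endpoint on TCP 8443 ever receive a SYN-ACK.
# On the macOS host the capture would be taken with something like:
#   sudo tcpdump -nn -i en0 'tcp port 8443'
# A constructed capture is embedded here so the script runs offline.

# Constructed sample: three unanswered SYNs to 8443, one completed
# handshake on 443. 203.0.113.10 is a documentation-range placeholder.
SAMPLE_CAPTURE='12:00:01.000001 IP 192.168.1.10.52311 > 203.0.113.10.8443: Flags [S], seq 1, win 65535, length 0
12:00:02.000002 IP 192.168.1.10.52311 > 203.0.113.10.8443: Flags [S], seq 1, win 65535, length 0
12:00:03.000003 IP 192.168.1.10.52311 > 203.0.113.10.8443: Flags [S], seq 1, win 65535, length 0
12:00:04.000004 IP 192.168.1.10.52320 > 203.0.113.10.443: Flags [S], seq 2, win 65535, length 0
12:00:04.000005 IP 203.0.113.10.443 > 192.168.1.10.52320: Flags [S.], seq 9, ack 3, win 65535, length 0'

# syn_check <server_ip> <port>: reads tcpdump -nn lines on stdin and prints
# "<port> syns=<n> synacks=<m> <verdict>". Exit status: 0 when the server
# replied, 1 when SYNs went out but nothing came back (the symptom in this
# article, typically a host or path firewall), 2 when no SYN to that port
# was seen at all (the client never tried, look elsewhere).
syn_check() {
  awk -v srv="$1" -v port="$2" '
    # Outbound SYN: "... src.port > srv.port: Flags [S], ..."
    $5 == (srv "." port ":") && $7 == "[S]," { syn++ }
    # Inbound SYN-ACK: "... srv.port > client.port: Flags [S.], ..."
    $3 == (srv "." port) && $7 == "[S.]," { synack++ }
    END {
      verdict = "ok"
      if (syn > 0 && synack == 0) verdict = "no-response"
      if (syn == 0) verdict = "no-syn-seen"
      printf "%s syns=%d synacks=%d %s\n", port, syn + 0, synack + 0, verdict
      if (verdict == "no-response") exit 1
      if (verdict == "no-syn-seen") exit 2
    }'
}

# Demonstration on the constructed capture: 8443 never completes, 443 does.
for p in 8443 443; do
  printf '%s\n' "$SAMPLE_CAPTURE" | syn_check 203.0.113.10 "$p" || true
done
```

Run the real capture through `syn_check <ip> 8443` after changing the SEP rule; a verdict of `ok` confirms the SYN-ACK now arrives at the host.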