Palo Alto Networks Knowledgebase: How to Bypass Decryption to Access the iTunes and App Store from iOS Devices

Created On 02/08/19 00:01 AM - Last Updated 02/08/19 00:01 AM

Issue

When the Palo Alto Networks device is configured to decrypt outbound traffic, iOS devices are unable to connect to the iTunes and App Store directly from their applications, even if the certificate used for decryption has been imported into the device and works for regular browsing.


The error returned on the iPhone or iPad is "Cannot connect to the iTunes Store."


Cause

The App Store and iTunes applications expect the server certificate to be signed by Apple and close the connection if it is signed by a different CA, so the certificate the firewall presents for decryption is rejected even though the device trusts it for regular browsing.

Resolution

  1. Configure a custom URL Category that contains all known FQDNs related to the iTunes and App Store (wildcards can be used).

    [Image: Custom_URL_Category.JPG]
    Note: For iOS 8 and later, also add "*.mzstatic.com" to the above list.

  2. Add a Decryption policy to bypass decryption based on the custom URL category just created.

    [Image: Custom_URL_Category_No_Decrypt.JPG]

Note: While "itunes.apple.com" and "*.itunes.apple.com" should be enough to catch all iTunes and App Store related sites, other FQDNs have been reported. The list might be incomplete and/or change over time.
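The following is an added example, not Palo Alto Networks code and not the firewall's own matching logic. It models the two steps above as an ordered decryption rulebase in which a no-decrypt rule keyed on the custom URL category is evaluated before the catch-all decrypt rule, using the TLS server name the client sends. The matching semantics are an assumption of this example only: a plain entry matches that host exactly, and a "*." entry matches any host at least one label below it, which is why the article lists both "itunes.apple.com" and "*.itunes.apple.com". The rule names and the "default is not decrypted" fall-through are also constructed for the example.

```python
"""Model of a decryption bypass keyed on a custom URL category.

Added example, not Palo Alto Networks code. Assumed semantics: a plain
entry matches the host exactly; a '*.' entry matches any host at least
one label below it. Real PAN-OS matching rules may differ.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed custom URL category mirroring the article's list.
ITUNES_BYPASS = (
    "itunes.apple.com",
    "*.itunes.apple.com",
    "*.mzstatic.com",  # article: also needed for iOS 8 and later
)


def entry_matches(entry: str, host: str) -> bool:
    """Return True if one URL-category entry covers the host name.

    The wildcard suffix keeps its leading dot, so the comparison is
    anchored at a label boundary: '*.apple.com' must not match
    'notapple.com' or 'apple.com.example.test'.
    """
    entry = entry.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # e.g. ".itunes.apple.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def category_matches(category: Iterable[str], host: str) -> bool:
    """True if any entry of the custom URL category covers the host."""
    return any(entry_matches(e, host) for e in category)


@dataclass
class DecryptRule:
    name: str
    action: str                      # "decrypt" or "no-decrypt"
    category: Tuple[str, ...] = ()   # empty tuple means "any"

    def matches(self, host: str) -> bool:
        return not self.category or category_matches(self.category, host)


# Constructed rulebase: the bypass rule must sit above the catch-all.
RULEBASE = [
    DecryptRule("itunes-no-decrypt", "no-decrypt", ITUNES_BYPASS),
    DecryptRule("decrypt-outbound", "decrypt"),
]


def decide(host: str, rulebase=RULEBASE) -> Tuple[Optional[str], str]:
    """First matching rule wins; 'host' is the TLS server name (SNI).

    Assumed default: traffic matching no decryption rule is left
    un-decrypted.
    """
    for rule in rulebase:
        if rule.matches(host):
            return rule.name, rule.action
    return None, "no-decrypt"


def evaluate_hosts(hosts: Iterable[str]) -> Dict[str, str]:
    """Map each host to the action the rulebase would apply."""
    return {h: decide(h)[1] for h in hosts}


if __name__ == "__main__":
    # Constructed sample of server names seen from an iOS device.
    sample = [
        "itunes.apple.com",
        "p12-buy.itunes.apple.com",
        "is1-ssl.mzstatic.com",
        "www.example.com",
        "itunes.apple.com.evil.test",   # must NOT be bypassed
    ]
    for host, action in evaluate_hosts(sample).items():
        print(f"{host:32s} -> {action}")
    # Shows why the bare FQDN is listed alongside the wildcard entry.
    print("wildcard alone covers bare host:",
          category_matches(("*.itunes.apple.com",), "itunes.apple.com"))
```

Running the script prints the action per server name; the last line reports False, illustrating that under these assumed semantics the wildcard entry alone would leave the bare "itunes.apple.com" host decrypted, and the look-alike host under "evil.test" is still decrypted because suffix matching is anchored at a label boundary.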

owner: sberti



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbuCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail