DPI-SSL exceptions not honoured?
DPI-SSL is giving me a headache. Excluding domains doesn't seem to work, since those domains still show up under the button Show Connection Failures. One of the things blocked is the Sonos app. We have a couple of Sonos appliances for ambient music in the office. They are controlled with an app, Sonos Controller for PC. As soon as I switch on DPI-SSL, the music stops playing. When I look at the failed connections, it lists several domains, for example mnfts.ws.sonos.com and legato.radiotime.com. When I add those domains to the exclusions, they still pop up under failed connections. So either I'm doing something wrong, or it doesn't work the way I think it works...
@Simon_Weel , try also excluding
and also the IPs
Also make sure the SonicWall DNS is pointing to the same DNS as your clients or DNS server forwarders.
add the wildcard domain name.
Are these legitimate devices to have on the corporate network, or should they be isolated to their own network where you can disable DPI-SSL (they should be isolated...)? You also have to consider what security services you are using WITH DPI-SSL (GAV/GAS, IPS, etc.) and add exceptions to those.
The devices themselves are not the problem; it's the app to control them that is giving problems. But you are right; it would be best to put those things in their own network. In which case they cannot be controlled with the app from within the LAN. Not necessarily a bad thing. We're going to plug them into the Wi-Fi network, which is NOT connected to the LAN, and control them with a smartphone app.
This aside, what bothers me is the fact that DPI-SSL exclusions still fail to connect. I mean, if you add an exception for a domain, you would NOT expect that domain to be blocked anyway. And yes, I did change the domain name to use a wildcard.
As Preston hinted at, many services use CDNs to distribute traffic, rather than just a handful of IPs/FQDNs. What is likely happening is that the CDNs are getting caught up in your security services.
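Two things are worth checking before blaming the exclusion list itself: whether the wildcard you entered actually reaches a host like mnfts.ws.sonos.com (two labels below sonos.com), and whether the name on the certificate the server presents is the same name you excluded, which on a shared CDN edge it often is not. The script below is an added example, not SonicWall code and not taken from the thread. It assumes an exclusion is keyed on the TLS SNI or on the certificate CN/SAN, and it evaluates wildcards under two conventions (one DNS label, as in RFC 6125 certificate matching, or any depth) because the real rule depends on the product; the connection records are constructed, and the CDN names in them are placeholders. Run it against names from a real failure list after confirming the matching rule in your own product's documentation.

```python
"""Check which TLS connections a wildcard exclusion list really covers.

Added example, not SonicWall's code. Assumptions (not from the thread):
  * an exclusion can match the client's SNI or the server certificate's CN/SAN;
  * a "*." wildcard covers one DNS label (RFC 6125 style) unless told otherwise.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class TlsConnection:
    sni: str                          # name the client asked for in ClientHello
    cert_cn: str                      # subject CN of the certificate the server returned
    cert_sans: Tuple[str, ...] = ()   # subjectAltName dNSName entries


# Constructed sample records. The sonos/radiotime names come from the thread's
# failure list; the "cdn.example" names stand in for a shared CDN edge and are made up.
EXCLUSIONS = ["*.sonos.com", "*.radiotime.com"]
SAMPLE_CONNECTIONS = [
    TlsConnection("mnfts.ws.sonos.com", "*.ws.sonos.com", ("*.ws.sonos.com", "ws.sonos.com")),
    TlsConnection("legato.radiotime.com", "shared-edge.cdn.example", ("*.cdn.example", "legato.radiotime.com")),
    TlsConnection("assets.cdn.example", "shared-edge.cdn.example", ("*.cdn.example",)),
]


def name_matches(pattern: str, name: str, single_label: bool = True) -> bool:
    """True if `name` is covered by `pattern` ("host.example" or "*.example")."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    suffix = pattern[1:]                       # "*.sonos.com" -> ".sonos.com"
    if not name.endswith(suffix):
        return False                           # also rejects the bare "sonos.com"
    prefix = name[: -len(suffix)]              # "mnfts.ws" for mnfts.ws.sonos.com
    return ("." not in prefix) if single_label else True


def classify(exclusions: Iterable[str], conn: TlsConnection, single_label: bool = True) -> Dict[str, object]:
    """Report which of the connection's names the exclusion list reaches."""
    exclusions = list(exclusions)
    sni_ok = any(name_matches(p, conn.sni, single_label) for p in exclusions)
    cn_ok = any(name_matches(p, conn.cert_cn, single_label) for p in exclusions)
    san_ok = any(name_matches(p, s, single_label) for p in exclusions for s in conn.cert_sans)
    if sni_ok and (cn_ok or san_ok):
        verdict = "covered"
    elif sni_ok:
        verdict = "sni covered, certificate names not (shared CDN certificate?)"
    elif cn_ok or san_ok:
        verdict = "certificate covered, sni not (wildcard too shallow?)"
    else:
        verdict = "not covered (host not in list, or wildcard too shallow)"
    return {"sni": conn.sni, "cert_cn": conn.cert_cn, "sni_ok": sni_ok,
            "cn_ok": cn_ok, "san_ok": san_ok, "verdict": verdict}


def report(exclusions: Iterable[str], conns: Iterable[TlsConnection], single_label: bool = True) -> List[Dict[str, object]]:
    exclusions = list(exclusions)
    return [classify(exclusions, c, single_label) for c in conns]


def names_to_add(exclusions: Iterable[str], conns: Iterable[TlsConnection], single_label: bool = True) -> List[str]:
    """Exact names (no new wildcards) that would close every gap in the report.

    Adds the SNI when it is not reached, and the certificate CN when neither CN
    nor any SAN is reached. A CN on a shared CDN edge exempts every tenant that
    uses that certificate, so review each suggestion before adding it.
    """
    needed = set()
    for r in report(exclusions, conns, single_label):
        if not r["sni_ok"]:
            needed.add(str(r["sni"]).lower())
        if not (r["cn_ok"] or r["san_ok"]):
            needed.add(str(r["cert_cn"]).lower())
    return sorted(needed)


if __name__ == "__main__":
    for single in (True, False):
        print(f"--- wildcard covers {'one label' if single else 'any depth'} ---")
        for row in report(EXCLUSIONS, SAMPLE_CONNECTIONS, single):
            print(f"{row['sni']:<24} cert CN {row['cert_cn']:<24} {row['verdict']}")
        print("names to add:", names_to_add(EXCLUSIONS, SAMPLE_CONNECTIONS, single))
```

Under the one-label rule `*.sonos.com` never reaches mnfts.ws.sonos.com, which is one plausible reading of "I added the wildcard and it still fails"; under the any-depth rule it does, and the remaining gaps are the CDN names, which is the other. In the second case the fix is to exclude the exact CDN hostnames the app uses, not the whole edge, and to remember that an exclusion only relieves DPI-SSL: IPS, GAV and similar services still see the flow and need their own exceptions, as noted above.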