Hope you are doing well.
The URL https://www.icloud.com is categorized under the categories Personal Network Storage and Interactive Web Applications.
The URL https://www.icloud.com/mail is categorized under the category Web Mail.
As this is an explicit proxy setup, the first request MWG will receive is a CONNECT request with URL.host www.icloud.com, which will be categorized under the categories Personal Network Storage and Interactive Web Applications.
Only if SSL Scanner is enabled on the device will MWG be able to see the GET request https://www.icloud.com/mail flowing inside the SSL channel.
If SSL Scanner is enabled on MWG, then you can create a rule as per the attached screenshot to achieve your requirement, and place the rule below the SSL Scanner rule set.
1. When working without SSL scanner you will need to keep the following things in mind:
2. When working with SSL scanner you will need to keep the following things in mind:
Please refer to the link below for more information on this:
Was my reply helpful?
If you find this post useful, please give it a Kudos! Also, please don't forget to select "Accept as a solution" if this reply resolves your query!
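The CONNECT-versus-GET visibility described in the reply above, as an added example that is not part of the original post and is not MWG's rule engine or URL database. The function names and the two-entry category table (built from the categorizations quoted in the reply) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed table: only the two categorizations quoted in the reply.
CATEGORIES = {
    "www.icloud.com/mail": ["Web Mail"],
    "www.icloud.com": ["Personal Network Storage", "Interactive Web Applications"],
}

def visible_url(request_line, host_header=None):
    """Return the URL a proxy can evaluate for a single request line."""
    method, target, _version = request_line.split()
    if method == "CONNECT":
        # Authority-form target ("host:port"): no path exists at this stage.
        return "https://" + target.rsplit(":", 1)[0]
    if target.startswith("/"):
        # Origin-form request, readable only after the TLS tunnel is inspected.
        return f"https://{host_header}{target}"
    return target  # absolute-form request

def categorize(url):
    """Longest-prefix match on host + path, on path-segment boundaries."""
    parts = urlsplit(url)
    key = (parts.hostname or "") + parts.path.rstrip("/")
    matches = [p for p in CATEGORIES if key == p or key.startswith(p + "/")]
    best = max(matches, key=len, default=None)
    return CATEGORIES.get(best, [])

def categories_seen(requests, ssl_scanner_enabled):
    """List (url, categories) for every request the proxy can actually read."""
    seen = []
    for line, host in requests:
        # Inner requests stay opaque unless the tunnel is decrypted.
        if line.startswith("CONNECT") or ssl_scanner_enabled:
            url = visible_url(line, host)
            seen.append((url, categorize(url)))
    return seen

# Constructed sample: one browser session opening iCloud mail via explicit proxy.
SAMPLE = [
    ("CONNECT www.icloud.com:443 HTTP/1.1", None),
    ("GET /mail HTTP/1.1", "www.icloud.com"),
]

if __name__ == "__main__":
    for enabled in (False, True):
        print("SSL scanner enabled:", enabled)
        for url, cats in categories_seen(SAMPLE, enabled):
            print("  ", url, "->", ", ".join(cats))
```

With inspection off, the only decision point is the CONNECT, so a rule keyed on Web Mail never gets a chance to match; with inspection on, the CONNECT is still evaluated first under the host-level categories.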
Thanks for your reply, Alok.
We have SSL scanner enabled and tested your suggested solution on our end, and while we can access https://www.icloud.com/mail, we kept being prompted for authentication. Also, we need to maintain the categorisation - https://www.icloud.com/mail as web mail and https://www.icloud.com as Personal Network Storage; this is because we have separate allow groups for them.
Thanks for the update here. So after making the suggested configuration you are able to achieve your requirement, but are now seeing an authentication issue.
Please refer below for some info on auth issues with iCloud:
You need to make sure the CONNECT and CERTVERIFY requests for www.icloud.com are allowed, so that once the SSL part is successfully done, MWG can see the GET requests for both www.icloud.com and www.icloud.com/mail and take the filtering decision accordingly.
Tried and tested the solution you provided, and while we can access icloud/mail (which shouldn't be the case - only those with web mail access should have access to the URL), we are now getting the default "Block" message when accessing icloud.com.
Do we need to move the rule below the URL filtering?
Hope you are doing well.
You can give criteria to this rule for a particular authentication group for something for which you want to get this rule applied.
I suggest you open a service request with support and ping the SR number so we can have a quick remote session if required and get this sorted.