With the migration to our new McAfee Web Gateway solution in place (and the advent of SSL scanning to our traffic now), the crash course in all things McAfee has begun and, well, made my brain go on overload.
One of my more recent issues has come into play when it comes to SSL-based traffic, namely Apple's 'FaceTime' application. I delved through logs, pulled reports and the lot, and even contacted plat support, but even they were 'stumped' and had me submit a new 'Product Enhancement Request'.
Here is the transcript of (our) conversation and the disconnect that Apple (aka the Devil) and McAfee seem to be having.
"Unfortunately, I can't see a way to make this work due to the way Apple has this set up. The applepushserviced first does a DNS TXT query for "push.apple.com" [nslookup -query=txt push.apple.com]. This will return "count=50" or some number XX. The daemon then creates a name using a number between 1..XX and creates the DNS name X-courier.push.apple.com. This DNS name is then handled by Akamai DNS to return an IP address in the 17.X netblock that belongs to Apple. The iPad then attempts to make the connection to that IP, which is then transparently redirected to the Web Gateway in your environment. The problem is that the CLIENT HELLO includes SNI (server name indication) which lists the host as simply 'courier.push.apple.com'. This causes the Web Gateway to do a DNS lookup for 'courier.push.apple.com', which will not resolve to an IP address but instead will only return a CNAME record: courier-push-apple.com.akadns.net. Without an IP address to connect to, the Web Gateway sends back the '502 not resolvable' error page. The only workaround that I can think of that includes the Web Gateway would be an option to have the proxy ignore the SNI and connect directly to the IP address as requested by the client. Unfortunately, we do not currently have an option to do so."
Am I missing something here, or is there a ruleset/change that can be made/modified to help alleviate this issue?
Or should we start looking for another solution to (PunchMeInThe)Facetime for iPads?
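To make the failure sequence in the support transcript concrete, here is an added Python model of it. It is not McAfee's or Apple's code, and the DNS answers in it are constructed to mirror the shape described above (a TXT 'count=N' record, numbered courier hosts that chain through Akamai to a 17.x address, and a bare 'courier.push.apple.com' that yields only a CNAME); real answers will differ and should be checked with nslookup or dig. The function and zone names (`ZONE`, `resolve_a`, `proxy_decide`, the `allowed_nets` guard) are illustrative, not Web Gateway features.

```python
"""Model of the SNI-vs-destination-IP mismatch described in the post.

Added example, not McAfee's or Apple's code. ZONE is CONSTRUCTED test data
shaped like the answers the support engineer described; it is not live DNS.
"""
import ipaddress
import random
from typing import Optional, Tuple

# Constructed zone data: name -> (rtype, rdata). Not live DNS.
ZONE = {
    "push.apple.com": ("TXT", "count=50"),
    # The SNI host only has a CNAME; the target has no A record for the proxy to use.
    "courier.push.apple.com": ("CNAME", "courier-push-apple.com.akadns.net"),
    "courier-push-apple.com.akadns.net": ("NONE", None),
}
for n in range(1, 51):
    # Numbered courier hosts chain through an Akamai name to a constructed 17.x address.
    ZONE[f"{n}-courier.push.apple.com"] = ("CNAME", f"{n}-courier.push-apple.com.akadns.net")
    ZONE[f"{n}-courier.push-apple.com.akadns.net"] = ("A", f"17.0.0.{n}")


def resolve_a(name: str, max_hops: int = 8) -> Optional[str]:
    """Follow CNAMEs until an A record appears; None if the chain dead-ends."""
    for _ in range(max_hops):
        rtype, rdata = ZONE.get(name, ("NONE", None))
        if rtype == "A":
            return rdata
        if rtype == "CNAME":
            name = rdata
            continue
        return None
    return None  # CNAME loop or chain too long


def txt_count(name: str) -> int:
    """Parse the 'count=N' TXT record that applepushserviced queries first."""
    rtype, rdata = ZONE.get(name, ("NONE", None))
    if rtype != "TXT" or not str(rdata).startswith("count="):
        raise ValueError(f"no count= TXT record for {name}")
    return int(str(rdata).split("=", 1)[1])


def client_pick_courier(rng: random.Random) -> Tuple[str, Optional[str]]:
    """What the client does per the post: read count, pick N, resolve N-courier."""
    count = txt_count("push.apple.com")
    n = rng.randint(1, count)
    host = f"{n}-courier.push.apple.com"
    return host, resolve_a(host)


def proxy_decide(client_dst_ip: str, sni: str, ignore_sni: bool = False,
                 allowed_nets: Tuple[str, ...] = ("17.0.0.0/8",)) -> Tuple[str, str]:
    """Upstream choice for an intercepted TLS connection under SSL scanning.

    Default behaviour (as described in the post): resolve the SNI host and
    return ('502', reason) when it has no A record. With ignore_sni=True the
    proxy connects to the IP the client asked for, but only when that IP lies
    in an allowed netblock (here the 17.x block the post attributes to Apple),
    so a client cannot steer the proxy to an arbitrary address. The netblock
    guard is an illustrative design choice, not a documented product option.
    """
    if ignore_sni:
        addr = ipaddress.ip_address(client_dst_ip)
        if any(addr in ipaddress.ip_network(net) for net in allowed_nets):
            return ("connect", client_dst_ip)
        return ("502", f"client destination {client_dst_ip} outside allowed netblocks")
    ip = resolve_a(sni)
    if ip is None:
        return ("502", f"SNI host {sni!r} not resolvable (CNAME only, no A record)")
    return ("connect", ip)


def demo(seed: int = 1) -> dict:
    """Run one client connection through both proxy behaviours."""
    rng = random.Random(seed)
    host, dst_ip = client_pick_courier(rng)
    sni = "courier.push.apple.com"
    return {
        "courier": host,
        "client_dst": dst_ip,
        "honor_sni": proxy_decide(dst_ip, sni),
        "ignore_sni": proxy_decide(dst_ip, sni, ignore_sni=True),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running it shows the client resolving a numbered courier host to a 17.x address while the proxy, honouring the SNI, dead-ends at the CNAME and returns the 502; with the SNI ignored and the destination confined to the expected netblock, the connection goes to the address the client actually requested.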