How can Smoothwall handle traffic from the Facebook mobile app on BYOD devices?

Article #: KB-7

Product: Guardian

Version: All

Summary:

This article explains what Smoothwall can do with traffic from the Facebook app on bring-your-own-device (BYOD) devices.

Problem:

Many apps are starting to use certificate pinning. Pinning prevents traffic from being intercepted by a man-in-the-middle attack, but it also stops Smoothwall from performing Decrypt & Inspect on this traffic, because the traffic returned to the app is presented with a certificate signed by Smoothwall and not Facebook. This causes issues with the apps and prevents them from working properly.

Note: The following assumptions are made:

A wireless network exists that is set up specifically for users' own devices.
Users are not allowed to download the Facebook mobile app onto your organization-owned devices.

For the Facebook app to work on users’ devices, the following URLs must be exempt from any Decrypt & Inspect policies on the Smoothwall:

graph.facebook.com
api.facebook.com
xx.fbcdn.net
portal.fb.com

Whilst disabling Decrypt & Inspect for these domains will fix the apps, it will prevent the Smoothwall from inspecting the content when Facebook is opened in a browser. This may cause issues if rolled out across the entire network.

As such, if your BYOD network is set up as a location policy object in Guardian, we advise disabling Decrypt & Inspect for these URLs only on your BYOD network.

Solution:

1. Create a custom category in Guardian > Policy objects > Categories containing the above URLs.
2. Create a location object in Guardian > Policy objects > Locations for the BYOD network.
3. Go to Guardian > HTTPS inspection > Policy wizard and create a new policy where:
   What — The custom Facebook category you created
   Where — Your BYOD network location
   Action — Do not inspect.
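
Once the policy is in place, a check like the following, run from a client on each network, confirms that the exempt hosts reach the client with their own certificate chain on the BYOD network and are still re-signed elsewhere. This is an added example, not Smoothwall tooling: it assumes you have exported the Smoothwall HTTPS inspection CA certificate to a PEM file, and the function names, the `byod|other` argument and the optional control hosts are hypothetical.

```python
import socket
import ssl
import sys

# Hosts the article lists for exemption ("xx.fbcdn.net" is copied as written there).
EXEMPT = ["graph.facebook.com", "api.facebook.com", "xx.fbcdn.net", "portal.fb.com"]


def probe(host, inspection_ca_pem, port=443, timeout=5):
    """Report which trust anchor validates the certificate this client is served."""
    contexts = (
        # Trusts ONLY the inspection CA: success means the proxy re-signed the site.
        ("intercepted", ssl.create_default_context(cafile=inspection_ca_pem)),
        # System trust store: success here means the origin's own chain arrived.
        ("direct", ssl.create_default_context()),
    )
    for label, ctx in contexts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    return label
        except ssl.SSLCertVerificationError:
            continue  # chain not signed by this anchor, try the next one
        except OSError:
            return "unreachable"  # DNS, TCP or non-certificate TLS failure
    return "untrusted"


def expected_for(on_byod, control_hosts=()):
    """Exempt hosts bypass inspection only on the BYOD location (article's policy)."""
    want = {h: "direct" if on_byod else "intercepted" for h in EXEMPT}
    # Assumption: control hosts fall under an existing Decrypt & Inspect policy.
    want.update({h: "intercepted" for h in control_hosts})
    return want


def audit(want, prober):
    """Return {host: (expected, observed)} for each host that deviates."""
    seen = {h: prober(h) for h in want}
    return {h: (want[h], seen[h]) for h in want if seen[h] != want[h]}


if __name__ == "__main__":
    # usage: script.py byod|other INSPECTION_CA.pem [control-host ...]
    network, ca_pem, controls = sys.argv[1], sys.argv[2], sys.argv[3:]
    bad = audit(expected_for(network == "byod", controls), lambda h: probe(h, ca_pem))
    for host, (want, got) in sorted(bad.items()):
        print(f"{host}: expected {want}, observed {got}")
    sys.exit(1 if bad else 0)
```

An exempt host reported as "intercepted" on the BYOD network means the Do not inspect policy is not matching that host or location; "direct" on any other network means the exemption has leaked beyond the BYOD location.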

Attribution:

Last updated:

Author:

Contributions by:

27th January 2017

Will Laycock-Smith

Copyright © 2000-2016 Smoothwall All rights reserved.