How can Smoothwall handle traffic from the Facebook mobile app on BYOD devices?

Article #: KB-7
Product: Guardian
Version: All

Summary:

This article explains how a Smoothwall can handle the Facebook mobile app on bring-your-own devices (BYOD) without breaking the app or giving up inspection for everyone else.

Problem:

Many apps now use certificate pinning: the app ships with the certificate or public key it expects its servers to present and refuses any other. This stops the traffic being intercepted by a man-in-the-middle attack, but it also stops Smoothwall from performing Decrypt & Inspect on it, because the certificate the app receives is issued by the Smoothwall's own CA rather than matching the certificate Facebook pinned. The app rejects the connection and stops working properly.

Note: The following assumptions are made:

  • A wireless network exists that is set up specifically for users to connect their own devices to
  • Users are not allowed to install the Facebook mobile app on organization-owned devices

For the Facebook app to work on users' devices, the following hostnames must be exempt from any Decrypt & Inspect policies on the Smoothwall:

  • graph.facebook.com
  • api.facebook.com
  • xx.fbcdn.net
  • portal.fb.com

Whilst disabling Decrypt & Inspect for these hostnames will fix the app, it also stops the Smoothwall inspecting traffic to them when Facebook is opened in a browser. This may cause issues if rolled out across the entire network.

As such, if your BYOD network is defined as a location policy object in Guardian, we advise disabling Decrypt & Inspect for these hostnames on the BYOD network only.

Solution:

  1. Create a custom category in Guardian > Policy objects > Categories containing the hostnames listed above.
  2. Create a location object in Guardian > Policy objects > Locations for the BYOD network.
  3. Go to Guardian > HTTPS inspection > Policy wizard and create a new policy where:
    • What — The custom Facebook category you created
    • Where — Your BYOD network location
    • Action — Do not inspect
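The following is an added example, not Smoothwall's own code or interface: a small Python model of the policy built in the three steps above, useful for checking which connections the rule leaves uninspected before you roll it out. The category set, the BYOD network range 10.50.0.0/16, the client/hostname pairs, and the suffix-style hostname matching are all assumptions made for the illustration; confirm the matching rules against your own Guardian configuration.

```python
"""Model of the Guardian HTTPS inspection policy from the steps above.

Added example, not Smoothwall code.  The BYOD CIDR, sample connections and
the suffix-matching rule for category entries are assumptions.
"""
from __future__ import annotations

import ipaddress

# Step 1: the custom category, containing the four hostnames from the article.
FACEBOOK_APP_CATEGORY = {
    "graph.facebook.com",
    "api.facebook.com",
    "xx.fbcdn.net",
    "portal.fb.com",
}

# Step 2: the BYOD location object.  The address range is an assumed value.
BYOD_LOCATION = ipaddress.ip_network("10.50.0.0/16")


def in_category(host: str, category: set[str]) -> bool:
    """True when host equals a category entry or is a subdomain of one.

    Suffix matching (assumed here) is what lets a CDN host such as
    scontent.xx.fbcdn.net match the xx.fbcdn.net entry, while a look-alike
    such as evilxx.fbcdn.net does not.
    """
    host = host.lower().rstrip(".")
    return any(host == entry or host.endswith("." + entry) for entry in category)


def in_location(client_ip: str, location: ipaddress.IPv4Network | ipaddress.IPv6Network) -> bool:
    """True when the client address falls inside the location object's range."""
    return ipaddress.ip_address(client_ip) in location


def inspection_action(client_ip: str, host: str) -> str:
    """Return the action the step-3 policy applies to one connection.

    'do not inspect' requires BOTH the What (category) and the Where
    (location) to match; everything else keeps the default Decrypt & Inspect.
    """
    if in_category(host, FACEBOOK_APP_CATEGORY) and in_location(client_ip, BYOD_LOCATION):
        return "do not inspect"
    return "decrypt and inspect"


if __name__ == "__main__":
    # Constructed sample connections: (client IP, TLS SNI hostname).
    samples = [
        ("10.50.3.21", "graph.facebook.com"),     # BYOD phone, Facebook app API
        ("10.50.3.21", "scontent.xx.fbcdn.net"),  # BYOD phone, Facebook CDN
        ("10.50.3.21", "www.facebook.com"),       # BYOD phone, browser: still inspected
        ("192.168.1.40", "graph.facebook.com"),   # org-owned LAN client: still inspected
    ]
    for ip, host in samples:
        print(f"{ip:>13}  {host:<24}  {inspection_action(ip, host)}")
```

Run it and the last two lines show the point of scoping the rule by location: a browser on a BYOD device visiting www.facebook.com and an organisation-owned client calling graph.facebook.com both stay under Decrypt & Inspect; only the app's own endpoints from the BYOD range are exempted.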

Attribution:

Last updated: 27th January 2017
Author: Will Laycock-Smith
Contributions by: