KB Article | Forcepoint Support

Problem Description

Cloud Web users experience connectivity issues in macOS environments when using the Apple App Store.


The Apple App Store application closes the connection when our cloud proxy presents its own SSL decryption certificate. To prevent this, certain domains critical to the App Store should be added to the SSL Decryption Bypass list. The proxy will then stop decrypting traffic to those domains, restoring proper functionality to the App Store.

The domains to add to the SSL Decryption Bypass list are:
  • *.apple.com
  • mzstatic.com

For Cloud Web, log into the Cloud Portal and do the following:
  1. Click Web at the top of the page and then click Policies.
  2. Click the name of the Policy you would like to amend. Important: If you have multiple policies that this change should affect, you will need to repeat this procedure for each policy.
  3. Click the Web Categories tab.
  4. Below the box containing the list of categories, click SSL Decryption Bypass.
  5. A text field will appear below the button.  Add the domains to that field, one domain per line.
  6. Click Save at the bottom of the page.
  7. Wait approximately 15 minutes before testing.  

On rare occasions, the change will take longer than that to go live, but typically it will be live after around 15 minutes.

For Web Hybrid, SSL Decryption Bypass is synced from the settings in Forcepoint Security Manager.
  1. Open Forcepoint Security Manager.
  2. Switch to the policy server that houses the Content Gateway (if WCG is a policy server).
  3. Navigate to Settings > General > Scanning > SSL Decryption Bypass (Bypasses in version 8.5+).
  4. Click Add beneath Destination.
  5. Type the two domains. Only type one entry per line.
  6. (Optional) Enter a description for the entries added above, such as "Apple App Store".
  7. Click OK.
  8. Click OK.
  9. Click Save and Deploy.
  10. Navigate to Settings > Hybrid Configuration > Scheduling.
  11. Click Send Policy Data Now.
  12. Wait for the Sync to complete. This may take 15-20 minutes.
  13. (Proxy Connect Endpoints) Go to any website on the Mac machine to call a new PAC file.
  14. Test the Apple App Store. 
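
One way to confirm the bypass after the wait or sync, as an added example that is not part of the original article or Forcepoint's tooling: the script reads the issuer of the certificate presented for each host and reports whether it still names the proxy's decryption CA. The `PROXY_CA` value, the optional `PROXY` setting and the sample hostnames in the usage comment are assumptions to replace with your own.

```sh
#!/bin/sh
# Added example: report whether TLS to bypassed hosts is still decrypted by the proxy.
# Usage (hostnames are assumed samples under the article's two domains):
#   PROXY_CA='<issuer text of your proxy CA>' sh check_bypass.sh apps.apple.com is1-ssl.mzstatic.com
# PROXY_CA is a placeholder. PROXY (host:port) is optional and needs s_client -proxy
# support; without it openssl connects directly and does not follow a PAC file.
PROXY_CA="${PROXY_CA:-REPLACE-WITH-PROXY-CA-NAME}"
PROXY="${PROXY:-}"

# Print the issuer line of the certificate presented for host $1 on port 443.
get_issuer() {
  if [ -n "$PROXY" ]; then
    openssl s_client -connect "$1:443" -servername "$1" -proxy "$PROXY" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null
  fi | openssl x509 -noout -issuer 2>/dev/null
}

# $1 = issuer line, $2 = proxy CA text. Case-insensitive fixed-string match.
classify_issuer() {
  if [ -z "$1" ]; then
    echo unknown        # no certificate obtained (connection closed or blocked)
  elif printf '%s\n' "$1" | grep -qiF -- "$2"; then
    echo decrypted      # issuer names the proxy CA: traffic is still intercepted
  else
    echo bypassed       # issuer is some other CA: the proxy is not re-signing
  fi
}

# Check every host given; return non-zero if any host is not bypassed.
check_hosts() {
  rc=0
  for host in "$@"; do
    state=$(classify_issuer "$(get_issuer "$host")" "$PROXY_CA")
    printf '%-28s %s\n' "$host" "$state"
    [ "$state" = bypassed ] || rc=1
  done
  return "$rc"
}

# Only touch the network when hostnames are passed on the command line.
if [ "$#" -gt 0 ]; then
  check_hosts "$@"
fi
```

A host that still reports `decrypted` after the wait period means the policy change or sync has not reached the proxy serving that endpoint.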
