Summary
On iOS devices (iPhone, iPod, iPad) the Facebook app may not connect. This usually happens when you are performing HTTPS inspection or certificate validation. The app reports no connection and shows a Tap to retry button.
Problem
Facebook app on iOS does not connect.
The Facebook app makes HTTPS connections in a non-standard way, implementing its own certificate validation. This conflicts with the standards-based validation which Smoothwall performs.
The app makes connections to plain-IP HTTPS URLs, for example, https://66.220.158.23, but validates these against the *.facebook.com HTTPS certificate.
To resolve this issue, you will need to exclude these sites from HTTPS Inspection and/or certificate validation. Doing so will still allow the rest of Facebook to be inspected; this is just an initial connection and authentication stage. Users who are denied access to Facebook in the main web filter policy will still continue to be blocked.
Each of these servers is accessed by the app as a plain IP, which resolves via reverse DNS to an address such as:
edge-z-m-shv-03-ash5.facebook.com
These addresses vary, often based on geolocation, hence the following URL pattern matches all of these:
edge.+?\.facebook\.com
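The mismatch described above, as an added example (not Smoothwall's or Facebook's code): a simplified standards-style name check shows why an IP-literal URL fails against a *.facebook.com certificate, and the article's URL pattern is tested against the reverse-DNS name. The function names, the constructed SAN list and the use of regex search semantics for the pattern are assumptions.

```python
import ipaddress
import re

# URL pattern from the article. Applying it with search semantics is an
# assumption about how the filter evaluates URL patterns.
EDGE_PATTERN = re.compile(r"edge.+?\.facebook\.com")

# Constructed sample: the certificate name described in the article.
CERT_DNS_SANS = ["*.facebook.com"]


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def standards_match(host, dns_sans, ip_sans=()):
    """Simplified RFC 2818/6125-style check of a URL host against a cert.

    An IP-literal host can only match an iPAddress SAN, never a DNS name.
    A wildcard counts only as the whole left-most label and covers one label.
    """
    if is_ip(host):
        addr = ipaddress.ip_address(host)
        return any(addr == ipaddress.ip_address(s) for s in ip_sans)
    host_labels = host.lower().rstrip(".").split(".")
    for san in dns_sans:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*" and san_labels[1:] == host_labels[1:]:
            return True
        if san_labels == host_labels:
            return True
    return False


def in_edge_category(hostname):
    """True if the hostname would fall into the custom category's pattern."""
    return EDGE_PATTERN.search(hostname) is not None


if __name__ == "__main__":
    hosts = ["66.220.158.23", "edge-z-m-shv-03-ash5.facebook.com", "www.facebook.com"]
    for h in hosts:
        print(h, standards_match(h, CERT_DNS_SANS), in_edge_category(h))
```

The IP-literal host fails the name check even though the certificate is genuine, while only the edge hostname falls into the exemption pattern, so other Facebook hosts stay under inspection.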
Solution
- Create a new custom category, named Facebook Edge Servers or similar.
- Add edge.+?\.facebook\.com to URL patterns. (Click Advanced first to expand the view.)
- Go to Guardian > HTTPS Inspection > Policy wizard.
- Create a new rule:
  - Who: Add the users or groups you wish it to apply to, or select Everyone
  - What: Facebook Edge Servers (which you have just created)
  - Where: Add the locations you wish it to apply to, or Everywhere
  - When: Add the times you wish it to apply at, or Always
  - Action: Do not inspect
- Ensure that this rule is above any other Decrypt and Inspect or Validate Certificate only rules in the HTTPS inspection policies table.
Tip: If you have changed the order of rules in the table, remember to click Save.
Note: The Social Networking category and/or the Facebook category are allowed in this configuration and users can access Facebook through a browser. If Facebook is blocked in the browser then this issue may not be affecting you and you should refer to the relevant Web Filter policy to establish if the filtering policy in place is denying this.