As the title says, when our users try to install Adobe applications via the new (and execrable) Creative Cloud software subscription service, those installs and updates fail when going through our Ironports with a lovely "download appears corrupted" message.
We're using WCCP on our core routers to redirect web traffic through the S370 proxies. When I exempt those users from web redirection (via the access list that controls wccp on those routers), the installs work correctly.
One of the frustrating parts of this problem is that none of the requests appear to be blocked. If I can trust the Creative Cloud app's progress bar, the application is completely downloaded and just starts to be extracted when the error occurs.
I did a packet capture on a client when the installation failed, but I didn't find anything particularly enlightening there.
Any suggestions would be most welcome.
Could you please share the access logs:
2. Enter the number of the log you wish to grep: 1 (for accesslogs)
3. Enter the regular expression to grep: <client IP>
4. Do you want this search to be case insensitive?: Y
5. Do you want to search for non-matching lines? N
6. Do you want to tail this log?: Y
7. Do you want to paginate the output?: N
The access logs show all communication as being open, no blocks or failures. The Creative Cloud manager connects and starts the updates but fails in the middle of a file download. Adobe states it is a proxy issue but there is nothing in the logs to reflect that assumption. The Creative Cloud logs state a communication failure has occurred. A network trace does not show any failures, the issue is within the manager software from what we have been able to figure out. The software updates work when they are completed manually without the Creative Cloud Manager using the same proxy appliances.
We had the same issue. This is what I did as a work around for the Identities that needed Adobe Creative Cloud:
Create a Custom URL Category
Add .adobe.com to it Sites section
Assign the Custom URL Category to your Access Policy and Decryption Policy
(we have it set to monitor)
Submit, Commit, Commit
I hope this helps,
I have multiple users with the same issue, we are not decrypting the traffic and do not require user based authentication for any of the domains that are required. This has been confirmed by Adobe. Their tech support is totally clueless as to what the issue is and has been unable to assist. Has anyone found a workaround for the updates/ downloads?
Adobe download is using range request download method that by default is disabled in WSA globally due to security reason.
If you need to enable this (CLI -> rangerequestdownload) however when you enable this there could be security disadvantage since the scanning engine might not be able to scan correctly due to small sizes per chunks that been downloaded (this will apply globally).
The other workaround is to create custom url category for adobe (.adobe.com) and set it to "Allow"
By setting to "Allow" this will bypass the scanning all together and simply allowing the traffics, therefore WSA will not inspect the range request download protocol/method that adobe is using (this will only apply to adobe not globally).
what scanning are we bypassing? The only scanning that I do on the WSA is WBRS, there is no malware or AV scanning on the WSA.
What security concerns would enabling rangerequestdownload expose?
With range requests enabled the WSA never has the whole file all at once so AV/malware scanning may miss things. If you're not using that you don't lose anything.
Ken, I may have found the answer to this issue I am waiting for Adobe to verify. It seems that the software attempts to make an inbound connection(s) to validate downloads and licensing. Adobe expects you to have a rule that allows inbound TCP port 80 & 443 from the internet for this to work be completed. We I requested a list of their ip's or subnets that may do this I was given a listing of 38 domestic subnets including full class 'B' networks. This would explain why the updates work when not behind the WSA and firewall on a home network.
I totally agree, 2 different support personnel at Adobe have given me a similar response. So I requested my ticket be escalated for the issue. That was 2 days ago. We took a sniffer trace between the workstation and the WSA and the WSA and the internet and find nothing wrong. We may need to do another trace at the firewall to see if we find an inbound attempt being dropped.
Adobe confirmed that they require inbound access over port 80/443 for validation and verification during upgrades as stated in the below in the response:
"Our Applications require inbound connection if your Proxy network allows it without any issues and blockage for ports 80&443"
The only suggestion they made it to create an update server and let your user connect to the update server, but this server would also require the same connectivity.
Just wanted to let you know.
Adobe is using a range request download method for its download and by default this method has been disabled in WSA due to security purpose.
You can enable this option from the CLI of WSA by issuing command rangerequestdownload and enable this.
Please note that this option is a global setting therefore it will effect the appliance globally and also if you enable this setting there might be some security risks where when WSA is getting the files in chunks instead of full size of file (the behaviour of range request download protocol), WSA scanning engine might not be able to perform scanning on them due to small size of files (due to per chunks)
Another way to get around this is to create custom URL category for the whole domains and subdomains of adobe: ".adobe.com" and set it to "Allow" instead of "Monitor".
By setting to "Allow" this will bypass the scanning all together and simply allowing the traffics, therefore WSA will not inspect the range request download protocol/method that adobe is using.