I’m still learning about Gateway with WARP and have been playing with it quite a bit. When I enable it on my phone, a lot of sites do not work properly. I see there is Certificate Pinning available and have enabled that for sites that do not seem to load correctly to bypass the HTTP filter.
I will give you some examples:
Cafe Rio, Chipotle and Chick-Fil-A apps on Android devices will not connect unless they are excepted using a hostname list.
Reddit will not work
Twitter won’t work
Discord won’t connect, Captchas won’t load.
Google Calendar won’t sync
Outlook app won’t sync, connect, send email.
There are a lot more sites that have issues as well.
Since I’m attempting to understand this better, my questions are:
Is this normal behavior? I know this can be interpreted by some servers as a MITM attack, so maybe that is why they are not loading.
Is there a sort of set and forget it configuration out of the box, other than the pre-configured (Do Not Inspect) lists?
It seems enabling (Do Not Inspect) lists also removes the applications from the Shadow IT discovery as well. Is there a way to still manage that without those sites being set to not be inspected? I’m assuming not, but asking because I suppose I need some education.
Are Gateway with DOH and WARP compatible without clobbering each other or should they be run independently?
What are the consensus best practices for Gateway with WARP? For example, only enable WARP on certain sites within a list, etc?
The reason I’m asking all of this is because my experience hasn’t been like this with a lot of routers that support TLS inspection, and I haven’t had many issues with sites not loading, etc.
Thank you kindly for any helpful feedback and direction you may give!
That looks like some session issue but I don’t know how this could be related to WARP. Some hello world page would probably be a better thing to test. I would also try to see if it works okay with TLS decryption off, just to be sure it’s not that.
When disabling TLS inspection, almost nothing appears in the logs. So that isn’t really worth it, as it won’t do much. Let me test something with the Twitter app; not sure if I can sign out, then back in. When I turn it on, it refuses to work. If I can, it’s a session issue like you said, but that would be horrible for users, having to do this for every app if that works…
Ok, so some further testing reveals that while the web versions of different sites work fine through the browser, they will not work through the locally installed apps at all. I’ve tested it with several applications.
My phone I’m testing with is a Pixel 4a with Android 12. I’ve tested with Twitter, Chick-Fil-A and Reddit; Outlook will not receive email notifications and can’t see new email, etc. This is obviously a deal breaker for users. What options do I have?
I answered inline above. In addition, I attempted to test the beta version of the 126.96.36.199 app in the Play Store, but it’s the same version as the live version, 6.16. Gateway with DOH works without issue.
EDIT: Checked the logs in the dashboard and on the HTTP policies (I have nothing enabled); they show BYPASS for Cloudflare entries. In the DOH logs, Cloudflare entries show allowed. I don’t see anything being blocked…