Info:
I'm using Cloudflare TEAMS and have set up test users with iOS and Windows devices.
All OS and apps 100% updated.
Unifi UDM PRO Home/Business Network activated with Cloudflare Gateway as DNS resolver.
Connected to Cloudflare in Denmark ("CPH").
Perfect connection and speed, and very fast DNS (8 ms).
Checked all connections with Cloudflare test tools = Perfect.
Windows WARP = BETA V1.5.762.1
iOS WARP = 6.6
Issues
When I set the WARP client to "Gateway with WARP", I/we can't:
1) Update Windows 10: "There were some problems installing updates, but we'll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x80245006)"
2) Open the App Store
3) Open security for login to some apps (banks or other apps), or issues with functions inside apps.
There is no blocking logged in TEAMS DNS or Security in the Cloudflare Teams app (in relation to the issues). When I check the Gateway Activity Log, all actions = Allow.
Same issues when connected to 4G/WiFi or other external networks. No problem when only activating the WARP app "Gateway with DoH".
Certain apps use certificate pinning or non-standard HTTP(S) connections, where Cloudflare acting as a TLS proxy can interfere with things such as what you've described.
There's also a link from the home page of Teams (near the bottom) to some quick start guides / rules.
I forget the exact wording (since I already completed the guide and it goes away once you do…) but it suggests setting up Do Not Inspect rules for common applications, I believe. If you click the button it will auto-create a rule for you which has all of the common apps we've added support for. You can edit it down if you feel the need or create additional rules for apps you might identify in your own organization.
I have added many "Skip" rules for applications, hosts and Do Not Decrypt apps.
It's perfect for all applications marked/selected, and now no issues with Windows Update, iOS App Store etc.
But still problems with some iOS apps (only when "Gateway with WARP" = ON):
Can't log in to Home and Business Bank App
Other 3rd-party applications for 3rd-level security / SSO apps (sending accept to the iOS app when signing in from a PC browser)
Some TV streaming apps, problems with auto login
I can't see any issues in the iOS Teams DNS log or inside my Cloudflare DNS / HTTP or Network logs. And no registered blocking from IPS / FW on my Unifi network.
Another thing…:
I found, after an ISP speed test in DK, a new Cloudflare with a new "Output/Connection".
Before, the connected output was "Cloudflare DK…" when testing. But now it is connected to the new "iCloud Private Relay" service, in relation to Apple DK. But same external IPv4 and IPv6 and DNS feedback as before.
But I can read from Apple about issues with some apps before the release of iOS 15 and until app updates after iOS 15 etc.
Any impact on my issues and DNS or other settings with "Gateway with WARP" = ON?
Yeah, it's still the same issue. Typically bank apps have SSL pinning, so they will check whether the certificate is the same or not.
So you should manually add the domain names related to the bank app (to Do Not Decrypt). Same with other domains too, which may not be listed in the Policy dashboard.
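Added example (not code from Cloudflare or from anyone in this thread) illustrating why a pinned app fails under Gateway TLS decryption and how to check from a WARP device whether a domain is being decrypted before adding a Do Not Decrypt rule. Certificate bytes, issuer names and the "EXAMPLE-GATEWAY-CA" placeholder are constructed; the live fetch_peer helper is an assumption about how you would run the check yourself.

```python
import hashlib
import socket
import ssl


def leaf_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded leaf, as a pinning app computes it."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_check(der_cert: bytes, pinned: set) -> bool:
    """True if the presented leaf matches one of the app's pinned fingerprints.
    With Gateway decrypting the session, the leaf is re-issued by the Gateway CA,
    so this fails even though the OS trusts the chain: the bank-app symptom."""
    return leaf_fingerprint(der_cert) in pinned


def issuer_org(cert: dict) -> str:
    """Issuer organizationName from the dict form returned by getpeercert()."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""


def is_intercepted(cert: dict, expected_org: str) -> bool:
    """True when the issuer is not the public CA the origin is known to use."""
    return issuer_org(cert) != expected_org


def fetch_peer(host: str, port: int = 443, timeout: float = 5.0):
    """Live check (assumed usage): run on the WARP device with "Gateway with WARP"
    on; if the issuer turns into the Gateway CA, that domain is being decrypted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


# Constructed sample data (not real certificates) for an offline demonstration.
ORIGIN_DER = b"constructed-origin-leaf"
PROXY_DER = b"constructed-proxy-leaf"
APP_PINS = {leaf_fingerprint(ORIGIN_DER)}
ORIGIN_CERT = {"issuer": ((("countryName", "US"),), (("organizationName", "Example Public CA"),))}
PROXY_CERT = {"issuer": ((("organizationName", "EXAMPLE-GATEWAY-CA (placeholder)"),),)}

if __name__ == "__main__":
    print("origin pin ok:", pin_check(ORIGIN_DER, APP_PINS))  # True
    print("proxy pin ok:", pin_check(PROXY_DER, APP_PINS))  # False
    print("proxy intercepted:", is_intercepted(PROXY_CERT, "Example Public CA"))  # True
```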
If the bank app is in our list of apps it's probably a bug; if it's not, you can add your own DNI rule for their URLs and/or use the feedback link in Teams to provide more details (we may add it to our list, but no promises).
It may be those apps expect the IP address to be the same… that would be a hard one. But more detail, a support ticket and a HAR file may help us understand what is going on.
With just using Cloudflare Zero Trust DNS? Um… I guess see if anything is being blocked in the DNS logs?