Always-On-VPN and global proxy not working in iOS 9

klatuu

Joined: Mar 1, 2016

We use Always-On VPN with IKE 2 to reach our internal networks. Our internal networks can reach outside web servers only via http/https through our company proxy. This worked perfectly until iOS 8.4.1. Some users upgraded their machines to iOS 9 and they told us "The internet is not working". We tested it and couldn't see any traffic to our proxies. iPads/iPhones try to resolve DNS and reach the servers directly. But our internal DNS servers are not connected to the internet DNS servers.
Just tested the function with iOS 9.0.2.

Still not working! Very serious bug for company use of iOS devices.

cape_doctor

Joined: Jun 9, 2011

perhaps SSL key length?

Perhaps check the SSL key length. There is a stricter requirement in iOS 9: "When negotiating a TLS/SSL connection with Diffie-Hellman key exchange, iOS 9 requires a 1024-bit group or larger". See https://developer.apple.com/library/prerelease/ios/releasenotes/General/...

Dwarak

global proxy not working in iOS 9

There are two solutions to this problem.

Solution 1: Routing.

Depending on the exact configuration of your network, and of the routing devices that make it up, it may be possible for the network routers to forward all local traffic internally and the rest directly to the proxy (configured by IP address of the source and/or destination, for example).

Solution 2: Proxy Auto-Configuration File (PAC File).

This requires the configuration of a PAC File and hosting this file on an internal server. This file can contain the proxy server address, port number and any required exclusions. The iOS device can pull and apply the settings from this.

On the iOS device, in the same place you set the manual proxy, is the option to set an ‘Automatic’ Proxy. Simply change the switch to ‘Auto’ and fill in the details of the server and PAC file and you should be done.
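
A PAC file of the kind described in the post above, as an added example that is not part of the original thread. The proxy address and internal domain suffixes are assumed placeholders; the decision is made on the host name alone, without `isInNet()` or `dnsResolve()`, because those force a DNS lookup and the internal resolvers described in this thread cannot resolve external names.

```javascript
// Added example. PROXY and INTERNAL_SUFFIXES are constructed placeholders.
// Written in ES5 on purpose: PAC engines differ in which syntax they accept.
var PROXY = "PROXY proxy.corp.example:8080";            // assumed host:port
var INTERNAL_SUFFIXES = [".corp.example", ".intranet.example"]; // assumed zones

// Stand-ins for two PAC built-ins so the file can be tested offline under
// Node. A real PAC host supplies its own and this branch is never taken.
if (typeof isPlainHostName === "undefined") {
  globalThis.isPlainHostName = function (host) {
    return host.indexOf(".") === -1;
  };
  globalThis.dnsDomainIs = function (host, domain) {
    var i = host.length - domain.length;
    return i >= 0 && host.indexOf(domain, i) === i;
  };
}

// Private and loopback IPv4 literals, matched as text (no DNS lookup).
var LOCAL_V4 = /^(10\.|127\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)/;
var IPV4_LITERAL = /^\d+\.\d+\.\d+\.\d+$/;

function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Exclusion 1: unqualified intranet names such as "wiki".
  if (isPlainHostName(host)) { return "DIRECT"; }

  // Exclusion 2: address literals inside the private ranges.
  if (IPV4_LITERAL.test(host)) {
    return LOCAL_V4.test(host) ? "DIRECT" : PROXY;
  }

  // Exclusion 3: internal DNS zones. The leading dot in each suffix keeps
  // "notcorp.example" from matching ".corp.example".
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (dnsDomainIs(host, INTERNAL_SUFFIXES[i])) { return "DIRECT"; }
  }

  // Everything else goes to the proxy. No "; DIRECT" fallback is listed, so
  // the PAC result never tells the client to bypass the proxy.
  return PROXY;
}
```
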

klatuu

Joined: Apr 11, 2014

Thanks for your help.
Solution 1: Very difficult in our scenario, our internal DNS servers are not connected to the internet. It is very difficult to decide which traffic is internal and which is external, so our proxies had to do this. But maybe this could be a temporary help.
Solution 2: We tried this already. Did not work.

There is a big bug in always-on-VPN in combination with global proxy.
We hope that Apple will solve this very soon.

wchestnutt

Joined: Mar 27, 2014

Hi Guys,

We are experiencing this issue as well, and holding off an iOS 9 upgrade until further notice. The issue being that if we receive more devices then they will ship with iOS 9 and be useless until this is fixed!

We use an autoconfigured proxy PAC file with always-on VPN. VPN works, but proxy does not.

Uroshnor

Joined: Nov 5, 2012

Do you really need an explicit proxy?

Couple of questions:

1. Have you tested the iOS 9.1 beta?

2. *points at Apple's long history of not getting proxies or proxy authentication consistently working in any platform they ship* Given you are doing always-on VPN, every device's network traffic appearing in a known network range, and you know which user generates that traffic. I've always had much more success using a transparent proxy setup with Apple devices, as I can only assume that California is the land of milk, honey, and infinite internet bandwidth, and it's only the junior engineers on H1B visas who know any different. You need to correlate VPN and proxy logs to give attribution, but in general that seems to be less hassle.

klatuu

Joined: Apr 11, 2014

Transparent proxy

1. Yes! 9.1 beta 4, still the same bug.
2. Maybe a possible scenario, but we have no experience with transparent proxy setups. Not easy to implement here and it would be a really complex setup. Will think about it and discuss with my colleagues, but I am not very optimistic.
They will say: "Apple has to fix this, it worked in iOS 8!"

wchestnutt

Joined: Mar 27, 2014

I agree. I will discuss this with the guys here, but it is a major change to implement into multiple systems we have deployed. Each time costing a lot of money and risk for the customers.

For new systems it is something we could consider, but ultimately will cost extra time and money compared to a PAC file (in an IaaS environment), and this should work :s

wchestnutt

Joined: Mar 27, 2014

Fixed?

So apparently the latest beta 9.2.3 will have fixed the proxy PAC issue! We are going to test this week.

klatuu

Joined: Apr 11, 2014

It is fixed!

Yeah!
Tried it yesterday. Finally a fix!

harish

Joined: Mar 1, 2016

I have exactly the same issue with iOS 9.1. Did you find any resolution for this issue?
Regards

klatuu

Joined: Apr 11, 2014

Update to iOS 9.2.x solves the issue.
