Akamai maintains a list of domains that bypass SIA Proxy for compliance and performance reasons. This list also includes domains for application traffic that is not compatible with the proxy certificate and should bypass the proxy.
This traffic is not supported with the proxy certificate:
- Non-web traffic such as traffic that uses Session Initiation Protocol (SIP) or Extensible Messaging and Presence Protocol (XMPP) over TLS.
- Traffic to applications that use certificate pinning. Some applications use certificate pinning to prevent man-in-the-middle attacks. With this method, the web server must present a certificate that matches the certificate “pinned” to the application for that domain. Even if the certificate presented by the web server is trusted, the application may terminate the connection because the certificate does not match the one pinned for that domain. This issue can occur with the proxy certificate, because the certificate the application receives through the proxy is not the one pinned to it.
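The following added example (not Akamai code) models the client-side check described above, showing why a certificate that chains to a trusted CA is still rejected by a pinning application. The domain `app.example`, the byte strings standing in for certificates, and the function names are assumptions made for illustration. Many real implementations pin the public key rather than the whole certificate; the comparison logic is the same.

```python
import base64
import hashlib
import hmac


def pin_of(cert_der: bytes) -> str:
    """Return a 'sha256/<base64>' pin computed over the certificate bytes."""
    digest = hashlib.sha256(cert_der).digest()
    return "sha256/" + base64.b64encode(digest).decode()


# Constructed stand-ins for DER-encoded certificates (not real certificates).
ORIGIN_CERT = b"constructed-origin-certificate-for-app.example"
PROXY_CERT = b"constructed-proxy-issued-certificate-for-app.example"

# Pin set shipped inside the hypothetical application, keyed by domain.
APP_PINS = {"app.example": {pin_of(ORIGIN_CERT)}}


def handshake_result(domain, presented_cert, chain_trusted, pins=APP_PINS):
    """Decide what a pinning client does with the certificate it was shown."""
    # Step 1: ordinary trust-store validation. A proxy certificate whose CA
    # is installed on the device passes this step.
    if not chain_trusted:
        return "terminated: untrusted chain"
    # Step 2: pin check, applied only to domains the application has pinned.
    expected = pins.get(domain)
    if expected is None:
        return "accepted: no pin for domain"
    presented = pin_of(presented_cert)
    if any(hmac.compare_digest(presented, pin) for pin in expected):
        return "accepted: pin match"
    # Trusted chain but different certificate: the case that makes the
    # domain incompatible with SSL inspection.
    return "terminated: pin mismatch"


if __name__ == "__main__":
    print("direct to origin:", handshake_result("app.example", ORIGIN_CERT, True))
    print("through proxy:   ", handshake_result("app.example", PROXY_CERT, True))
    print("unpinned domain: ", handshake_result("other.example", PROXY_CERT, True))
```
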
Akamai also maintains a list that contains a combination of domains and TLS signatures. TLS signatures are calculated from TLS messages between the client and the origin. The TLS signatures are used to identify traffic and determine whether certificate pinning is used. The list of TLS signatures is dynamic and changes based on Akamai's analysis.
You can define how you want to handle traffic that’s incompatible and should bypass SSL inspection. In a policy configuration, the Block Incompatible Domains policy setting lets you block this traffic. If the setting is disabled, this traffic bypasses SSL inspection. By default, the Block Incompatible Domains setting is disabled and this traffic is not scanned by the proxy.
If you enable the Block Incompatible Domains setting, the domains in this table are blocked.
Policy conflicts may occur if multiple lists are assigned to a policy and they contain domains from the bypass list. To learn more, see Policy conflicts.
To allow or block these domains or any incompatible TLS signatures, see Allow or block domains incompatible with TLS MITM certificate.
Akamai frequently evaluates this list and may add more domains. The bypass list currently contains these domains.
|Service or Application||Domain|
These IP subnets for Webex media services also bypass the proxy:
|Online Certificate Status Protocol|
|Palo Alto Networks||paloaltonetworks.com|
|X (formerly Twitter)|
These domains also bypass SIA Proxy if you enable the Bypass Microsoft 365 Traffic setting in a policy. The Bypass Microsoft 365 Traffic setting retrieves the latest domains associated with Microsoft apps and services. As a result, these domains may change.