Bypass list

Akamai maintains a list of domains that bypass SIA Proxy for compliance and performance reasons. This list also includes domains for application traffic that is not compatible with the proxy certificate and should bypass the proxy.

This traffic is not supported with the proxy certificate:

  • Non-web traffic such as traffic that uses Session Initiation Protocol (SIP) or Extensible Messaging and Presence Protocol (XMPP) over TLS.
  • Traffic to applications that use certificate pinning. Some applications may use certificate pinning to prevent man-in-the-middle attacks. With this method, web servers must present a certificate that matches the certificate “pinned” to the application for that domain. Even if the certificate presented by the web server is a trusted one, the connection may be terminated because the certificate does not match the one that’s pinned to the application for that domain. This issue can occur with the proxy certificate.

Akamai also maintains a list that contains a combination of domains and TLS signatures. TLS signatures are calculated from TLS messages between the client and the origin. The TLS signatures are used to identify traffic and determine whether certificate pinning is used. The list of TLS signatures is dynamic and changes based on Akamai's analysis.

You can define how you want to handle traffic that’s incompatible and should bypass SSL inspection. In a policy configuration, the Block Incompatible Domains policy setting lets you block this traffic. If the setting is disabled, this traffic bypasses SSL inspection. By default, the Block Incompatible Domains setting is disabled and this traffic is not scanned by the proxy.

Note: If you enable the Block Incompatible Domains setting, the domains in this table are blocked.

Policy conflicts may occur if multiple lists are assigned to a policy and they contain domains from the bypass list. To learn more, see Policy conflicts.

To allow or block these domains or any incompatible TLS signatures, see Allow or block domains incompatible with TLS MITM certificate.
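The policy behaviour described above (bypass-list traffic skips SSL inspection unless Block Incompatible Domains is enabled) can be checked locally before a policy change is rolled out. The following is an added example and is not Akamai's code or the SIA Proxy implementation: it takes a constructed subset of the domains and Webex subnets quoted on this page, matches destinations by DNS label suffix (an assumption; the page does not state whether subdomains are covered) and by CIDR membership, and returns the resulting action. It does not model the TLS-signature list, and it assumes the Block Incompatible Domains setting affects only the domain entries, not the Webex IP subnets, because the page does not say otherwise.

```python
"""Illustrative SIA Proxy bypass-list evaluator (added example, not Akamai's code)."""
import ipaddress

# Constructed subset of the bypass-list domains quoted on this page.
BYPASS_DOMAINS = {
    "akamai.com", "akamaihd.net", "apple.com", "swcdn.apple.com",
    "webex.com", "cloudsink.net", "client.dropbox.com",
    "ocsp.digicert.com", "zoom.us",
}

# Constructed subset of the Webex media-service subnets listed on this page.
BYPASS_SUBNETS = [ipaddress.ip_network(n) for n in (
    "20.50.235.0/24", "66.114.160.0/20", "170.72.0.0/16", "44.234.52.192/26",
)]


def normalize_host(destination: str) -> str:
    """Lower-case, strip a trailing dot, IPv6 brackets and a host:port suffix."""
    host = destination.strip().lower().rstrip(".")
    if host.startswith("[") and "]" in host:      # "[2001:db8::1]:443" -> "2001:db8::1"
        return host[1:host.index("]")]
    if host.count(":") == 1:                      # "host:443" -> "host"
        host = host.split(":", 1)[0]
    return host


def domain_matches(host: str, entry: str) -> bool:
    """Label-wise suffix match (assumption: a list entry covers its subdomains).

    'updates.apple.com' matches 'apple.com'; 'notapple.com' does not.
    """
    return host == entry or host.endswith("." + entry)


def is_bypassed_domain(destination: str) -> bool:
    host = normalize_host(destination)
    return any(domain_matches(host, entry) for entry in BYPASS_DOMAINS)


def is_bypassed_ip(destination: str) -> bool:
    try:
        addr = ipaddress.ip_address(normalize_host(destination))
    except ValueError:                            # not an IP literal at all
        return False
    return any(addr in net for net in BYPASS_SUBNETS)


def proxy_decision(destination: str, block_incompatible: bool = False) -> str:
    """Return 'inspect', 'bypass' or 'block' for a destination host or IP.

    block_incompatible mirrors the Block Incompatible Domains policy setting,
    which is disabled by default, so listed domains bypass SSL inspection.
    """
    if is_bypassed_ip(destination):
        return "bypass"      # assumption: the setting is not described as covering the subnets
    if is_bypassed_domain(destination):
        return "block" if block_incompatible else "bypass"
    return "inspect"


def evaluate(destinations, block_incompatible: bool = False) -> dict:
    """Map each destination to its action under the given policy setting."""
    return {d: proxy_decision(d, block_incompatible) for d in destinations}


if __name__ == "__main__":
    # Constructed sample destinations.
    sample = ["updates.apple.com", "notapple.com", "WEBEX.COM.",
              "20.50.235.17:443", "20.50.236.1", "[2001:db8::1]:443"]
    for setting in (False, True):
        print(f"Block Incompatible Domains = {setting}")
        for dest, action in evaluate(sample, setting).items():
            print(f"  {dest:24s} -> {action}")
```

Run it with the setting toggled both ways to see that only domain entries change from `bypass` to `block`, while non-listed destinations stay `inspect` and near-miss names such as `notapple.com` are not swept in by a substring match.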

Domains

Akamai frequently evaluates this list and may add more domains. The bypass list currently contains these domains.

Service or Application / Domain

Akamai
  • akamai.com
  • akamaihd.net
  • akamaietp.net
  • akanev.net
  • akaetp.net
  • akamaized.net
  • akamai-access.com
  • aktrials.com
  • akamaitechnologies.com
  • akadns.net
  • akamaiapis.net
  • akasecure.net
  • etp-research.info
  • akamaietpmitmbypasstest.com

Apple
  • apple.com
  • mzstatic.com
  • setup.icloud.com
  • gateway.icloud.com
  • contacts.icloud.com
  • caldav.icloud.com
  • swcdn.apple.com
  • updates.cdn-apple.com

Cisco
  • webex.com
  • wbx2.com
  • ciscospark.com
  • webexcontent.com


These IP subnets for Webex media services also bypass the proxy:

  • 20.50.235.0/24
  • 66.114.160.0/20
  • 20.53.87.0/24
  • 66.163.32.0/19
  • 20.57.87.0/24
  • 69.26.160.0/19
  • 20.68.154.0/24
  • 114.29.192.0/19
  • 20.76.127.0/24
  • 150.253.128.0/17
  • 20.108.99.0/24
  • 170.72.0.0/16
  • 20.120.238.0/23
  • 170.133.128.0/18
  • 23.89.0.0/16
  • 173.39.224.0/19
  • 40.119.234.0/24
  • 173.243.0.0/20
  • 44.234.52.192/26
  • 207.182.160.0/19
  • 52.232.210.0/24
  • 209.197.192.0/19
  • 62.109.192.0/18
  • 210.4.192.0/20
  • 64.68.96.0/19
  • 216.151.128.0/19

CrowdStrike
  • cloudsink.net

Dropbox
  • client.dropbox.com
  • d.dropbox.com
  • dropboxstatic.com
  • telemetry.dropbox.com
  • dl-debug.dropbox.com
  • client-web.dropbox.com
  • bolt.dropbox.com
  • dropboxapi.com

Facebook Messenger
  • web.facebook.com
  • edge-mqtt.facebook.com
  • graph.facebook.com

Google
  • accounts.google.com
  • accounts.youtube.com
  • ssl.gstatic.com
  • mail-attachment.googleusercontent.com
  • apidata.googleusercontent.com
  • mtalk.google.com
  • googleapis.com
  • googlehosted.l.googleusercontent.com

Lastline
  • lastline.com

McAfee
  • mcafee.com

Microsoft
  • msftncsi.com
  • msftconnecttest.com
  • crl.microsoft.com
  • activity.windows.com
  • teams.events.data.microsoft.com

Morgan Stanley
  • morganstanleyclientserv.com

Online Certificate Status Protocol
  • ocsp.digicert.com
  • ocsp.identrust.com
  • ocsp.affirmtrust.com
  • ocsp.comodoca.com
  • ocsp.comodoca2.com
  • ocsp.comodoca3.com
  • ocsp.comodoca4.com
  • ocsp.entrust.net
  • ocsp.geotrust.com
  • ocsp.globalsign.com
  • ocsp.godaddy.com
  • ocsp.netsolssl.com
  • ocsp.omniroot.com
  • ocsp.quovadisglobal.com
  • ocsp.root-x1.letsencrypt.org
  • ocsp.starfieldtech.com
  • ocsp.startssl.com
  • ocsp.swisssign.net
  • ocsp.thawte.com
  • ocsp.trust-provider.com
  • ocsp.trustwave.com
  • ocsp.usertrust.com
  • ocsp.verisign.com
  • ocsp.wosign.com
  • ocsp.ws.symantec.com
  • ocsp1.wosign.com
  • ocsp2.wosign.cn

Palo Alto Networks
  • paloaltonetworks.com

SentinelOne
  • usea1-edi.sentinelone.net

Speedtest
  • ooklaserver.net

Symantec LiveUpdate
  • liveupdate.symantecliveupdate.com

Trend Micro
  • trendmicro.com

VMware
  • hostupdate.vmware.com

X (formerly Twitter)
  • api.twitter.com
  • api-stream.twitter.com

Zoom
  • zoom.us

Other
  • aa.online-metrix.net
  • nai.com

Domains for Microsoft 365 Traffic

These domains also bypass SIA Proxy if you enable the Bypass Microsoft 365 Traffic setting in a policy. The Bypass Microsoft 365 Traffic setting retrieves the latest domains associated with Microsoft apps and services. As a result, these domains may change.

Domains
  • substrate.office.com
  • outlook.ha.office365.com
  • outlook.ms-acdc.office.com
  • ms-acdc.office.com
  • acdc-direct.office.com
  • outlook.live.com
  • edge.microsoft.com
  • yammer.com
  • azureedge.net
  • bing.com
  • onmicrosoft.com
  • outlook.com
  • cloudapp.net
  • sharepoint.com
  • microsoft.com
  • platform.linkedin.com