What is a one sentence summary of your feature request?
Adjust the DPI Allowlist for macOS endpoints to make it possible to exclude traffic from scanning by the Network Extension
Please describe your idea in detail. What is your problem, why do you feel this idea is the best solution, etc.
Hi everyone!
We want to share an idea that we've used in a real customer case.
The idea is to make it possible to exclude some resources in the DPI Allowlist not only from the DPI engine but from the macOS Network Extension as well (when the Intercept VPN option is ON in the EPP settings), so that the traffic from the specified resources will not be interrupted and, as a result, will not be scanned at all.
This feature should help in cases when a required resource cannot be reached due to the network configuration if the macOS Network Extension interrupts the traffic.
We already have experience of a test EPP build with this option helping with such an issue, and that is why we want it to be implemented in the official release.
At this point, we want to add that it would be perfect if this function worked not only with an IP range but with domain names as well.
Regarding domain names, we would suggest looking at adjusting the macOS EPP client to add a script that performs DNS resolution and then passes the resolved IP to the network extension level.
How do you currently solve the challenges you have by not having this feature?
As I’ve already mentioned, the test EPP client build with this option already helped with the issue of resource accessibility.