This document describes a problem that is encountered with the Cisco Web Security Appliance (WSA) when the Adobe Updater is unable to function properly.
There are no specific requirements for this document.
The information in this document is based on these software and hardware versions:
- Adobe Updater that connects to the download servers on the Akamai cloud
- Cisco WSA
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The Adobe Updater is unable to download updates through the WSA. A packet capture that is taken on the WSA reveals this:
- The Adobe Updater is used in order to attempt a range request download from an Akamai-hosted URL. The range request is an HTTP request that includes headers such as Accept-Ranges: xxx and Range: xxx, which indicates that the request is for specific bytes of data only.
- By default, the WSA converts this range request into a normal HTTP request and fetches all of the data (instead of specific bytes of data) from the Adobe Updater server. This occurs so that the WSA can perform optimal Anti-Malware scanning.
- The WSA then sends a 200 OK message to the Adobe Updater client. This is in accordance with RFC, as the range requests can be requested by clients, but not all servers are required to support this. For this reason, the client must also handle a non-range response for a range request.
The Adobe Updater client does not seem to support non-range responses (such as the 200 OK) and assumes that it will receive a range response (206 Partial Content) from the server, as the Adobe Updater servers support it.
It is stated in RFC 7233 that "Servers are free to ignore Range, many implementations will simply respond with the entire selected representation in a 200 (OK) response." However, both the server and the client are Adobe-owned in this case, so Adobe has the right to not accept the full (200) response.
You can enable range requests on the WSA so that it sends range requests to the servers and range responses to the client. In order to enable range requests, enter the rangerequestdownload command into the CLI and commit all changes.
Here is an example:
Range requests are currently Disabled.
Enabling range requests may allow malware to slip through. Range requests
may not be honored if using Application Visibility and Control.
Are you sure you want to change the setting? [N]> y
Please enter some comments describing your changes:
> range request enabled
Changes committed: Mon Jun 29 22:42:28 2015 EDT
Once the range request download is enabled on the WSA, the Adobe Updater client should work properly.