We have a problem when another solution uses a transparent proxy or an app proxy provider (Network Extension OTHER).
When this solution (Network Extension OTHER) is installed, our network extension (Network Extension AAA) receives exclusively the connections from the mentioned network extension (no flows are received from browsers or other applications; this is normal behaviour if the mentioned solution received the connections first).
In our network extension we redirect all the connections for all monitored apps. If we monitor the mentioned solution, we intercept all connections from the VPN (from Network Extension OTHER), but these connections are redirected to our local proxy. In our local proxy we analyze the traffic, and one connection is created from our local proxy to the server, which is intercepted again by the mentioned third-party solution (infinite loop).
If the VPN solution uses NETransparentProxyProvider, it can ignore our local proxy process so as not to monitor the flow again, and all is good.
If the VPN solution uses NEAppProxyProvider, it intercepts all the connections (also those from our local proxy) and we get into an infinite loop.
Our questions:
Is it possible to identify the original process (not network extension OTHER process)?
Can we force our network extension to receive the connection first?
Can we do something regarding this situation to avoid an infinite loop when another network extension is installed (in our environment)?
Do we have a solution to resolve this problem with 2 network extensions without involving the developers of the mentioned VPN solutions (Network Extension OTHER)? (We control only Network Extension AAA and the local proxy.)
Is it possible to identify the original process (not network extension OTHER process)?
There were some questions regarding this a while back and I am tracking a bug report on it (r. 78787101); however, I have not seen any progress as of yet.
Regarding:
Can we force our network extension to receive the connection first?
This can be done only if your Network System Extension was installed first.
Regarding:
Can we do something regarding this situation to avoid an infinite loop when another network extension is installed (in our environment)?
In general I recommend limiting the amount of traffic that you are concerned about to the traffic that fits your business case. For example, a NETransparentProxyProvider is often used as a mechanism to redirect business-level traffic for specific apps or address ranges, thus hopefully avoiding some of these situations. If this is not an option, you may want to discuss install options and what types of scenarios work best for your users in their environment, to make sure that your users are getting the most out of your application co-existing with others.
Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
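The two mitigations discussed in this thread, narrowing a NETransparentProxyProvider to the traffic that fits the business case and declining flows that originate from your own local proxy, as an added example (not code from either poster). It assumes a placeholder destination range 203.0.113.0/24 and a placeholder signing identifier com.example.aaa.localproxy for the local proxy process.

```swift
import NetworkExtension

// Added example: a NETransparentProxyProvider that captures only a limited
// destination range and steps aside for flows created by our own local proxy,
// so the proxy's outbound connections are not captured a second time (the loop
// described in the question). Both identifiers below are placeholders.
final class ScopedTransparentProxy: NETransparentProxyProvider {
    // Assumed code-signing identifier of the local proxy process (placeholder).
    private let localProxyIdentifier = "com.example.aaa.localproxy"

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // Only claim TCP traffic to the business address range (placeholder range).
        // Everything else is never offered to this provider, which is the
        // "limit to your business case" recommendation from the answer above.
        settings.includedNetworkRules = [
            NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "203.0.113.0", port: "0"),
                          prefix: 24,
                          protocol: .TCP)
        ]
        setTunnelNetworkSettings(settings) { error in
            completionHandler(error)
        }
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // A connection the local proxy opens toward the real server still matches
        // the included rules. Returning false tells the system to deliver that
        // flow normally instead of handing it back to us, which breaks the loop.
        if flow.metaData.sourceAppSigningIdentifier == localProxyIdentifier {
            return false
        }
        // Any other matching flow is claimed; the provider's existing logic that
        // opens the flow and redirects it to the local proxy continues from here.
        return true
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }
}
```

This only helps when the cooperating extension is the transparent proxy; an NEAppProxyProvider that claims every flow, as the question notes, cannot be skipped from your side.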