Monterey - Safari Proxy Bug

Joel_Rohland
New Contributor II

We have a strange proxy-bug on Monterey in Safari. Once a user connects to our corporate network, Safari can' t reach any pages. (Safari Can't Connect to the Server) If the user then opens Chrome, Safari immediately works again. Clearing the cache in Safari also solves the problem. Our proxy is configured correctly, on Big Sur everything works. Does anyone have the same Issue? Or already a solution?

21 REPLIES 21

mm2270
Legendary Contributor III

Can't say I've seen exactly what you describe, but I have had issues with Big Sur and Safari and our corporate proxy, where only sites or IPs that are specifically whitelisted to bypass the proxy will load in Safari, whereas Chrome works fine with all sites. So does Microsoft Edge. It's just Safari, and incidentally the App Store as well, which leads me to think it's an incompatibility with WebKit, since those 2 applications use Webkit and Chrome/Edge use the Chromium engine.

I have yet to test out Monterey with our proxy, and I'm so not looking forward to that! I get the feeling it's going to be more broken than ever.

Does your proxy require user authentication?

Joel_Rohland
New Contributor II

That' s also the case for us... Whitelisted pages still work in Safari. And yes, our proxy requires authentication. Did you find solution for the issue on Big Sur?

MS2020
New Contributor II

I would like to understand this better and if anyone has personal experiences to share please go ahead.

 

you use Kerberos to authenticate to your authenticated proxy. The pages will not load on safari.

if you whitelist the page to go direct - Kerberos will authenticate to the proxy

is the case onprem or via some sort of vpn like zpa (Zscaler)

are you using blue coat proxies? 
does the same setup work for windows and not Mac?

does chrome provide additional prompts for auth that safari does not?

who has this issue how did you resolve it?

Joel_Rohland
New Contributor II

In our case, the whole thing behaves exactly as you describe. (With Kerberos/whitlisted pages) Via VPN (Cisco-Anyconnect) and of course also in the corporate network. (Conifguration as Proxy .pac File.) Chrome browser doesn't provide additional proxy auth pop-ups, doing a search is enough for Safari to run again. We didn't found a solution yet, on Beta 3 (12.1) the Issue persists.

mm2270
Legendary Contributor III

Yeah, I'm seeing some real parallels here. We also use Cisco AnyConnect VPN and also use a Bluecoat proxy (with a .pac file). It seems like the combination of these items really does not work well with Safari in Big Sur/Monterey for whatever reason. Though I should note that even being in an office location and connected to company WiFi, the issue persists, which would indicate it's not a VPN problem. More of a proxy problem.

Although I'm sorry someone else is experiencing this, it's somewhat comforting to know it's not just us. It seems almost certain there is some incompatibility between these items. I just wish we were able to find a solution. But Apple support has been mostly unhelpful on this, so we've been left to our own devices to try to figure this out.

Joel_Rohland
New Contributor II

Yes, I'm glad about that too. There is also a discussion in macAdmins Slack channel.

Screenshot 2021-11-24 at 17.39.25.png

Screenshot 2021-11-24 at 17.37.39.png

Joel_Rohland
New Contributor II

Concerning the combination of these elements, I would think as follows. The Anyconnect client is probably not the reason, I asked several admins with this issue, they use all different VPN clients in their company. I also believe that the proxy configuration is not the main issue. Besides the .pac file we also tried it with the direct web proxy (HTTP) and the secure web proxy (HTTPS). This doesn't make any difference for us, issue still persists. @mm2270 Do you have a guess where the cause could be?

tylerreilly
New Contributor

Also seeing the same behavior in Safari when utilizing authenticated (Kerberos SSO) Automatic Proxy (PAC), Chrome and Edge are not impacted 

JPDyson
Valued Contributor

Just piling on, seeing this with a different VPN, behaving exactly like everyone here is describing. Just put Monterey on this Mac, same config worked fine in Big Sur. Hope everyone is filing bugs.

Edit: Appears to only affect proxy auth; seems to work fine w/the unauthenticated proxy

raymop
New Contributor

I just upgraded my Mac book pro to Monterey and coincidentally JAMF was pushed to my machine from our IT group.  

We have Cisco VPN.

And the problem is Chrome will open any web page, but safari will not open anything.  I repeat, chrome works but safari does not.  So, it's not exactly as Joel_Rohland posted, but similar.  Happens whether I'm logged into the VPN or not.

Apple support had me re-install Monterey from the recovery screen.  That did not fix the problem.

The next apple tech had me create a new user, and the problem still is there.

I may have to send my machine back to corporate and have them wipe the hard drive and re-image with Big Sur.

Really don't want to do that.  But, apple support is stumped.

Kyle-Johnston
New Contributor

Has anyone found a solution ?? 

we use the Payload identifyer for com.apple.systemconfig for our proxy config 

 

One Config file works fine 

 

Same config file with more exeptions for bypass dosnt work as attented. 

 

regards

K

MS2020
New Contributor II

Apple is fully aware of the issue -- now the voice of the people affected -- need to be heard 

How to do that --- easy reach out to your account rep and/or open a ticket with apple through their support panels

The combination seem to be (or might be a combination of:

Authenticated proxies and/or kerberized connections vs ntlm support on proxies-- and safari

Seen more on a vpn connection - but visibility on-prem as well 

Third party browsers seem to complete the authentication vs safari-- or opening both which establish the connection 

 

Get a sysdiagnose and trace with Wireshark- be prepared to work with apple - and not against them by not reporting it 

Lets get apple on top of it together --- cheers

azav68
New Contributor

We have had the same problem since mid-November when upgrading to Monterey, a case was opened in Apple's technical support, but there is no solution to it.
I created a topic on the Apple forum, since Apple technical support does not look at information on third-party forums, please write in the topic, maybe this will push Apple engineers to solve the problem 🙂

 

r10r
New Contributor

I have this problem too, using a proxy (squid) without authentication. Does anyone has a solution yet?

smithjw
New Contributor III

I've been testing 12.2 b2 and this issue seems to have been resolved for us. I would conduct testing with this beta of Monterey and confirm it also resolves the issue.

I just tested it as well and can confirm that the issue no longer exists for us.

MS2020
New Contributor II

Can you please Confirm 12.2 Public version related today still contains the fix-- we are still experiencing the issue :/

Anyone else still see this after update that dropped today

MS2020
New Contributor II

Do the people who had issues have Symantec Endpoint Protection 14.2ru2 or lower  -- Network Filter being disabled seems to fix it on first tests

aduk2021
New Contributor

With Monterey Apple have deprecated support for PAC files hosted on an HTTP server, which caused us the issues that have been described in this JAMF thread. 

macOS Monterey 12.0.1 Release Notes | Apple Developer Documentation

We will be delivering PAC file via HTTPS going forward which we expect will resolve the issues.

duff2481-1
Contributor

Our organization is not likely going to move to HTTPS PAC files.  Any others find workarounds? Still facing issues running 12.6. 

smithjw
New Contributor III

You don't really have a choice here. If you don't upgrade the PAC to be served over https, macOS will simply change the entered PAC File URL to https://. You may then face issues if there's no cert there.