When you choose the Application selector in the DNS, Network, or HTTP policy builder, the Value drop-down menu will show all supported applications and their respective app types. Alternatively, you can use the Gateway API to fetch a list of applications, app types, and ID numbers.
Applications that are incompatible with the TLS man-in the middle certificate that is required for Cloudflare Gateway’s proxy to function. These applications either use certificate pinning or send non-web traffic such as Session Initiation Protocol (SIP) or Extensible Messaging and Presence Protocol (XMPP) over TLS.
Some applications are incompatible with TLS decryption for a variety of reasons, one of which is certificate pinning. This is a process used by applications to verify that the TLS certificate presented from the origin server matches a known, specified list of certificates hardcoded in the application.
This is a countermeasure to man-in-the-middle attacks where an attacker presents a trusted, but false, certificate on behalf of the origin in order to decrypt the traffic. This is exactly what TLS interception in a Secure Web Gateway does, although for the purposes of securing a user’s web traffic.
Gateway automatically groups applications incompatible with TLS decryption into the Do Not Inspect app type. To ensure that traffic gets through to these applications, you can create an HTTP policy for all Do Not Inspect applications.
Gateway periodically updates the Do Not Inspect app type to include new applications. By creating this Do Not Inspect HTTP policy and selecting all applications within the Do Not Inspect app type, you will ensure that your Do Not Inspect policy will apply to any new applications added to the app type.
Cloudflare Zero Trust allows you to perform one-click actions to accelerate Office 365 traffic. The following actions are available in the Zero Trust dashboardOpen external link under Settings > Network > Integrated Experiences: