Problem
The Cycle login process uses the Cycle Labs Azure B2C instance to complete the authentication process and grant an access token for using Cycle.
If the machine Cycle is installed on is behind a firewall or proxy, Cycle may not be able to reach the Cycle Labs Azure B2C authentication instance.
Certain firewall or proxy configurations may prevent the authentication process from working properly, and you may experience issues using the Cycle application.
Cycle may fail to redirect you to the login page and stay in a "Loading..." state.
Solution
The sections below describe several different network configurations that might need to be modified or addressed in order to complete the authentication process and secure an access token.
Authentication Workflow
The diagram below provides details for each step that runs in the background during the authentication process. It is not meant to be exhaustive; it simply shows the general flow of what happens from the moment you launch the Cycle application until authentication succeeds.
URL Whitelisting
Web traffic to the URLs listed below needs to be allowed to complete the authentication process and secure an access token. If your firewall is preventing communication with any of the URLs listed below, the authentication process may not be able to properly complete.
For all the endpoints listed below, Cycle will use your client network interface’s primary DNS server for name resolution. It is coded to use hostnames in lieu of IP addresses and many of our endpoints resolve to a pool of IP addresses. For this reason, building your exception policies using IP addresses is strongly discouraged.
Please work with your organization's IT team to whitelist the following URLs:
- https://cyclelabsproduction.b2clogin.com/
- https://app.cyclelabs.io/
- https://userflow.cyclelabs.io
- https://events.cyclelabs.io
- https://content.product.cyclelabs.io
- https://data.product.cyclelabs.io
- https://graph.windows.net
- https://graph.microsoft.com
- https://login.microsoftonline.com/
Please Note: Attempting to navigate to the URLs listed above is not sufficient in determining if your network firewall is preventing or allowing the necessary communication. Your organization's network team will need to examine the web traffic to the URLs during Cycle authentication and whitelist the URLs if they are being blocked.
We understand your network team may require some additional information on the specific URLs that need to be whitelisted. In some instances, you may need to know the IP address associated with the URL. Some of the URLs have static IP assignments whereas others have dynamic IP assignments and are subject to change. Please find additional IP information for the URLs below. If you need any additional information about any of these URLs, please reach out to help@cyclelabs.io, and we will provide you the additional information.
- https://cyclelabsproduction.b2clogin.com/ - CNAME record pointing to prda.aadg.msidentity.com which points to a pool of A records with various IP addresses that are dynamic and subject to change.
- https://app.cyclelabs.io/ - CNAME record pointing to cyclecloud.azurewebsites.net. This sits on a static public IP of 20.119.16.35.
- https://userflow.cyclelabs.io - CNAME record pointing to cycleuserflow.azurewebsites.net. This sits on a static public IP of 20.119.0.44.
- https://events.cyclelabs.io - CNAME record pointing to cycleeventproxy.azurewebsites.net. This sits on a static public IP of 20.119.8.29.
- https://content.product.cyclelabs.io - CNAME record pointing to our Pendo site which points to a pool of A records with various IP addresses that are dynamic and subject to change.
- https://data.product.cyclelabs.io - CNAME record pointing to our Pendo site which points to a single IP that is dynamic and subject to change.
- https://graph.windows.net - Microsoft-controlled IP address that is dynamic and subject to change.
- https://graph.microsoft.com/ - Microsoft-controlled IP address that is dynamic and subject to change.
SSL Packet Inspection Considerations
If you are behind a firewall or network security platform (such as Zscaler) that enforces packet inspection on SSL traffic, you will need to make exclusions for the above endpoints to avoid authentication errors. SSL inspection can interfere with the secure communication Cycle requires to obtain an access token from Azure B2C. Ensure your network security platform is configured to allow SSL traffic to pass through unimpeded for these specific endpoints.
Your organization's network team should be able to inspect the traffic that is passing through your firewall or network security platform at the time of authentication and allow any blocked traffic.
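One way to confirm that an SSL inspection exclusion is actually in effect is to look at who issued the certificate each endpoint presents from the affected machine. The script below is an added example, not part of Cycle or the original article. It assumes direct or transparent-proxy egress on port 443, and the marker list is a placeholder to extend with your own inspection CA's name.

```python
import socket
import ssl

# Hostnames taken from the allowlist on this page.
CYCLE_AUTH_HOSTS = [
    "cyclelabsproduction.b2clogin.com", "app.cyclelabs.io",
    "userflow.cyclelabs.io", "events.cyclelabs.io",
    "content.product.cyclelabs.io", "data.product.cyclelabs.io",
    "graph.windows.net", "graph.microsoft.com", "login.microsoftonline.com",
]
# Assumption: substrings that identify your inspection CA; add your corporate root's name.
INSPECTION_MARKERS = ("zscaler",)


def issuer_fields(cert):
    """Flatten the nested issuer RDN tuples from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}


def classify(cert, markers=INSPECTION_MARKERS):
    """Return 'inspected' if the issuer names an inspection CA, else 'direct'."""
    fields = issuer_fields(cert)
    text = " ".join(fields.get(k, "") for k in ("organizationName", "commonName")).lower()
    return "inspected" if any(m.lower() in text for m in markers) else "direct"


def check_host(host, timeout=5.0):
    """Handshake with host:443 and report who issued the certificate we were shown."""
    ctx = ssl.create_default_context()  # validates against the system trust store
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Chain did not validate: often a re-signing CA this machine does not trust.
        return host, "untrusted-issuer", exc.verify_message
    except OSError as exc:
        # DNS failure, blocked port, reset or timeout.
        return host, "unreachable", str(exc)
    issuer = issuer_fields(cert)
    return host, classify(cert), issuer.get("organizationName") or issuer.get("commonName", "")


if __name__ == "__main__":
    for host in CYCLE_AUTH_HOSTS:
        print("%-40s %-16s %s" % check_host(host))
```

A "direct" result for every host shows only that this script's connections were not re-signed; the network team's review of traffic during Cycle authentication remains the authoritative check.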
Make Cycle Proxy-Aware
If the device you are running Cycle on is behind a web proxy, you will need to make Cycle proxy-aware so that the authentication process can complete and an access token can be retrieved from the Azure B2C server.