Network Requirements for Streaming Responses

Leena AI streams chat responses to the browser in real time. On most networks this works out of the box. However, if your organization routes traffic through an SSL inspection proxy — such as Netskope, Zscaler, Palo Alto Networks, Forcepoint, or a similar secure web gateway — a small configuration change may be required for responses to display correctly.

This page is written for IT, network, and security teams. It explains what Leena AI's streaming connection is, why SSL inspection can interfere with it, and the two configuration options to resolve it.

📘

Who should read this?

If your users see responses that never finish loading — a persistent loading animation, a "Response interrupted" message, or replies that only appear after a long delay — and the same users have no issues off the corporate network (e.g., on home Wi-Fi or mobile data), this page describes the fix.


How Leena AI streams responses

Leena AI delivers chat responses using Server-Sent Events (SSE) — a standard, long-lived HTTPS connection with the content type text/event-stream. Instead of waiting for the full response to be generated and sending it all at once, the server sends the response to the browser incrementally, as it is produced.

This is the same delivery mechanism used by most modern AI products, including Microsoft Copilot and ChatGPT.

Key characteristics of the connection:

PropertyValue
ProtocolHTTPS (TLS)
Content typetext/event-stream
Connection lifetimeLong-lived; remains open while a response streams
Keep-aliveServer sends a heartbeat comment every 15 seconds
DirectionServer → browser (response streaming only)

Why SSL inspection breaks streaming

SSL inspection proxies decrypt HTTPS traffic, scan the content, and re-encrypt it before forwarding it to the user. To scan a response, most proxies buffer the entire response body until it is complete.

This buffering model conflicts with streaming connections by design:

  • The Leena AI server keeps the connection open, sending data incrementally.
  • The proxy waits for the response to "finish" before releasing anything to the browser.
  • The response never "finishes" in the way the proxy expects — so the browser receives nothing, or receives everything at once only after the connection times out.

From the user's perspective, the chat appears stuck: the loading animation runs indefinitely, or the response is marked as interrupted.

⚠️

This is not a Leena AI defect and not a decryption problem.

The connection is established successfully and TLS inspection itself succeeds. The issue is specifically the proxy's response buffering behavior applied to a streaming content type. Any product that streams responses over SSE is affected the same way — Microsoft and OpenAI both publish equivalent configuration guidance for their streaming endpoints.

How to confirm this is your issue

  1. Have an affected user open the browser's developer tools (Network tab) and send a message in Leena AI.
  2. Look for a request with content type text/event-stream.
  3. On an affected network, this request stays in a (pending) state indefinitely, even though the same request completes with a clean 200 OK off the corporate network.

If you see this pattern, proceed to the configuration options below.


Configuration options

There are two ways to resolve this, in order of preference. Both preserve your security controls — see the comparison table for exactly what each option retains.

Option 1 — Streaming exemption (recommended)

Configure your proxy to exempt text/event-stream responses from response buffering for the Leena AI domains listed below.

With this option, traffic is still decrypted and still inspected. Everything users submit continues to pass through your DLP and content controls as normal. Only the response buffering behavior changes — the proxy passes streamed data through as it arrives instead of holding it.

Vendor terminology varies. Look for settings named:

  • Streaming exemption or streaming media bypass
  • Response buffering bypass
  • Content-type exception (for text/event-stream)

Option 2 — SSL inspection bypass

If your proxy does not support a streaming exemption, add the Leena AI domains listed below to your SSL inspection bypass (do-not-decrypt) list.

With this option, the bypassed traffic is not decrypted, but you retain URL filtering, allow/block controls, and connection logging on it.

What each option preserves

Security controlOption 1 — Streaming exemptionOption 2 — SSL bypass
TLS decryption & content inspection✅ Retained❌ Bypassed for listed domains
DLP on user-submitted content✅ Retained❌ Bypassed for listed domains
URL filtering & allow/block controls✅ Retained✅ Retained
Connection logging✅ Retained✅ Retained

Domains to configure

Apply the chosen option to the domain(s) matching your Leena AI environment:

EnvironmentDomain
Sandboxsandbox-chat.leena.ai
ProductionContact your Leena AI representative for the streaming domain(s) for your production region.
📘

Scope note

Only the streaming (chat) domains require this configuration. Other Leena AI domains — dashboards, APIs, and static assets — use standard request/response patterns and are fully compatible with SSL inspection without any changes.


Vendor-specific pointers

The exact location of these settings varies by product and version. The following are starting points — consult your vendor's documentation for authoritative steps.

VendorWhere to look
NetskopeSteering configuration → exceptions; or Real-time Protection policy with a "Do Not Decrypt" action for the listed domains.
ZscalerSSL Inspection policy → "Do Not Inspect" rule; or streaming/bandwidth-class exemptions for text/event-stream.
Palo Alto NetworksDecryption policy → "No Decrypt" rule for the listed domains; review Content-ID response buffering settings.
ForcepointSSL decryption bypass (category or destination-based) for the listed domains.
👍

Precedent

Both Microsoft (for Copilot) and OpenAI (for ChatGPT) officially recommend excluding their streaming endpoints from SSL inspection or response buffering. If your organization already uses those products, you likely have an equivalent configuration in place that can serve as a template.


Verifying the fix

After applying either option:

  1. Have an affected user (on the corporate network) refresh Leena AI and send a message.
  2. The response should begin appearing within a few seconds and render word by word.
  3. In the browser's Network tab, the text/event-stream request should show data arriving continuously rather than sitting in (pending).

If issues persist after configuration, capture a HAR file from the affected browser session and share it with your Leena AI support contact.


FAQ

Does this weaken our security posture?
Option 1 does not — traffic remains decrypted and inspected; only response buffering changes. Option 2 bypasses decryption for the specific listed domains only, while URL filtering and logging remain in place.

Why can't Leena AI just turn off streaming for our tenant?
Streaming is core to the product experience — it delivers responses as they are generated rather than after a long wait. Disabling it would trade this issue for significantly higher perceived latency for every user, on every message.

Is WebSocket traffic affected too?
Leena AI also uses WebSocket connections for real-time updates. Most SSL inspection products handle WebSockets separately from response buffering, but if you observe connection issues after fixing streaming, include WebSocket traffic for the same domains in your exemption.

Who do I contact with questions?
Reach out to your Leena AI Customer Success Manager or Solutions Engineer, or raise a ticket with Leena AI support. Include your proxy vendor and the environment (sandbox/production) you're configuring.