Network Requirements for Streaming Responses
Leena AI streams chat responses to the browser in real time. On most networks this works out of the box. However, if your organization routes traffic through an SSL inspection proxy — such as Netskope, Zscaler, Palo Alto Networks, Forcepoint, or a similar secure web gateway — a small configuration change may be required for responses to display correctly.
This page is written for IT, network, and security teams. It explains what Leena AI's streaming connection is, why SSL inspection can interfere with it, and the two configuration options to resolve it.
Who should read this?If your users see responses that never finish loading — a persistent loading animation, a "Response interrupted" message, or replies that only appear after a long delay — and the same users have no issues off the corporate network (e.g., on home Wi-Fi or mobile data), this page describes the fix.
How Leena AI streams responses
Leena AI delivers chat responses using Server-Sent Events (SSE) — a standard, long-lived HTTPS connection with the content type text/event-stream. Instead of waiting for the full response to be generated and sending it all at once, the server sends the response to the browser incrementally, as it is produced.
This is the same delivery mechanism used by most modern AI products, including Microsoft Copilot and ChatGPT.
Key characteristics of the connection:
| Property | Value |
|---|---|
| Protocol | HTTPS (TLS) |
| Content type | text/event-stream |
| Connection lifetime | Long-lived; remains open while a response streams |
| Keep-alive | Server sends a heartbeat comment every 15 seconds |
| Direction | Server → browser (response streaming only) |
Why SSL inspection breaks streaming
SSL inspection proxies decrypt HTTPS traffic, scan the content, and re-encrypt it before forwarding it to the user. To scan a response, most proxies buffer the entire response body until it is complete.
This buffering model conflicts with streaming connections by design:
- The Leena AI server keeps the connection open, sending data incrementally.
- The proxy waits for the response to "finish" before releasing anything to the browser.
- The response never "finishes" in the way the proxy expects — so the browser receives nothing, or receives everything at once only after the connection times out.
From the user's perspective, the chat appears stuck: the loading animation runs indefinitely, or the response is marked as interrupted.
This is not a Leena AI defect and not a decryption problem.The connection is established successfully and TLS inspection itself succeeds. The issue is specifically the proxy's response buffering behavior applied to a streaming content type. Any product that streams responses over SSE is affected the same way — Microsoft and OpenAI both publish equivalent configuration guidance for their streaming endpoints.
How to confirm this is your issue
- Have an affected user open the browser's developer tools (Network tab) and send a message in Leena AI.
- Look for a request with content type
text/event-stream. - On an affected network, this request stays in a
(pending)state indefinitely, even though the same request completes with a clean200 OKoff the corporate network.
If you see this pattern, proceed to the configuration options below.
Configuration options
There are two ways to resolve this, in order of preference. Both preserve your security controls — see the comparison table for exactly what each option retains.
Option 1 — Streaming exemption (recommended)
Configure your proxy to exempt text/event-stream responses from response buffering for the Leena AI domains listed below.
With this option, traffic is still decrypted and still inspected. Everything users submit continues to pass through your DLP and content controls as normal. Only the response buffering behavior changes — the proxy passes streamed data through as it arrives instead of holding it.
Vendor terminology varies. Look for settings named:
- Streaming exemption or streaming media bypass
- Response buffering bypass
- Content-type exception (for
text/event-stream)
Option 2 — SSL inspection bypass
If your proxy does not support a streaming exemption, add the Leena AI domains listed below to your SSL inspection bypass (do-not-decrypt) list.
With this option, the bypassed traffic is not decrypted, but you retain URL filtering, allow/block controls, and connection logging on it.
What each option preserves
| Security control | Option 1 — Streaming exemption | Option 2 — SSL bypass |
|---|---|---|
| TLS decryption & content inspection | ✅ Retained | ❌ Bypassed for listed domains |
| DLP on user-submitted content | ✅ Retained | ❌ Bypassed for listed domains |
| URL filtering & allow/block controls | ✅ Retained | ✅ Retained |
| Connection logging | ✅ Retained | ✅ Retained |
Domains to configure
Apply the chosen option to the domain(s) matching your Leena AI environment:
| Environment | Domain |
|---|---|
| Sandbox | sandbox-chat.leena.ai |
| Production | Contact your Leena AI representative for the streaming domain(s) for your production region. |
Scope noteOnly the streaming (chat) domains require this configuration. Other Leena AI domains — dashboards, APIs, and static assets — use standard request/response patterns and are fully compatible with SSL inspection without any changes.
Vendor-specific pointers
The exact location of these settings varies by product and version. The following are starting points — consult your vendor's documentation for authoritative steps.
| Vendor | Where to look |
|---|---|
| Netskope | Steering configuration → exceptions; or Real-time Protection policy with a "Do Not Decrypt" action for the listed domains. |
| Zscaler | SSL Inspection policy → "Do Not Inspect" rule; or streaming/bandwidth-class exemptions for text/event-stream. |
| Palo Alto Networks | Decryption policy → "No Decrypt" rule for the listed domains; review Content-ID response buffering settings. |
| Forcepoint | SSL decryption bypass (category or destination-based) for the listed domains. |
PrecedentBoth Microsoft (for Copilot) and OpenAI (for ChatGPT) officially recommend excluding their streaming endpoints from SSL inspection or response buffering. If your organization already uses those products, you likely have an equivalent configuration in place that can serve as a template.
Verifying the fix
After applying either option:
- Have an affected user (on the corporate network) refresh Leena AI and send a message.
- The response should begin appearing within a few seconds and render word by word.
- In the browser's Network tab, the
text/event-streamrequest should show data arriving continuously rather than sitting in(pending).
If issues persist after configuration, capture a HAR file from the affected browser session and share it with your Leena AI support contact.
FAQ
Does this weaken our security posture?
Option 1 does not — traffic remains decrypted and inspected; only response buffering changes. Option 2 bypasses decryption for the specific listed domains only, while URL filtering and logging remain in place.
Why can't Leena AI just turn off streaming for our tenant?
Streaming is core to the product experience — it delivers responses as they are generated rather than after a long wait. Disabling it would trade this issue for significantly higher perceived latency for every user, on every message.
Is WebSocket traffic affected too?
Leena AI also uses WebSocket connections for real-time updates. Most SSL inspection products handle WebSockets separately from response buffering, but if you observe connection issues after fixing streaming, include WebSocket traffic for the same domains in your exemption.
Who do I contact with questions?
Reach out to your Leena AI Customer Success Manager or Solutions Engineer, or raise a ticket with Leena AI support. Include your proxy vendor and the environment (sandbox/production) you're configuring.
