iTunes Proxy Issues or creating mass network objects

Proxy phobos.apple.com

6 replies to this topic

#1 Manfred Halper

Manfred Halper
  • Barracuda Guru
  • 84 posts

Posted 07 November 2012 - 10:10 AM

Hello,

Currently I'm trying to get iTunes working over the proxy but fail. We are using authentication on our proxy and iTunes does it wrong; it never authenticates successfully.

Checking the proxy logs I see that it never sends any authentication with the GET or CONNECT requests. Proxy authentication is against AD, MS_CHAPv2 is set. IExplorer and several other browsers are working just fine with the proxy.

Step Two:
I tried to allow iTunes directly (without proxy). So far so good, but for downloads Apple uses server names like a***.phobos.apple.com. The range is from a1.phobos.apple.com to a1999.phobos.apple.com.

Entering the names by hand is just silly, so I thought there might be a way to create these objects via a nifty script or something like that. I need to create 1999 DNS-resolved network objects automatically.

Any suggestions on both issues?

Greetz
Manfred.

#2 Thomas Unterleitner

Thomas Unterleitner
  • Barracuda Team Members
  • 1 posts

Posted 07 November 2012 - 10:51 AM

Hi Manfred,

you could exclude the Apple download servers from authentication by using wildcard/regex based ACLs. This setting is available in the HTTP Proxy configuration. Let me know if you need more information on proxy configuration.

HTH,
Bernhard Patsch

#3 Manuel Huber

Manuel Huber
  • Members
  • 35 posts

Posted 08 November 2012 - 03:46 AM

Hi,
I'm interested in a solution for this as well.
In our customer's configuration *.apple.com is already permitted without authentication. Still, a popup appears every time iTunes is started (and probably afterwards again). It seems to be a problem only of recent iTunes versions according to our customer and e.g. this forum:
http://www.astaro.org/gateway-products/web-protection-web-filtering-application-visibility-control/37555-cannot-access-itunes-over-web-proxy-2.html
Unfortunately, in our tests iTunes always wanted to have access to websites which seem not to be related to *.apple.com, but pretty random sites from maybe partner companies. So no idea how to write a fitting ACL...

#4 Teemu Schaabl

Teemu Schaabl
  • Members
  • 40 posts

Posted 08 November 2012 - 07:21 AM

hi,

check out http://www.useragentstring.com/pages/iTunes/ and Knowledgebase Article 00005329 - it should be possible for you to create an ACL based on iTunes Useragent String.

br,

#5 Manfred Halper

Manfred Halper
  • Barracuda Guru
  • 84 posts

Posted 08 November 2012 - 09:40 AM

Hello Thomas Unterleitner a.k.a. Bernhard Patsch :)

I thought if I have activated authentication on the proxy server there is no way to circumvent it. As far as I knew you either activate or deactivate authentication.

Am I right that you suppose that I can circumvent the authentication issue by adding all the necessary sites to regex expressions?
So I would make one rule with port HTTP, protocol HTTP and the iTunes URLs, and a second rule with port HTTPS, protocol CONNECT and the iTunes URL. Both rules without the User Authentication ACL entries, and it will work?

I tried this with the ax.init.itunes.apple.com.

I copied the rule I created so that we have a better basis for what we're talking about and where I go wrong.

CONFDEF server/proxy/squid partial 5.2

[actions_iTunes]
GD =
PRIORITY = 4
ACTION = Allow
ENTRY[0] = PortHttp
ENTRY[1] = ProtocolHttp
ENTRY[2] = URLiTunes
MAXFILESIZE = 50
DESCR =


Do you have a working configuration for that?

Greetz and Thanks
Manfred.

#6 Manfred Halper

Manfred Halper
  • Barracuda Guru
  • 84 posts

Posted 12 November 2012 - 05:03 AM

Okay, after thorough testing I got it working.

I tried different approaches to the issue:
  • Rule just containing *.apple.com and *.mzstatic.com, one time as URL and another as URL path == UNSUCCESSFUL
  • Rule just containing .apple.com and .mzstatic.com one time as Destination Domain == UNSUCCESSFUL
  • Adding with the support some configuration details in the generic Squid.conf entries == Proxy NOT WORKING
  • Rule just containing iTunes/10.7.0 as Browser ACL == UNSUCCESSFUL
  • 2 rules. From the priority's point of view these rules were the topmost rules in the configuration: == UNSUCCESSFUL
    • Rule containing CONNECT + IPClients (network from clients) + Destination Domain (.apple.com and .mzstatic.com)
    • Rule containing Port 80 + http + IPClients (network from clients) + Destination Domain (.apple.com and .mzstatic.com)
  • The exact same configuration but I changed the ACL priority to 1 and 2 ==> SUCCESS
Honestly I don't get why the last step was necessary, nor do I understand why I had to construct a more complex rule so that the proxy recognizes it.

I think you can achieve the same result using the Browser ACL instead of destination domain, but this means every time iTunes gets an update you have to add the new signature. This can be seen as an annoyance or as an improvement since the destination domain solution accepts any iTunes Client.

Hope this helps somebody.

Greetz
Manfred.

#7 Teemu Schaabl

Teemu Schaabl
  • Members
  • 40 posts

Posted 13 November 2012 - 06:56 AM

[...]

I think you can achieve the same result using the Browser ACL instead of destination domain, but this means every time iTunes gets an update you have to add the new signature. This can be seen as an annoyance or as an improvement since the destination domain solution accepts any iTunes Client.

Hope this helps somebody.

Greetz
Manfred.


Using the user-agent doesn't involve writing the _exact_ string. The field takes RegExs; as long as "itunes" is mentioned in the useragent string you're good to go. Downside: anyone knowing that could bypass authentication.

br,
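
Added example, not part of any post in this thread and not Barracuda's own code: a small Python model that compares the two authentication exemptions discussed above (Destination Domain versus Browser ACL) and shows an anchored pattern covering exactly a1 to a1999.phobos.apple.com. The first-match evaluation order, the action names and the sample requests are assumptions made for the illustration; how the Barracuda rule priorities map onto that model is not stated in the thread.

```python
import re

# Anchored pattern for exactly a1 .. a1999.phobos.apple.com (range from post #1).
PHOBOS_RE = re.compile(r"^a(?:[1-9]\d{0,2}|1\d{3})\.phobos\.apple\.com$", re.I)
# Browser ACL as described in post #7: any User-Agent that mentions "itunes".
ITUNES_UA_RE = re.compile(r"itunes", re.I)
EXEMPT_DOMAINS = (".apple.com", ".mzstatic.com")  # domains named in post #6

def dstdomain_match(host, pattern):
    """Squid-style dstdomain: a leading dot matches the domain and all subdomains."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def by_domain(req):
    return any(dstdomain_match(req["host"], d) for d in EXEMPT_DOMAINS)

def by_browser(req):
    return bool(ITUNES_UA_RE.search(req["ua"]))

def need_auth(_req):
    return True  # catch-all rule that demands proxy authentication

def decide(req, rules):
    """Action of the first matching rule, lowest priority number first
    (assumed evaluation model: first match wins)."""
    for _prio, action, matcher in sorted(rules, key=lambda r: r[0]):
        if matcher(req):
            return action
    return "deny"

# Constructed sample requests (not taken from real proxy logs).
REQUESTS = {
    "itunes_download": {"host": "a1999.phobos.apple.com", "ua": "iTunes/10.7.0"},
    "other_client":    {"host": "files.example.net", "ua": "tool/1.0 itunes"},
    "lookalike_host":  {"host": "apple.com.example.net", "ua": "Mozilla/5.0"},
}
DOMAIN_POLICY = [(1, "allow-noauth", by_domain), (9, "require-auth", need_auth)]
BROWSER_POLICY = [(1, "allow-noauth", by_browser), (9, "require-auth", need_auth)]
AUTH_FIRST = [(1, "require-auth", need_auth), (2, "allow-noauth", by_domain)]

def audit(policy):
    """Map each sample request to the action the policy would take."""
    return {name: decide(req, policy) for name, req in REQUESTS.items()}

if __name__ == "__main__":
    for label, policy in (("domain", DOMAIN_POLICY), ("browser", BROWSER_POLICY),
                          ("auth-first", AUTH_FIRST)):
        print(label, audit(policy))
```

Under the Browser ACL policy the request to an unrelated host is exempted purely because of its User-Agent, while the Destination Domain policy exempts only traffic to the listed domains; with the authentication rule evaluated first, the exemption is never reached.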