iTunes - Registering iPods

Unanswered Question
Jan 14th, 2009

Has anyone had issues with iTunes going through an S650 in transparent mode using NTLM? If we use the IE proxy settings we can get the iTunes Store, but I still see lots of deny statements in the access logs. Also, registering new devices via iTunes doesn't seem to work? Just curious.
Thanks

jowolfer Thu, 01/15/2009 - 16:18

We've seen the following problem with iTunes:

iTunes supports both basic and NTLM authentication, but it does not send additional cookies that have been set. For this reason, iTunes will hang when using cookies as the authentication credential caching method.

iTunes does send a cookie with each GET, but it will not send the credential cookie that the WSA sets, causing an authentication loop.

To work around this issue, one of the following must be done:
------------------------------------------
1. Use IP credential caching instead of cookie.

2. Add the following domains to the authentication destination exemptions list:

.phobos.apple.com
phobos.apple.com
ax.phobos.apple.com.edgesuite.net
metrics.apple.com

3. Bypass authentication for the "iTunes" User-agent string (AsyncOS 5.6+)

Example: User-Agent: iTunes/7.6.2 (Windows; U; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) DPI/96
------------------------------------------
NOTE: This information is valid for iTunes version 7.6.2.9. This may change in future versions.

spoonman_ironport Thu, 01/29/2009 - 15:59

I have this coming across our access logs....
iTunes/7.6.2 (Windows; N) ... how can I allow this agent for just one access policy, or do I have to allow it globally?

jowolfer Fri, 01/30/2009 - 16:42

Spoonman,

In your new Access policy, under 'Advanced', there is a User-Agent section. You can modify this to force the policy to only apply to the specific user-agent.

spoonman_ironport Mon, 03/30/2009 - 19:50

OK, I've had no luck with this. Is there a way to allow that application? I don't want to add it as a user agent, as it will then block everything else. Is there somewhere to add it to allow?

jowolfer Tue, 03/31/2009 - 15:43

Spoonman,

I'm not sure what you mean by:

"...it will then block everything else"

This depends on your policy. You may need two rules for what you're trying to do.

Rule 1: Match the iTunes agent and do accordingly
Rule 2: All else

Jtruxton_ironport Wed, 05/13/2009 - 15:27

We updated our IronPort to version 6.0.0-530 and since then we can't seem to get Apple's App Store to work through iTunes. We have many users with the iPhone and they are really freaking out :)

Since we have some generic users we are using session cookies instead of IP for authentication, and I just can't seem to get it to work.

I tried following the directions above. I did put those URLs listed above into the destinationAuthExempt list, as well as a custom URL category, hoping that would work, but no luck.

We are using iTunes 8.1.0. Is there any other info I can give so that maybe someone can walk a n00b through getting this to allow my boss to purchase apps for his iPhone?

Many thanks!

jowolfer Thu, 05/14/2009 - 16:15

The only known problems I'm aware of with iTunes are that authentication won't work (it needs to be exempted, as you've stated) and that HTTPS needs to be passthrough (iTunes checks the Apple cert and knows when it's being spoofed).

I recommend pulling the access logs to see what is really being requested. Maybe they added a content server that we don't know about, that also needs auth exempting.

Figure out what the IP of the iphone is and then grep the logs. Let's see what it's requesting.

To grep the access logs for this entry, run the following from the CLI:
------------------------------------------
1. Grep
2. Enter the number of the log you wish to grep: 1 (for accesslogs)
3. Enter the regular expression to grep: .*
4. Do you want this search to be case insensitive?: Y
5. Do you want to paginate the output?: N
------------------------------------------

You can also do the 'tail' command and add a grep line to it in order to see real time logs.

Jtruxton_ironport Thu, 05/14/2009 - 18:13

Maybe I am doing something wrong... I did notice that when I used the "session cookie" credential cache, that is when it blocks. This is what I get in the log files:

1242321020.770 0 172.31.60.15 TCP_DENIED/401 404 GET http://iron/B0000D0000N0001/http://ax.init.itunes.apple.com/WebObjects/M... - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE <-,-,-,-,-,-,-,-,-,-,-,-,-,-,-> - "-" "-"


I really appreciate all your help :)

jowolfer Fri, 05/15/2009 - 15:21

TCP_DENIED/401 isn't specifically a block, it's a request for authentication.

Make sure that in your auth exemption category / rule, you specify ax.init.itunes.apple.com, or .apple.com if you want all hosts on apple.com to be exempt.
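As an added example (not code from this thread, nor from Cisco/IronPort), the following Python script does offline what jowolfer's grep procedure and the reading of TCP_DENIED/401 above do by hand: it filters the access log by client IP, separates 401 authentication challenges from real policy blocks, strips the transparent-mode redirect wrapper (assumed here to be http://<auth-host>/<token>/<original URL>, as in Jtruxton's line) to recover the host actually being requested, and reports which of those hosts are not yet covered by the exemption list. The field layout is assumed from the single line quoted in the thread, with the first double-quoted field after the <...> verdict block taken to be the User-Agent; the leading-dot semantics of the exemption entries (".apple.com" covers the domain and all subdomains, a bare hostname matches exactly) are likewise an assumption about the WSA custom-category matching. All log lines below are constructed for the example.

```python
"""Triage WSA access-log lines: which hosts still get 401 auth challenges?"""
import re
from urllib.parse import urlsplit

# Constructed sample lines in the squid-style layout quoted in the thread.
# Hostnames are those discussed there; paths, timestamps and the second
# client (10.0.0.7) are made up for this example.
SAMPLE_LOG = """\
1242321020.770 0 172.31.60.15 TCP_DENIED/401 404 GET http://iron/B0000D0000N0001/http://ax.init.itunes.apple.com/WebObjects/example.woa/wa/init - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE <-,-,-,-,-,-,-,-,-,-,-,-,-,-,-> - "-" "-"
1242321021.102 0 172.31.60.15 TCP_DENIED/401 404 GET http://iron/B0000D0000N0002/http://ax.phobos.apple.com.edgesuite.net/WebObjects/example.woa/wa/top - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE <-,-,-,-,-,-,-,-,-,-,-,-,-,-,-> - "-" "-"
1242321025.440 312 172.31.60.15 TCP_MISS/200 15832 GET http://metrics.apple.com/b/ss/example - DIRECT/metrics.apple.com text/plain DEFAULT_CASE-DefaultGroup-DefaultGroup-NONE-NONE-NONE <-,-,-,-,-,-,-,-,-,-,-,-,-,-,-> - "iTunes/8.1 (Windows; N)" "-"
1242321030.001 5 172.31.60.15 TCP_DENIED/403 1200 GET http://www.example.com/blocked.exe - NONE/- - BLOCK_WEBCAT-DefaultGroup-DefaultGroup-NONE-NONE-NONE <-,-,-,-,-,-,-,-,-,-,-,-,-,-,-> - "iTunes/8.1 (Windows; N)" "-"
1242321031.500 40 10.0.0.7 TCP_MISS/200 900 GET http://www.example.org/ - DIRECT/www.example.org text/html DEFAULT_CASE-DefaultGroup-DefaultGroup-NONE-NONE-NONE <-,-,-,-,-,-,-,-,-,-,-,-,-,-,-> - "Mozilla/5.0" "-"
"""

# Field layout assumed from the quoted line; the first quoted field after the
# <...> verdict block is treated as the User-Agent.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+(?P<mime>\S+)\s+(?P<acl>\S+)\s+"
    r'<(?P<verdicts>[^>]*)>\s+\S+\s+"(?P<ua>[^"]*)"'
)

# Exemption list exactly as given earlier in the thread.
ORIGINAL_EXEMPTIONS = [".phobos.apple.com", "phobos.apple.com",
                       "ax.phobos.apple.com.edgesuite.net", "metrics.apple.com"]


def parse_line(line):
    """Return a dict of fields, or None for lines not in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def original_url(url):
    """In transparent mode the WSA first redirects the client to its own auth
    hostname ('iron' in the thread) with the real URL embedded after a token:
    http://iron/<token>/http://real.host/...  (assumed format). Return the
    embedded URL, or the URL unchanged if nothing is embedded."""
    idx = max(url.rfind("http://", 1), url.rfind("https://", 1))
    return url[idx:] if idx > 0 else url


def classify(rec):
    """TCP_DENIED/401 (407 in explicit-proxy mode) is an authentication
    challenge, not a policy block; any other TCP_DENIED is a real deny."""
    if rec["result"] == "TCP_DENIED":
        return "auth-challenge" if rec["status"] in (401, 407) else "blocked"
    return "allowed"


def is_itunes(user_agent):
    """Matches the 'iTunes/<version> ...' agent strings quoted in the thread."""
    return user_agent.startswith("iTunes/")


def host_matches_exemption(host, patterns):
    """Assumed semantics: '.example.com' covers example.com and every
    subdomain; a bare hostname matches only itself."""
    host = host.lower()
    for p in patterns:
        p = p.lower()
        if p.startswith("."):
            if host == p[1:] or host.endswith(p):
                return True
        elif host == p:
            return True
    return False


def triage(log_text, client_ip, exemptions):
    """For one client, return (sorted hosts still challenged for auth that
    are not on the exemption list, list of (host, acl_tag, ua) real blocks)."""
    missing, blocked = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] != client_ip:
            continue
        host = urlsplit(original_url(rec["url"])).hostname or ""
        verdict = classify(rec)
        if verdict == "auth-challenge" and not host_matches_exemption(host, exemptions):
            missing.add(host)
        elif verdict == "blocked":
            blocked.append((host, rec["acl"], rec["ua"]))
    return sorted(missing), blocked


if __name__ == "__main__":
    missing, blocked = triage(SAMPLE_LOG, "172.31.60.15", ORIGINAL_EXEMPTIONS)
    print("hosts still getting 401 challenges:", missing)
    print("real policy blocks (host, ACL tag, user agent):", blocked)
```

Run against the constructed lines with the thread's original exemption list, the script reports ax.init.itunes.apple.com as the one host still being challenged, which is exactly the host the last post says to add; adding ".apple.com" covers it, but note that it does not cover ax.phobos.apple.com.edgesuite.net, so that entry has to stay on the list explicitly.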
