09-18-2008 07:55 AM - edited 03-03-2019 11:36 PM
Hi,
I would like to block people in my office from downloading music off of iTunes. I followed the instructions in Document ID 98684. I tested, and iTunes is still able to download from the store. I have heard that it uses port 80. Is there any way known to block this without disrupting internet activity? Any help would be much appreciated.
09-18-2008 08:36 AM
iTunes uses port 80; blocking port 80 will block user access to all websites.
If you use a router to block access to iTunes, block outgoing connections to the following:
pri.kts-af.net
tunes.apple.com.akadns.net
17.254.2.170
17.254.4.130
If you use a firewall, block the following ports:
TCP 3689
UDP 5353
Alternatively, if budget permits, you should get a device that can block it using application intelligence, e.g. Packetshaper or Checkpoint SmartDefense. If you have Packetshaper, don't block it; give it a very low bandwidth :) so the user can still connect but waits in vain :)
09-18-2008 09:44 AM
Hey, I feel so helpless. I blocked the domains listed using DNS from my domain controller. That blocked streaming from iTunes. I have an ASA 5505 version 7.2. Can someone tell me what CLI commands I would give it to block the 2 IP addresses listed and the ports? Sorry, but I get nervous messing with this thing without some expert oversight. I was about to do it but got cold feet when it seemed to delete the implicit rule to "permit all traffic to less secure networks". My outside interface is called "outside". My inside is "inside". Tell me if you need anything else. Again, help is very appreciated.
09-19-2008 02:14 PM
I just made these changes to block this for a client. I found a third IP address associated with iTunes that you may also want to block. Here's the access list I wrote for their ASA:
access-list inside_access_out extended deny tcp any any eq 3689
access-list inside_access_out extended deny udp any any eq 5353
access-list inside_access_out extended deny ip any host 17.254.2.170
access-list inside_access_out extended deny ip any host 17.254.4.130
access-list inside_access_out extended deny ip any host 17.112.152.61
access-list inside_access_out extended permit ip any any
access-group inside_access_out in interface inside
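An added example, not part of the original post and not Cisco tooling: a small Python first-match evaluator for the access list above, useful for checking what the list denies and permits before applying it. It handles only the `any`, `host` and `eq` forms used in this ACL; the client 192.168.1.10 and the destination 203.0.113.10 are constructed sample addresses.

```python
import ipaddress

# ACL lines copied from the post above.
ACL = """\
access-list inside_access_out extended deny tcp any any eq 3689
access-list inside_access_out extended deny udp any any eq 5353
access-list inside_access_out extended deny ip any host 17.254.2.170
access-list inside_access_out extended deny ip any host 17.254.4.130
access-list inside_access_out extended deny ip any host 17.112.152.61
access-list inside_access_out extended permit ip any any
"""

def parse_addr(tok):
    """Consume 'any' or 'host A.B.C.D' from the token list; None means any."""
    word = tok.pop(0)
    if word == "any":
        return None
    if word == "host":
        return ipaddress.ip_address(tok.pop(0))
    raise ValueError(f"unsupported address form: {word}")

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] != "extended":
            continue
        action, proto, rest = tok[3], tok[4], tok[5:]
        src, dst = parse_addr(rest), parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching entry wins; with no match the implicit deny applies."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if r_src not in (None, src) or r_dst not in (None, dst):
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"

if __name__ == "__main__":
    # Constructed flows: the client and 203.0.113.10 are made-up addresses.
    for dst in ("17.254.2.170", "203.0.113.10"):
        print(dst, evaluate(parse_acl(ACL), "tcp", "192.168.1.10", dst, 80))
```

Dropping the final `permit ip any any` entry makes every unmatched flow fall through to the implicit deny, which is why the list ends with it.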
11-20-2011 04:27 AM
excellent
10-06-2016 06:59 AM
Does this method still work in 2016? :-D