cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7829
Views
10
Helpful
5
Replies

Blocking Itunes

itccv0822
Level 1
Level 1

Hi,

I would like to block people in my office from downloading music off of Itunes. I followed the instructions in Document ID 98684. I tested, and Itunes is still able to download from the store. I have heard that it uses port 80. Is there any way known to block this without disrupting internet activity? Any help would be much appreciated.

5 Replies 5

Danilo Dy
VIP Alumni
VIP Alumni

iTunes uses port 80, blocking port 80 will block user access to all websites.

If you use a router to block access to iTunes, block outgoing connection to the following;

pri.kts-af.net

tunes.apple.com.akadns.net

17.254.2.170

17.254.4.130

If you use a firewall, block the following ports;

TCP 3689

UDP 5353

Alternatively, if budget permits, you should get a device that can block it using application intelligence. i.e. Packetshaper, Checkpoint SmartDefense. If you have Packetshaper, don't block it, put a very low bandwidth :) so the user can still connect but waiting in vain :)

Hey, I feel so helpless. I blocked the domains listed using DNS from my domain controller. That blocked streaming from Itunes. I have an ASA 5505 version 7.2. Can someone tell me what CLI commands I would give it to block the 2 IP addresses listed and the ports? Sorry but I get nervous messing with this thing without some expert oversite. I was about to do it but got cold feet when it seemed to delete the implicit rule to "permit all traffic to less secure networks". My outside interface is called "outside". My inside is "inside". Tell me if you need anything else. Again, help is very appreciated.

I just made these changes to block this for a client. I found a third IP address associated with Itunes that you may also want to block. Here's the access list I wrote for their ASA:

access-list inside_access_out extended deny tcp any any eq 3689

access-list inside_access_out extended deny udp any any eq 5353

access-list inside_access_out extended deny ip any host 17.254.2.170

access-list inside_access_out extended deny ip any host 17.254.4.130

access-list inside_access_out extended deny ip any host 17.112.152.61

access-list inside_access_out extended permit ip any any

access-group inside_access_out in interface inside

excellent

Does this method still work in 2016? :-D

Review Cisco Networking for a $25 gift card