11-24-2015 11:49 AM
Hello
Does anyone know how I can block Spotify with an IronPort WSA S170?
Thanks
11-24-2015 01:48 PM
Hi
Thanks for reaching out. Enclosing details around "spotify":
Spotify uses port 4070 outbound for connectivity, which does not tunnel via the WSA. You must block this port on your firewall with a deny rule. Once Spotify is blocked, it will then attempt to go out on ports 80 and 443 for access.
In the WSA access policy, you can add the following to your filter for Domains/URLs and network IP ranges.
78.31.8.0/22 - Spotify Servers
193.182.8.0/21 - Mobile & Desktop Clients
193.235.232.0/24 - Mobile & Desktop clients
ap.spotify.com - URL requests
Thanks
Zack
11-24-2015 01:55 PM
Thanks for your reply! Just one more question about the deny rule: does it have to be a deny for the outside access or the inside?
11-24-2015 02:07 PM
I added this deny rule. Can you tell me if it's OK, please?
access-list outbound extended deny tcp 10.10.0.0 255.255.248.0 any eq 4070
11-25-2015 09:26 AM
This will work as well. To get the desired results I would test with something like below:
!
access-list Block_Spotify line 1 extended deny tcp any any eq 4074
access-list Block_Spotify line 2 extended deny udp any any eq 4074
!
Or you can test with a host, etc. Here are the sample examples:
http://www.cisco.com/c/en/us/support/docs/security/ios-firewall/23602-confaccesslists.html#extacls
Thanks
Zack
11-25-2015 09:28 AM
And to further test, block both inbound and outbound, unless you have an internal application communicating on this port.
Regards,
Zack
11-25-2015 09:47 AM
Thanks for your help. I added the following ACLs on my ASA:
access-list outbound extended deny tcp any any eq 4070
access-list outbound extended deny udp any any eq 4070
access-list Block_Spotify extended deny tcp any any eq 4070
access-list Block_Spotify extended deny udp any any eq 4070
access-list inbound extended deny tcp any any eq 4070
access-list inbound extended deny udp any any eq 4070
Also, on my firewall, on my default access and decrypt policy I block the social networking and streaming audio categories. If I have Spotify without being logged in, I can't access it, but if a user had logged in before the access, they can still use Spotify. I am testing with the Mac client.
Also, I added the following sites or IPs to the custom URL categories for blocking Spotify:
194.0.0.0/8, .spotify.com, apresolve.spotify.com, .apresolve.spotify.com, cloudfront.net, .cloudfront.net, 54.230.0.0/15, 54.230.140.235, .edgesuite.net, .spotify-desktop.com, .scdn.co, .tunnelbear.com, 78.31.8.0/22, 193.182.8.0/21, 193.235.232.0/24, ap.spotify.com
11-25-2015 09:29 AM
*Correction
!
access-list Block_Spotify line 1 extended deny tcp any any eq 4070
access-list Block_Spotify line 2 extended deny udp any any eq 4070
!
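Added example, not part of any post in this thread: a small Python audit that reads ASA `access-list` lines like the ones posted above and reports, per ACL, whether TCP and UDP 4070 are both denied, whether a different port was denied instead (the 4074 case), and whether the ACL is bound with `access-group`. The sample config is constructed from the thread's ACL lines; the `access-group outbound in interface inside` line and the `audit` helper are assumptions for illustration.

```python
import re

# Constructed sample: ACL lines as posted in the thread, plus one
# access-group binding that is an assumption (the thread shows none).
SAMPLE_CONFIG = """\
access-list outbound extended deny tcp any any eq 4070
access-list outbound extended deny udp any any eq 4070
access-list Block_Spotify line 1 extended deny tcp any any eq 4074
access-list Block_Spotify line 2 extended deny udp any any eq 4074
access-list inbound extended deny tcp any any eq 4070
access-list inbound extended deny udp any any eq 4070
access-group outbound in interface inside
"""

# Extended deny entry with an "eq <port>" match; "line N" is optional.
ACE = re.compile(r"^access-list\s+(\S+)\s+(?:line\s+\d+\s+)?extended\s+deny\s+"
                 r"(tcp|udp)\s+.*\beq\s+(\d+)\s*$")
# An ACL is only enforced once bound to an interface (or globally).
BIND = re.compile(r"^access-group\s+(\S+)\s+(?:(?:in|out)\s+interface\s+\S+|global)")

def audit(config, port=4070):
    """Return {acl_name: [findings]} for deny rules meant to cover `port`."""
    denies, bound = {}, set()
    for line in config.splitlines():
        line = line.strip()
        if m := ACE.match(line):
            denies.setdefault(m.group(1), set()).add((m.group(2), int(m.group(3))))
        elif m := BIND.match(line):
            bound.add(m.group(1))
    report = {}
    for name, rules in denies.items():
        findings = [f"no deny for {proto}/{port}"
                    for proto in ("tcp", "udp") if (proto, port) not in rules]
        other = sorted({p for _, p in rules if p != port})
        if other:
            findings.append(f"denies other port(s) instead: {other}")
        if name not in bound:
            findings.append("not applied with access-group")
        report[name] = findings
    return report

if __name__ == "__main__":
    for acl, findings in audit(SAMPLE_CONFIG).items():
        print(acl, "->", findings or "ok")
```

Every ASA ACL ends in an implicit deny, so an ACL that holds only these deny lines and is bound to an interface also needs permit entries for the traffic that should pass.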
06-23-2024 01:45 AM
To block Spotify using an IronPort WSA S170, you can typically achieve this through web access policies on your IronPort appliance. Here are general steps to consider:
Access IronPort WSA Interface: Log in to the IronPort Web Security Appliance (WSA) interface.
Create or Modify Access Policies: Navigate to the web access policies section where you can create or modify policies.
URL Filtering: Utilize URL filtering capabilities to block access to Spotify. You may add Spotify's domains or URLs to the blacklist or create a custom category for music streaming services that includes Spotify.
Content Filtering Rules: Configure content filtering rules based on categories or specific URLs related to Spotify to enforce the block.
Testing and Verification: After applying the policy, test to ensure that access to Spotify is effectively blocked.
If you need specific guidance on configuring these policies on your IronPort WSA S170, refer to the product documentation or contact Cisco support for detailed instructions tailored to your setup.
Hope this helps!