01-14-2009 04:38 PM
Has anyone had issues with iTunes going through an S650 in transparent mode using NTLM? If we use the IE proxy settings we can get the iTunes Store, but I still see lots of deny statements in the access logs. Also, registering new devices via iTunes doesn't seem to work. Just curious.
Thanks
01-15-2009 04:18 PM
We've seen the following problem with iTunes:
iTunes supports both basic and NTLM authentication, but it does not send additional cookies that have been set. For this reason, iTunes will hang when using cookies as the authentication credential caching method.
iTunes does send a cookie with each GET, but it will not send the credential cookie that the WSA sets, causing an authentication loop.
To work around this issue, one of the following must be done:
------------------------------------------
1. Use IP credential caching instead of cookie.
2. Add the following domains to the authentication destination exemptions list:
.phobos.apple.com
phobos.apple.com
ax.phobos.apple.com.edgesuite.net
metrics.apple.com
3. Bypass authentication for the "iTunes" User-agent string (AsyncOS 5.6+)
Example: User-Agent: iTunes/7.6.2 (Windows; U; Microsoft Windows XP Professional Service Pack 2 (Build 2600)) DPI/96
------------------------------------------
NOTE: This information is valid for iTunes version 7.6.2.9. This may change in future versions.
01-29-2009 03:59 PM
I have this coming across our access logs....
iTunes/7.6.2 (Windows; N) ...how can I allow this agent for just 1 access policy..or do I have to allow it globally??
01-30-2009 04:42 PM
Spoonman,
In your new Access policy, under 'Advanced', there is a User-Agent section. You can modify this to force the policy to only apply to the specific user-agent.
03-30-2009 07:50 PM
OK.. I've had no luck with this.. is there a way to allow that application... I don't want to add it as a user agent as it will then block everything else. Is there somewhere to add it to allow??
03-31-2009 03:43 PM
Spoonman,
I'm not sure what you mean by:
...it will then block everything else
05-13-2009 03:27 PM
We updated our IronPort to version 6.0.0-530 and since then, we can't seem to get Apple's App Store to work through iTunes.. we have many users with the iPhone and they are really freaking out :)
Since we have some generic users we are using session cookies instead of IP for authentication, and I just can't seem to get it to work.
I tried following the directions above, I did put those URLs listed above into the destinationAuthExempt list, as well as a custom URL category, hoping that would work, but no luck.
We are using iTunes 8.1.0, is there any other info I can give that maybe someone can walk a n00b through getting this to allow my boss to purchase apps for his iPhone?
Many thanks!
05-14-2009 04:15 PM
The only known problems I'm aware of with iTunes are that authentication won't work (needs to be exempted as you've stated) and HTTPS needs to be passthrough (iTunes checks the Apple cert and knows when it's being spoofed).
I recommend pulling the access logs to see what is really being requested. Maybe they added a content server that we don't know about, that also needs auth exempting.
Figure out what the IP of the iphone is and then grep the logs. Let's see what it's requesting.
To grep the access logs for this entry, run the following from the CLI:
------------------------------------------
1. Grep
2. Enter the number of the log you wish to grep: 1 (for accesslogs)
3. Enter the regular expression to grep:
4. Do you want this search to be case insensitive?: Y
5. Do you want to paginate the output?: N
------------------------------------------
You can also do the 'tail' command and add a grep line to it in order to see real time logs.
05-14-2009 06:13 PM
Maybe I am doing something wrong... I did notice that when I used credential cache "session cookie" that is when it blocks.. This is what I get in the log files
1242321020.770 0 172.31.60.15 TCP_DENIED/401 404 GET http://iron/B0000D0000N0001/http://ax.init.itunes.apple.com/WebObjects/MZInit.woa/wa/initiateSession?ix=2&dsid=166765880 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE <-,-,-,-,-,-,-,-,-,-,-,-,-,-,-> - "-" "-"
I really appreciate all your help :)
05-15-2009 03:21 PM
TCP_DENIED/401 isn't specifically a block, it's a request for authentication.
Make sure that in your auth exemption category / rule, you specify ax.init.itunes.apple.com, or .apple.com if you want all hosts on apple.com to be exempt.
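Added example, not part of the thread and not Cisco code: a Python sketch of the log check suggested above, listing hosts that one client hit with TCP_DENIED/401 and that the exemption list does not yet cover. The field positions are assumed from the single log line posted in the thread, the leading-dot matching rule is an assumption, and all function names are hypothetical.

```python
import re
from collections import Counter

# Exemption list from the thread; a leading dot is assumed to mean "subdomains only".
EXEMPT = [".phobos.apple.com", "phobos.apple.com",
          "ax.phobos.apple.com.edgesuite.net", "metrics.apple.com"]

# First line is the entry posted in the thread; the other three are constructed samples.
SAMPLE_LOG = """\
1242321020.770 0 172.31.60.15 TCP_DENIED/401 404 GET http://iron/B0000D0000N0001/http://ax.init.itunes.apple.com/WebObjects/MZInit.woa/wa/initiateSession?ix=2&dsid=166765880 - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE <-,-,-,-,-,-,-,-,-,-,-,-,-,-,-> - "-" "-"
1242321021.100 0 172.31.60.15 TCP_DENIED/401 404 GET http://ax.phobos.apple.com.edgesuite.net/images/a.png - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE <-> - "-" "-"
1242321022.200 12 172.31.60.15 TCP_MISS/200 5120 GET http://metrics.apple.com/b/ss - DIRECT/metrics.apple.com text/html DEFAULT <-> - "-" "-"
1242321023.300 0 172.31.60.99 TCP_DENIED/401 404 GET http://example.test/ - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE <-> - "-" "-"
"""

def target_host(url):
    """Host the client originally asked for. The thread's log line carries it
    after the proxy's own redirect prefix, so take the last URL in the path."""
    hosts = re.findall(r"https?://([^/:?]+)", url.split("?", 1)[0])
    return hosts[-1].lower() if hosts else None

def is_exempt(host, exempt=EXEMPT):
    """True if host matches an entry exactly, or is under a leading-dot entry."""
    for entry in (e.lower() for e in exempt):
        if entry.startswith("."):
            if host.endswith(entry):
                return True
        elif host == entry:
            return True
    return False

def unexempted_401_hosts(log_text, client_ip, exempt=EXEMPT):
    """Count 401 challenges per destination host for one client, skipping exempt hosts."""
    counts = Counter()
    for line in log_text.splitlines():
        f = line.split()
        # Assumed layout: [2]=client IP, [3]=result/status, [6]=URL
        if len(f) < 7 or f[2] != client_ip or f[3] != "TCP_DENIED/401":
            continue
        host = target_host(f[6])
        if host and not is_exempt(host, exempt):
            counts[host] += 1
    return counts

if __name__ == "__main__":
    for host, n in unexempted_401_hosts(SAMPLE_LOG, "172.31.60.15").most_common():
        print(n, host)
```

Each host it reports is a candidate for the exemption list; a broad entry such as .apple.com also exempts every other host under that domain from authentication, so narrower entries keep more traffic attributed to users.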