We are trying to get Spotify to work through our Ironport S370 which is configured for both HTTP and HTTPS proxy.
Spotify allows you to set an HTTPS proxy, which we have done, but we continually get a 112 error, which is a Spotify error meaning no connection (check firewalls and proxies).
We have created an Identity and decryption policy just for one user and all categories are set to pass-through, but this does not work. Does anyone have any ideas what we need to do to get this working, as it is causing major issues for the education music department?
I hope you are doing well. Are you using transparent redirection on the ASA? Or just explicit proxy configuration?
Spotify allows you to set an HTTPS proxy (like an explicit redirection to Ironport), so if the ASA is running the WCCP process, the traffic will be redirected to Ironport (again), and maybe you are creating a loop.
The pass-through that you configured on the decryption policy is OK, because the Spotify HTTPS requests are matched by the Streaming Audio and Entertainment categories.
Would you check these details and report back? If it does not work, would you share some accesslogs output? Feel free to request assistance in case you do not know how to get accesslogs.
I am not an expert, but I currently have the opposite issue. I want to block Spotify!!!!! Would you share with me how you get Spotify blocked?
Is there any news on how this can be solved? I have the same problem. Spotify.com is set as HTTPS pass-through in the Custom URL Category, but it does not work.
The Policy Trace shows that the connection is allowed, but it does not work.
Any idea? Thanks.
And just to add this... I have just HTTP 200 reply codes in my grep (didn't paste the whole output). The website is working fine; it is just when you would like to play music that it isn't working.
1427450528.769 268 10.22.8.111 TCP_MISS_SSL/200
1427450529.313 82 10.22.8.111 TCP_MISS_SSL/200
1427450529.829 42 10.22.8.111 TCP_MISS_SSL/204
1427450529.833 93 10.22.8.111 TCP_MISS_SSL/200
1427450530.022 328 10.22.8.111 TCP_MISS_SSL/200
1427450530.071 230 10.22.8.111 TCP_MISS_SSL/200
1427450531.919 82 10.22.8.111 TCP_MISS_SSL/200
1427450531.922 41 10.22.8.111 TCP_MISS_SSL/204
1427450532.041 311 10.22.8.111 TCP_MISS_SSL/200
1427450532.103 237 10.22.8.111 TCP_MISS_SSL/200
1427450532.145 96 10.22.8.111 TCP_MISS_SSL/200
1427450532.340 266 10.22.8.111 TCP_MISS_SSL/200
1427450532.609 191 10.22.8.111 TCP_MISS_SSL/302
Spotify traffic uses ports 80 and 443; however, it will then switch to port 4070 for their subnets of 220.127.116.11/24, therefore the WSA will need to have the option "permit tunneling of non-http requests on http ports" enabled.
If you have the above setting disabled, most likely Spotify would allow the login to occur, however nothing would load, such as Spotify radio, etc.
You can enable this setting from the CLI of the WSA by using the command advancedproxyconfig -> miscellaneous -> keep pressing Enter until you reach the section "Would you like to permit tunneling of non-http requests on http ports?" and set it to allow; also, in the section "Would you like to block tunneling of non-SSL transactions on SSL Ports?", set it to 'N'.
Then keep pressing enter till you reach initial prompt and type in 'commit' to save your changes.
Also make sure that port 4070 is not blocked by your firewall.