0range
Level 7

Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

We're setting up a new McAfee Web Gateway appliance running 7.2.  What do I need to do to get Flash video working thru there?  In particular, with RTMPT encapsulating traffic on port 80?

I'm testing video on the MLB and ESPN sites, since they're really high quality -- and they're great test cases for sites our business users will want to use.

The ads before the videos sometimes load, but the videos themselves never start or just buffer a few seconds and get stuck.

http://mlb.com/video

http://espn.go.com/video/

Videos on many sites seem fine - youtube, ustream.tv, many news sites with their own embedded players, etc.

I disabled ALL policies - I'm aware of the anti-malware "ignore streaming" options.  All I have set up right now is just the basic http(s) proxy config.

I also played with the chunking settings but that didn't change anything.

I can get the videos to work perfectly when my browser goes directly thru the firewall.

I can also get them to work fine when going thru McAfee's SaaS (cloud) web filter.

whatismyip.com shows the cloud service as

IP 208.65.149.248

McAfee Web Gateway 7.1.6.1.0.12742

I have TCP and UDP ports 1935 allowed in my firewall as well, but the issue seems to be RTMPT not working on port 80

I also tried enabling the Helix service on my appliance, but that didn't change anything either (RTMPT is different from RTSP....)

I've also spent way too much time learning all the options of Flash Player.  I'm quite aware of its lack of a proxy setting.  Or any way to change how RTMPT is handled.

I've tried these videos on XP and Win7; IE 7 / IE 9 / Chrome / FF -- the issue is the MWG not allowing this traffic to pass.

So what does the McAfee cloud service do differently that I haven't done to my appliance, so I can get these test video sites to work?

This port test site shows the issue:

http://www.therealtimeweb.com/index.cfm/2004/10/2/fms-port-tester

-----------

mwg:

WIN 11,3,31,222

RTMP         DEFAULT    Success

RTMP         80             Success

RTMP         443            Success

RTMP         1935           Success

RTMPT        DEFAULT    Success

RTMPT        80             Success

RTMPT        443            Success

RTMPT        1935           TimeOut

-----------

fw direct:

WIN 11,3,31,222

RTMP         DEFAULT    Success

RTMP         80             Success

RTMP         443            Success

RTMP         1935           Success

RTMPT        DEFAULT    Success

RTMPT        80             Success

RTMPT        443            Success

RTMPT        1935           Success

-----------

McAfee SaaS (cloud)

WIN 11,3,31,222

RTMP         DEFAULT    Success

RTMP         80             Success

RTMP         443            Success

RTMP         1935           Success

RTMPT        DEFAULT    Success

RTMPT        80             Success

RTMPT        443            Success

RTMPT        1935           Success

-----------

Thanks in advance for any suggestions!

0 Kudos
13 Replies
eelsasser
Level 15

Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

As a test, I have set up a workstation that is blocked from direct internet traffic by the firewall and all access must go through explicit proxy on the browser.

When I go to mlb.com or espn, the videos play perfectly in their entirety.

In this mode that works through the proxy, the test indicates for me:

WIN 11,3,300,270

RMTP Default Success 1.4s
RMTP Port 1935 Failed 0.1s
RMTP Port 80 Failed 0.1s
RMTP Port 443 Failed 0.1s
RMTPT (Tunneling) Default Success 1.3s
RMTPT (Tunneling) Port 80 Success 1.4s
RMTPT (Tunneling) Port 443 Success 1.3s
RMTPT (Tunneling) Port 1935 Success 1.3s

My guess is you are trying to use MWG in some sort of transparent mode (WCCP, Transparent bridge) that attempts to go out directly first instead of tunneling.

The Flash player is opportunistic in that it attempts to go directly first. Only if it fails by going directly will it resort to a tunneled HTTP connection.

Because a port 80 TCP connection is established directly, it thinks that is a valid route to take for the rest of the video, but it's not. Once the connection is made, it switches to RTMP protocol, which is not HTTP and blocks the video.

Try this.

Block all traffic at the firewall from the client.

Explicitly proxy the browser to MWG.

See what happens. Does the video play?

0 Kudos
alexott
Level 11

Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

Currently, the Streaming Detector is not always able to detect RTMP over HTTP - in this case, you can add a rule to whitelist it, with something like:

IF Cycle.Name equals "Response" AND Header.Response.Get("Content-Type") equals "application/x-fcs" and Header.Request.Get("Content-Type") equals "application/x-fcs" THEN Stop Cycle

We're working on fixing this problem...

on 08/08/12 08:04:40 CEST
0 Kudos
cnewman
Level 10

Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

I think I would be more explicit and only allow proper rtmpt and only pass for the post /open requests.

POST /fcs/ident2 HTTP/1.1

Content-Type: application/x-fcs\r\n

HTTP/1.0 404 Not Found

POST /open/1 HTTP/1.1

Content-Type: application/x-fcs\r\n

HTTP/1.1 200 OK

Content-Type: application/x-fcs\r\n

    <random number>

So the rule becomes:

IF Cycle.Name equals "Response" AND Header.Response.Get("Content-Type") equals "application/x-fcs" and Header.Request.Get("Content-Type") equals "application/x-fcs" AND url.path = /open/* THEN Stop Cycle

0 Kudos
cnewman
Level 10

Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

Just added a rule underneath the streaming detector, and without being explicit on the path, a lot of /idle/ traffic appears to have data and appears to be missed by the streaming detection.

I guess I would just add alexott's rule underneath the stream detector rule for the time being.

0 Kudos
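Added example (not part of any poster's reply, and not McAfee rule syntax): a Python model of the rule criteria discussed in the replies above, run over constructed transactions, to show which RTMPT requests each variant would match. The `/send/` and `/close/` paths are RTMPT commands not quoted in the thread, and `rtmpt_shape_rule`, `Txn`, and all sample values are hypothetical names and data made up for this illustration.

```python
import re
from dataclasses import dataclass

FCS = "application/x-fcs"
# /open/1 and /idle/ appear in the thread; /send/ and /close/ are the other
# RTMPT commands (assumption: not quoted in the thread).
RTMPT_PATH = re.compile(r"^/(open/1|(idle|send|close)/[^/]+/\d+)$")

@dataclass
class Txn:
    method: str
    path: str
    req_ctype: str
    resp_ctype: str

def broad_rule(t):
    """Criteria from the first suggested rule: both Content-Types are x-fcs."""
    return t.req_ctype == FCS and t.resp_ctype == FCS

def open_only_rule(t):
    """Same criteria plus the url.path = /open/* restriction."""
    return broad_rule(t) and t.path.startswith("/open/")

def rtmpt_shape_rule(t):
    """Hypothetical tighter variant: POST to a known RTMPT command path."""
    return broad_rule(t) and t.method == "POST" and bool(RTMPT_PATH.match(t.path))

# Constructed sample transactions (session id 1234567 is made up).
SAMPLES = [
    Txn("POST", "/fcs/ident2", FCS, "text/html"),   # answered 404 in the thread
    Txn("POST", "/open/1", FCS, FCS),
    Txn("POST", "/idle/1234567/0", FCS, FCS),
    Txn("POST", "/send/1234567/1", FCS, FCS),
    Txn("GET", "/files/update.bin", FCS, FCS),      # not RTMPT, only the headers match
]

def evaluate(samples):
    """Map each path to (broad, open_only, rtmpt_shape) match results."""
    return {t.path: (broad_rule(t), open_only_rule(t), rtmpt_shape_rule(t))
            for t in samples}

if __name__ == "__main__":
    for path, hits in evaluate(SAMPLES).items():
        print(f"{path:22} broad={hits[0]!s:5} open_only={hits[1]!s:5} shape={hits[2]}")
```

The `/open/*` restriction skips the `/idle/` polls that carry stream data, while matching on Content-Type alone also stops the cycle for any transaction that merely sets both headers.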
alexott
Level 11

Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

I have an idea why it works for the Cloud service but not on the appliance - as I remember, the Cloud service doesn't implement media type detection, while in the standard configuration the MWG Appliance does, and if we're not able to detect the stream, it can get stuck in the media type filter, trying to get data from the server before detecting the MIME type.

0 Kudos
0range
Level 7

Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

Thanks for the suggestions.  I tried them all but am still not able to get video to run from http://mlb.com/video

eelsasser -- I took your advice and shut down all FW access from a test PC.  When I do that, I get these results. 

The PC can tunnel RTMP traffic thru the MWG appliance and I've confirmed that in the firewall logs.

http://www.therealtimeweb.com/index.cfm/2004/10/2/fms-port-tester

WIN 11,3,300,268

RTMP         DEFAULT    TimeOut
RTMP         80            Failed
RTMP         443           Failed
RTMP         1935          Failed
RTMPT        DEFAULT    Success
RTMPT        80            Success
RTMPT        443           Success
RTMPT        1935          Success

I'm not able to watch videos though -- you must have some other config setup that I don't yet.  I don't believe I have any transparent proxy options enabled -- but I'm new to this device, so here's what my proxy settings look like:

proxy_settings.PNG

alexott & cnewman -- I tried your suggestions as well.  I didn't have any policy rules enabled at all for this test, so I re-activated the "Global Whitelist" and tried it there first.  The only rule active under there is the new one:

--------------------

Name:

allow_flash_videos

Comment:

Rule Criteria:

Cycle.Name equals "Response" AND

Header.Response.Get ("Content-Type") equals "application/x-fcs" AND

Header.Request.Get ("Content-Type") equals "application/x-fcs"

Action:

Stop Cycle

Events:

--------------------

That didn't work.

I then enabled "Gateway Anti-Malware" and all these tests failed:

1. activated just the builtin "Skip Streaming Media"

2a. activated the builtin "Skip Streaming Media" and also my new custom rule to allow flash video, before the Skip Streaming Media rule --

Cycle.Name equals "Response" AND

Header.Response.Get ("Content-Type") equals "application/x-fcs" AND

Header.Request.Get ("Content-Type") equals "application/x-fcs"

Action:

Stop Cycle

2b. same as 2a, tried "Stop Rule Set" instead of "Stop Cycle"

3a. activated the builtin "Skip Streaming Media" and also my new custom rule to allow flash video, after the Skip Streaming Media rule

3b. same as 3a, tried "Stop Rule Set" instead of "Stop Cycle"

The ads will start after about 20 seconds, which I believe the browser is downloading the ad then playing it, instead of streaming.  Then the video will buffer for about 20-30 seconds, play for about 5, repeat.

Any ideas on what else I have missing?

Thanks for all your ideas so far.

0 Kudos
alexott
Level 11

Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

Thank you for the detailed report, we're investigating this issue...

0 Kudos
alexott
Level 11

Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

It's interesting that I can't get this site to use RTMP all the time - most of the time it uses Flash + MP4, and this was detected without any problem :-(

0 Kudos
0range
Level 7

Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

alexott -- thanks for the updates. 

Looking at my httpwatch and firebug logs, I can see the ads actually come from ad.auditude.com, not mlb.com, so there could be a little difference there.

All the videos seem to show up as mp4 files for me on all my test PCs and browsers.

For example:

http://mediadownloads.mlb.com/mlbam/2012/08/08/mlbtv_aripit_23753079_1200K.mp4

http://mediadownloads.mlb.com/mlbam/2012/08/08/mlbtv_tortba_23751881_1200K.mp4

http://mediadownloads.mlb.com/mlbam/2012/06/28/mlbtv_22658173_1200K.mp4

So I created this rule and put it in the global whitelist:

allow_mp4_videos

Comment:

Rule Criteria:

Cycle.Name equals "Response" AND

Header.Response.Get ("Content-Type") equals "video/mp4"

Action:

Stop Rule Set

Events:

------

I also tried "stop cycle" -- neither changed the outcomes

------

Here's a test video with my firebug headers info. Overall, I had the same results with that mp4 allow rule : very slow download thru the MWG, good/constant buffering thru cloud service.  These tests were on current FF (14.0.1) on Win7

http://mlb.com/video/play.jsp?content_id=23730997&topic_id=27334974&c_id=mlb

mwg:

Accept-Ranges    bytes

Content-Length    36396046

Content-Type    video/mp4

Date    Thu, 09 Aug 2012 15:33:41 GMT

Etag    "723f68f-22b5c0e-4c6c8dd41c49d"

Last-Modified    Wed, 08 Aug 2012 22:45:14 GMT

Proxy-Connection    Keep-Alive

Server    Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7d

Via    1.1 10.116.20.19 (McAfee Web Gateway 7.2.0.1.0.13253)

Request Headers

Accept    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding    gzip, deflate

Accept-Language    en-us,en;q=0.5

Cookie    stUtil_cookie=1%7C%7C6349750451344000276344; s_vi=[CS]v1|280DE88B0501336C-6000010960038CA8[CE]; SESSION_1=; s_cc=true; s_sq=%5B%5BB%5D%5D

Host    mediadownloads.mlb.com

Proxy-Connection    keep-alive

Referer    http://mlb.com/shared/flash/video/flvplayer_v4.swf?v=6

User-Agent    Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

cloud 1:

Accept-Ranges    bytes

Content-Length    36396046

Content-Type    video/mp4

Date    Thu, 09 Aug 2012 15:36:46 GMT

Etag    "723f68f-22b5c0e-4c6c8dd41c49d"

Last-Modified    Wed, 08 Aug 2012 22:45:14 GMT

Proxy-Connection    Keep-Alive

Server    Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7d

Via    1.1 10.1.65.74 (McAfee Web Gateway 7.1.6.1.0.12742)

X-MFE-SAFE-SEARCH    enabled

Request Headers

Accept    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding    gzip, deflate

Accept-Language    en-us,en;q=0.5

Cookie    stUtil_cookie=1%7C%7C6349750451344000276344; s_vi=[CS]v1|280DE88B0501336C-6000010960038CA8[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D

Host    mediadownloads.mlb.com

If-Range    "723f68f-22b5c0e-4c6c8dd41c49d"

Proxy-Connection    keep-alive

Range    bytes=994478-

Referer    http://mlb.com/shared/flash/video/flvplayer_v4.swf?v=6

User-Agent    Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

cloud 2 -- after clearing cache, cookies, etc.

Accept-Ranges    bytes

Content-Length    36396046

Content-Type    video/mp4

Date    Thu, 09 Aug 2012 15:39:18 GMT

Etag    "723f68f-22b5c0e-4c6c8dd41c49d"

Last-Modified    Wed, 08 Aug 2012 22:45:14 GMT

Proxy-Connection    Keep-Alive

Server    Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7d

Via    1.1 10.1.65.72 (McAfee Web Gateway 7.1.6.1.0.12742)

X-MFE-SAFE-SEARCH    enabled

Request Headers

Accept    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding    gzip, deflate

Accept-Language    en-us,en;q=0.5

Cookie    stUtil_cookie=1%7C%7C6349750451344000276344; s_vi=[CS]v1|280DE88B0501336C-6000010960038CA8[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D

Host    mediadownloads.mlb.com

Proxy-Connection    keep-alive

Referer    http://mlb.com/shared/flash/video/flvplayer_v4.swf?v=6

User-Agent    Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

The key differences are

0. Obviously, the version is slightly different (7.1 for cloud, 7.2 for mwg)

1. mwg test:

Cookie includes:  SESSION_1=;

2. the first cloud test includes these:

If-Range    "723f68f-22b5c0e-4c6c8dd41c49d"

Range    bytes=994478-

3. both cloud sessions have this:

X-MFE-SAFE-SEARCH    enabled

So ultimately the question is what the cloud service is doing differently that allows this to work.

0 Kudos