Iain's suggestion is very helpful, since it eliminates the requirement of maintaining a list of URLs. The downside of using the "User-Agent" header is that a clever user who is granted at least a minimum of permissions on his desktop PC is able to rewrite the User-Agent header. Basically, if you know that iTunes as a User-Agent will allow you to bypass authentication, someone could configure his browser to always identify as iTunes and access the internet without authentication.
Therefore I usually only prepare rules that are as strict as possible. Usually I wouldn't expect a normal user to be able to slip through this hole, because
- he needs to know that MWG is in place and how the rules look
- he needs to know that authentication is skipped for this User-Agent
- he needs to know how to modify the User-Agent in an appropriate way
- he needs to have permission to run browser plugins or a browser that allows changing the header
For the "normal" user this is pretty unlikely to happen, but basically someone may be clever enough to find the hole. Actually you can report on the access logs later to see if someone abuses this and report him, as this is most likely against a company's policy for using the computer and internet.
I just thought I should mention these points as well. If I were administrating an MWG I would probably go with Iain's approach as well 🙂
Thanks for sharing!
iTunes is really a mess; I spent days getting it to work. I had to use Netmon to inspect the traffic. What was really interesting is that iTunes can authenticate with NTLM at MWG, but just for some requests (the smaller part). Most of the time the authentication fails; it looks like proxy authentication is implemented in iTunes.
This is my solution:
I tried to find the right balance (for our environment) between security and manageability.
NOTE: You have to input username and password ONCE - Ping and Match do NOT work with this solution, if you try you will be asked again for username and password
To limit the unauthenticated allowed traffic to a minimum I used a combination of "User-Agent" and "URL Hosts Whitelist".
User-Agents for iTunes:
iTunes*AppleWebKit* ; Access to the iTunes Store
GCSL GCSP * ; Gracenote Media Recognition Services
InetURL/1.0 ; Used for iPhone Update / Restore Backup
ax.init.itunes.apple.com. ; The "dot" at the end is important!
At the first start iTunes tries to display a welcome screen. Because of the User-Agent - Mozilla/5.0 * AppleWebKit/ * - which is used similarly by other WebKit browsers, e.g. Maxthon, I limited the access to URLs:
It would work without the above rule, but then iTunes generates about 20'000 requests in 1 minute until it stops (just at the first startup).
I hope this helps
Stefan, on 27.03.12 11:06:04 CDT
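The post above combines a User-Agent match with a host whitelist, and the earlier reply suggests auditing the access logs afterwards for users who abuse the bypass. As an added example (not from any of the posts, and not MWG's own rule syntax), the following Python reproduces both: the "skip authentication only if User-Agent AND host match" decision, and a scan over constructed proxy log lines that flags clients sending an iTunes User-Agent to hosts outside the whitelist. The whitelisted hosts, the log line format and the sample log entries are assumptions made for the example; the post does not list the actual URL hosts.

```python
import fnmatch
import re
from collections import Counter
from urllib.parse import urlsplit

# User-Agent patterns quoted in the post. MWG-style wildcard matching is
# approximated with fnmatch, where '*' stands for any run of characters.
ITUNES_USER_AGENTS = [
    "iTunes*AppleWebKit*",        # iTunes Store
    "GCSL GCSP *",                # Gracenote Media Recognition Services
    "InetURL/1.0",                # iPhone update / restore backup
    "ax.init.itunes.apple.com.",  # the trailing dot is part of the string
]

# ASSUMED placeholder whitelist: the post says it used a host whitelist but
# does not reproduce it, so these entries are invented for the example.
ALLOWED_HOSTS = {"itunes.apple.com", "ax.init.itunes.apple.com", "gracenote.com"}


def ua_matches(user_agent):
    """True if the User-Agent matches one of the iTunes patterns (case-sensitive)."""
    return any(fnmatch.fnmatchcase(user_agent, p) for p in ITUNES_USER_AGENTS)


def host_allowed(host):
    """True if host is a whitelisted host or a subdomain of one (trailing dot ignored)."""
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def skip_authentication(user_agent, host):
    """The combined rule: both conditions must hold, otherwise the user is challenged."""
    return ua_matches(user_agent) and host_allowed(host)


# Constructed log format (NOT the real MWG access.log layout):
#   client_ip user "METHOD URL" status "User-Agent"
LOG_LINE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')

# Constructed sample entries: one legitimate iTunes client and one client
# that spoofs the iTunes User-Agent to reach ordinary web sites.
SAMPLE_LOG = """\
10.0.0.5 - "GET http://itunes.apple.com/WebObjects/MZStore.woa" 200 "iTunes/10.5 (Windows; Microsoft Windows 7) AppleWebKit/534.51.22"
10.0.0.5 - "GET http://ax.init.itunes.apple.com/bag.xml" 200 "iTunes/10.5 (Windows; Microsoft Windows 7) AppleWebKit/534.51.22"
10.0.0.7 - "GET http://www.facebook.com/" 407 "iTunes/10.5 (Windows; Microsoft Windows 7) AppleWebKit/534.51.22"
10.0.0.7 - "GET http://www.youtube.com/" 407 "iTunes/10.5 (Windows; Microsoft Windows 7) AppleWebKit/534.51.22"
10.0.0.9 jdoe "GET http://www.example.com/" 200 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1 Maxthon/3.0"
"""


def parse_line(line):
    """Return a dict with client, user, host, status and ua, or None for unparsable lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    client, user, _method, url, status, ua = m.groups()
    return {"client": client, "user": user, "host": urlsplit(url).hostname or "",
            "status": int(status), "ua": ua}


def audit(log_text):
    """Map each client that sent an iTunes User-Agent to a non-whitelisted host
    onto a Counter of those hosts. A client only ever talking to the
    whitelisted hosts, or using a normal browser User-Agent, is not reported."""
    suspects = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if ua_matches(entry["ua"]) and not host_allowed(entry["host"]):
            suspects.setdefault(entry["client"], Counter())[entry["host"]] += 1
    return suspects


if __name__ == "__main__":
    for client, hosts in audit(SAMPLE_LOG).items():
        print(client, dict(hosts))
```

Running the block prints only `10.0.0.7` with its two non-Apple destinations: the legitimate iTunes client stays within the whitelist, and the Maxthon browser, despite sharing the AppleWebKit token, does not match `iTunes*AppleWebKit*`. A real report would be run over the exported MWG access log with the actual whitelist substituted.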
I'd like to see this rule set. We haven't rolled MWG to all of our users yet, and the ones that will complain the loudest are coming up next, and I'd like to nip this in the bud before we cut them from ISA servers to MWG.
I attached the Rule Set and a HTML Report from the Policy Viewer tool.
I had to add this Host to the Whitelist:
Just put this Rule in "Direct Proxy Authentication and Authorization" like this:
Stefan (edited by sthe)
Hi in V6.
And that should be it.