asabban
McAfee Employee
Message 11 of 18

Re: How to use itunes over McAfee Webgateway V7.0

Hello,

Iain's suggestion is very helpful, since it eliminates the requirement of maintaining a list of URLs. The downside of using the "User-Agent" header is that a clever user who is granted at least a minimum of permissions on his desktop PC is able to rewrite the User-Agent header. Basically, if you know iTunes as a User-Agent will allow you to bypass authentication, someone could configure his browser to always identify as iTunes and access the internet without authentication.

Therefore I usually only prepare rules which are as strict as possible. Usually I won't expect that a normal user would be able to slip through this hole because

- he needs to know that MWG is in place and how the rules look

- he needs to know that authentication is skipped for this User-Agent

- he needs to know how to modify the User-Agent in an appropriate way

- he needs to have permission to run browser plugins or a browser which allows to change the header

For the "normal" user this is pretty unlikely to happen, but basically someone may be clever enough to find the hole. Actually you can report on the access.logs later to see if someone abuses this and report him, as this is most likely against a company's policy for using the computer and internet.

I just thought I should mention these points as well. If I were administrating an MWG I would probably go with Iain's approach as well 🙂

Thanks for sharing!

Andre

sthe
Level 9
Message 12 of 18

Re: How to use itunes over McAfee Webgateway V7.0

Hello

iTunes is really a mess; I spent days getting it to work. I had to use Netmon to inspect the traffic. What was really interesting is that iTunes can authenticate with NTLM at MWG, but just for some requests (the smaller part). Most of the time the authentication fails; it looks like proxy authentication is faultily implemented in iTunes.

This is my solution:

I tried to find the right balance (for our environment) between security and manageability.

NOTE: You have to input username and password ONCE - Ping and Match do NOT work with this solution, if you try you will be asked again for username and password

To limit the unauthenticated allowed traffic to a minimum I used a combination of "User-Agent" and "URL Hosts Whitelist".

User-Agents for iTunes:

iTunes*AppleWebKit*  ; Access to the iTunes Store

GCSL GCSP *          ; Gracenote Media Recognition Services

InetURL/1.0          ; Used for iPhone Update / Restore Backup

URL Hosts:

itunes.apple.com

albert.apple.com

gs.apple.com

ax.phobos.apple.com.edgesuite.net

*.mzstatic.com

metrics.apple.com

ax.init.itunes.apple.com.  ; The "dot" at the end is important!

*.itunes.apple.com

*.verisign.com

*.phobos.apple.com

*.gcsp.cddbp.net

At the first start iTunes tries to display a welcome screen. Because of the User-Agent - Mozilla/5.0 * AppleWebKit/ * - which is used similarly by other WebKit browsers, e.g. Maxthon, I limited the access to URLs:

User-Agent:

Mozilla/*AppleWebKit/*)

URLs:

http://www.apple.com/welcomescreen/itunes*

http://images.apple.com/*

It would work without the above rule, but then iTunes generates about 20'000 requests in 1 minute till it stops (just at the first startup).

iTunes_Rule.png

I hope this helps

Stefan

on 27.03.12 11:06:04 CDT
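As an added illustration (not code from the thread or from McAfee Web Gateway), the following Python models the decision logic of Stefan's rule above, the User-Agent pattern AND the host whitelist, and the access.log review Andre suggests: it counts, per client, unauthenticated requests that carry an iTunes User-Agent but go to a host outside the iTunes whitelist, which is what a User-Agent-only exemption being misused would look like. MWG wildcard matching is approximated with fnmatch, and the log lines are constructed, not real MWG output.

```python
from fnmatch import fnmatchcase

# Wildcard patterns copied from Stefan's post (MWG-style globbing approximated
# with fnmatch; matching is case-sensitive like the original strings).
ITUNES_USER_AGENTS = ["iTunes*AppleWebKit*", "GCSL GCSP *", "InetURL/1.0"]
ITUNES_HOSTS = [
    "itunes.apple.com", "albert.apple.com", "gs.apple.com",
    "ax.phobos.apple.com.edgesuite.net", "*.mzstatic.com", "metrics.apple.com",
    "ax.init.itunes.apple.com.", "*.itunes.apple.com", "*.verisign.com",
    "*.phobos.apple.com", "*.gcsp.cddbp.net", "securemetrics.apple.com",
]

def matches_any(value, patterns):
    return any(fnmatchcase(value, p) for p in patterns)

def skip_authentication(user_agent, host):
    """True only when BOTH conditions hold; a spoofed User-Agent alone is not enough."""
    return matches_any(user_agent, ITUNES_USER_AGENTS) and matches_any(host, ITUNES_HOSTS)

# Constructed log lines (assumed layout: client_ip user host status "user-agent").
SAMPLE_LOG = """\
10.0.0.5 - itunes.apple.com 200 "iTunes/10.5 (Windows; Microsoft Windows 7) AppleWebKit/534.51.22"
10.0.0.5 - a1.mzstatic.com 200 "iTunes/10.5 (Windows; Microsoft Windows 7) AppleWebKit/534.51.22"
10.0.0.9 - www.example.org 200 "iTunes/10.5 (Windows; Microsoft Windows 7) AppleWebKit/534.51.22"
10.0.0.9 - www.example.org 200 "iTunes/10.5 (Windows; Microsoft Windows 7) AppleWebKit/534.51.22"
10.0.0.7 jsmith www.example.org 200 "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.1"
"""

def parse_line(line):
    head, _, ua = line.partition(' "')
    ip, user, host, status = head.split()
    return {"ip": ip, "user": user, "host": host, "status": status, "ua": ua.rstrip('"')}

def report_abuse(log_text):
    """Per client IP: unauthenticated requests ("-" user) with an iTunes User-Agent
    to a host that is NOT on the iTunes whitelist. With Stefan's combined rule this
    should stay empty; under a User-Agent-only exemption it shows the bypass in use."""
    hits = {}
    for line in log_text.splitlines():
        r = parse_line(line)
        if (r["user"] == "-" and matches_any(r["ua"], ITUNES_USER_AGENTS)
                and not matches_any(r["host"], ITUNES_HOSTS)):
            hits[r["ip"]] = hits.get(r["ip"], 0) + 1
    return hits
```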
kent.dyer
Level 9
Message 13 of 18

Re: How to use itunes over McAfee Webgateway V7.0

Stefan, could you export this rule to a .XML file for import?

Thanks,

Kent

kent.dyer
Level 9
Message 14 of 18

Re: How to use itunes over McAfee Webgateway V7.0

I'd like to see this rule set.  We haven't rolled MWG to all of our users yet, and the ones that will complain the loudest are coming up next, and I'd like to nip this in the bud before we cut them from ISA servers to MWG.

Thanks,

Kent

sthe
Level 9
Message 15 of 18

Re: How to use itunes over McAfee Webgateway V7.0

I attached the Rule Set and an HTML report from the Policy Viewer tool.

I had to add this Host to the Whitelist:

securemetrics.apple.com

Just put this Rule in "Direct Proxy Authentication and Authorization" like this:

iTunes_Rule_Set.png

Stefan

edited by sthe
spell corrections on 29.03.12 03:13:48 CDT
feeeds
Level 9
Message 16 of 18

Re: How to use itunes over McAfee Webgateway V7.0

Can you post how you configured this in version 6?

Thanks,

Re: How to use itunes over McAfee Webgateway V7.0

Hi, in V6:

  1. Create 2 new mapping rules at the top of your rules, one for user agent and the other for user-defined header
    Mapping_process.bmp
  2. User-Agent rule
    User_Agent_rule.bmp
  3. User-defined rule
    User_defined_rule.bmp

And that should be it.

Troja
Reliable Contributor
Message 18 of 18

Re: How to use itunes over McAfee Webgateway V7.0

Hi Moros,

do you have SSL Scan enabled? iTunes does not like it when you break the SSL traffic.

Cheers,

Thorsten
