2 Replies Latest reply on Aug 9, 2017 12:36 PM by tribunal

    Allowing only specific users access to sync devices with iTunes

    tribunal

      We have 2 MWGs in a cluster.  Version 7.6.2.7.0.  We use them as our proxies to authenticate users and then filter their traffic based on AD groups.

       

      We have a user who couldn't sync with iTunes.  After troubleshooting, the fix is to bypass the proxy authentication for *.itunes.apple.com.

       

      While this fixes the issue, we don't want everyone in the company to have access to do this.  We also don't want everyone from any of the AD groups to be able to do this.  We want to be able to assign specific users.  I don't like to make changes on these appliances without knowing that I'm at least following the right logic to fix the issue.

       

      I created a rule that is basically a copy of the Don't Authenticate rule but I added another line of criteria.

       

      Rule Criteria:

      URL.Host > matches in list > iTunes Sync (list has *.itunes.apple.com)

      AND

      Authentication.UserName > matches in list > iTunes User List (list has the user's AD username)

       

      Action:

      Stop Rule Set

       

The first criterion works for sure, but am I using the right expression to tie it to a specific user?  The most important thing here is that I don't do anything that impacts the Internet for everyone else...that would be bad.  So I'm just wanting confirmation that I am going about this the right way, or advice on a better way to do it if anyone has any.  Thank you.

        • 1. Re: Allowing only specific users access to sync devices with iTunes
          aloksard

          Hi Tribunal,

           

          Hope you are doing well.

           

          As mentioned above the fix is to bypass the proxy authentication for *.itunes.apple.com.

           

          Any rule created using Authentication parameters, like Authentication user name or groups, will only work once the Authentication rule has been triggered, because only then do we get the desired values of user name or groups.

           

          So any rule created using Authentication parameters like Authentication user name or groups will not work if it is placed before the Authentication rule.

           

          The Authentication rule should be triggered first, and only then do we get the desired values of these parameters, like Authentication username or groups.

           

          So here you can create a rule using the Client.IP property and URL.Host (*.itunes.apple.com) if possible, or use some other property.

           

          Regards

          Alok Sarda
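The ordering point Alok makes, modelled as a small Python simulation of a rule set. This is an added example, not MWG code and not anything posted in the thread: the list names follow the post, but the username "jdoe", the address 10.1.2.3 and the engine semantics (a request property that stays empty until an Authenticate action has run, and a client that either answers or cannot answer a 407 challenge) are assumptions made for the illustration.

```python
"""Toy rule engine for the ordering point made in the reply above.

Added example, not MWG code or anything from the thread. The list names
follow the post; the username "jdoe", the address 10.1.2.3 and the engine
semantics (a request property that is empty until an Authenticate action
has run) are assumptions made for the illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Callable, List, Optional, Tuple

ITUNES_SYNC = ["*.itunes.apple.com"]   # the "iTunes Sync" list from the post
ITUNES_USERS = ["jdoe"]                # the "iTunes User List" (assumed username)
ITUNES_IPS = ["10.1.2.3"]              # a Client.IP list for the alternative (assumed)


@dataclass
class Request:
    host: str          # URL.Host
    client_ip: str     # Client.IP, known from the TCP connection itself
    # What the client would send back to a 407 challenge; None models a
    # client (an iTunes sync, say) that cannot do proxy authentication.
    credentials: Optional[str]
    username: str = ""  # Authentication.UserName: empty until Authenticate runs


Criterion = Callable[[Request], bool]
Rule = Tuple[str, Criterion, str]   # (name, criterion, action)


def host_in_list(patterns: List[str]) -> Criterion:
    return lambda r: any(fnmatch(r.host, p) for p in patterns)


def user_in_list(users: List[str]) -> Criterion:
    return lambda r: r.username in users   # "" never matches a listed user


def ip_in_list(ips: List[str]) -> Criterion:
    return lambda r: r.client_ip in ips


def both(a: Criterion, b: Criterion) -> Criterion:
    return lambda r: a(r) and b(r)


def evaluate(rules: List[Rule], req: Request):
    """Run rules top to bottom; return (status, username, trace).

    status: "407"  the client was challenged and could not answer
            "stop" a Stop Rule Set action ended the rule set
            "end"  every rule was evaluated without stopping
    """
    trace = []
    for name, crit, action in rules:
        if not crit(req):
            trace.append(f"{name}: no match (UserName={req.username!r})")
            continue
        trace.append(f"{name}: match -> {action}")
        if action == "authenticate":
            if req.credentials is None:
                return "407", req.username, trace
            req.username = req.credentials      # property populated from here on
        elif action == "stop_rule_set":
            return "stop", req.username, trace
    return "end", req.username, trace


def outcome(rules: List[Rule], host: str, ip: str, credentials: Optional[str]):
    """(status, username) for one request; the trace is dropped."""
    status, user, _ = evaluate(rules, Request(host, ip, credentials))
    return status, user


AUTHENTICATE: Rule = ("Authenticate", lambda r: True, "authenticate")
ITUNES_BY_USER: Rule = ("iTunes users",
                        both(host_in_list(ITUNES_SYNC), user_in_list(ITUNES_USERS)),
                        "stop_rule_set")

# 1. The original fix: Don't Authenticate for the whole host list, for everyone.
BY_HOST_ONLY = [("Don't Authenticate iTunes", host_in_list(ITUNES_SYNC), "stop_rule_set"),
                AUTHENTICATE]
# 2. The poster's rule placed above Authenticate: UserName is still "" and never matches.
BY_USER_ABOVE_AUTH = [ITUNES_BY_USER, AUTHENTICATE]
# 3. The same rule placed below Authenticate: the property is populated by then.
BY_USER_BELOW_AUTH = [AUTHENTICATE, ITUNES_BY_USER]
# 4. The Client.IP alternative: host plus client address, evaluable before any authentication.
BY_IP_ABOVE_AUTH = [("iTunes IPs", both(host_in_list(ITUNES_SYNC), ip_in_list(ITUNES_IPS)),
                     "stop_rule_set"),
                    AUTHENTICATE]

if __name__ == "__main__":
    variants = [("host only", BY_HOST_ONLY), ("user above auth", BY_USER_ABOVE_AUTH),
                ("user below auth", BY_USER_BELOW_AUTH), ("ip above auth", BY_IP_ABOVE_AUTH)]
    for label, rules in variants:
        for creds in ("jdoe", None):
            status, user, trace = evaluate(rules, Request("p1.itunes.apple.com", "10.1.2.3", creds))
            print(f"{label:16} creds={creds!s:5} -> {status:4} user={user!r}  {' | '.join(trace)}")
```

Running it shows the three things the thread turns on. With the user rule above Authenticate, the iTunes request from "jdoe" simply falls through to Authenticate because UserName is still empty when the rule is evaluated; moved below Authenticate, the same rule matches and stops the rule set for that user only. It also shows the check the poster wanted: for any host outside the iTunes Sync list, every variant evaluates Authenticate exactly as before, so nobody else's browsing changes. The caveat is that a rule below Authenticate can only match requests whose client answered the 407 challenge; a client that cannot do proxy authentication gets the 407 and never reaches the user rule, which is why the Client.IP variant sits above the Authentication rule.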

          • 2. Re: Allowing only specific users access to sync devices with iTunes
            tribunal

            Ah, that makes perfect sense.  I guess it has to know the user's ID before it can use it as a criterion for something.  I should have seen that, so thank you for the answer.

             

            I can't use Client.IP because of DHCP and I don't want to have to change it every time someone gets a new lease.  I'll play around and see if I can get it to work with the username once I place it below the Authentication rule.  Thank you.