1 2 Previous Next 10 Replies Latest reply on Nov 12, 2010 9:25 AM by dcaffrey

    Streaming Media types

    dcaffrey

      Hi,

       

      When I access these media types "Video/x-ms-asf" and "Video/x-ms-wmv" in a browser, Windows Media Player is launched or Windows Media Player extension is started in the browser, this causes an authentication prompt to be displayed, if I enter domain credentials it seems to play ok.

       

      I've created a Stop Cycle Rule at the start of my ruleset for Media.EnsuredType containing these types and that gets around the authentication prompt.

       

      Is this the best approach for Streaming Media ?, anyone know of a website with a good selection of sample streaming media I can test ?

       

      Thanks,

       

      Dec

        • 1. Re: Streaming Media types
          Jon Scholten

          Hello!

           

          It is best to do it based on the User-Agent (which is a request header). Whereas Media Type is something determined in the response header/response content.

           

          Authentication takes place in the request phase so if your rule is based based on media type, it would be too late to exempt it from authentication.

           

          ~Jon

          • 2. Re: Streaming Media types
            Jon Scholten

            Oh, here is a good reference for User-Agent strings:

            http://www.useragentstring.com/pages/useragentstring.php

             

            Windows Media Player for example uses something like "nsplayer" or "windows-media-player".

             

            ~Jon

            • 3. Re: Streaming Media types
              michael_schneider

              Hi Dec,

               

              before considering a solution it is important to understand what happens.

              In your case, I assume that you originally wanted to do a transparent authentication vis NTLM (otherwise you wouldn't be annoyed by the popup ). What we found out over the years is that Media Player itsself is not able to do NTLM, thus is will ask you users who they are.

              Having said that and just relying on the useragent is somewhat a very loose authorisation criteria. Once your users notice and download a standalone browser such as Firefox Mobile, they can set whatever user-agent they like:

              FFAgent.jpg

              As some of the modern media player also include browsers, this can get quiete interesting and you are opening up the world for your clever users.

               

              From a security standpoint - I'd say: "Live with the popup" - However, reality is in most cases that your users will start nagging you as they find it inconvenient. What can you do?

               

              As suggested just use the user agent as bypass for security (stop cycle) which has the described side effects or create a very strict internet access policy for these user agents excluding the majority of categories and just allowing business relevant data. The latter one will at least ensure that media players can't be misused as browsers.

               

              Here is a user agent list from a 6 version of MWG:

              mediaplayer.jpg

               

              best,

              Michael

               

               

              Message was edited by: Michael Schneider on 10/11/2010 08:39:03 CET
              • 4. Re: Streaming Media types
                dcaffrey

                Hi Guys,

                 

                Thanks for the feedback, I'll have a look at the User Agent, this is the rule I put in which seems to be working ok, i.e. I don't get an authentication prompt, is there a problem with this approach ?, the rule is in the Global Whitelist before I do authentication

                 

                MWG7_Rule.gif

                 

                Thanks,

                 

                Dec

                • 5. Re: Streaming Media types
                  michael_schneider

                  Hi Dec,

                   

                  genereally this is OK - except the security implications. This means no malware scanning will be applied to the data. You could put this as an option to your authentication rules though.

                  Media.Type doesnot match in list (MediaType exlcudes for Auth) stop rule set or so. This will not skip the complete cycle.

                  If somebody is downloading a video in the broswer (save as or so) he will also not be authenticated, etc.

                   

                  But that is based on your assessment of the security requirements of your org of course. If you think that your rule is meeting your org's reqirements than this is fine. From a technical perspective, the approach is do-able.


                  best,

                  Michael

                  • 6. Re: Streaming Media types
                    dcaffrey

                    Hi Michael,

                     

                    Many thanks for the feedback, that's clarified it very nicely, I think the User-Agent check in combination with the Authentication rule is the most versatile option, it seems to be working fine now with Windows Media Player and I can easily add other agents as required into my agent whitelist, can you see any issues with this rule ?

                     

                    Thanks,

                     

                    Dec

                    MWG7_Agent.gif

                    • 7. Re: Streaming Media types
                      michael_schneider

                      Looks good in my eyes

                      • 8. Re: Streaming Media types
                        dcaffrey

                        Hi Michael,

                         

                        Is Header.Request.Get("User-Agent") the most reliable check ? are there other alternatives ?, had a problem with a live webcast yesterday which seemed to be the same type of stream as working ones but wouldn't play when media player launched.

                         

                        How can I check the User-Agent ?

                         

                        Thanks,


                        Dec

                        • 9. Re: Streaming Media types
                          michael_schneider

                          Hey Dec,

                           

                          was it a live stream for streaming media or flash live stream?

                          What was the nature of the issue?

                           

                          best,

                          Michael

                          1 2 Previous Next