13 Replies | Latest reply on Aug 14, 2012 12:34 AM by alexott

    Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

    0range

      We're setting up a new McAfee Web Gateway appliance running 7.2.  What do I need to do to get Flash video working thru there?  In particular, with RTMPT encapsulating traffic on port 80?

       

      I'm testing video on the MLB and ESPN sites, since they're really high quality -- and they're great test cases for sites our business users will want to use.

       

      The ads before the videos sometimes load, but the videos themselves never start or just buffer a few seconds and get stuck.

       

      http://mlb.com/video

      http://espn.go.com/video/

       

      Videos on many sites seem fine - youtube, ustream.tv, many news sites with their own embedded players, etc.

       

       

      I disabled ALL policies - I'm aware of the anti-malware "ignore streaming" options.  All I have setup right now is just the basic http(s) proxy config.

       

      I also played with the chunking settings but that didn't change anything.

       

       

       

      I can get the videos to work perfectly when my browser goes directly thru the firewall.

       

      I can also get them to work fine when going thru McAfee's SaaS (cloud) web filter.

       

      whatismyip.com shows the cloud service as

      IP 208.65.149.248

      McAfee Web Gateway 7.1.6.1.0.12742

       

      I have TCP and UDP ports 1935 allowed in my firewall as well, but the issue seems to be RTMPT not working on port 80

       

      I also tried enabling the Helix service on my appliance, but that didn't change anything either (RTMPT is different from RTSP....)

       

      I've also spent way too much time learning all the options of Flash Player.  I'm quite aware of its lack of a proxy setting.  Or any way to change how RTMPT is handled.

       

      I've tried these videos on XP and Win7; IE 7 / IE 9 / Chrome / FF -- the issue is the MWG not allowing this traffic to pass.

       

       

      So what does the McAfee cloud service do differently that I haven't done to my appliance, so I can get these test video sites to work?

       

       

      This port test site shows the issue:

       

      http://www.therealtimeweb.com/index.cfm/2004/10/2/fms-port-tester

       

       

      -----------

       

      mwg:

       

      WIN 11,3,31,222

       

       

      RTMP         DEFAULT    Success

      RTMP         80             Success

      RTMP         443            Success

      RTMP         1935           Success

      RTMPT        DEFAULT    Success

      RTMPT        80             Success

      RTMPT        443            Success

      RTMPT        1935           TimeOut

       

      -----------

       

      fw direct:

       

      WIN 11,3,31,222

       

      RTMP         DEFAULT    Success

      RTMP         80             Success

      RTMP         443            Success

      RTMP         1935           Success

      RTMPT        DEFAULT    Success

      RTMPT        80             Success

      RTMPT        443            Success

      RTMPT        1935           Success

       

      -----------

       

      McAfee SaaS (cloud)

       

      WIN 11,3,31,222

       

      RTMP         DEFAULT    Success

      RTMP         80             Success

      RTMP         443            Success

      RTMP         1935           Success

      RTMPT        DEFAULT    Success

      RTMPT        80             Success

      RTMPT        443            Success

      RTMPT        1935           Success

       

      -----------

       

      Thanks in advance for any suggestions!

        • 1. Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

          As a test, I have set up a workstation that is blocked from direct internet traffic by the firewall, and all access must go through an explicit proxy on the browser.

          When I go to mlb.com or espn, the videos play perfectly in their entirety.

           

          In this mode that works through the proxy, the test indicates for me:

           

          WIN 11,3,300,270

          RMTP Default Success 1.4s
          RMTP Port 1935 Failed 0.1s
          RMTP Port 80 Failed 0.1s
          RMTP Port 443 Failed 0.1s
          RMTPT (Tunneling) Default Success 1.3s
          RMTPT (Tunneling) Port 80 Success 1.4s
          RMTPT (Tunneling) Port 443 Success 1.3s
          RMTPT (Tunneling) Port 1935 Success 1.3s

           

          My guess is you are trying to use MWG in some sort of transparent mode (WCCP, Transparent bridge) that attempts to go out directly first instead of tunneling.

           

          The Flash player is opportunistic in that it attempts to go directly first. Only if it fails by going directly will it resort to a tunneled HTTP connection.

          Because a port 80 TCP connection is established directly, it thinks that is a valid route to take for the rest of the video, but it's not. Once the connection is made, it switches to RTMP protocol, which is not HTTP and blocks the video.

           

          Try this.

          Block all traffic at the firewall from the client.

          Explicitly proxy the browser to MWG.

          See what happens. Does the video play?

          • 2. Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?
            alexott

            Currently, the Streaming Detector is not always able to detect RTMP over HTTP - in this case, you can add a rule to whitelist it, with something like:

             

            IF Cycle.Name equals "Response" AND Header.Response.Get("Content-Type") equals "application/x-fcs" and Header.Request.Get("Content-Type") equals "application/x-fcs" THEN Stop Cycle

             

            We're working on fixing this problem...

             

            on 08/08/12 08:04:40 CEST
            • 3. Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?
              alexott

              I have an idea why it works for the Cloud service but not on the appliance - as I remember, the Cloud service doesn't implement media type detection, while in the standard configuration the MWG Appliance does, and if we're not able to detect the stream, then it can get stuck in the media type filter, trying to get data from the server before the MIME type is detected.

              • 4. Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

                I think I would be more explicit and only allow proper rtmpt and only pass for the post /open requests.

                 

                 

                POST /fcs/ident2 HTTP/1.1

                Content-Type: application/x-fcs\r\n

                 

                HTTP/1.0 404 Not Found

                 

                 

                POST /open/1 HTTP/1.1

                Content-Type: application/x-fcs\r\n

                 

                HTTP/1.1 200 OK

                Content-Type: application/x-fcs\r\n

                    <random number>

                 

                So the rule becomes:

                IF Cycle.Name equals "Response" AND Header.Response.Get("Content-Type") equals "application/x-fcs" and Header.Request.Get("Content-Type") equals "application/x-fcs" AND url.path = /open/* THEN Stop Cycle

                • 5. Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?

                  Just added a rule underneath the streaming detector, and without being explicit on the path, a lot of /idle/ traffic appears to have data and appears to be missed by the streaming detection.

                  I guess I would just add alexott's rule underneath the stream detector rule for the time being.
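
The trade-off discussed in replies 2, 4 and 5, as an added example that is not part of the original thread and is not MWG rule syntax: the rule criteria are modelled in Python and run over a constructed RTMPT session to show which requests each variant would stop the cycle on. The `/send/` and `/close/` paths come from the RTMPT protocol rather than the thread, and the session id, `/other/app` path and the `rtmpt_commands` variant are hypothetical.

```python
import re
from dataclasses import dataclass

FCS = "application/x-fcs"
# RTMPT command paths: /open/1, then /idle|send|close/<session>/<sequence>.
# Only /open/ and /idle/ appear in the thread; /send/ and /close/ are the
# remaining RTMPT commands (assumption added here, not from the thread).
RTMPT_PATH = re.compile(r"^/(open/\d+|(idle|send|close)/[^/]+/\d+)$")

@dataclass(frozen=True)
class Transaction:
    method: str
    path: str
    req_ctype: str   # models Header.Request.Get("Content-Type")
    resp_ctype: str  # models Header.Response.Get("Content-Type")

def rule_content_type(t):
    """Reply 2 criteria: both Content-Type headers equal application/x-fcs."""
    return t.req_ctype == FCS and t.resp_ctype == FCS

def rule_open_only(t):
    """Reply 4 criteria: reply 2 plus a URL path under /open/."""
    return rule_content_type(t) and t.path.startswith("/open/")

def rule_rtmpt_commands(t):
    """Hypothetical middle ground: reply 2 plus POST to an RTMPT command path."""
    return (t.method == "POST" and rule_content_type(t)
            and RTMPT_PATH.match(t.path) is not None)

RULES = {
    "content_type": rule_content_type,
    "open_only": rule_open_only,
    "rtmpt_commands": rule_rtmpt_commands,
}

# Constructed sample traffic (session id and sequence numbers are made up).
SAMPLE = [
    Transaction("POST", "/fcs/ident2", FCS, ""),   # 404 in the thread's capture
    Transaction("POST", "/open/1", FCS, FCS),
    Transaction("POST", "/idle/SESSIONID/0", FCS, FCS),
    Transaction("POST", "/send/SESSIONID/1", FCS, FCS),
    Transaction("POST", "/idle/SESSIONID/2", FCS, FCS),
    Transaction("POST", "/close/SESSIONID/3", FCS, FCS),
    Transaction("POST", "/other/app", FCS, FCS),   # same labels, not an RTMPT path
    Transaction("GET", "/clip.mp4", "", "video/mp4"),
]

def stopped_paths(transactions=SAMPLE):
    """Map each rule name to the paths on which it would fire Stop Cycle."""
    return {name: [t.path for t in transactions if rule(t)]
            for name, rule in RULES.items()}

if __name__ == "__main__":
    for name, paths in stopped_paths().items():
        print(f"{name:15} {len(paths)} hit(s): {', '.join(paths)}")
```

The `/open/`-only variant exempts a single request per session, so the `/idle/` polling that carries the stream data still goes through filtering, while the Content-Type-only variant also exempts any other path whose request and response carry the same header values.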

                  • 6. Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?
                    0range

                    Thanks for the suggestions.  I tried them all but am still not able to get video to run from http://mlb.com/video

                     

                    eelsasser -- I took your advice and shut down all FW access from a test PC.  When I do that, I get these results. 

                     

                    The PC can tunnel RTMP traffic thru the MWG appliance and I've confirmed that in the firewall logs.

                     

                    http://www.therealtimeweb.com/index.cfm/2004/10/2/fms-port-tester

                    WIN 11,3,300,268

                    RTMP         DEFAULT    TimeOut
                    RTMP         80            Failed
                    RTMP         443           Failed
                    RTMP         1935          Failed
                    RTMPT        DEFAULT    Success
                    RTMPT        80            Success
                    RTMPT        443           Success
                    RTMPT        1935          Success

                     

                    I'm not able to watch videos though -- you must have some other config setup that I don't yet.  I don't believe I have any transparent proxy options enabled -- but I'm new to this device, so here's what my proxy settings look like:

                     

                    proxy_settings.PNG

                     

                     

                    alexott & cnewman -- I tried your suggestions as well.  I didn't have any policy rules enabled at all for this test, so I re-activated the "Global Whitelist" and tried it there first.  The only rule active under there is the new one:

                     

                     

                    --------------------

                    Name:

                    allow_flash_videos

                     

                    Comment:

                     

                    Rule Criteria:

                    Cycle.Name equals "Response" AND

                    Header.Response.Get ("Content-Type") equals "application/x-fcs" AND

                    Header.Request.Get ("Content-Type") equals "application/x-fcs"

                     

                    Action:

                    Stop Cycle

                     

                    Events:

                    --------------------

                     

                    That didn't work.

                     

                    I then enabled "Gateway Anti-Malware" and all these tests failed:

                     

                    1. activated just the builtin "Skip Streaming Media"

                     

                    2a. activated the builtin "Skip Streaming Media" and also my new custom rule to allow flash video, before the Skip Streaming Media rule --

                    Cycle.Name equals "Response" AND

                    Header.Response.Get ("Content-Type") equals "application/x-fcs" AND

                    Header.Request.Get ("Content-Type") equals "application/x-fcs"

                    Action:

                    Stop Cycle

                     

                    2b. same as 2a, tried "Stop Rule Set" instead of "Stop Cycle"

                     

                    3a. activated the builtin "Skip Streaming Media" and also my new custom rule to allow flash video, after the Skip Streaming Media rule

                    3b. same as 3a, tried "Stop Rule Set" instead of "Stop Cycle"

                     

                     

                    The ads will start after about 20 seconds, which I believe means the browser is downloading the ad and then playing it, instead of streaming.  Then the video will buffer for about 20-30 seconds, play for about 5, repeat.

                     

                    Any ideas on what else I have missing?

                     

                    Thanks for all your ideas so far.

                    • 7. Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?
                      alexott

                      Thank you for the detailed report, we're investigating this issue...

                      • 8. Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?
                        alexott

                        It's interesting that I can't get this site to use RTMP all the time - most of the time it uses Flash + MP4, and this was detected without any problem :-(

                        • 9. Re: Flash video streams failing with MWG 7.2 -- how do you allow RTMPT traffic?
                          0range

                          alexott -- thanks for the updates. 

                           

                          Looking at my httpwatch and firebug logs, I can see the ads actually come from ad.auditude.com, not mlb.com, so there could be a little difference there.

                           

                          All the videos seem to show up as mp4 files for me on all my test PCs and browsers.

                           

                          For example:

                           

                          http://mediadownloads.mlb.com/mlbam/2012/08/08/mlbtv_aripit_23753079_1200K.mp4

                          http://mediadownloads.mlb.com/mlbam/2012/08/08/mlbtv_tortba_23751881_1200K.mp4

                          http://mediadownloads.mlb.com/mlbam/2012/06/28/mlbtv_22658173_1200K.mp4

                           

                           

                          So I created this rule and put it in the global whitelist:

                           

                          allow_mp4_videos

                           

                          Comment:

                           

                          Rule Criteria:

                          Cycle.Name equals "Response" AND

                          Header.Response.Get ("Content-Type") equals "video/mp4"

                           

                          Action:

                          Stop Rule Set

                           

                          Events:

                          ------

                           

                          I also tried "stop cycle" -- neither changed the outcomes

                           

                          ------

                           

                          Here's a test video with my firebug headers info. Overall, I had the same results with that mp4 allow rule : very slow download thru the MWG, good/constant buffering thru cloud service.  These tests were on current FF (14.0.1) on Win7

                           

                           

                          http://mlb.com/video/play.jsp?content_id=23730997&topic_id=27334974&c_id=mlb

                           

                          mwg:

                           

                          Accept-Ranges    bytes

                          Content-Length    36396046

                          Content-Type    video/mp4

                          Date    Thu, 09 Aug 2012 15:33:41 GMT

                          Etag    "723f68f-22b5c0e-4c6c8dd41c49d"

                          Last-Modified    Wed, 08 Aug 2012 22:45:14 GMT

                          Proxy-Connection    Keep-Alive

                          Server    Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7d

                          Via    1.1 10.116.20.19 (McAfee Web Gateway 7.2.0.1.0.13253)

                          Request Headers

                          Accept    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

                          Accept-Encoding    gzip, deflate

                          Accept-Language    en-us,en;q=0.5

                          Cookie    stUtil_cookie=1%7C%7C6349750451344000276344; s_vi=[CS]v1|280DE88B0501336C-6000010960038CA8[CE]; SESSION_1=; s_cc=true; s_sq=%5B%5BB%5D%5D

                          Host    mediadownloads.mlb.com

                          Proxy-Connection    keep-alive

                          Referer    http://mlb.com/shared/flash/video/flvplayer_v4.swf?v=6

                          User-Agent    Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

                           

                           

                          cloud 1:

                           

                           

                          Accept-Ranges    bytes

                          Content-Length    36396046

                          Content-Type    video/mp4

                          Date    Thu, 09 Aug 2012 15:36:46 GMT

                          Etag    "723f68f-22b5c0e-4c6c8dd41c49d"

                          Last-Modified    Wed, 08 Aug 2012 22:45:14 GMT

                          Proxy-Connection    Keep-Alive

                          Server    Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7d

                          Via    1.1 10.1.65.74 (McAfee Web Gateway 7.1.6.1.0.12742)

                          X-MFE-SAFE-SEARCH    enabled

                          Request Headers

                          Accept    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

                          Accept-Encoding    gzip, deflate

                          Accept-Language    en-us,en;q=0.5

                          Cookie    stUtil_cookie=1%7C%7C6349750451344000276344; s_vi=[CS]v1|280DE88B0501336C-6000010960038CA8[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D

                          Host    mediadownloads.mlb.com

                          If-Range    "723f68f-22b5c0e-4c6c8dd41c49d"

                          Proxy-Connection    keep-alive

                          Range    bytes=994478-

                          Referer    http://mlb.com/shared/flash/video/flvplayer_v4.swf?v=6

                          User-Agent    Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

                           

                           

                           

                          cloud 2 -- after clearing cache, cookies, etc.

                           

                          Accept-Ranges    bytes

                          Content-Length    36396046

                          Content-Type    video/mp4

                          Date    Thu, 09 Aug 2012 15:39:18 GMT

                          Etag    "723f68f-22b5c0e-4c6c8dd41c49d"

                          Last-Modified    Wed, 08 Aug 2012 22:45:14 GMT

                          Proxy-Connection    Keep-Alive

                          Server    Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.7d

                          Via    1.1 10.1.65.72 (McAfee Web Gateway 7.1.6.1.0.12742)

                          X-MFE-SAFE-SEARCH    enabled

                          Request Headers

                          Accept    text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

                          Accept-Encoding    gzip, deflate

                          Accept-Language    en-us,en;q=0.5

                          Cookie    stUtil_cookie=1%7C%7C6349750451344000276344; s_vi=[CS]v1|280DE88B0501336C-6000010960038CA8[CE]; s_cc=true; s_sq=%5B%5BB%5D%5D

                          Host    mediadownloads.mlb.com

                          Proxy-Connection    keep-alive

                          Referer    http://mlb.com/shared/flash/video/flvplayer_v4.swf?v=6

                          User-Agent    Mozilla/5.0 (Windows NT 6.1; rv:14.0) Gecko/20100101 Firefox/14.0.1

                           

                           

                          The key differences are

                           

                          0. Obviously, the version is slightly different (7.1 for cloud, 7.2 for mwg)

                           

                          1. mwg test:

                          Cookie includes:  SESSION_1=;

                           

                           

                          2. the first cloud test includes these:

                           

                          If-Range    "723f68f-22b5c0e-4c6c8dd41c49d"

                          Range    bytes=994478-

                           

                           

                          3. both cloud sessions have this:

                          X-MFE-SAFE-SEARCH    enabled

                           

                           

                           

                          So ultimately the question is what the cloud service is doing differently that allows this to work.
