4788 Views 17 Replies Latest reply: Sep 16, 2013 1:39 PM by ashwinb
shaneg Newcomer 28 posts since
Jun 28, 2012

Aug 22, 2012 12:38 PM

Apple and 'Facetime'

With the migration to our new McAfee Web Gateway solution in place (and the advent of SSL scanning of our traffic now), the crash course in all things McAfee has begun and (well) made my brain go on overload.

 

One of my more recent issues has come into play when it comes to SSL-based traffic, namely Apple's 'Facetime' application. I delved through logs, pulled reports and the lot, even contacted plat support, but even they were 'stumped' and had me submit a new 'Product Enhancement Request'.

 

Here is the transcript of (our) conversation and the disconnect that Apple (aka the Devil) and McAfee seem to be having.

 

"Unfortunately, I can't see a way to make this work due to the way Apple has this set up. The applepushserviced first does a DNS TXT query for "push.apple.com" [nslookup -query=txt push.apple.com]. This will return "count=50" or some number XX. The daemon then creates a name using a number between 1..XX and creates the DNS name X-courier.push.apple.com. This DNS name is then handled by Akamai DNS to return an IP address in the 17.X netblock that belongs to Apple. The iPad then attempts to make the connection to that IP, which is then transparently redirected to the Web Gateway in your environment. The problem is that the CLIENT HELLO includes SNI (server name indication) which lists the host as simply 'courier.push.apple.com'. This causes the Web Gateway to do a DNS lookup for 'courier.push.apple.com', which will not resolve to an IP address but instead will only return a CNAME record: courier-push-apple.com.akadns.net. Without an IP address to connect to, the Web Gateway sends back the '502 not resolvable' error page. The only workaround that I can think of that includes the Web Gateway would be an option to have the proxy ignore the SNI and connect directly to the IP address as requested by the client. Unfortunately, we do not currently have an option to do so."

 

Am I missing something here, or is there a ruleset/change that can be made/modified to help alleviate this issue?

Or should we start looking for another solution to (PunchMeInThe)Facetime for iPads?
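To make the failure sequence in the support transcript concrete, here is an added Python model of it (example code written for this page, not part of the thread and not McAfee or Apple code). It parses the server_name (SNI) extension out of a TLS ClientHello, then replays the gateway's lookup against a constructed DNS table that reproduces what the transcript describes: a TXT record `count=50` on push.apple.com, numbered `N-courier.push.apple.com` hosts that resolve to placeholder 17.0.0.N addresses (assumed values, not Apple's real ones), and a bare `courier.push.apple.com` that only yields a CNAME with no address behind it. The `ignore_sni` flag is a hypothetical toggle standing in for the "connect to the client's requested IP" option the engineer says the product lacks; it exists here only to show what that option would change.

```python
import struct

# Constructed DNS view standing in for live DNS (assumption, not a real zone dump).
# 17.0.0.N addresses are placeholders for "something in Apple's 17.X netblock".
DNS = {
    "push.apple.com": {"TXT": ["count=50"]},
    "courier.push.apple.com": {"CNAME": "courier-push-apple.com.akadns.net"},
    "courier-push-apple.com.akadns.net": {},  # CNAME target with no A record visible to the gateway
    **{f"{n}-courier.push.apple.com": {"A": f"17.0.0.{n}"} for n in range(1, 51)},
}


def push_host_count(table):
    """Read the 'count=XX' TXT record the push daemon queries first; 0 if absent."""
    for txt in table.get("push.apple.com", {}).get("TXT", []):
        if txt.startswith("count="):
            return int(txt.split("=", 1)[1])
    return 0


def courier_host(n):
    """Name the daemon builds from a number in 1..count."""
    return f"{n}-courier.push.apple.com"


def resolve_a(name, table, max_hops=8):
    """Follow CNAMEs until an A record or a dead end, as the gateway's resolver would."""
    for _ in range(max_hops):
        rr = table.get(name, {})
        if "A" in rr:
            return rr["A"]
        if "CNAME" in rr:
            name = rr["CNAME"]
            continue
        return None
    return None


def build_client_hello(server_name):
    """Minimal TLS 1.2 ClientHello with one server_name extension (constructed test input)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list         # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                                 # client_version, zeroed random
            + b"\x00"                                                  # empty session_id
            + struct.pack("!H", 2) + b"\xc0\x2f"                       # one cipher suite
            + b"\x01\x00"                                              # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in a ClientHello's server_name extension, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:]
    if not hs or hs[0] != 0x01:
        return None
    pos = 4 + 2 + 32                                  # handshake header, client_version, random
    pos += 1 + hs[pos]                                # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hs[pos]                                # compression_methods
    if pos + 2 > len(hs):
        return None                                   # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:
            data = hs[pos:pos + elen]
            p = 2                                     # skip server_name_list length
            while p + 3 <= len(data):
                ntype = data[p]
                nlen = struct.unpack("!H", data[p + 1:p + 3])[0]
                p += 3
                if ntype == 0:
                    return data[p:p + nlen].decode("ascii")
                p += nlen
        pos += elen
    return None


def gateway_decision(client_hello, requested_ip, table, ignore_sni=False):
    """Model the transcript: resolve the SNI name and connect to it, else answer 502.
    ignore_sni is the hypothetical option discussed in the transcript, not a real setting."""
    sni = parse_sni(client_hello)
    if ignore_sni or sni is None:
        return ("connect", requested_ip)
    ip = resolve_a(sni, table)
    if ip is None:
        return ("502 not resolvable", sni)
    return ("connect", ip)


if __name__ == "__main__":
    n = 7  # the daemon would pick a random number in 1..push_host_count(DNS)
    hello = build_client_hello("courier.push.apple.com")
    print(gateway_decision(hello, resolve_a(courier_host(n), DNS), DNS))
```

Running the block prints `('502 not resolvable', 'courier.push.apple.com')`: the client reached a valid 17.x address via `7-courier.push.apple.com`, but the gateway discards that and keys its own lookup off the SNI, which dead-ends at a CNAME. Feeding a ClientHello whose SNI is the numbered host, or setting `ignore_sni=True`, produces a connect instead, which is exactly the gap the transcript points at.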

  • michael_schneider McAfee SME 424 posts since
    Nov 14, 2009
    1. Aug 23, 2012 5:36 AM (in response to shaneg)
    Re: Apple and 'Facetime'

    We are currently building a lab to better understand what you are describing.

    Looking into the data and analysis might take a while. We'll keep you posted.

     

    Michael


    --
    CISSP
    Sr. Product Manager Web Security
    Network Security BU

    **no personal messages please, unless requested**
  • michael_schneider McAfee SME 424 posts since
    Nov 14, 2009
    2. Aug 23, 2012 6:18 AM (in response to shaneg)
    Re: Apple and 'Facetime'

    An additional quick question: where does the transcript come from? Apple to McAfee Support?

    We just set up an MWG in bridge mode and had Facetime sessions running over it, even with an MWG rule in place that blocks all MWG can see.

    Can you also specify your environment in more detail, please?

     

    thanks,

    M.


    --
    CISSP
    Sr. Product Manager Web Security
    Network Security BU

    **no personal messages please, unless requested**
  • asabban McAfee SME 1,354 posts since
    Nov 3, 2009
    3. Aug 23, 2012 6:35 AM (in response to michael_schneider)
    Re: Apple and 'Facetime'

    Here is what we tested:

     

    - Apple iPhone 4 with Facetime connected to Access Point via Wifi

    - MWG in transparent bridge mode between Access Point and upstream network

    - A Mac with Facetime in a different network

     

    What we can see is that communication seems to be mainly UDP based. MWG running in transparent bridge mode only intercepts port 80/443 TCP, so all other traffic is simply passed on to the remote server.

     

    We tried inbound/outbound Facetime calls successfully. Please share some more information about your test environment, so that we can probably adjust our test here to better understand what you are doing.

     

    Best,

    Andre

  • michael_schneider McAfee SME 424 posts since
    Nov 14, 2009
    5. Aug 23, 2012 7:56 AM (in response to shaneg)
    Re: Apple and 'Facetime'

    Hi,

     

    proxy.pac with WCCP? WCCP is a network-based redirection to avoid the need for a proxy.pac.

    I think the info we need is: how does traffic from your device get onto Web Gateway? Have you set a proxy.pac on the iOS device, or are you redirecting via WCCP in your wireless network?

     

    thanks,

    Michael


    --
    CISSP
    Sr. Product Manager Web Security
    Network Security BU

    **no personal messages please, unless requested**
  • jspanitz Apprentice 118 posts since
    Nov 4, 2009
    7. Aug 24, 2012 8:17 AM (in response to shaneg)
    Re: Apple and 'Facetime'

    We have the same setup and I'm curious to see how this turns out.
