iTunes behind an ISA 2004 Firewall

Since upgrading to iTunes 6.0, I can no longer access the Music Store or any of the streaming radio stations. Installation went fine.
When attempting to go to Music Store, I get the following error: iTunes could not connect to the Music Store. "An unknown error occurred (502). Make sure your network connection is active and try again."
Seems that something has changed in the 6.0 release, thus causing me to have to reconfigure my ISA 2004 Enterprise firewall rules.
I currently allow the following outbound TCP ports:
3689
42000-42999
8000-8999
9022
What's changed, and does anyone else run ISA 2004 and iTunes successfully?
I understand that there may be some proxy settings in QT that get picked up and used by iTunes? Can anyone clarify?

hi Ashley!
Only problem: I'm not using the Firewall Client -- I'm doing all access via the web proxy.
hmmm. i've seen some versions of this caused when servers on a network aren't exempting the following domains:
phobos.apple.com
phobos.apple.com.edgesuite.net
the following text is from a post by Robert Eckdale:
I wanted to share my experience with connectivity issues to the iTunes Music Store. I am including some background info in this post... so it's admittedly a bit long-winded.
Users on my network were receiving the following error when attempting to connect to the iTunes Music Store (IMS):
"We could not complete your Music Store Request. An unknown error occured (502).
There was an error in the Music Store. Please try again later."
At first it seemed likely this was an IMS service outage, and given that IMS isn't a business critical app, I set it aside for a couple of days. When the issue still existed 3 days later it became apparent this was likely related to our firewall security configuration.
I performed a packet capture on a workstation while iTunes attempted to connect to IMS. Sure enough the results indicated that the request was rejected by the firewall's HTTP filter.
The firewall/proxy being used is Microsoft Internet Security and Acceleration Server 2004. (ISA 2004) One of the benefits of ISA is its advanced application-layer security. I won't get into the details, but if you want more info a good place to start would be http://www.microsoft.com/isaserver.
The next thing to determine was the specifics of the HTTP request and the cause for rejection. On the ISA server I set up a logging query that monitored live traffic from my test workstation for connections denied due to various HTTP filter values. The query indicated that the request was being denied because the HTTP traffic was encoded, thus not allowing the traffic to be inspected. Not sure why Apple is encoding HTTP traffic, but that’s another discussion.
So the solution: (It’s about time…right?) On the ISA server I created the following Domain Name Set:
Name: iTunes Music Store
Domain names included in this set: *.phobos.apple.com and *.phobos.apple.com.edgesuite.net.
I then created an Access Rule with the following properties:
Action: Allow
Protocols: HTTP (Disabled the Web Proxy application filter.)
Source: Workstations (This is just a group of IP’s used by our workstations)
Destination: iTunes Music Store (The Domain Name Set I created earlier)
I placed this new access rule “above” the default HTTP rule used by our workstations. This results in the new rule being processed first. So, if a workstation makes an HTTP request, the ISA server determines if its destination is to either of the domains used by IMS. If it is, the request is allowed and no application layer filtering is applied. If the destination of the request is not to either of the IMS domains, it is allowed but HTTP application layer filtering is applied.
There might be better ways to do this, but it seems like an acceptable solution. The security trade-off is that if there were an HTTP exploit used at either of those IMS domains my users would not be protected.
Eckdale post ends
love, b

Similar Messages

  • Unable to connect to internet using DHCP with WRT54G behind ISA 2004

    Hello,
    For starters, the Linksys WRT54G is located behind the ISA 2004 Sever firewall. The gateway for the LAN and internet segment is set at 192.168.1.1 and 192.168.2.1 for the WLAN segment on the ISA box. All the proper network rules and access rules have been created. If I set the adapter card on the lap top with a static IP, e.g. ip address as 192.168.2.3, subnet mask: 255.255.255.0 default gateway: 192.168.2.1 and primary DNS: 192.168.1.1 the lap top can connect to the internet through the WLAN segment. At this point the WRT54G is set for internet connection type as automatic configuration DHCP, local IP address as 192.168.2.2 subnet mask as 255.255.255.0 and DHCP server disabled
    When using DHCP on the WRT54G by enabling it and setting the Starting IP address to 192.168.2.3, I cannot connect to the internet. When using the CMD prompt and doing a ipconfig /all this is the result
    I get:
        DHCP enabled: yes
        Autoconfiguration Enabled: yes
        IP Address: 192.168.2.3
        Subnet Mask: 255.255.255.0
        Default Gateway: 192.168.2.2
        DHCP Server: 192.168.2.2
        DNS Server: 192.168.2.2
    Is it possible to configure the WRT54G so that the default gateway can be set? Each time I change the Local IP address of the WRT54G e.g. 192.168.2.10, the default gateway gets the same IP address.
    Any help would be much appreciated.
    Thanks
    Karl

    In the 54g, setup an extra route to the other default gateway.
    ie; route 192.168.2.2 mask 255.255.255.2 gate 192.168.2.1

  • Contribute and ISA 2004

    Has anyone managed to get Contribute to work from behind an
    ISA 2004 firewall/proxy server? If so, how was ISA set up?
    Thanks
    martion

    Check the link it might help.
    http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800b12b5.shtml

  • Windows 7 updates fail behind SBS 2003 and ISA 2004

    Windows 7 update is failing with 'Code 80072EFD'.  I am using SBS 2003 with ISA 2004.  We just recently updated the client machine from Windows XP.  WSUS is completely disabled on SBS 2003 and all updates are downloaded directly from the Windows Update server.  Updates were working fine before we updated the machine to Windows 7.
    How can I fix updates for the Windows 7 machine?

    Hi,
    Based on your description, please refer to the following article and check if it can help you.
    Windows Update error 80072efd
    If there is any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Decommission ISA 2004 servers

    Hello forum, I have to decommission few ISA servers because our project team implemented TMG in our environment. The ISA version is 2004 and the traffic logging is done on a different box with SQL 2005. Which means that all server, service/application or
    user generated traffic first hits ISA boxes and data is logged in SQL server. Now, I ran a query on SQL boxes to see if there are servers or applications still accessing old ISA servers and found that many still are using that route. The query I ran is 
    select clientusername,Max(logtime)
    from webproxylog
    where logtime > '2014-03-04'
    Group by Clientusername
    Outcome is a list of servers and users accessing old ISA servers, please see below
    clientusername      TimeStamp
    Domain\USER1        12/03/2014 9:42
    Domain\USER2        10/03/2014 8:29
    Domain\SERVER1$     12/03/2014 6:33
    Domain\SERVER2$     7/03/2014 23:05
    Domain\SERVER3$     7/03/2014 23:09
    Domain\SERVER4$     7/03/2014 22:18
    Domain\SERVER10$    12/03/2014 0:15
    Domain\SERVER12$    6/03/2014 13:00
    Domain\SERVER21$    9/03/2014 15:05
    Domain\USER46$      6/03/2014 7:17
    Domain\SERVER22$    5/03/2014 17:25
    Domain\SERVER73$    12/03/2014 9:11
    Domain\SERVER14$    5/03/2014 17:31
    So I logged on to a few servers to check proxy settings. The server list comprises Windows 2003 and 2008 R2 boxes. On a handful of servers I found a proxy under IE settings, but on others I didn't find any proxy settings (under IE). Then I tried proxycfg.exe (pre 2008) and netsh winhttp show proxy (post 2008) but I got the following results, please see below.
    C:\proxycfg
    Microsoft (R) WinHTTP Default Proxy Configuration Tool
    Copyright (c) Microsoft Corporation. All rights reserved.
    Current WinHTTP proxy settings under:
      HKEY_LOCAL_MACHINE\
        SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
          WinHttpSettings :
         Direct access (no proxy server).
    C:\netsh winhttp show proxy
    Current WinHTTP proxy settings:
        Direct access (no proxy server).
    I have also looked at registry keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings but found nothing of relevance. Checked IE settings and found no proxy configuration. I know that these boxes are still using old proxy
    servers because they show up when I query ISA logs.
    I tried few network sniffing tools but the trouble is that those servers and applications\users are not accessing the server all the time. How can I verify what data is being passed through ISA? I have date & time but not the reason. How can I check
    which application or service is using proxy and on which port? Thanks again.

    Well I think I can see your issue.  Why are these servers still pointed at the ISA server?
    I haven't worked with ISA for a bit but I did have an issue last year while setting up Office 365 behind an ISA server.  This made me aware of how automatic these things can be.
    If there is an IIS server set to proxy you will get users connecting IE through the ISA.  Look closely at the ISA configuration.  Be sure it is not set up to force autoproxy on IE.  I don't remember what the settings are.
    Is the ISA client installed on any of these machines?  If so, is it configured for auto discovery?
    Are any services running that require proxy settings, like AV software?
    Search the firewall logs on these servers to find what connections are through the proxy.
    What tasks are scheduled that might be setting up their own proxy settings?
    I do not think there is simple single solution.
    Also look for any WPAD servers.  These are IIS servers that have a file that sets the proxy to redirect the client.  WPAD can be distributed by ISA or manually.  Be careful of Unix boxes with web servers that have been configured to serve WPAD. 
    That was the one that got me.  I thought my IE settings were clearly set to auto and no machine proxy was set.  The WPAD file on a server caused the license validation for office 365 to fail because it cannot tolerate blind redirection during
    the license validation.  I found the WPAD file and deleted it and restarted the IIS service and the client validated.  It drove me and a dozen support techs at Microsoft crazy for three weeks.
    ¯\_(ツ)_/¯
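
For the question above about which application is still using the old proxy and on which port, the posted query can be widened to group on the client agent and destination. This is an added example, not part of the thread: the table name and cutoff date come from the post, while the columns ClientIP, ClientAgent, DestHost, DestHostPort and protocol are assumed from the default ISA 2004 WebProxyLog schema and should be checked against the actual table.

```sql
-- Added example (not from the thread). Column names other than
-- ClientUserName and logTime are assumptions; confirm them with
--   SELECT TOP 1 * FROM WebProxyLog;
-- before running.

-- 1. Who is still using the old proxy, with which client software,
--    and towards which destination host and port.
SELECT
    ClientUserName,
    ClientIP,                 -- returned as stored in the log table
    ClientAgent,              -- User-Agent string sent by the client; usually names the application
    DestHost,
    DestHostPort,
    protocol,
    COUNT(*)     AS requests,
    MIN(logTime) AS first_seen,
    MAX(logTime) AS last_seen
FROM WebProxyLog
-- Same cutoff as the posted query, written as yyyymmdd. For a datetime
-- column, '2014-03-04' is read as 3 April when the session DATEFORMAT is
-- DMY, so the unseparated form is the safe one.
WHERE logTime > '20140304'
  AND ClientUserName LIKE '%$'   -- machine accounts only (names ending in $)
GROUP BY
    ClientUserName, ClientIP, ClientAgent,
    DestHost, DestHostPort, protocol
ORDER BY ClientUserName, requests DESC;

-- 2. When each machine account talks to the proxy, by hour of day.
--    Intermittent clients are hard to catch with a sniffer; this shows
--    the window in which a packet capture on the server should be running.
SELECT
    ClientUserName,
    DATEPART(hour, logTime) AS hour_of_day,
    COUNT(*)                AS requests
FROM WebProxyLog
WHERE logTime > '20140304'
  AND ClientUserName LIKE '%$'
GROUP BY ClientUserName, DATEPART(hour, logTime)
ORDER BY ClientUserName, hour_of_day;
```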

  • ISA 550 Firewall Rule - how to specify a domain (to resolve a DDNS)

    I want to lock down access to an ISA 550 Firewall to 4 locations.  2 of the locations have dynamic IP addresses.
    Both sites have a dynamic domain maintained at no-ip.org.
    How can I enter 'name.no-ip.org' in to a firewall rule?

    There is not a way to use a domain name in a firewall rule.  When the traffic comes in the packets are addressed with IPs, not with domain names, so when the router looks things up it compares IP addresses. 
    In fact I have never seen this done, even on an enterprise device.  I'm not saying nothing can do it, but it definitely isn't possible with the ISA. 
    Your best bet would be to try and get some static IPs for those two sites as well.
    It is however possible to setup site-to-site VPNs between these devices even if some of them are using DDNS.  This does require those other site's routers to support site-to-site tunnels.  That way those four sites would be able to access resources behind the ISA, but no one else would, and you could still keep using the DDNS for the two dynamic sites.
    Thank you for choosing Cisco,
    Christopher Ebert
    Network Support Engineer - Cisco Small Business Support Center
    *please mark/rate helpful answers*

  • SBS 2003 R2 premium (with ISA 2004) Exchange ActiveSync not working

    A client has a SBS 2003 R2 premium (with ISA 2004) and wants to sync iPhones and Android phones.
    When using the Microsoft Remote Connectivity Analyzer and selecting 'Exchange ActiveSync' we get 'The test of the FolderSync command failed. Exchange ActiveSync returned an HTTP
    500 response.'
    We tried every solution we could find on the internet, without success.
    This is what we tried and checked so far:
    - fixed IP, DNS, trusted SSL (comodo) seem all OK
    - Exchange 2003 SP2 and ISA 2004 SP3 installed.
    - RWW and OWA working fine.
    - tests with iPhone and Android -> 'cannot get mail. The connection to the server failed'.
    - event viewer reveals no further clues.
    - ran CEICW several times enabling and disabling most remote options (OWA OMA,...)
    - manually checked all vDir settings in IIS6
    - tested with different accounts, created a testaccount without any administrative privileges in Active Directory.
    - surfing to servername/microsoft-server-activesync from local network and to domain/microsoft-server-ActiveSync from external computer both give: HTTP 501/HTTP 505 error as expected.
    - reset the default virtual directories
    - on ISA a query by dest port (443) shows traffic reaching the ISA server ending in:
    Log type: Web Proxy (Reverse)
    Status: 500 Internal Server Error
    Rule: SBS OMA Web Publishing Rule
    Source: External ( XX.XX.XX.XX:0)
    Destination: ( XX.XX.XX.XX:443)
    Request: POST
    Filter information: Req ID: 1c6d0bea
    Protocol: https
    User: anonymous
    Could anyone give me any pointers on what I need to do to get this working please?
    Many thanks in advance for your assistance.
    Regards
    Jean-Paul Laffargue
    ARCOM BVBA

    I used to have a SBS2003 on ISA running activesync with no issues so I'll try and give you guidance although it's been a while.  I gather this is the first time use of this feature on this SBS?  If so make sure you follow the instructions here:
    http://technet.microsoft.com/en-us/library/cc182239.aspx
    Also make sure you've enabled all mobile services in exchange features and updated your users with the Mobile User profile (I think they need to be members of the Mobile and Remote Web Workplace groups in Manage Users IIRC).  Anything in the event logs?
     Also, for some phones you need to manually download the certificate if you use a self-signed type.
    Note that in the end it may be time to replace this soon to be unsupported ISA with a separate firewall (or a "free" Untangle box) and go to a one NIC solution.  It simplifies things and you need to do that anyway to transition off SBS2003 when it is
    unsupported next year.
    -- Al

  • When I run itunes diagnostic tests, I am told secure link to itunes store failed. My firewall is not blocking itunes. I have tried to download two itunes products and these have failed to download properly. What do I do?

    When I run itunes diagnostic tests, I am told secure link to itunes store failed. My firewall is not blocking itunes. I have tried to download two itunes products and these have failed to download properly. What do I do?

    Windows Vista and 7 uninstall instructions:
    http://support.apple.com/kb/HT1923
    Windows XP instructions:
    http://support.apple.com/kb/HT1925
    I would say a removal is necessary! This will not affect the content.

  • Access to WAN Port 2 on an CISCO ISA 550 Firewall

    Hi all
    On a Cisco ISA 550 Firewall I created a 2 WAN port failover which works fine. But how can I access the WAN2 port (see attachments) from my workstation even when the WAN1 port is up and running? I also created a new zone and firewall rule but this doesn't work.
    Thanks for your help

    Upgrade Firmware...

  • How can I connect to iTunes store again, looks like it stopped connecting. I ran the diagnostics and these are the results: Firewall Information  Windows Firewall is on. iTunes is enabled in Windows Firewall.  Connection attempt to Apple web site was unsuccessful

    I ran the diagnostics in Itunes and this is the results
    Firewall Information
    Windows Firewall is on.
    iTunes is enabled in Windows Firewall.
    Connection attempt to Apple web site was unsuccessful.
    The network connection timed out.
    Basic connection to the store failed.
    The network connection timed out.
    Connection attempt to Gracenote server was successful.
    The network connection timed out.
    Last successful iTunes Store access was 2012-04-15 22:46:58.
    Itunes just keeps loading

    Use this article to continue trying to troubleshoot this issue.
    Can't connect to iTunes Store
    B-rock

  • Exchange 2010, Outlook Anywhere, Autodiscover, SAN Certs and ISA 2004

    Hi
    Everything I have read says that SAN certs do not work with ISA 2004.  However I have read through the "White Paper: Understanding the Exchange 2010 Autodiscover Service" document to understand my options (url below) and notice that the SAN
    cert option in the "Summary of supported scenarios for connecting to the Autodiscover service from the Internet" section implies that ISA 2004 may be able to work:
    "Requires additional configuration if used together with either ISA Server 2004 or ISA Server 2006"
    http://technet.microsoft.com/en-us/library/jj591328(v=exchg.141).aspx
    Does anyone know if there is a supported ISA 2004 scenario where SAN certs can work?
    Thanks!

    It's highly doubtful, since ISA 2004 has been in extended support for two years.  See
    http://blogs.technet.com/b/isablog/archive/2009/10/05/mainstream-support-ending-for-isa-server-2004-standard-edition-sp3.aspx for details about ISA 2004 support - it goes totally out of support next year.

  • ColdFusion RDS and ISA 2004

    I can't get this to work to save my life...not that I'm an
    ISA expert...but it's pretty straight forward.
    I can't get folders to be returned to CF Studio or
    Dreamweaver from a server with ISA 2004 on it. It's publishing
    pages perfectly and I have the LAN connection set up...but it's at
    a datacenter and I have to rds to work on the pages.
    Has anyone had a problem with this before or know (even
    better) of how RDS fits into ISA?
    Thanks a lot,
    Chris

    The answer for me was to uncomment the RDS servlet sections
    in the
    web.xml file on the server.

  • Problems with iTunes 6 and Norton Internet Firewall

    Hello all,
    I am unable to start iTunes with NIF running. I have checked some of the other threads and have configured program rules for iTunes, iTunesHelper and some of the QuickTime programs to "permit all" but no luck. The only way for me to run iTunes is to turn the firewall off. Any ideas?
    thanks,
    Buster

  • I am behind a Cisco PIX Firewall. What addresses and ports do I need to permit through to allow Firefox updates?

    I want to be able to upgrade my Firefox installations that are located behind a Cisco PIX Firewall. What are the TCP/IP addresses and ports required to be opened for updating to occur?

    This is less likely to be a firefox problem, as it appears something bad has happened to your network. Can you access the internet with other programs? Try email/ IRC/ Skype or even updating your computer.
    What operating system are you using?
    Ian.

  • When I try to download iTunes 10.5.3.3 it says "A program required for this install to complete could not be run...." I have uninstalled itunes, restarted my pc, disabled firewall and antivirus. HELP

    I used to have iTunes 4.3.1, something like that, it kept asking me to upgrade but I had an older iPod so I couldn't. I recently broke my iPod so now I have one for iTunes 10.5.3.3 because my iPod came shipped with iOS 5.0 installed. So I tried to update iTunes, didn't work.  I uninstalled it, didn't work. I disabled firewall and antivirus, didn't work. I've called tech support, as soon as the person hung up thinking that it was working, it stopped working. I REALLY LOVE MUSIC and want songs on my new iPod. Please someone help....

    First try removing and reinstalling all the Apple software using the following or the link within it that applies to XP.
    Removing and reinstalling iTunes, QuickTime, and other software components for Windows Vista or Windows 7
    Then try the other items in:
    iPhone, iPad, or iPod touch: Device not recognized in iTunes for Windows
