ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.

Lingo - The Talk of Broadband

Monday, February 05, 2007

Update: iTunes ISA 2004 SP2

In a previous blogpost I pointed you to the ISA Product Team blog for instructions on how to allow iTunes through ISA. I've got a little personal experience with this now and some new information for you.

If you're having problems visiting the iTunes site, you'll notice in the ISA logs that the packets are being rejected because ISA wasn't expecting compressed content but the iTunes responds with compressed content. I think this is a web development issue. The tighter we make our firewall configurations the more we expect development to follow the rules. Repsonding with compressed content when it wasn't requested is a no-no and the packet will be handled according to the settings under General, Define HTTP Compression Preferences. You'll notice that by default any packets trying to send compressed content that you didn't ask for will be dropped.

Following the instructions in the previous blog you'll need to provide a "site" for the exception to our compressed content restrictions. By "site" what is really meant is computer set. So create one and let's call it iTunes. Add the following IP addresses to this set.
  • 89.149.169.80-.89.149.169.97
  • 194.109.192.22
  • 194.109.192.7
  • 17.250.236.65
  • 69.44.123.19
  • 69.44.123.26

Once you have your "site" created check the box Request Compressed HTTP Content from Servers.

You'll be able to speak to the iTunes servers now.

4 Comments:

At 8:29 PM, Blogger Unknown said...

I tried your solution exactly as described, but could not get iTunes to work. I've double checked the entries. Is there perhaps some other problem?

 
At 8:02 AM, Blogger Amy - Harbor Computer Services said...

You may also need to add anonymous access, using a URL set for *.apple.com and *.edgesuite.net. In addition if Apple adds any more servers you would need to add the IP addresses for those to your exception site for HTTP compression.

 
At 3:14 PM, Blogger Unknown said...

The multiple IP addresses iTunes Store uses has turned out to be the problem. Apparently, they have many and switch frequently depending on server demand. This morning we put in the range 67.28.122.0 to 255 and it's been working fine so far (for today). We will continue to check the ISA logs to find the IP's that fail. Thanks for the help.

 
At 2:01 AM, Anonymous Anonymous said...

how about error messages 502 with iTunes Store?

 

Post a Comment

<< Home