Apple Firewall Issues

jesselvella

Joined: Sep 11, 2015
Your rating: None (6 votes)

Everyone,

Just a heads up that it looks like Apple may be using a different service now to load the App Store. I ran into the issue today where the App Store was blocked for all of our students' iPads. I ran a trace on the HTTPS traffic coming from the device when it said it couldn't connect and I found it trying to hit this IP: 69.192.18.217

That IP also resolves to the domain name of:

http://a69-192-18-217.deploy.akamaitechnologies.com/

I hope this helps anyone that may be having issues connecting to the App Store or maybe some can provide us with info on why the App Store seems to want to connect to that IP now.

Thanks!
Jesse

jesselvella

Joined: Oct 23, 2013

Apple Firewall Settings (Per Apple Engineers)

Your rating: None (1 vote)

Just in case anyone needs this, here is a list of things to unblock for Apple services.

iTunes must be allowed to connect on ports 80 and 443 to the following hostnames:
albert.apple.com
ax.itunes.apple.com
buy.itunes.com
deimos.apple.com
gs.apple.com
itunes.apple.com
metrics.apple.com
ocsp.apple.com
phobos.apple.com
su.itunes.apple.com
ax.su.itunesapple.com

Each of these hostnames has corresponding CNAMEs on the Edgesuite and Akamai networks that the customer should perform an NSLOOKUP on to identify and authorize in their network.

Many hostnames have prefixed hostnames for load balancing. For example, phobos has many servers that are prefixed to it (e.g. a806.phobos.apple.com) and suffixes (e.g. a806.phobos.apple.com.suite.edge.net), as these servers load-share for downloads.

There are also lookups to:
ocsp.verisign.net
evintl-ocsp.verisign.com
evsecure-ocsp.verisign.com

What are the specific services each hostname represents?

albert.apple.com - Activation
ax.itunes.apple.com - Search
buy.itunes.com - credit card / account validation (multiple buy servers, e.g. buy-1, buy-2)
deimos.apple.com - iTunes U (there are multiple deimos servers, e.g. deimos3)
gs.apple.com - Validates the iOS signature, and the UDID authorization if iOS beta distribution
itunes.apple.com - Legacy iTunes service name
metrics.apple.com - Statistics gathering
ocsp.apple.com - Certificate Validation
phobos.apple.com - Downloads, iTunes music, TV, and movie store, podcast directory, Ping
su.itunes.apple.com - Software update
ax.su.itunesapple.com - Query for software update

iTunes contacts VeriSign's OCSP servers during an iPhone restore to validate the signature on the disk image containing the iOS software update:
ocsp.verisign.net and its CNAMEs:
evintl-ocsp.verisign.com and evsecure-ocsp.verisign.com

Johan Gunverth
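The list above tells admins to resolve each hostname's CNAME chain and authorize what comes back. As an added example (not code from this thread, from Apple or from Akamai), here is a Python script that parses `dig +noall +answer`-style output, follows each CNAME chain to the edge names and addresses, and emits the entries a firewall allowlist needs. The embedded dig output is constructed for the demonstration (names under `.example`, addresses in 192.0.2.0/24) and is not a real resolution result; in practice you would feed it the output of `dig +noall +answer <hostname>` run from the resolver your firewall actually uses.

```python
"""Build firewall allowlist entries from the CNAME chains behind Apple service hostnames.

Parses `dig +noall +answer` style records and follows each hostname's CNAME
chain down to the edge names and addresses that must be permitted.
"""
import re
from collections import defaultdict

# A few of the hostnames from the list above (ports 80/443).
APPLE_HOSTS = [
    "albert.apple.com",
    "ax.itunes.apple.com",
    "phobos.apple.com",
]

# Constructed sample answer section. Names under .example and addresses in
# 192.0.2.0/24 are documentation placeholders, not real resolution results.
SAMPLE_DIG_OUTPUT = """\
albert.apple.com.          300 IN A     192.0.2.5
ax.itunes.apple.com.       300 IN CNAME ax.itunes.apple.com.edgesuite.example.
ax.itunes.apple.com.edgesuite.example. 21600 IN CNAME a1.ax.itunes.apple.com.akamai.example.
a1.ax.itunes.apple.com.akamai.example. 20 IN A 192.0.2.20
phobos.apple.com.          300 IN CNAME phobos.apple.com.edgesuite.example.
phobos.apple.com.edgesuite.example. 21600 IN CNAME a806.phobos.apple.com.akamai.example.
a806.phobos.apple.com.akamai.example. 20 IN A 192.0.2.30
a806.phobos.apple.com.akamai.example. 20 IN A 192.0.2.31
"""

# owner  ttl  IN  type  rdata
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|AAAA)\s+(\S+)\s*$")


def parse_answers(text):
    """Return {owner: [(rtype, rdata), ...]} with trailing dots stripped."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if not m:
            continue  # skip blanks, comments and record types we don't need
        owner, rtype, rdata = m.groups()
        records[owner.rstrip(".")].append((rtype, rdata.rstrip(".")))
    return records


def follow_chain(records, name, max_hops=10):
    """Follow CNAMEs from `name`; return (list_of_cnames, list_of_addresses).

    max_hops guards against a looping or unexpectedly long chain.
    """
    cnames, addresses = [], []
    current = name
    for _ in range(max_hops):
        rrs = records.get(current, [])
        addresses.extend(r for t, r in rrs if t in ("A", "AAAA"))
        targets = [r for t, r in rrs if t == "CNAME"]
        if not targets:
            break  # reached the end of the chain
        current = targets[0]
        if current == name or current in cnames:
            break  # CNAME loop; stop rather than spin
        cnames.append(current)
    else:
        raise ValueError(f"CNAME chain for {name} exceeds {max_hops} hops")
    return cnames, addresses


def build_allowlist(records, hostnames):
    """Map each service hostname to the names and addresses a firewall must permit."""
    allow = {}
    for host in hostnames:
        cnames, addrs = follow_chain(records, host)
        allow[host] = {"names": [host] + cnames, "addresses": sorted(set(addrs))}
    return allow


def firewall_entries(allow):
    """Flatten the per-host map into sorted, de-duplicated name and address lists."""
    names = {n for v in allow.values() for n in v["names"]}
    addrs = {a for v in allow.values() for a in v["addresses"]}
    return sorted(names), sorted(addrs)


if __name__ == "__main__":
    allow = build_allowlist(parse_answers(SAMPLE_DIG_OUTPUT), APPLE_HOSTS)
    for host, entry in allow.items():
        chain = " -> ".join(entry["names"][1:]) or "(no CNAME)"
        print(f"{host}: {chain} {entry['addresses']}")
    names, addrs = firewall_entries(allow)
    print("allow names:", names)
    print("allow addresses:", addrs)
```

The CDN answers depend on which resolver asks and change over time (later posts in this thread describe exactly that round-robin drift), so this is something to re-run from the firewall's own resolver on a schedule, and to allow by hostname rather than by address wherever the firewall supports it.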

Joined: Mar 18, 2011

Akamai has over 4000 IPs

Your rating: None

Akamai has over 4000 IPs worldwide and this one may be around your area. Apple's own network is, by the way, at 17.0.0.0/8.

jesselvella

Joined: Oct 23, 2013

Akamai

Your rating: None

Correct! Apple uses various distribution services to offload many different types of services they run. I wonder if unblocking the URL string for Akamai works or not. I tried *.akamaitechnologies.com but who knows how many ranges they have.

If you have any more suggestions please let us know!

Thanks!

jpwilson

Joined: Oct 10, 2014

All, Seeing a similar issue.

Your rating: None

All,

Seeing a similar issue. Our problem is that we are using device supervision and a private carrier APN. When using the carrier network it ignores our Global Proxy settings and tries to connect to the sites directly, bypassing our proxies.

On wireless it still uses the proxy though.

iOS 7 worked fine, just happening with iOS 8. Makes it impossible to install software unless in wireless range.

Jason

nicdai

Joined: Oct 15, 2014

ssl inspection

Your rating: None

Hello, we do SSL inspection and we have the same problem here. Some of our iPads work on iOS 8.0.2, others don't. The ones that don't work on our enterprise network work well over other connections (3G, LTE).

I think that the App Store app uses a new URL/port that we need to unlock. If somebody has the info other than the IP, I would like to know.

Thanks

JD

Joined: Dec 4, 2014

I have found a similar issue

Your rating: None

I have found a similar issue when Apple changed the range of Akamai hostnames it uses. Our whitelists no longer included all the servers returned via round robin so some installs would fail, some would succeed, with no way to predict the outcome.

JD

Joined: Dec 4, 2014

Further update from

Your rating: None

Further update from Apple,
They recently changed an SSL cert used to secure APNS-to-device communication.
Devices that get the new cert try to validate it by going out on port 80 to aia.entrust.net. If your network blocks comms to that IP/host, the device will not trust the new APNS cert and will fail the SSL handshake. It will try on 443, which again fails because the cert authenticity has not been verified.
That's it in a nutshell; it obviously affects people on secure networks that don't have free access to the internet.
And it appears to be fixed in 9.1, so you may see those devices work.
Hope this helps!

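The failure JD describes is easy to miss because port 443 itself is open: the device is blocked on a plain-HTTP fetch of the issuer certificate (AIA) or revocation status (OCSP), and only then fails the TLS handshake. As an added example (not from this thread or from Apple), here is a Python script that scans firewall deny logs for port-80 blocks to the certificate-validation hosts named in this thread and reports which clients are affected. The log format and the sample lines are constructed for the demonstration (a generic key=value layout with client addresses in 10.0.0.0/8); adapt `parse_line` to your own firewall's format.

```python
"""Flag blocked outbound port-80 requests to certificate-validation hosts.

iOS devices fetch issuer certificates (AIA) and revocation status (OCSP) over
plain HTTP. Denying those hosts breaks TLS to APNS and the App Store even
though port 443 is permitted, so a deny here is worth surfacing on its own.
"""
import re
from collections import Counter

# Certificate-validation hostnames mentioned in this thread.
PKI_HOSTS = {
    "ocsp.apple.com",
    "ocsp.verisign.net",
    "evintl-ocsp.verisign.com",
    "evsecure-ocsp.verisign.com",
    "aia.entrust.net",
}

# Constructed sample log in a generic key=value format. Timestamps and client
# addresses (10.0.0.0/8) are made up for the example.
SAMPLE_LOG = """\
2015-10-05T08:01:12Z action=deny src=10.20.1.15 dst_host=aia.entrust.net dst_port=80 proto=tcp
2015-10-05T08:01:13Z action=allow src=10.20.1.15 dst_host=itunes.apple.com dst_port=443 proto=tcp
2015-10-05T08:01:14Z action=deny src=10.20.1.16 dst_host=aia.entrust.net dst_port=80 proto=tcp
2015-10-05T08:01:20Z action=deny src=10.20.1.15 dst_host=ocsp.apple.com dst_port=80 proto=tcp
2015-10-05T08:02:02Z action=deny src=10.20.1.17 dst_host=example.org dst_port=80 proto=tcp
2015-10-05T08:02:05Z action=allow src=10.20.1.18 dst_host=ocsp.verisign.net dst_port=80 proto=tcp
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return the key=value fields of one log line as a dict (timestamp under 'ts')."""
    parts = line.split(None, 1)
    if len(parts) != 2:
        return None  # blank or malformed line
    fields = dict(FIELD.findall(parts[1]))
    fields["ts"] = parts[0]
    return fields


def pki_denies(log_text, pki_hosts=PKI_HOSTS):
    """Yield parsed events that are denies on port 80 to a certificate-validation host."""
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev:
            continue
        if (ev.get("action") == "deny"
                and ev.get("dst_port") == "80"
                and ev.get("dst_host", "").lower() in pki_hosts):
            yield ev


def summarize(log_text, pki_hosts=PKI_HOSTS):
    """Count blocked PKI hosts and collect the distinct clients hitting each one."""
    hosts, clients = Counter(), {}
    for ev in pki_denies(log_text, pki_hosts):
        hosts[ev["dst_host"]] += 1
        clients.setdefault(ev["dst_host"], set()).add(ev["src"])
    return hosts, clients


if __name__ == "__main__":
    hosts, clients = summarize(SAMPLE_LOG)
    for host, count in hosts.most_common():
        print(f"{host}: {count} port-80 denies from {sorted(clients[host])}")
    if hosts:
        print("Allow these hosts on port 80 (AIA/OCSP) or TLS to APNS/App Store will fail.")
```

Because OCSP and AIA requests are unauthenticated HTTP GETs for public data, allowing these hosts on port 80 does not weaken the proxy or SSL-inspection policy that the rest of the traffic is subject to; it removes the one dependency that the TLS handshake cannot satisfy any other way.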