
SEP firewall rule(s) for iTunes AirPlay/Home Sharing


  • 1.  SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 03, 2013 01:38 PM

    Having a hard time properly configuring firewall rules, in SEP 12.1.2, to allow iTunes AirPlay streaming through Apple TV (on the same network, obviously). Help with specific rule settings would be greatly appreciated. Thanks to all. Here are the details:

    iTunes (either 10.7 or 11.0.2) would not connect to Apple TV unless NTP is disabled. Created an app rule for iTunes.exe to allow all traffic, both ways, on all hosts and protocols. Alternatively, tried creating 2 rules based on this: http://www.symantec.com/docs/TECH155340. Not sure I did it correctly, though. Also checked this doc, but didn't notice anything specific: http://support.apple.com/kb/TS1629.

    In either instance, the problem is the initial connection to Apple TV, which will not occur unless NTP is disabled and iTunes is re-started. Once the connection is completed, and iTunes is streaming to Apple TV, NTP can be re-enabled and streaming continues without any problems - for about an hour, then NTP has to be disabled again and iTunes re-started.

    Here's a screenshot of SEP's Network Activity monitor while it's streaming problem-free (...148 is the PC, ...161 is Apple TV):

    Thanks again for any assistance in resolving.



  • 2.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 03, 2013 01:43 PM

    Can you post the Traffic log from the client? Some other connection attempt is not being allowed, which is causing the problem.

    I'm unable to click on the screenshot. It won't expand.



  • 3.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 03, 2013 01:47 PM

    Not sure if I set it properly (the screenshot properties). Hope this works and helps. Thanks.



  • 4.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 04, 2013 11:43 AM

    Can you post the traffic log from the client? I think there is still something being missed, perhaps a connection to something else other than from iTunes.



  • 5.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 04, 2013 02:07 PM

    Is this client managed or unmanaged?

    In the Traffic log, what do you see as blocked?

    Also, is it the firewall blocking it or IPS? Can you try removing IPS only to check if it works?



  • 6.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 05, 2013 03:02 PM

    The attached spreadsheet has 2 tabs. One for the traffic and one for the sys management log. I opened iTunes at 2 p.m. with all protections enabled in SEP and it would NOT sync with Apple TV. You'll note in the logs when I turned various protections off for testing. At 2:13 - after iTunes synced with Apple TV - I turned the firewall back on. Please keep in mind that after about an hour of successful streaming the sync is blocked and the process of re-setting the firewall needs to be repeated in order to re-sync.

    FYI... Apple TV's MAC address is 7C:D1:C3:05:F9:08, and its LAN IP address is .161

    Attachment(s): 2013-03-05 SEP Logs.xlsx (165 KB)


  • 7.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 05, 2013 03:12 PM

    The client is unmanaged. The attached doc contains screenshots of NTP configs. Please see the other thread for additional info on the traffic & management logs. Please advise further. Thank you.




  • 8.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 05, 2013 03:21 PM

    Create a rule to allow MAC 7C-D1-C3-05-F9-08 to use UDP over port 5353. Move it above the Block_all rule.



  • 9.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 05, 2013 03:22 PM

    I see a lot of block events on "block all other traffic" which match the list of ports by Apple:

    UDP 1900 and UDP 5353 and ICMP 3

    Create a rule to allow the above ports.



  • 10.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 05, 2013 03:30 PM

    UPnP uses UDP port 1900, but I believe a default rule in SEP is to block it from non-private IP addresses.

    I believe UDP 5353 being blocked is the issue.



  • 11.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 05, 2013 03:45 PM

    The article posted has a doc by Apple, http://support.apple.com/kb/TS1629, which says it uses 1900 and 5353.



  • 12.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 05, 2013 03:49 PM

    Not good, considering how vulnerable it has been found to be just recently.



  • 13.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing
    Best Answer

    Posted Mar 06, 2013 12:43 PM

    OK guys, here's the latest... I had created an "allow all" rule for iTunes.exe prior to starting this post. It did not suffice. After our chatter exchange, I created 2 rules for ports UDP 5353 and TCP 3689 and disabled the previously created iTunes rule. All seems to be well now.

    Ironically enough, prior to creating this post, I created the port rules pursuant to the TECH155340 article and it DIDN'T work, prompting me to create this post. I guess we'll chalk this one up to poltergeist ;-)

    Thanks for your help Brian & Vikram.
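
    The log triage used in this thread (find the events dropped by the catch-all rule and compare them with the ports named in the replies), as an added example that is not part of any post and is not Symantec code. The column names, rows, addresses and rule names in the sample are constructed; a real SEP traffic log export needs its own columns mapped in.

```python
import csv
import io
from collections import Counter

# Ports this thread associates with AirPlay / Home Sharing.
THREAD_PORTS = {("UDP", 5353), ("UDP", 1900), ("TCP", 3689)}

# Constructed sample log: layout and values are invented for illustration.
SAMPLE_LOG = """
time,action,protocol,direction,remote_host,local_port,remote_port,rule
14:00:05,Blocked,UDP,Incoming,192.0.2.20,5353,5353,Block all other traffic
14:00:06,Blocked,UDP,Outgoing,224.0.0.251,5353,5353,Block all other traffic
14:00:09,Blocked,UDP,Incoming,192.0.2.20,1900,49152,Block all other traffic
14:00:12,Blocked,TCP,Outgoing,192.0.2.20,50211,3689,Block all other traffic
14:00:15,Allowed,TCP,Outgoing,192.0.2.30,50212,443,Allow web
14:00:20,Blocked,TCP,Incoming,192.0.2.99,445,51000,Block all other traffic
14:00:21,Blocked,ICMP,Incoming,192.0.2.20,,,Block all other traffic
"""


def blocked_by_port(log_text):
    """Count blocked events per (protocol, service port)."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(log_text.strip())):
        if row["action"].strip().lower() != "blocked":
            continue
        proto = row["protocol"].strip().upper()
        # The service port is the local port for incoming traffic and the
        # remote port for outgoing traffic; the other side is ephemeral.
        incoming = row["direction"].strip().lower() == "incoming"
        raw = row["local_port" if incoming else "remote_port"].strip()
        port = int(raw) if raw else None  # ICMP rows carry no port
        counts[(proto, port)] += 1
    return counts


def triage(log_text):
    """Split blocked events into thread-named ports and everything else."""
    counts = blocked_by_port(log_text)
    expected = {k: v for k, v in counts.items() if k in THREAD_PORTS}
    other = {k: v for k, v in counts.items() if k not in THREAD_PORTS}
    return expected, other


if __name__ == "__main__":
    expected, other = triage(SAMPLE_LOG)
    print("Blocked on ports named in the thread:", expected)
    print("Blocked, leave blocked unless justified:", other)
```

    Events in the second group are the reason to prefer narrow port rules over an application-wide "allow all" rule.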

     



  • 14.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 06, 2013 12:46 PM

    Glad it is working.



  • 15.  RE: SEP firewall rule(s) for iTunes AirPlay/Home Sharing

    Posted Mar 06, 2013 12:46 PM

    I knew this was an option, Brian. But I didn't want to use it because the goal was to allow iTunes streaming to ANY AirPlay enabled device (whether Apple TV or other) in any location.