TMG 2010 and Apple Woes

Several years ago I went through a lot of tweaking to get iTunes to work properly through ISA 2004/2006. I had forgotten just how much fun that was until I upgraded to Forefront TMG 2010. Since I could not perform an in-place upgrade from ISA to TMG and had to do a clean install instead, I had to figure all of this out again.

In addition, TMG appears not to like Apple devices streaming video. There is a post about this on ISAServer.org that cites a problem with HTTPS inspection and certificates. Yet I saw this problem with HTTPS inspection turned off globally. So far, the only way I have been able to get iPhones to stream video is to exempt them from Malware Inspection.

In addition, an out-of-the-box TMG installation causes 8012 errors when downloading video from iTunes, among other problems such as purchasing gift cards. I was only able to get past these by turning off Malware Inspection and Network Inspection globally.

I searched for the information I used to configure iTunes a few years back…

First, I put all the iTunes URLs into an object. They are:

  • itunes.apple.com
  • ax.itunes.apple.com
  • albert.apple.com
  • gs.apple.com

… per this Apple technote. Somewhere else I also saw phobos.apple.com.

Then I added this object to the exception list for Malware Inspection.

In 2006, the Forefront TMG (then ISA) blog ran this advice on HTTP compression settings. In 2007, Amy Babinchak posted some updated commentary on her SBS blog:

If you’re having problems visiting the iTunes site, you’ll notice in the ISA logs that the packets are being rejected because ISA wasn’t expecting compressed content but iTunes responds with compressed content. I think this is a web development issue. The tighter we make our firewall configurations, the more we expect development to follow the rules. Responding with compressed content when it wasn’t requested is a no-no, and the packet will be handled according to the settings under General, Define HTTP Compression Preferences. You’ll notice that by default any packets trying to send compressed content that you didn’t ask for will be dropped.

Following the instructions in the previous blog you’ll need to provide a “site” for the exception to our compressed content restrictions. By “site” what is really meant is computer set. So create one and let’s call it iTunes. Add the following IP addresses to this set.

* 89.149.169.80-89.149.169.97
* 194.109.192.22
* 194.109.192.7
* 17.250.236.65
* 69.44.123.19
* 69.44.123.26

Once you have your “site” created check the box Request Compressed HTTP Content from Servers.
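As an added illustration (my own code, not from this post or from Amy's), here is a small Python model of the rule the quoted text describes: a response carrying Content-Encoding that the request never asked for is treated as unsolicited and dropped, unless the server sits in the computer set for which "Request Compressed HTTP Content from Servers" is enabled. The sample request/response heads are constructed, and the assumption that the exception amounts to "TMG asked for gzip/deflate itself" is mine.

```python
from typing import Dict, Optional, Tuple

# Constructed sample message heads (not captured from a real iTunes session).
REQ_NO_AE = "GET /store HTTP/1.1\r\nHost: itunes.apple.com\r\n\r\n"
REQ_GZIP = ("GET /store HTTP/1.1\r\nHost: itunes.apple.com\r\n"
            "Accept-Encoding: gzip, deflate\r\n\r\n")
RESP_GZIP = "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\nContent-Encoding: gzip\r\n\r\n"
RESP_PLAIN = "HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n"


def parse_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP message head into (start line, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accepted_encodings(req_headers: Dict[str, str]) -> set:
    """Codings the client offered in Accept-Encoding, q-values stripped."""
    raw = req_headers.get("accept-encoding", "")
    return {tok.split(";")[0].strip().lower() for tok in raw.split(",") if tok.strip()}


def unsolicited_encoding(request: str, response: str) -> Optional[str]:
    """Return the Content-Encoding the client never asked for, or None if fine."""
    _, req = parse_headers(request)
    _, resp = parse_headers(response)
    encoding = resp.get("content-encoding", "identity").lower()
    if encoding == "identity":
        return None
    accepted = accepted_encodings(req)
    if encoding in accepted or "*" in accepted:
        return None
    return encoding


def tmg_would_drop(request: str, response: str, server_in_exception_set: bool = False) -> bool:
    """Default policy from the text: drop unsolicited compressed responses,
    except from servers in the 'request compressed content' computer set
    (assumed here to mean the proxy itself asked for gzip/deflate)."""
    encoding = unsolicited_encoding(request, response)
    if encoding is None:
        return False
    if server_in_exception_set and encoding in ("gzip", "deflate"):
        return False
    return True
```

Feeding a real proxy log's request and response headers through `unsolicited_encoding` tells you which Content-Encoding triggered the drop before you widen the computer set.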

So I have recreated the configuration from ISA, but I still cannot download video.