SEP firewall rule(s) for iTunes AirPlay/Home Sharing
Having a hard time properly configuring firewall rules, in SEP 12.1.2, to allow iTunes AirPlay streaming through Apple TV (on the same network, obviously). Help with specific rule settings would be greatly appreciated. Thanks to all. Here are the details:
iTunes (either 10.7 or 11.0.2) would not connect to Apple TV unless NTP is disabled. Created an app rule for iTunes.exe to allow all traffic, both ways, on all hosts and protocols. Alternatively, tried creating 2 rules based on this: http://www.symantec.com/docs/TECH155340. Not sure I did it correctly, though. Also checked this doc, but didn't notice anything specific: http://support.apple.com/kb/TS1629.
In either instance, the problem is the initial connection to Apple TV, which will not occur unless NTP is disabled and iTunes is re-started. Once the connection is completed, and iTunes is streaming to Apple TV, NTP can be re-enabled and streaming continues without any problems - for about an hour, then NTP has to be disabled again and iTunes re-started.
Here's a screenshot of SEP's Network Activity monitor while it's streaming problem-free (...148 is the PC, ...161 is Apple TV):
Thanks again for any assistance in resolving.
Can you post the Traffic log from the client? Some other connection attempt is not being allowed, which is causing the problem.
I'm unable to click on the screenshot. It won't expand.
SEP Knowledge Base
Endpoint SWAT
Not sure if I set it properly (the screenshot properties). Hope this works and helps. Thanks.
Can you post the traffic log from the client? I think there is still something being missed, perhaps a connection to something else other than from iTunes
SEP Knowledge Base
Endpoint SWAT
The attached spreadsheet has 2 tabs. One for the traffic and one for the sys management log. I opened iTunes at 2 p.m. with all protections enabled in SEP and it would NOT sync with Apple TV. You'll note in the logs when I turned various protections off for testing. At 2:13 - after iTunes synced with Apple TV - I turned the firewall back on. Please keep in mind that after about an hour of successful streaming the sync is blocked and the process of re-setting the firewall needs to be repeated in order to re-sync.
FYI... Apple TV's MAC address is 7C:D1:C3:05:F9:08, and its LAN IP address is .161
Is this client managed or unmanaged?
In the Traffic log, what do you see as blocked?
Also, is it the Firewall blocking it or IPS? Can you try removing IPS only, to check if it works?
Vikram Kumar
Symantec Consultant
The most helpful part of entire Symantec connect is the Search button..do use it.
The client is unmanaged. The attached doc contains screenshots of NTP configs. Please see the other thread for additional info on the traffic & management logs. Please advise further. Thank you.
Create a rule to allow MAC 7C-D1-C3-05-F9-08 to use UDP over port 5353. Move it above the Block_all rule
SEP Knowledge Base
Endpoint SWAT
I knew this was an option, Brian. But I didn't want to use it because the goal was to allow iTunes streaming to ANY AirPlay enabled device (whether Apple TV or other) in any location.
I see a lot of block events on "block all other traffic" which match the list of ports by Apple:
UDP 1900 and UDP 5353 and ICMP 3
Create a rule to allow the above ports
Vikram Kumar
Symantec Consultant
The most helpful part of entire Symantec connect is the Search button..do use it.
UPnP uses UDP port 1900 but I believe a default rule in SEP is to block it from non private IP addresses.
I believe UDP 5353 being blocked is the issue
SEP Knowledge Base
Endpoint SWAT
The article posted has a doc by Apple, http://support.apple.com/kb/TS1629, which says it uses 1900 and 5353
Vikram Kumar
Symantec Consultant
The most helpful part of entire Symantec connect is the Search button..do use it.
Not good, considering how vulnerable it has been found to be just recently.
SEP Knowledge Base
Endpoint SWAT
OK guys, here's the latest... I had created an "allow all" rule for iTunes.exe prior to starting this post. It did not suffice. After our chatter exchange, I created 2 rules for ports UDP 5353 and TCP 3689 and disabled the previously created iTunes rule. All seems to be well now.
Ironically enough, prior to creating this post, I created the port rules pursuant to the TECH155340 article and it DIDN'T work, prompting me to create this post. I guess we'll chalk this one up to poltergeist ;-)
Thanks for your help Brian & Vikram.
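A small model of the rule logic this thread ends up with, added here as an example; it is not code from the thread, from the OP's logs, or from Symantec. It assumes SEP evaluates its rule list top-down with the first match winning. The log events and the process name OtherService.exe are constructed (the real traffic log is not on the page); the Apple TV MAC is the one the OP posted, and the ports are the ones named in the replies. It shows which blocked flows fall on the Apple ports, why an allow rule placed below Block_all does nothing, and the trade-off between a MAC-scoped allow (Brian's suggestion) and a port-only allow (what the OP wanted, so any AirPlay device works).

```python
"""First-match model of a SEP-style firewall rule list (added example)."""
from dataclasses import dataclass
from typing import Optional

# Ports named in the thread, from Apple's TS1629 list as quoted there
APPLE_PORTS = {("UDP", 5353): "mDNS/Bonjour discovery",
               ("TCP", 3689): "DAAP (Home Sharing / iTunes library)",
               ("UDP", 1900): "SSDP/UPnP"}

def norm_mac(mac: str) -> str:
    """Accept both 7C:D1:... and 7C-D1-... forms, as the thread uses both."""
    return mac.replace(":", "-").upper()

@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "block"
    proto: Optional[str] = None       # None = any protocol
    port: Optional[int] = None        # None = any remote port
    remote_mac: Optional[str] = None  # None = any host
    app: Optional[str] = None         # None = any application

    def matches(self, ev: dict) -> bool:
        return ((self.proto is None or self.proto == ev["proto"])
                and (self.port is None or self.port == ev["port"])
                and (self.remote_mac is None
                     or norm_mac(self.remote_mac) == norm_mac(ev["remote_mac"]))
                and (self.app is None or self.app.lower() == ev["app"].lower()))

def decide(rules, ev):
    """Top-down, first matching rule wins (SEP rule-list semantics)."""
    for r in rules:
        if r.matches(ev):
            return r.action, r.name
    return "allow", "<no rule matched>"

def decide_all(rules, events):
    return {ev["id"]: decide(rules, ev)[0] for ev in events}

def blocked_apple_ports(events):
    """Step 1 of the thread: read the traffic log and list blocked flows on Apple ports."""
    return sorted({(ev["proto"], ev["port"]) for ev in events
                   if ev["action"] == "block"
                   and (ev["proto"], ev["port"]) in APPLE_PORTS})

ATV = "7C:D1:C3:05:F9:08"            # Apple TV MAC as posted by the OP
OTHER_AIRPLAY = "00-11-22-33-44-55"  # constructed: some second AirPlay device

# Constructed traffic-log events, roughly what the thread describes seeing.
# "OtherService.exe" is a placeholder for whatever process the log attributes the
# discovery traffic to; the thread only shows that an iTunes.exe app rule did not cover it.
LOG = [
    {"id": "mdns-atv",   "action": "block", "proto": "UDP", "port": 5353, "remote_mac": ATV,           "app": "OtherService.exe"},
    {"id": "daap-atv",   "action": "block", "proto": "TCP", "port": 3689, "remote_mac": ATV,           "app": "iTunes.exe"},
    {"id": "ssdp",       "action": "block", "proto": "UDP", "port": 1900, "remote_mac": OTHER_AIRPLAY, "app": "OtherService.exe"},
    {"id": "mdns-other", "action": "block", "proto": "UDP", "port": 5353, "remote_mac": OTHER_AIRPLAY, "app": "OtherService.exe"},
]

# What the OP had first: an allow-all application rule for iTunes.exe above Block_all
BEFORE = [Rule("Allow iTunes.exe (any traffic)", "allow", app="iTunes.exe"),
          Rule("Block_all", "block")]
# Brian's suggestion: allow UDP 5353 only from the Apple TV MAC, above Block_all
MAC_SCOPED = [Rule("Allow ATV mDNS", "allow", proto="UDP", port=5353, remote_mac="7C-D1-C3-05-F9-08"),
              Rule("Allow DAAP", "allow", proto="TCP", port=3689),
              Rule("Block_all", "block")]
# What finally worked: port rules for UDP 5353 and TCP 3689 from any host, above Block_all
AFTER = [Rule("Allow mDNS", "allow", proto="UDP", port=5353),
         Rule("Allow DAAP", "allow", proto="TCP", port=3689),
         Rule("Block_all", "block")]
# Same rules, but left below Block_all: first match is Block_all, so they never fire
WRONG_ORDER = [Rule("Block_all", "block"), *AFTER[:2]]

if __name__ == "__main__":
    print("blocked on Apple ports:", blocked_apple_ports(LOG))
    for label, rules in [("before", BEFORE), ("mac-scoped", MAC_SCOPED),
                         ("after", AFTER), ("wrong order", WRONG_ORDER)]:
        print(f"{label:12s}", decide_all(rules, LOG))
```

The point of the last two rule sets is the one Brian made: the allow rule has to sit above Block_all, and scoping it to one MAC works for this Apple TV but blocks discovery of any other AirPlay device.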
Glad it is working.
SEP Knowledge Base
Endpoint SWAT