February 29, 2016 Apple Services with WAN/Border Firewall
A firewall is a hardware or software network security device that sits at the junction between two networks and controls what traffic is allowed to pass between them. Usually the two networks are an organization’s internal network and the Internet. A firewall’s primary role in information security is to protect computers on the internal network from deliberate attacks. The internal network consists of the organization’s own computers and systems, and may be further segmented by internal firewalls based on risk. A border firewall is intended to stop unsolicited, and frequently malicious, traffic from the Internet at large from reaching the enterprise’s network. By default, a small list of TCP/IP ports associated with frequently vulnerable services is blocked at the perimeter.
Our university is investigating WAN/Border Firewall solutions such as Check Point, Palo Alto and Cisco, and wants to minimize the impact on Apple services used from Apple devices on campus.
Here is a list of FQDNs and TCP ports that need to be allowed for Apple devices to reach Apple services.
What are the specific services each hostname represents?
- albert.apple.com – Activation
- ax.itunes.apple.com – Search
- buy.itunes.com – credit card and account validation (there are multiple buy servers, e.g. buy-1, buy-2)
- deimos.apple.com – iTunes U (there are multiple deimos servers, e.g. deimos3)
- gs.apple.com – Validates the iOS signature and, for iOS beta distribution, the UDID authorization
- itunes.apple.com – Legacy iTunes service name
- metrics.apple.com – Statistics gathering
- ocsp.apple.com – Certificate validation
- phobos.apple.com – Downloads; iTunes music, TV and movie store; podcast directory; Ping
- su.itunes.apple.com – Software update
- ax.su.itunes.apple.com – Query for software update
During an iPhone restore, iTunes also contacts VeriSign’s OCSP servers to validate the signature on the disk image containing the software update.
The requesting client may also receive a referral to Akamai’s content delivery network (CDN). Akamai’s content servers reside in the edgesuite.net domain, so you may need to allow *.edgesuite.net as well.
Each of these hostnames has corresponding CNAMEs in *.edgesuite.net and elsewhere on Akamai’s network; perform an NSLOOKUP on each to identify the targets and authorize them in your firewall. Because CDN addresses change frequently, prefer FQDN or wildcard objects over static IP rules where your firewall supports them. Many hostnames also have prefixed hostnames for load balancing. For example, phobos has many prefixed servers (e.g. a806.phobos.apple.com) that share the download load.
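The CNAME expansion described above can be automated rather than done one NSLOOKUP at a time. The script below is an added example, not code from the original post or from Apple: it parses `dig +noall +answer`-style records, follows each CNAME chain to its final owner, collects the A records, flags hostnames that land on the *.edgesuite.net CDN, and emits vendor-neutral allow rules. The embedded records are constructed (the CNAME targets and RFC 5737 addresses are illustrative, not real Apple or Akamai data); the `fqdn:` rule syntax is a placeholder to be translated into your firewall’s object format.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of `dig +noall +answer` output. The CNAME
# targets and addresses are illustrative (RFC 5737 test space), not real
# Apple or Akamai records; replace with your own resolver output.
SAMPLE_ANSWERS = """\
phobos.apple.com.               300 IN CNAME phobos.apple.com.edgesuite.net.
phobos.apple.com.edgesuite.net.  60 IN CNAME a1.example-cdn.net.
a1.example-cdn.net.              20 IN A     203.0.113.10
a1.example-cdn.net.              20 IN A     203.0.113.11
albert.apple.com.               300 IN A     17.0.0.1
ocsp.apple.com.                 300 IN CNAME ocsp.apple.com.edgesuite.net.
ocsp.apple.com.edgesuite.net.    60 IN A     203.0.113.20
"""

# CDN suffix the post says Apple hostnames may be referred to.
CDN_SUFFIXES = (".edgesuite.net",)

# owner  ttl  IN  type  rdata  (only CNAME and A records are of interest here)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A)\s+(\S+)$")


def parse_answers(text):
    """Parse dig-style answer lines into ({owner: cname_target}, {owner: [ip, ...]})."""
    cnames, addrs = {}, defaultdict(list)
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue  # blank lines, comments, other record types
        owner, rtype, rdata = m.groups()
        owner, rdata = owner.rstrip(".").lower(), rdata.rstrip(".").lower()
        if rtype == "CNAME":
            cnames[owner] = rdata
        else:
            addrs[owner].append(rdata)
    return cnames, addrs


def resolve_chain(host, cnames, addrs, max_hops=8):
    """Follow CNAMEs from host to the final owner; return (chain, sorted IPs).

    A CNAME loop or an over-long chain raises ValueError instead of spinning.
    """
    chain, cur = [host], host
    while cur in cnames:
        cur = cnames[cur]
        if cur in chain:
            raise ValueError(f"CNAME loop involving {cur}")
        if len(chain) >= max_hops:
            raise ValueError(f"CNAME chain for {host} exceeds {max_hops} hops")
        chain.append(cur)
    return chain, sorted(addrs.get(cur, []))


def build_allow_list(hosts, answers_text):
    """One record per host: its CNAME chain, current IPs, and whether it lands on the CDN."""
    cnames, addrs = parse_answers(answers_text)
    rows = []
    for host in hosts:
        chain, ips = resolve_chain(host.lower(), cnames, addrs)
        rows.append({
            "host": host,
            "chain": chain,
            "ips": ips,
            "via_cdn": any(n.endswith(CDN_SUFFIXES) for n in chain[1:]),
        })
    return rows


def format_rules(rows, ports=(80, 443)):
    """Render rows as placeholder allow rules, one line per FQDN in each chain."""
    lines = []
    port_list = ",".join(str(p) for p in ports)
    for row in rows:
        for name in row["chain"]:
            lines.append(f"allow tcp any -> fqdn:{name} ports {port_list}")
        if row["via_cdn"]:
            lines.append(f"# {row['host']} is served from the CDN; IPs {row['ips']} will churn")
    return lines


if __name__ == "__main__":
    rows = build_allow_list(["phobos.apple.com", "albert.apple.com", "ocsp.apple.com"],
                            SAMPLE_ANSWERS)
    print("\n".join(format_rules(rows)))
```

To use it against live data, run `dig +noall +answer <hostname>` for each hostname in the list above, concatenate the output and pass it as `answers_text`. The CDN comment lines are the important output for a border firewall: the addresses behind an edgesuite.net CNAME are not stable, so a rule pinned to today’s A records will silently break later.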
Please also read through the article links below for more details on troubleshooting iTunes and the App Store:
Most of this traffic is a client-initiated connection to a server in Apple’s address space (17.x.x.x, the 17.0.0.0/8 block allocated to Apple) to obtain a small amount of secure information, almost always over TCP port 80 or 443.
We would like to reiterate that the information above should not be considered comprehensive, and is subject to change with our testing and input from others. If testing shows that allowing access to the hosts and domains referenced above is not sufficient, evaluate packet traces or firewall logs to determine what other allowances are required.
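When the allow list turns out to be incomplete, the quickest way to find the gaps is to triage the firewall’s deny log for flows into Apple’s 17.0.0.0/8 block. The script below is an added example, not from the original post: it parses a generic key=value syslog format (the sample lines are constructed, as is the format itself; adapt `LINE_RE` to your vendor’s log layout), keeps only DENY entries whose destination falls in 17/8, and separates the expected TCP 80/443 traffic from anything else so that each bucket can be investigated.

```python
import ipaddress
import re
from collections import Counter

# Apple's allocated address block (17/8), as noted in the post.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
WEB_PORTS = {80, 443}

# Constructed sample firewall log in a generic key=value syslog style;
# the addresses are illustrative, not observed Apple endpoints.
SAMPLE_LOG = """\
Feb 29 10:01:02 fw1 kernel: DENY IN=eth1 SRC=10.1.2.3 DST=17.171.4.5 PROTO=TCP DPT=443
Feb 29 10:01:03 fw1 kernel: DENY IN=eth1 SRC=10.1.2.7 DST=17.171.4.5 PROTO=TCP DPT=443
Feb 29 10:01:05 fw1 kernel: ALLOW IN=eth1 SRC=10.1.2.3 DST=17.171.4.5 PROTO=TCP DPT=80
Feb 29 10:01:09 fw1 kernel: DENY IN=eth1 SRC=10.1.2.9 DST=17.188.0.1 PROTO=TCP DPT=5223
Feb 29 10:01:11 fw1 kernel: DENY IN=eth1 SRC=10.1.2.9 DST=198.51.100.4 PROTO=TCP DPT=443
Feb 29 10:01:12 fw1 kernel: DENY IN=eth1 SRC=10.1.2.4 DST=17.171.4.5 PROTO=UDP DPT=123
garbage line the parser must tolerate
"""

# Assumed log layout: action word followed by SRC=, DST=, PROTO= and DPT= fields.
LINE_RE = re.compile(
    r"\b(?P<action>DENY|ALLOW)\b.*?\bSRC=(?P<src>\S+).*?\bDST=(?P<dst>\S+)"
    r".*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a recognised log line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["dst"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None  # malformed address; skip rather than crash the triage
    rec["dpt"] = int(rec["dpt"])
    return rec


def denied_to_apple(lines):
    """Counter of (dst, proto, dport) for DENY entries whose destination is in 17/8."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DENY" and rec["dst"] in APPLE_NET:
            hits[(str(rec["dst"]), rec["proto"], rec["dpt"])] += 1
    return hits


def summarize(lines):
    """Split blocked Apple flows into the expected web ports and everything else."""
    web, other = [], []
    for (dst, proto, dpt), n in denied_to_apple(lines).most_common():
        bucket = web if proto == "TCP" and dpt in WEB_PORTS else other
        bucket.append((dst, proto, dpt, n))
    return {"web": web, "other": other}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for kind, rows in report.items():
        print(f"{kind}:")
        for dst, proto, dpt, n in rows:
            print(f"  {dst:16} {proto}/{dpt:<5} denied {n}x")
```

Entries in the `web` bucket are candidates for missing hostnames: a PTR lookup on the address (for instance with `socket.gethostbyaddr`) or matching against a packet trace usually identifies which Apple or CDN name the client was trying to reach. Entries in `other` are worth a second look before being allowed, since the post only documents ports 80 and 443.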
Blocking Apple Services
For those who want to block Apple services for one reason or another, you can use the information in this blog post together with the GitHub repo called “osxparanoia”.
If you have feedback or suggestions, please let us know and we will update the information to share it with, and benefit, the community.