Apple Services with WAN/Border Firewall

Apple Services with WAN/Border Firewall

firewall

Overview


A firewall is a hardware or software network security device that sits at the juncture between two networks to control what information is allowed to pass between those networks. Usually, the two networks are an organization’s internal network and the Internet. A firewall’s primary role in information security is to protect computers on the internal network from intentional attacks. Internal network firewalls consist of internal computers and systems, and may be firewalled internally based on risk. A border firewall is intended to prevent unsolicited and frequently malicious traffic from the Internet at large from hitting a enterprises’ network. By default, a small list of TCP/IP ports associated with frequently vulnerable services are blocked on the perimeter.

Our university is investigating WAN/Border Firewall solutions like Checkpoint, Palo Alto and Cisco and wanted to minimize impact on Apple services by users using Apple devices on campus.

Apple Services


Here is a list of FQDN and TCP ports that needs to be allowed to impact Apple devices to access Apple services.

  • itunes.apple.com
  • ax.itunes.apple.com
  • ax.init.itunes.apple.com
  • albert.apple.com
  • gs.apple.com
  • mzstatic.com

What are the specific services each hostname represents?

  • albert.apple.com – Activation
  • ax.itunes.apple.com – Search
  • buy.itunes.com – credit card & account validation (multiple buy servers eg buy-1, buy-2)
  • deimos.apple.com – iTunes U (There are multiple deimos servers eg; deimos3)
  • gs.apple.com – Validates the iOS signature, and the UDID authorization if iOS beta distribution
  • itunes.apple.com – Legacy iTunes service name
  • metrics.apple.com – Statistics Gathering
  • ocsp.apple.com – Certificate Validation
  • phobos.apple.com – Downloads , iTunes music, TV, and movie store, podcast directory, ping
  • su.itunes.apple.com – Software update
  • ax.su.itunesapple.com – Query for software update

iTunes contacts VeriSign’s OCSP servers during an iPhone restore to validate the signature on the disk image containing the software update:

  • evintl-ocsp.verisign.com
  • evsecure-ocsp.verisign.com

There is a possibility that the requesting client may receive a referral to Akamai’s content delivery network (CDN), the Akamai content servers reside in the edgesuite.net domain, so you may need to allow *.edgesuite.net as well.

Each of these hostnames have corresponding cnames on the *.edgesuite.net and Akami’s networks that the customer should perform an NSLOOKUP to identify and authorize into their network. Many hostnames have prefixed hostnames for load balancing. For example, phobos has many servers that are prefixed to it (i.e. a806.phobos.apple.com) as these servers load share for downloads.

Please also read through the articles links below for troubleshooting iTunes/App Store for more details:

iTunes background process and server host connections

Advanced steps for fixing issues with iTunes Store connection

TCP and UDP ports used by Apple software products

Client-initiated connection to a server in Apple (17.x.x.x) to obtain a small amount of secure information. This is almost always using port 80 or 443.

We would like to reiterate that the information above should not be considered comprehensive, and is subject to change with our testing and input from others. If you find in testing that allowing access to the hosts and domains referenced above is inadequate, you will need to evaluate packet traces or firewall logging to determine what other allowances may be required.

Blocking Apple Services


And for those wanting to block Apple services for some reason or other, you can use the information included within blog post, and the github repo called “osxparanoia“.

If you have feedback or suggestions, please let us know and we can update the information to share & benefit of the community.

3 Comments
  • Ben Toms
    Posted at 08:29h, 01 March Reply

    Hi Richard,

    For those of us outside the US, Apple are using some Akamai CDN’s for some stuff instead of the 17.x.x.x range.

    However, that range has not been published.

    • Richard Glaser
      Posted at 03:41h, 02 March Reply

      Hello Ben:

      Thanks for the information.

  • Jay
    Posted at 04:26h, 13 March Reply

    I would just like to clarify, for future references that the domains bellow, for iOS devices (perhaps Mac’s too), affect Apple’s App Store services, not OS update services.

    su.itunes.apple.com – Software update
    ax.su.itunesapple.com – Query for software update

Leave a Reply to Ben Toms Cancel reply