iOS APP Store - Content filtering blocking app store access

SOLVED
VascoFCosta
Getting noticed

Hi,

 

Does anyone have experience deploying content filtering while still allowing access to the iOS App Store?

 

We've whitelisted several URLs:

 

itunes.com
itunes.apple.com
appstore.com
icloud.com
apple.com

 

If we use a web browser we can access those sites, but if we try to install an app, the traffic is blocked.
Has anyone experienced this problem?

 

Kind regards,

Vasco

 


Cheers,
Vasco
____________
@VascoFCosta
Found this helpful? Please give me some Kudos!
PhilipDAth
Kind of a big deal

Is it an MX doing content filtering?

 

If so, upgrade it to 13.28.

Thanks for the quick reply Philip.
Upgraded to 13.28. Waiting for the customer to test it.


Cheers,
Vasco

The customer said that it worked with an iPad and an iPhone but it's failing again.

Any ideas?
I'll see if I can go there and run some tests.


Cheers,
Vasco

Solved

 

We were testing with an iPhone 7 and the customer was using iPhone 6 and SE, and we found that there are differences.
We found which extra sites were required when the app was running on an iPhone 6 and SE, added those to the whitelist, and it's now up and running.


Cheers,
Vasco
team_rocket
Conversationalist

We are having the same issue as well using an MX100. To test, we have put an iPad running iOS 10.3.3 with no layer 3 and 7 rules and only typical blocked website categories such as adult content, etc. We can search for apps in the App Store and initialize the download, but the download doesn't start. We are able to download using the same iPad when connected to a cellular hotspot. A few months ago, we found some G-Suite content had been blocked by one of the content filter website categories, so would it be possible that one of the website categories is blocking the download of apps? A packet capture of the download attempts for Google Classroom is included below:

 

--- Start Of Stream ---
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on all_lan_sniff, link-type EN10MB (Ethernet), capture size 262144 bytes
19:21:33.946102 IP 10.55.150.92.49583 > 17.173.66.181.443: Flags [.], seq 3844638805:3844640265, ack 1731956245, win 8192, length 1460
19:21:33.946516 IP 10.55.150.92.49583 > 17.173.66.181.443: Flags [P.], seq 1460:1924, ack 1, win 8192, length 464
19:21:33.967896 IP 17.173.66.181.443 > 10.55.150.92.49583: Flags [.], ack 1924, win 2439, length 0
19:21:33.977419 IP 17.173.66.181.443 > 10.55.150.92.49583: Flags [P.], seq 1:623, ack 1924, win 2439, length 622
19:21:33.977421 IP 17.173.66.181.443 > 10.55.150.92.49583: Flags [P.], seq 623:867, ack 1924, win 2559, length 244
19:21:33.979176 IP 10.55.150.92.49583 > 17.173.66.181.443: Flags [.], ack 623, win 8172, length 0
19:21:33.979538 IP 10.55.150.92.49583 > 17.173.66.181.443: Flags [.], ack 867, win 8184, length 0
19:21:34.092456 IP 10.55.150.92.49585 > 17.125.249.11.443: Flags [.], seq 4068371053:4068372513, ack 399112875, win 8192, length 1460
19:21:34.092675 IP 10.55.150.92.49585 > 17.125.249.11.443: Flags [P.], seq 1460:1783, ack 1, win 8192, length 323
19:21:34.093457 IP 10.55.150.92.49585 > 17.125.249.11.443: Flags [.], seq 1783:3243, ack 1, win 8192, length 1460
19:21:34.093727 IP 10.55.150.92.49585 > 17.125.249.11.443: Flags [P.], seq 3243:3498, ack 1, win 8192, length 255
19:21:34.154771 IP 10.55.150.92.49581 > 104.101.203.189.443: Flags [.], seq 3857530796:3857532244, ack 3892946671, win 4096, options [nop,nop,TS val 589992344 ecr 2924499616], length 1448
19:21:34.155020 IP 10.55.150.92.49581 > 104.101.203.189.443: Flags [P.], seq 1448:1825, ack 1, win 4096, options [nop,nop,TS val 589992344 ecr 2924499616], length 377
19:21:34.155765 IP 10.55.150.92.49584 > 104.101.203.189.443: Flags [.], seq 4292148735:4292150183, ack 3897529545, win 4096, options [nop,nop,TS val 589992345 ecr 2924499959], length 1448
19:21:34.156036 IP 10.55.150.92.49584 > 104.101.203.189.443: Flags [P.], seq 1448:1824, ack 1, win 4096, options [nop,nop,TS val 589992345 ecr 2924499959], length 376
19:21:34.156252 IP 10.55.150.92.49581 > 104.101.203.189.443: Flags [P.], seq 1825:3251, ack 1, win 4096, options [nop,nop,TS val 589992345 ecr 2924499616], length 1426
19:21:34.156703 IP 10.55.150.92.49584 > 104.101.203.189.443: Flags [P.], seq 1824:2403, ack 1, win 4096, options [nop,nop,TS val 589992346 ecr 2924499959], length 579
19:21:34.157465 IP 104.101.203.189.443 > 10.55.150.92.49581: Flags [.], ack 1825, win 1934, options [nop,nop,TS val 2924519628 ecr 589992344], length 0
19:21:34.158602 IP 104.101.203.189.443 > 10.55.150.92.49584: Flags [.], ack 1448, win 1844, options [nop,nop,TS val 2924519629 ecr 589992345], length 0
19:21:34.158683 IP 104.101.203.189.443 > 10.55.150.92.49584: Flags [.], ack 1824, win 1934, options [nop,nop,TS val 2924519629 ecr 589992345], length 0
19:21:34.159572 IP 104.101.203.189.443 > 10.55.150.92.49584: Flags [.], ack 2403, win 2025, options [nop,nop,TS val 2924519630 ecr 589992346], length 0
19:21:34.166691 IP 17.125.249.11.443 > 10.55.150.92.49585: Flags [.], ack 1783, win 2448, length 0
19:21:34.167580 IP 17.125.249.11.443 > 10.55.150.92.49585: Flags [.], ack 3243, win 2462, length 0
19:21:34.167690 IP 17.125.249.11.443 > 10.55.150.92.49585: Flags [.], ack 3498, win 2446, length 0
19:21:34.170329 IP 17.125.249.11.443 > 10.55.150.92.49585: Flags [P.], seq 1:523, ack 3498, win 2665, length 522
19:21:34.172344 IP 10.55.150.92.49585 > 17.125.249.11.443: Flags [.], ack 523, win 8175, length 0
19:21:34.198797 IP 104.101.203.189.443 > 10.55.150.92.49581: Flags [.], ack 3251, win 2025, options [nop,nop,TS val 2924519670 ecr 589992345], length 0
19:21:34.203660 IP 104.101.203.189.443 > 10.55.150.92.49581: Flags [P.], seq 1:759, ack 3251, win 2025, options [nop,nop,TS val 2924519674 ecr 589992345], length 758
19:21:34.205474 IP 10.55.150.92.49581 > 104.101.203.189.443: Flags [.], ack 759, win 4072, options [nop,nop,TS val 589992391 ecr 2924519674], length 0
19:21:34.230214 IP 10.55.150.92.49585 > 17.125.249.11.443: Flags [.], seq 3498:4958, ack 523, win 8192, length 1460
19:21:34.230437 IP 10.55.150.92.49585 > 17.125.249.11.443: Flags [P.], seq 4958:5280, ack 523, win 8192, length 322
19:21:34.231011 IP 10.55.150.92.49585 > 17.125.249.11.443: Flags [P.], seq 5280:5986, ack 523, win 8192, length 706
19:21:34.232547 IP 104.101.203.189.443 > 10.55.150.92.49584: Flags [P.], seq 1:1055, ack 2403, win 2025, options [nop,nop,TS val 2924519703 ecr 589992346], length 1054
19:21:34.234423 IP 10.55.150.92.49584 > 104.101.203.189.443: Flags [.], ack 1055, win 4063, options [nop,nop,TS val 589992419 ecr 2924519703], length 0
19:21:34.304391 IP 17.125.249.11.443 > 10.55.150.92.49585: Flags [.], ack 5280, win 2448, length 0
19:21:34.304875 IP 17.125.249.11.443 > 10.55.150.92.49585: Flags [.], ack 5986, win 2446, length 0
19:21:34.306083 IP 17.125.249.11.443 > 10.55.150.92.49585: Flags [P.], seq 523:1045, ack 5986, win 2602, length 522
19:21:34.307665 IP 10.55.150.92.49585 > 17.125.249.11.443: Flags [.], ack 1045, win 8175, length 0
19:21:44.685966 IP 10.55.150.92.49579 > 17.173.66.181.443: Flags [F.], seq 744746666, ack 3649923289, win 8192, length 0
19:21:44.708022 IP 17.173.66.181.443 > 10.55.150.92.49579: Flags [F.], seq 1, ack 1, win 2559, length 0
19:21:44.710165 IP 10.55.150.92.49579 > 17.173.66.181.443: Flags [.], ack 2, win 8192, length 0
--- End Of Stream ---
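
An added example, not part of the original post: the capture above shows the iPad talking to several 17.x.x.x addresses and to 104.101.203.189, and this Python code totals bytes per remote endpoint and lists the remotes outside 17.0.0.0/8 so they can be compared with the blocked entries in the appliance's event log. The function names and the treatment of 17.0.0.0/8 as Apple's own block are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: 17.0.0.0/8 is Apple's own address block; anything else is treated
# as third-party space that the Apple-domain whitelist entries may not cover.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# Matches tcpdump's default one-line TCP summary as it appears in the capture.
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*"
    r"length (?P<len>\d+)$"
)

def summarize(capture: str, client_ip: str) -> dict:
    """Per remote (ip, port): bytes sent/received by client_ip and flags seen."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0, "flags": set()})
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner, "--- Start Of Stream ---", etc.
        size = int(m["len"])
        if m["src"] == client_ip:
            key, direction = (m["dst"], int(m["dport"])), "sent"
        elif m["dst"] == client_ip:
            key, direction = (m["src"], int(m["sport"])), "received"
        else:
            continue  # traffic that does not involve the test device
        stats[key][direction] += size
        stats[key]["flags"].update(m["flags"].replace(".", ""))  # drop ACK dot
    return dict(stats)

def non_apple_remotes(stats: dict) -> list:
    """Remote IPs outside APPLE_NET: candidates to look up in the event log."""
    return sorted({ip for ip, _ in stats if ipaddress.ip_address(ip) not in APPLE_NET})

# Five lines copied from the capture above.
SAMPLE = """\
19:21:33.946516 IP 10.55.150.92.49583 > 17.173.66.181.443: Flags [P.], seq 1460:1924, ack 1, win 8192, length 464
19:21:33.977419 IP 17.173.66.181.443 > 10.55.150.92.49583: Flags [P.], seq 1:623, ack 1924, win 2439, length 622
19:21:34.155020 IP 10.55.150.92.49581 > 104.101.203.189.443: Flags [P.], seq 1448:1825, ack 1, win 4096, options [nop,nop,TS val 589992344 ecr 2924499616], length 377
19:21:34.203660 IP 104.101.203.189.443 > 10.55.150.92.49581: Flags [P.], seq 1:759, ack 3251, win 2025, options [nop,nop,TS val 2924519674 ecr 589992345], length 758
19:21:44.685966 IP 10.55.150.92.49579 > 17.173.66.181.443: Flags [F.], seq 744746666, ack 3649923289, win 8192, length 0
"""

if __name__ == "__main__":
    stats = summarize(SAMPLE, "10.55.150.92")
    print(stats, non_apple_remotes(stats))
```

The capture carries only addresses, so each listed remote still has to be mapped to a hostname or category through the filter's own block log before a whitelist entry can be written for it.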

Maybe...
For me, I had to use trial and error and check at Network-Wide->Event Log->Security Appliances which sites were being blocked.

For iPads I just needed to open apple.com and itunes.com.
For iPhone 7 I had to open access to the app manufacturer's site.

For iPhone 6 and SE I had to open a dozen different sites.

For Androids I had to open a lot more sites.

To fulfill the customer requirements I had to configure 62 entries in the Whitelisted URL patterns list.


Cheers,
Vasco

Thanks for the quick reply. I found that my issue was my own oversight. I had assumed all our MX100s were up to date as they are set to auto update firmware, but I noticed the one I was testing on was stuck at version 12.24. I manually updated to 13.28, and that resolved the issue.
