Security

My Captive portal and Guest WLAN access for web and email are working fine without any issues, but I can not figure out the required firewall ACL to allow YouTube iOS app on Guest WLAN.

With a simple Google search, I find many hits on transparent proxy setup that is required for the app.  Can anyone help me on this implementation on my 650 controller?  I am currently running 6.3.1.2 release.

Sample google search on "ios youtube app firewall".

https://productforums.google.com/forum/#!topic/youtube/4vyNLc41d34

The issue with media sites these days are that they use content delivery networks which use different dns names and IPs which are regionally distributed. This makes using a traditional netdestination with DNS name (*.youtube.com) not possible. The YouTube page will load, but the actual media streams will end up blocked.

Newer controllers support AppRF 2.0 in AOS 6.4 which is actually able to fingerprint the YouTube traffic and allow you to use it in a session ACL.

You could try allowing *.googlevideo.com but that may not catch everything.

Looks like AppRF is not supported on 650 contoller.

Yes. You would have to try allowing the Google video cache DNS names in your ACLs. You may have to do a packet capture to figure out the different sites but you may be safe with *.youtube.com and *.googlevideo.com.

Do you mean to allow inbound connection from those hosts? I don't think I am currently blocking any hosts outbound on guest WLAN.

Thank you for the detailed information so far.

To be clear, this only impacting iOS YouTube application on iPhone and iPad; I have not tested the Android YouTube app yet.

The browers on Mac and PC has no problem accessing the YouTube web services.

I did a quick packet capture of an iPhone with the YouTube app. Here are the destinations:

And Android.