02-21-2014 09:11 AM - edited 02-21-2014 09:15 AM
My Captive portal and Guest WLAN access for web and email are working fine without any issues, but I cannot figure out the required firewall ACL to allow the YouTube iOS app on the Guest WLAN.
With a simple Google search, I find many hits on the transparent proxy setup that is required for the app. Can anyone help me with this implementation on my 650 controller? I am currently running the 18.104.22.168 release.
Sample Google search on "ios youtube app firewall".
02-21-2014 09:16 AM - edited 02-21-2014 09:25 AM
The issue with media sites these days is that they use content delivery networks which use different DNS names and IPs which are regionally distributed. This makes using a traditional netdestination with DNS name (*.youtube.com) not possible. The YouTube page will load, but the actual media streams will end up blocked.
Newer controllers support AppRF 2.0 in AOS 6.4 which is actually able to fingerprint the YouTube traffic and allow you to use it in a session ACL.
You could try allowing *.googlevideo.com but that may not catch everything.
02-21-2014 09:32 AM - edited 02-21-2014 09:33 AM
Yes. You would have to try allowing the Google video cache DNS names in your ACLs. You may have to do a packet capture to figure out the different sites but you may be safe with *.youtube.com and *.googlevideo.com.
02-21-2014 09:36 AM
Do you mean to allow inbound connection from those hosts? I don't think I am currently blocking any hosts outbound on guest WLAN.
Thank you for the detailed information so far.
02-21-2014 09:53 AM
To be clear, this is only impacting the iOS YouTube application on iPhone and iPad; I have not tested the Android YouTube app yet.
The browsers on Mac and PC have no problem accessing the YouTube web services.
02-21-2014 11:40 AM
I did a quick packet capture of an iPhone with the YouTube app. Here are the destinations: