USG FLEX 100 and Apple FaceTime Video

infosecwest Posts: 13  Freshman Member
Hi folks,

I have a client network using a USG FLEX 100 with load balancing between two ISP connections. All is working well, but the client advises that they cannot make / receive FaceTime Video connections from the network.

At first I suspected a Firewall rule, but after adding manual rules to allow the FaceTime ports as per https://support.apple.com/en-au/HT202078 they are still unable to get this working.

ADP is enabled
Session Limit disabled

UPNP and NAT-UPNP, Allow UPnP or NAT-PMP to pass through Firewall is enabled

App Patrol disabled
Content Filter disabled
Anti-Malware enabled
URL Blocking disabled
IPS enabled
Email Security disabled
CDR enabled

Anyone seen this, or have any ideas or suggestions? Would be greatly appreciated.
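The port list in Apple's HT202078 includes UDP 3478-3497, which is the STUN/TURN range, so the address and port a STUN server reports back is what a remote peer has to reach. The STUN Binding probe below is an added example, not code from this post, from Zyxel or from Apple. It assumes FaceTime's NAT traversal behaves like standard RFC 5389 STUN and that the STUN server to query is chosen by whoever runs it. Repeating the probe from fresh UDP sockets behind a load-balanced dual-WAN gateway shows whether one client's flows all leave via a single public IP or are spread across both ISP links, which would match outbound calls working while externally initiated ones fail. The reply embedded for the offline check is a constructed sample, not a capture.

```python
"""STUN Binding probe (RFC 5389) for checking NAT mappings behind a dual-WAN gateway.

Added example, not code from the forum post, Zyxel or Apple. Assumption: the UDP
3478-3497 range in Apple's HT202078 list carries STUN/TURN traffic, so the mapping a
STUN server reports is the one a remote FaceTime peer must reach. If probes from fresh
sockets come back with different public IPs, the load balancer is spreading one
client's flows across both ISP links.
"""
import os
import socket
import struct
import sys

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id=None):
    """Return (message, transaction id): a 20-byte header with no attributes."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id, txn_id


def parse_binding_response(data, txn_id):
    """Return the reflexive (ip, port) from a Binding Success response.

    Prefers XOR-MAPPED-ADDRESS and falls back to the legacy MAPPED-ADDRESS.
    Raises ValueError if the reply is malformed or not for our transaction.
    """
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS:
        raise ValueError("not a Binding Success response: 0x%04x" % msg_type)
    if cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("reply does not match our transaction id")
    end = 20 + msg_len
    if end > len(data):
        raise ValueError("truncated attributes")
    offset, fallback = 20, None
    while offset + 4 <= end:
        atype, alen = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + alen]
        offset += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8:
            family = value[1]
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            if family == 0x01:
                addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
                return socket.inet_ntoa(struct.pack("!I", addr)), port
            if family == 0x02 and len(value) >= 20:
                key = struct.pack("!I", MAGIC_COOKIE) + txn_id
                raw = bytes(a ^ b for a, b in zip(value[4:20], key))
                return socket.inet_ntop(socket.AF_INET6, raw), port
        elif atype == ATTR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            fallback = (socket.inet_ntoa(value[4:8]), struct.unpack("!H", value[2:4])[0])
    if fallback:
        return fallback
    raise ValueError("no mapped address attribute in reply")


def stun_query(server, port=3478, timeout=2.0):
    """One Binding Request from a fresh UDP socket; returns the mapped (ip, port)."""
    request, txn_id = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        data, _ = sock.recvfrom(2048)
    return parse_binding_response(data, txn_id)


def mapping_is_consistent(mappings):
    """True when every probe saw the same public IP, i.e. a single WAN link was used."""
    return len({ip for ip, _ in mappings}) == 1


# Constructed sample reply (not captured from a real server): Binding Success for
# transaction 0x01..0x0c carrying XOR-MAPPED-ADDRESS 203.0.113.10:54321.
# 54321 ^ 0x2112 = 0xF523 ; 203.0.113.10 = 0xCB00710A, ^ 0x2112A442 = 0xEA12D548
SAMPLE_TXN = bytes(range(1, 13))
SAMPLE_RESPONSE = (
    struct.pack("!HHI", BINDING_SUCCESS, 12, MAGIC_COOKIE) + SAMPLE_TXN
    + struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, 0xF523, 0xEA12D548)
)

if __name__ == "__main__":
    # Usage: python stun_probe.py <stun-server> [probes]; the server is the caller's choice.
    if len(sys.argv) < 2:
        sys.exit("usage: stun_probe.py <stun-server> [probes]")
    probes = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    seen = [stun_query(sys.argv[1]) for _ in range(probes)]
    for ip, port in seen:
        print("mapped to %s:%d" % (ip, port))
    print("consistent public IP across probes:", mapping_is_consistent(seen))
```

Run it from a LAN host several times; each probe deliberately opens a new socket so that a per-flow load balancer gets a fresh chance to pick a WAN. Two different public IPs in the output means the peer's view of this client is not stable, which is the condition a sticky policy route for the client (or for UDP 3478-3497) is meant to remove.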

All Replies

  • infosecwest Posts: 13  Freshman Member
    After a bit more debugging, it now appears that an outbound FaceTime Video call can be made from the network OK, but an externally initiated call (from the Internet) does not work.
  • infosecwest Posts: 13  Freshman Member
    ...More Testing shows this as inconsistent :-(

    Looks like an issue with UPNP (received this from upnpc):

    ...
    List of UPNP devices found on the network :
     desc: http://192.168.4.1:41188/rootDesc.xml
     st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

    Found a (not connected?) IGD : http://192.168.4.1:41188/ctl/IPConn
    No valid UPNP Internet Gateway Device found.
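What upnpc is testing when it prints "Found a (not connected?) IGD" is, in miniupnpc, whether the WANIPConnection (or WANPPPConnection) service's GetStatusInfo action returns a NewConnectionStatus of "Connected". The script below is an added example, not code from this post, from miniupnpc or from Zyxel; it repeats that check with plain HTTP and SOAP so the status can be read directly from the USG rather than inferred from upnpc's wording. Only the description URL is taken from the post. The device description and SOAP reply embedded for the offline check are constructed samples, and the real device is assumed to follow the standard IGD:1 description layout.

```python
"""UPnP IGD connection-status check, the test behind upnpc's "(not connected?)" verdict.

Added example, not code from the forum post, miniupnpc or Zyxel. Assumption: upnpc
labels an IGD "(not connected?)" when the WAN*Connection service's GetStatusInfo action
returns a NewConnectionStatus other than "Connected"; this script asks the same question.
The XML samples below are constructed, not captured from the USG FLEX 100.
"""
import sys
import urllib.request
from urllib.parse import urljoin
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WAN_SERVICES = ("WANIPConnection", "WANPPPConnection")


def _local(tag):
    """Strip the XML namespace from a tag name."""
    return tag.rsplit("}", 1)[-1]


def find_wan_connection_service(desc_xml, desc_url):
    """Return (absolute controlURL, serviceType) of the first WAN*Connection service."""
    root = ET.fromstring(desc_xml)
    base = desc_url
    url_base = root.find("{*}URLBase")  # UPnP 1.0 devices may override the base URL
    if url_base is not None and url_base.text:
        base = url_base.text.strip()
    for service in root.iterfind(".//{*}service"):
        stype = (service.findtext("{*}serviceType") or "").strip()
        ctl = (service.findtext("{*}controlURL") or "").strip()
        if ctl and any(":service:%s:" % name in stype for name in WAN_SERVICES):
            return urljoin(base, ctl), stype
    raise LookupError("no WANIPConnection/WANPPPConnection service in description")


def build_get_status_info(service_type):
    """Return (POST body bytes, headers) for the GetStatusInfo SOAP action."""
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="%s" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        '<s:Body><u:GetStatusInfo xmlns:u="%s"/></s:Body></s:Envelope>' % (SOAP_NS, service_type)
    ).encode()
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": '"%s#GetStatusInfo"' % service_type,
    }
    return body, headers


def parse_status_info(soap_xml):
    """Return the GetStatusInfoResponse fields as a dict (NewConnectionStatus, ...)."""
    root = ET.fromstring(soap_xml)
    resp = root.find(".//{*}GetStatusInfoResponse")
    if resp is None:
        fault = root.find(".//{%s}Fault" % SOAP_NS)
        raise ValueError("SOAP fault" if fault is not None else "no GetStatusInfoResponse")
    return {_local(child.tag): (child.text or "").strip() for child in resp}


def igd_is_connected(status):
    """miniupnpc's criterion: the IGD is usable only if the status is exactly 'Connected'."""
    return status.get("NewConnectionStatus") == "Connected"


def query_status(desc_url, timeout=3.0):
    """Live check: fetch rootDesc.xml, then POST GetStatusInfo to the control URL."""
    with urllib.request.urlopen(desc_url, timeout=timeout) as r:
        control_url, stype = find_wan_connection_service(r.read(), desc_url)
    body, headers = build_get_status_info(stype)
    req = urllib.request.Request(control_url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as r:
        return parse_status_info(r.read())


# Constructed samples (not device captures); only the description URL is from the post.
SAMPLE_DESC_URL = "http://192.168.4.1:41188/rootDesc.xml"
SAMPLE_ROOTDESC = b"""<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device><deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
   <controlURL>/ctl/IPConn</controlURL>
  </service></serviceList>
 </device>
</root>"""
SAMPLE_STATUS_RESPONSE = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><u:GetStatusInfoResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewConnectionStatus>Disconnected</NewConnectionStatus>
<NewLastConnectionError>ERROR_NONE</NewLastConnectionError>
<NewUptime>0</NewUptime>
</u:GetStatusInfoResponse></s:Body></s:Envelope>"""

if __name__ == "__main__":
    url = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_DESC_URL
    status = query_status(url)
    print(status, "-> usable IGD:", igd_is_connected(status))
```

Run as `python igd_status.py http://192.168.4.1:41188/rootDesc.xml` from a LAN host. A NewConnectionStatus other than "Connected" on a dual-WAN unit is worth comparing against which WAN interface the gateway's UPnP service is bound to, since a client whose traffic is balanced onto the other link gets no usable port mapping from it.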

  • infosecwest Posts: 13  Freshman Member
    One thread on Reddit suggests that I may need NAT reflection to be enabled also: https://www.reddit.com/r/PFSENSE/comments/kphg9n/any_idea_why_i_cant_make_a_facetime_call_between/ - any thoughts?
  • smb_corp_user Posts: 161  Master Member
    I concur with the threads on reddit. The Apple FaceTime service appears to prefer peer-to-peer communication, meaning that it works best if the internal unit replies as if it was connected directly to the internet via the phone service provider, or as if both devices were on the same local network. This software design choice puts more demand on security admins to find alternate solutions for such scenarios. Unfortunately I do not have personal experience with this scenario, so I hope someone from the ZyXEL team will respond to your query.
  • Zyxel_Cooldia Posts: 1,450  Zyxel Employee
    Hi @infosecwest,

    Welcome to Zyxel community.  :)
    Do you have any policy route that restricts traffic to a specific WAN interface?
  • infosecwest Posts: 13  Freshman Member
    No, not at this stage.
    Should I?
  • infosecwest Posts: 13  Freshman Member
    I have added a new Policy rule to route traffic to one of the gateways. Still not working :-(
  • infosecwest Posts: 13  Freshman Member
    Also notable is that the firewall seems to be preventing LAN to LAN FaceTime Video connections
  • Zyxel_Cooldia Posts: 1,450  Zyxel Employee
    Hi @infosecwest,
    Can you send me your startup configuration file in a PM?
    I would like to conduct a lab test based on your configuration file.
  • infosecwest Posts: 13  Freshman Member
    I am on the road for a week but will do when I return.
