USG FLEX 100 and Apple FaceTime Video

Options
infosecwest
infosecwest Posts: 13  Freshman Member
10 Comments
Hi folks,

I have a client network using a USG FLEX 100 with load balancing between to ISP connections. All is working well but the client advises that they cannot make / receive FaceTime Video connections from the network.

At first I suspected a Firewall rule, but after adding manual rules to allow the FaceTime ports as per https://support.apple.com/en-au/HT202078 they are still unable to get this working.

ADP is enabled
Session Limit disabled

UPNP and NAT-UPNP, Allow UPnP or NAT-PMP to pass through Firewall is enabled

App Patrol disabled
Content Filter disabled
Anti-Malware enabled
URL Blocking disabled
IPS enabled
Email Security disabled
CDR enabled

Anyone seen this, or have any ideas or suggestions? would be greatly appreciated.
«1

All Replies

  • infosecwest
    infosecwest Posts: 13  Freshman Member
    10 Comments
    Options
    After a bit more debugging, it now appears that an outbound FaceTime Video call can be made from the network ok, but an externally initiated (from the Internet) does not work.
  • infosecwest
    infosecwest Posts: 13  Freshman Member
    10 Comments
    Options
    ...More Testing shows this as inconsistent :-(

    Looks like an issue with UPNP: (received this from upnpc)

    ...

    List of UPNP devices found on the network :

     desc: http://192.168.4.1:41188/rootDesc.xml

     st: urn:schemas-upnp-org:device:InternetGatewayDevice:1


    Found a (not connected?) IGD : http://192.168.4.1:41188/ctl/IPConn

    No valid UPNP Internet Gateway Device found.

  • infosecwest
    infosecwest Posts: 13  Freshman Member
    10 Comments
    Options
    One thread on Reddit suggests that i may need NAT reflection to be enabled also https://www.reddit.com/r/PFSENSE/comments/kphg9n/any_idea_why_i_cant_make_a_facetime_call_between/ - any thoughts?
  • smb_corp_user
    smb_corp_user Posts: 161  Master Member
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    I concur with the threads on reddit. The Apple FaceTime service appears to prefer peer-to-peer communication, meaning that it works best if the internal unit replies as if it was connected directly to the internet via the phone service provider, or as if both devices were on the same local network. This software design choice puts more demand on security admins to find alternate solutions for such scenarios. Unfortunately I do not have personal experience with this scenario, so I hope someone from the ZyXEL team will respond to your query.
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,454  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @infosecwest,

    Welcome to Zyxel community.  :)
    Do you have any policy route to force restrict traffic to specific wan interface ?
  • infosecwest
    infosecwest Posts: 13  Freshman Member
    10 Comments
    Options
    No, Not at this stage.
    should i?
  • infosecwest
    infosecwest Posts: 13  Freshman Member
    10 Comments
    Options
    I have added a new Policy rule to route traffic to one of the gateways. Still not working :-(
  • infosecwest
    infosecwest Posts: 13  Freshman Member
    10 Comments
    Options
    Also notable is that the firewall seems to be preventing LAN to LAN FaceTime Video connections
  • Zyxel_Cooldia
    Zyxel_Cooldia Posts: 1,454  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    Options
    Hi @infosecwest,
    Can you send me startup configuration file in PM.
    I would like to conduct a lab test based on your configuration file.
  • infosecwest
    infosecwest Posts: 13  Freshman Member
    10 Comments
    Options
    Am on the road for a week but will do when I return

Security Highlight