We've progressively had to roll changes into our network environment over the past year and a bit to support Apple devices and applications as our network sits behind Blue Coat proxies that use NTLM for some of our sites and Basic Auth for others.
We have some legacy domains that are unauthenticated access (for reasons that I don't have handy):
* swcdn.apple.com
* swquery.apple.com
* swscan.apple.com
In order for applications and/or iTunes store purchases to function we had to unauthenticate the domain:
se.itunes.apple.com
To upgrade iOS on a device via iTunes we had to:
Enable gs.apple.com to be available unauthenticated. iTunes attempts to access this server after downloading and extracting the firmware to check it's legitimate. Requests to this site are being met with a proxy authentication page which halts the request.
To get iOS device activation to work we had to enable direct access on our firewalls for the Apple network:
* 17.0.0.0/8 (Apple Network)
* 199.16.83.72 (Verisign OCSP)
* 199.7.55.72 (Verisign OCSP)
To get iTunes to work on an iPad we had to:
Set domain se.itunes.apple.com as unauthenticated
In order to get the Windows iTunes application to show content we had to:
* Force Basic Auth where agent contains "itunes"
* and the domain ax.init.itunes.apple.com was allowed unauthenticated
* and the domain ax.init.itunes.apple.com was not checked for valid SSL protocol
To allow the Windows iTunes installer to be downloadable we had to bypass AV scanning at the gateway for itunes*.exe from appldnld.apple.com, due to the way the 'Thank you for downloading' page appears and severs the download connection when AV performs scanning.
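A check for whether the exemptions above are actually taking effect, added here as an example and not part of the original post: it scans proxy access-log lines for the listed Apple hosts still being answered with 407 (the proxy authentication page that halts the gs.apple.com request), and for traffic to the direct-access networks that is still flowing through the proxy. The log layout is an assumption constructed for the example, not a real Blue Coat format.

```python
"""Flag Apple destinations that should bypass proxy authentication but don't."""
import ipaddress
import re
from dataclasses import dataclass

# Hosts the post says must be reachable through the proxy without authentication.
UNAUTH_HOSTS = {
    "swcdn.apple.com", "swquery.apple.com", "swscan.apple.com",
    "se.itunes.apple.com", "gs.apple.com", "ax.init.itunes.apple.com",
}
# Destinations the post says get direct firewall access (i.e. should never hit the proxy).
DIRECT_NETS = [ipaddress.ip_network(n)
               for n in ("17.0.0.0/8", "199.16.83.72/32", "199.7.55.72/32")]

# Assumed log layout (constructed for this example):
#   <client_ip> <status> <method> <scheme>://<host>[:port]/<path> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\d{3}) (\S+) \w+://([^/\s]+)\S* "([^"]*)"$')


@dataclass
class Finding:
    host: str
    status: int
    reason: str


def check_line(line: str):
    """Return a Finding for a misrouted/blocked Apple request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _client, status, _method, host, _agent = m.groups()
    status = int(status)
    host = host.split(":")[0].lower()          # drop an explicit port
    if host in UNAUTH_HOSTS and status == 407:
        return Finding(host, status, "listed as unauthenticated but got 407")
    try:
        ip = ipaddress.ip_address(host)         # CONNECT targets are often bare IPs
    except ValueError:
        return None
    if any(ip in net for net in DIRECT_NETS):
        return Finding(host, status, "direct-access network but went via proxy")
    return None


def scan(lines):
    return [f for f in map(check_line, lines) if f]


SAMPLE_LOG = [  # constructed sample lines, not real proxy output
    '10.1.2.3 200 GET http://swcdn.apple.com/content/x.pkg "Software Update"',
    '10.1.2.3 407 GET https://gs.apple.com/TSS/controller "iTunes/12.1"',
    '10.1.2.4 200 CONNECT https://17.171.4.15:443/ "ATSModel"',
    '10.1.2.5 407 GET https://www.example.com/ "Mozilla/5.0"',
]
```

Run `scan(SAMPLE_LOG)`: the example.com 407 is expected (an authenticated site) and is not reported, while the gs.apple.com 407 and the 17/8 request seen at the proxy are.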