Problems with getting Pandora to work

L3 Networker

All,

In our current URL filtering setup (WebWashers utilizing WCCP) we have rules set up that allow a particular AD group access to Pandora, which works fine. We're trying to port this rule over to our PAs but I am running into some issues.

In the Security Policy I have a rule set up that allows the pandora group to use flash, pandora, web browsing, and ssl apps, and I created a custom URL category with pandora.com in it.

I've found that when I put this in place I'll have a HUGE number of URL blocks because it appears that Pandora grabs content (mostly ads I'd say) from all over the place. So I put a number of those sites in there as well, but still get lots of blocks, and the music never starts, it always says there's a problem..

So, does anyone have something like this set up? If so, what did you all do to make it work?

Thanks

-Steve


Accepted Solutions
L3 Networker

It is easy!  However I think perhaps there's some misunderstanding here on the use of URL categories as Policy Match criteria.  By defining your rule this way, you are *restricting* it to URLs that match the streaming media category, not opening it up.  If you remove the URL category, then the rule (allow pandora) will apply to any URL, including CDNs, ad servers, unknowns, or anything else Pandora relies on. 

I just mocked this up in my lab, and it works like a charm.  Here are the 3 rules I created to apply to my VM:

rules.png

The first rule has a URL filtering profile that blocks the streaming media category.  Here are the logs from successfully playing a pandora stream on the VM:

logs.png

Hope this helps.



All Replies
L4 Transporter

What happens if you take the URL category out?

L3 Networker

That doesn't work..

Here's some more info...

If I look in my Traffic Monitor I see this user hitting the various rules, including my App/URL rule, however I see some incompletes...

Hmmmmm..

I wonder if I'm seeing the incompletes because part of the traffic is going out my App/Rule rule, and it looks like sometimes it's going out a different rule farther down. Like I said I'm allowing the various app types out my App/Rule, however the actual URL browsing policy doesn't kick in for this user/group until later in the policy. This is a special exception which I have to do farther up in order for it to work before they get denied by the regular policy..

Is this just not possible?

Thanks!

-Steve

L3 Networker

In general, trying to control applications using URLs is problematic - it tends to work better for blocking apps than for allowing them.  For example, in your particular case, blocking access to the pandora.com URL would obviously prevent users from using those services, but the converse is not true due to fun things like ad networks, CDNs, etc.  (it's not at all uncommon for web2.0 apps to use dozens of URLs from numerous domains).  We generally suggest controlling access to apps such as this via AppID only, as the AppIDs are much more granular and accurate than a single URL ever could be.

L3 Networker

Ok..

Hmmmm..  So I have my rule above all others that states this testuser is allowed to run Flash, Pandora, with the Service/URL Category of streaming-media

If I try it with just that I get denied going to pandora.com. I added the apps web-browsing, ssl and now I'm able to get there, but still the same issue..

Looking in my traffic logs I'm still seeing some incompletes hitting my App rule on port 80, appears to be different destination addresses too..

I'm also seeing some blocks in my URL filtering monitor, some classified as Internet Communication, Computer Security, Malware, wonder if those are just some extra junk content it's trying to bring in.. You'd think it would still run without them though...

L3 Networker

Sounds about right - trying to manage Apps with URL categories tied to them is problematic.  I'd take the URL category out of your Pandora rule and just leave the application control to AppID. 

L3 Networker

The problem with doing that is if I'm not allowing the streaming-media category you can't get to the site because streaming-media, and/or Pandora isn't allowed any place else in the rule base..

Soo, kind of stuck..

Wow, you'd think something like this would be easy.. Guess not.. :(

L3 Networker

Yeah, no matter what I do I always see incompletes in my traffic log, so for whatever reason something is not matching my rules which is preventing it from starting.

I've even taken out the Apps and just put in service rules for ports 80/443 and still no luck..

I think I may have to open a case on this cause I'm just not getting anywhere..

Thanks!

-Steve


L3 Networker

By the way, the insufficient-data log in the screenshot above is from an open bittorrent session that my new rules blocked.  Everything related to pandora fell under the pandora rule, and all other web-browsing and ssl traffic went to the web-browsing rule.
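The difference the accepted answer describes, between a URL category used as a rule's match criterion and a URL filtering profile attached to an allow rule, can be seen in a simplified first-match model. This is an example added here, not code from the thread or from PAN-OS; the rule names, the category names other than streaming-media, and the session list are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    apps: Optional[frozenset]                     # None = any application
    action: str                                   # "allow" or "deny"
    match_categories: Optional[frozenset] = None  # match criterion; None = any URL
    profile_blocks: frozenset = frozenset()       # URL filtering profile on an allow rule

def evaluate(policy, app, category):
    """First matching rule wins; its profile is applied only after the match."""
    for rule in policy:
        if rule.apps is not None and app not in rule.apps:
            continue
        if rule.match_categories is not None and category not in rule.match_categories:
            continue  # category is a match criterion: the rule is skipped entirely
        if rule.action == "allow" and category in rule.profile_blocks:
            return rule.name, "block-url"
        return rule.name, rule.action
    return "implicit-deny", "deny"

GENERAL = Rule("general-web", frozenset({"web-browsing", "ssl"}), "allow",
               profile_blocks=frozenset({"streaming-media"}))
DENY_ALL = Rule("deny-all", None, "deny")

# Exception rule as first described in the thread: category used as a match criterion.
RESTRICTED = [Rule("pandora-exception", frozenset({"flash", "pandora", "web-browsing", "ssl"}),
                   "allow", match_categories=frozenset({"streaming-media"})),
              GENERAL, DENY_ALL]
# Exception rule as the accepted answer suggests: App-ID only, any URL category.
APP_ONLY = [Rule("pandora-exception", frozenset({"flash", "pandora"}), "allow"),
            GENERAL, DENY_ALL]

# Constructed sessions: (application, URL category) seen while a stream starts.
SESSIONS = [("pandora", "streaming-media"), ("pandora", "content-delivery"),
            ("pandora", "unknown"), ("web-browsing", "web-advertisements"),
            ("web-browsing", "streaming-media")]

def report(policy):
    return {s: evaluate(policy, *s) for s in SESSIONS}

def playback_ok(policy):
    return all(evaluate(policy, a, c)[1] == "allow" for a, c in SESSIONS if a == "pandora")

if __name__ == "__main__":
    for label, policy in (("restricted", RESTRICTED), ("app-only", APP_ONLY)):
        print(label, "playback_ok =", playback_ok(policy))
        for session, verdict in report(policy).items():
            print("  ", session, "->", verdict)
```

In the restricted policy the CDN and uncategorized Pandora sessions skip the exception rule and land on the final deny, while the App-ID-only rule catches them and the streaming-media block still applies to ordinary web browsing.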
