XG Firewall Apple TV+ Connection Issues

Question

Ok, so I decided to give Apple TV+ a try. I am aware of how finicky Apple products can be, but decided to give it a whirl anyway. Perhaps I'm beating a dead horse on this. 
 The first issue was the XG blocking QUIC, once I allowed QUIC, streaming seemed to work fine. Then things started going off the rails. I now get intermittent issues where Apple Music and Apple TV+ cannot connect. Apple TV+ provides the following message "Content Unavailable". This occurs no matter if I use an iPad, iMac or Android box. 
 I use Android boxes with the Apple TV+ app installed. 
 Apple Music and Apple TV+ drop out every 15 or 20 minutes and they remain gone for several minutes before miraculously connecting. During the Apple down time, the Apple TV+ connection tests pass connecting to the internet but fail with connection to Apple. I can stream using Disney+ with full 4k HDR10 without a single hiccup at any time and no rule exemptions. My Speedtest shows absolutely no issues with my fibre line. 
 I have tried a number of "troubleshooting" steps with disabling one thing or the other. This became extremely time consuming since the XG takes a very long time to update a firewall rule. To speed things up, I have created the following rule at the top of my rules list: 
 
 LAN to WAN 
 Allow any service 
 Allow any source 
 Allow any destination 
 Web Policy = "Allow All" 
 Malware scanning disabled 
 Use web proxy instead of DPI 
 App Control = "Allow All" 
 IPS = "None" 
 
 Believe it or not, with the above rule the Apple TV+ and Apple Music still refuse to connect. 
 At this stage I am at a complete loss as to how to troubleshoot this further. I cannot see how the XG might be interfering with the connection. 
 I should add that I am attempting to troubleshoot this from my iMac by testing the Apple TV+ app on it. 
 As I finish typing this post, Apple TV+ & Apple Music both came back online.

Casual_User · Accepted Answer

I have solved this issue. It was not related to the XG, my computer or my ISP. Oddly enough, it was Windows Update for a Windows 10 computer that I have which put me on the trail of the underlying issue. 
 I use an iMac for my main computer. I have a number of other devices including a Windows 11 machine and Windows 10. I rarely use the Win10 computer as it is just a spare. Recently I noticed that the Win10 machine could not connect to Windows Update while Win11 machine worked fine. The Win10 machine had no issues with internet or network access. The Windows troubleshooter on the Win10 machine indicated that it could not lookup an address in the format of xxx.catalog.xxx.microsoft.com. While I could not lookup this address using nslookup other addresses resolved fine. When I pointed nslookup directly to the outside DNS servers (forwarders) that I am using, it could resolve the address fine. So that meant that there was an issue with my internal DNS server. Clearing the DNS cache on my DNS server resolved the problem. I am still trying to figure out the underlying issue. I. don't understand why my DNS server couldn't resolve the address although it was using the same external reference DNS server that I used for the manual nslookup. It is set to scavenge addresses after 7 days. 
 The obvious deduction was that if Windows update could not resolve some external IP addresses, then the same must be true for other domains including the ones needed for Apple TV+ to work. 
 To summarize, the firewall rules etc posted here work with the requisite TLS/SSL exemptions. I am using DPI instead of the proxy and things seem to work fine as long as you have the correct TLS/SSL exemptions. 
 I wish Apple had a troubleshooter as it would have been much easier to resolve my issue if they did. Thankfully, and strangely, the Microsoft troubleshooter for Windows 10 updates helped my solve my Apple TV+ connectivity issue on my iMac.

rfcat_vk · Answer

Hi, 
 all apple device will not put up with decrypt and scan, they need an exception or a rule that allows their traffic through. I have a specific rule for the Apple devices that only allows them to connect to Apple sites. If you review thew SSl/TLS exception list you willl find it has exceptions for APPLe networks. Further the XG calssification system mis-classifies some of the Apple traffic which depends on how strict your rules are might be causing part of your issue. 
 My network has mac mini.MBPs, ipad , timemachine and iPhones all using the FQDN except rule for IP4 traffic and IP addressing for IPv6 traffic. As Wayne advised QUIC is not used and is blocked. 
 Ian 
 Edit:- and I forgot an Apple TV.

Vivek Jagad · Answer

Hello Casual_User ,

Thank you for reaching out to the community, you can add the urls used by the Apple product into the exceptions and continue to observe, please find the useful articles below:
1.) Ports used by Apple products - https://support.apple.com/en-us/HT202944
2.) Domains/Urls used by Apple products - https://support.apple.com/en-us/HT210060
3.) How to create an exception in Sophos Firewall - https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Web/Exceptions/index.html

Thanks & Regards,
_______________________________________________________________

Vivek Jagad | Team Lead, Global Support & Services

Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.

XG Firewall Apple TV+ Connection Issues

Top Replies