

Warning for Sophos XG home users!!!! Sophos XG firmware SFOS 17.0.3 MR-3 kills streaming video and apps from iTunes on Apple-TV gen4

A few days after upgrading the firmware I noticed that I could not stream videos or install apps from iTunes on my Apple TV. Streaming from Netflix and HBO was working.

I reset Apple TV to factory standard and during setup it turned out that I could not log in to iTunes and App Store with my iCloud ID.

I reverted back to firmware version SFOS 17.02 MR-2 and now everything is ok.



  • I also have troubles with streaming since updating to 17.0.3, especially streaming from the Amazon Prime Video app - I have no special rules defined and it was definitely working before (not sure if it was still working in 17 MR-2 but it was working with 17.0). I still can stream non-HD videos from Amazon but no HD - and this is just happening on my AppleTV - on my MacBook, iPad, iPhone I can stream the whole HD content - Sophos XG is then not blocking any of the video which I can't play on the AppleTV. If I connect the AppleTV directly to the modem it works - so it should be a problem with the Sophos XG - I already tried adding Exceptions for Amazon, without success - also tried a rollback to MR2, no success :-( . I also had a problem with a streaming app of the Austrian TV (ORF - TVthek) - there I also couldn't stream HD content - I added an "Exception", now it's working again. It's really annoying that it's not working anymore - hope we find a solution for it.

  • I’m running Sophos XG 17 MR-3 with my Apple TVs running through a firewall rule with a custom Web and IPS Policy. I have no issues streaming HD content through the Apple Movies, Hulu or Netflix apps but when I tried using the Amazon Prime app, it would just sit there like it’s trying to load the video but never play. However, Amazon Prime videos stream fine on my iPad.

    I was able to get the Amazon Prime app on the Apple TV to mostly work by adding the following to a web exception list:

    aiv-delivery.net
    akamaihd.net
    amazon.com

    I noticed these domains were being accessed when trying to use the Amazon Prime app by monitoring the Web Filter in the Log Viewer. Unfortunately, some videos were still having issues. It appears to be an issue with the web proxy even though the Amazon Prime traffic is being “Allowed”. I gave up for now and simply added my Apple TVs to another firewall rule that does not have any Web or IPS policies assigned which allows me to stream with no issues.

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/
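Added example (not part of the original post and not Sophos code): a small audit of which hosts a single device contacted and whether each is covered by the exception list from the post above, so that hosts still passing through the web proxy stand out. The log lines are constructed, and the key=value layout, the field names (`src_ip`, `domain`, `status`), the device IP and the dot-boundary suffix matching are assumptions, not the Log Viewer's actual export format or the product's matching rules.

```python
import re
from collections import Counter

# Exception list quoted in the post above (treated here as domain suffixes).
EXCEPTIONS = ["aiv-delivery.net", "akamaihd.net", "amazon.com"]

# Constructed sample lines; layout and field names are assumptions.
SAMPLE_LOG = """\
time=20:01:02 src_ip=192.168.1.50 domain=atv-ps.amazon.com status=allowed
time=20:01:03 src_ip=192.168.1.50 domain=cdn1.aiv-delivery.net status=allowed
time=20:01:03 src_ip=192.168.1.50 domain=a123.akamaihd.net status=allowed
time=20:01:04 src_ip=192.168.1.50 domain=cdn1.aiv-delivery.net status=allowed
time=20:01:05 src_ip=192.168.1.50 domain=media.example-cdn.net status=denied
time=20:01:06 src_ip=192.168.1.50 domain=notamazon.com status=allowed
time=20:01:07 src_ip=192.168.1.77 domain=www.example.org status=allowed
"""

PAIR = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one key=value log line into a dict."""
    return dict(PAIR.findall(line))


def covered_by(host, exceptions):
    """Return the exception entry that covers host, or None.

    Matching is on a label boundary, so 'notamazon.com' is not
    treated as part of 'amazon.com'.
    """
    host = host.lower().rstrip(".")
    for suffix in exceptions:
        if host == suffix or host.endswith("." + suffix):
            return suffix
    return None


def audit(log_text, device_ip, exceptions):
    """Count the device's requests per exception entry and per uncovered host."""
    covered, uncovered = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec.get("src_ip") != device_ip or "domain" not in rec:
            continue
        match = covered_by(rec["domain"], exceptions)
        if match:
            covered[match] += 1
        else:
            uncovered[rec["domain"].lower()] += 1
    return covered, uncovered
```

Hosts left in the second counter are the ones still handled by the web proxy; reviewing them one by one keeps the exception list narrower than removing all Web and IPS policy from the device.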

  • There are no changes to MR3 that should affect video streaming.
     
    There was a change in v17.0 that improved video streaming, but we've discovered one issue with it when using range requests larger than 2GB.  This will be resolved in v17 MR5 which is being released soon.
     
    More information here:
    community.sophos.com/.../363068
  • hey - thx for your message!

    I updated to v17 MR5 today - but the update didn't change the problem - for the moment I can just say that if my AppleTV is excluded from HTTP scanning everything works fine for me - I added an extra firewall rule for this and with this it works. So in my opinion/experience amazon-app+appleTV+http scanning (since at least v17MR2) are no friends and so it doesn't work.

  • http scanning, IPS, and app control disabled as well I would say ...

    I re-installed a Checkpoint appliance.  That problem is gone.

    PJR

  • I'm still on 17.03 MR-3 and had to do the exact same thing (create custom Firewall Rule like above) in order to get my Apple-TV to stream Amazon Prime Video!...

    All was working fine for other streaming services like Netflix, Hulu, DirectvNow, HBOGo and even up until last week on Amazon Prime Video... but I think an auto-update to the tvOS got applied and after that APV wouldn't stream... the app would load the home screen and navigation to selections was OK, but as soon as an attempt was made to start/resume/stream a choice, I would get nothing but the spinner...

     

    Quite frustrating... I tried a variety of Web Policy additions and changes to ensure every possible domain that was denied during streaming attempts was allowed but still it wouldn't work... 

     

    Weird.

  • Sophos is just an infinite problems loop.  Problems never end.

    At home I have decommissioned the XG105 and put it on eBay.  I was exhausted with that nonsense babysitting.

    I'm running now a Check Point 600 or a Check Point 1490.  Problems solved.

     

    Paul Jr 

  • I had this issue with 17.9 MR. No streaming services had problems except Amazon Prime Video. With new videos that are 4k UHD it was hit or miss with Amazon Prime via my ATV4k. Most of the time I would get the Prime spinning wheel and then the error playing this content.

    I suspected it had to be the FW so I decided to add a full exception for my ATV4k in my Sophos Home XG FW. I specified the IP address of the ATV4k and told it zero blocking of anything and voila, everything as expected. I'm not terribly concerned about the ATV4k not being 'protected' since it's a pretty closed device and the exception is outbound only. I came upon this decision by noticing denied messages in the FW log for the ATV4k when attempting to hit one of Amazon Prime's servers.  The only deny that was occurring was for Prime Video. All other services on my ATV4k worked flawlessly.

    So in short, put in an outbound exception for your ATV4k?

  • Hi,

    thank you for the details. I am not quite clear where you put your exception? If it is in web exceptions then that applies to all traffic, because to set up a connection you must call the far end and then the returning traffic is scanned or bypassed in your case.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • I did it in the Firewall section, take a look. And no, it hasn't opened the entire Internet to my devices behind the FW.

  • That's what I did too.

     

    First I defined a new IP Host entry for the Apple-TV and its LAN IP address, then used that as the source in Firewall rule like

    Works great and no problems since.