Thanks! From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Osborne, Bruce W Sent: Friday, April 26, 2013 7:47 AM To: [email protected] Subject: Re: [WIRELESS-LAN] Google Marketplace / Play IP address range
Ryan, Don't forget the Amazon App Store for Kindle devices too. The IP address ranges will vary because Google & Amazon use CDNs (Content Distribution Networks) to distribute their load. We are currently controlling access by DNS capture any IP address ACL. I sometimes make the IP address ranges broad because we are restricting by DNS too. This minimizes needed changes if IP addresses change slightly within the same subnet. We use larger masks when many addresses are discovered in a close range. I do packet captures to get the needed information by using Shark for Root on our rooted Android test device. Here (I think) is what we allow for the Android devices to download XpressConnect. DNS Zones: Google Play Android.clients.google.com Android.l.google.com Ggpht.com Photos-ugc.l.google.com Amazon App Store Mst-ext.amazon.com Mas-ext.amazon.com Images-amazon.com Amzadsi-a.akamaihd.net Not sure if this next one is needed for this Dig0kk115kms0.cloudfront.net IP Subnets; (allow hhtp/https) Google Play 74.125.228.0/24 173.194.7.0/24 173.194.43.0/24 173.194.53.0/24 208.117.224.0/19 208.117.254.0/24 216.12.120.0/24 Amazon App Store 72.21.0.0/16 184.84.227.3/32 [host] 207.171.162.142/32 [host] 216.137.33.0/24 Bruce Osborne Network Engineer IT Network Services (434) 592-4229 LIBERTY UNIVERSITY Training Champions for Christ since 1971 From: Turner, Ryan H [mailto:[email protected]] Sent: Thursday, April 25, 2013 1:49 PM Subject: Re: Google Marketplace / Play IP address range Yeah, I want to say we tried that a while ago, and users still had issues. I think that was the first thing I tried. I am only coming back to this after seeing our previous work was opening up too much and people were using our authenticated setup portal to do more than grab the config ;) Ryan From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Walter Reynolds Sent: Thursday, April 25, 2013 1:38 PM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Google Marketplace / Play IP address range Instead of address range, you could also just open the port. http://support.google.com/googleplay/bin/answer.py?hl=en&answer=1647495 ports required to use Google Play (TCP and UDP 5228). ------------------------ Walter Reynolds Principal Systems Security Development Engineer Information and Technology Services University of Michigan (734) 615-9438 On Thu, Apr 25, 2013 at 11:21 AM, Turner, Ryan H <[email protected]<mailto:[email protected]>> wrote: Thanks, Peppino! I will have to explore that option a little more. Ryan From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]<mailto:[email protected]>] On Behalf Of Muraca, Peppino P. Sent: Thursday, April 25, 2013 11:18 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Google Marketplace / Play IP address range It is actually pretty simple when they are directed to download the app the third option in the pull down is local download, and xpressconnect with walk them through enabling unknown source app install. We are currently using xpressconnect and do not allow them to get to anything but the xpressconnect server. We haven't run into many issues with android users other then student not reading what the page tells them, and that usually goes across all platforms. Pino Peppino Muraca Sr. Network Administrator Stonehill College 508-565-1193<tel:508-565-1193> [email protected]<mailto:[email protected]> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Turner, Ryan H Sent: Thursday, April 25, 2013 11:04 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Google Marketplace / Play IP address range Thanks. Unfortunately, I don't know how common that is (the option about trusting non google apps), or if it's worth having to get those users to follow more steps. I am not an android user, but for people that I have tested this on, they are required to go to Playstore. Ryan From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Muraca, Peppino P. Sent: Thursday, April 25, 2013 10:23 AM To: [email protected]<mailto:[email protected]> Subject: Re: [WIRELESS-LAN] Google Marketplace / Play IP address range Ryan, you don't need to open up your ssid to the playstore, xpressconnect has the app locally on the server you have it running from. You should have three options to download the xpressconnect app from,playstore, amazon app store and locally. The devices will need to have allow apps from unknown sources to be checked off. Pino Peppino Muraca Sr. Network Administrator Stonehill College 508-565-1193<tel:508-565-1193> [email protected]<mailto:[email protected]> From: The EDUCAUSE Wireless Issues Constituent Group Listserv [mailto:[email protected]] On Behalf Of Turner, Ryan H Sent: Thursday, April 25, 2013 10:15 AM To: [email protected]<mailto:[email protected]> Subject: [WIRELESS-LAN] Google Marketplace / Play IP address range We have a setup SSID that allows users to access Xpressconnect to configure for 802.1x. Android requires a connection to the Playstore in order to download a cloudpath applet to complete the profile. So, this setup SSID, which was restricted from external connections must be opened up so that these users can download from the Playstore. I have had difficulties in scoping an acceptable IP address range that allows Play connectivity without opening up too much Has someone else out there troubleshooted and configured a good scope for this application you can share? Thanks! Ryan Turner UNC Chapel Hill ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.
