Here is what I appear to have. It is tricky trying to strip out access for 
other things, especially for DNS. IP Addresses may vary somewhat by ISP. The 
only good way to check Amazon App Store access is with a Kindle Fire device.

Google Play:
   android.l.google.com
   ggpht.com
   photos-ugc.l.google.com
   googleusercontent.com
   play.google-apis.com
   googleapis.l.google.com

Amazon App Store:
   mst-ext.amazon.com
   mas-ext.amazon.com
   mas-sdk.amazon.com
   mas-ssr.amazon.com
   applab-sdk.amazon.com
   images-amazon.com
   ssl-images-amazon.com
   amzndsi-a.akamaihd.net
   cloudfront.net (?)


There may be some CDN domains that I missed too. If in doubt, packet captures 
are your friend.
You can do a Wireshark capture on a rooted Android device with Shark for Root. 
https://play.google.com/store/apps/details?id=lv.n3o.shark&hl=en

Bruce Osborne
Wireless Engineer
IT Infrastructure & Media Solutions

(434) 592-4229

LIBERTY UNIVERSITY
Training Champions for Christ since 1971
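
Added example (not part of the original message and not the sender's own tooling): one way to use the packet-capture advice above is to export the DNS query names seen while a test device installs the app and report the ones the walled-garden list does not cover. The allow-list entries are copied from the Google Play list above; treating each entry as "this name or any subdomain of it" is an assumption, since controllers differ in how they match, and the capture sample is constructed.

```python
from collections import Counter

# Entries copied from the "Google Play" list in the message above.
ALLOW = [
    "android.l.google.com", "ggpht.com", "photos-ugc.l.google.com",
    "googleusercontent.com", "play.google-apis.com", "googleapis.l.google.com",
]

def normalize(name):
    """Lower-case and drop the trailing root dot so 'GGPHT.com.' == 'ggpht.com'."""
    return name.strip().rstrip(".").lower()

def is_allowed(qname, allow=ALLOW):
    """True if qname equals an entry or is a subdomain of it.

    Matching is done on a label boundary, so 'notggpht.com' is NOT covered
    by 'ggpht.com' (assumed matching rule; check your controller's behaviour).
    """
    q = normalize(qname)
    for entry in allow:
        e = normalize(entry)
        if e.startswith("*."):  # accept wildcard-style entries as well
            e = e[2:]
        if q == e or q.endswith("." + e):
            return True
    return False

def uncovered(queries, allow=ALLOW):
    """Count captured query names that no allow-list entry covers."""
    return Counter(
        normalize(q) for q in queries if q.strip() and not is_allowed(q, allow)
    )

# Constructed sample: one DNS query name per line, as a capture export would give.
SAMPLE_CAPTURE = """\
android.l.google.com
lh3.ggpht.com
LH4.GoogleUserContent.com.
notggpht.com
cdn.example.net
cdn.example.net
play.google-apis.com
"""

if __name__ == "__main__":
    for name, hits in uncovered(SAMPLE_CAPTURE.splitlines()).most_common():
        print(f"{hits:3d}  {name}")
```

Names that show up in the output are candidates to review before widening the ACL, not entries to add blindly.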

From: Osborne, Bruce W (Network Services) [mailto:[email protected]]
Sent: Saturday, May 30, 2015 7:45 AM
Subject: Re: google play ACL

You do not need all of amazon.com. Kindle tablets need access to the Amazon App 
Store and they access it differently than other Android devices.

We restrict by DNS & ip ranges. I thought I remembered some YouTube access 
needed for Google Play Store too for graphics & videos.

I will need to post our setup later, after I gather the data.

Bruce Osborne

From: Coehoorn, Joel [mailto:[email protected]]
Sent: Friday, May 29, 2015 2:40 PM
Subject: Re: google play ACL

Wow. All of Amazon, too? I'm sitting on the outside of this process looking in, 
hoping to do something like this before the end of the summer, and that ACL is 
depressing.





Joel Coehoorn
Director of Information Technology
402.363.5603
[email protected]



The mission of York College is to transform lives through Christ-centered 
education and to equip students for lifelong service to God, family, and society

On Fri, May 29, 2015 at 1:37 PM, Turner, Ryan H <[email protected]> wrote:
Thank you, Jacob.  Looks like I may have to go this route as well.

Ryan H Turner
Senior Network Engineer
The University of North Carolina at Chapel Hill
CB 1150 Chapel Hill, NC 27599
+1 919 445 0113 Office
+1 919 274 7926 Mobile

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Jacob Bennefield
Sent: Friday, May 29, 2015 10:26 AM
To: [email protected]
Subject: Re: [WIRELESS-LAN] google play ACL

We have been working with Ruckus and Cloudpath on this issue as well.  These 
are the web addresses we allow to make google play and a few other things 
accessible.  You basically have to open up everything to google but 
google.com

   2    ocsp.digicert.com
   3    crl3.digicert.com
   4    crl4.digicert.com
   5    *.play.google.com
   6    *.ssl.gstatic.com
   7    *.android.clients.google.com
   8    *.googleusercontent.com
   9    *.ggpht.com
   10   *.geotrust.com
   11   *.appengine.google.com
   12   *.settings.crashlytics.com
   13   *.googleapis.com
   14   *.cloud.google.com
   15   *.gvt1.com
   16   *.android.com
   17   passwordreset.lamar.edu
   18   *.amazon.com



Jacob Bennefield, BBA
Manager of Network Services
Lamar University
[email protected]
Phone: 409-880-7997

From: The EDUCAUSE Wireless Issues Constituent Group Listserv 
[mailto:[email protected]] On Behalf Of Turner, Ryan H
Sent: Friday, May 29, 2015 9:01 AM
To: [email protected]
Subject: [WIRELESS-LAN] google play ACL

Hello all,

I’ve asked this question in the past, got some answers, attempted to implement 
some solutions, and have ultimately been disappointed with the results…

Our problem:  We have a limited access onboarding SSID.  Currently, users must 
download the cloudpath agent directly from OUR server, requiring them to 
configure their devices to allow non google market place applications.  I am 
attempting to streamline the onboarding process by allowing access to google 
play directly to download the onboarding application, but am failing miserably… 
 I have put up the white flag and opened up most of google, but now I am 
finding that through a combination of cache servers, and Samsung devices that 
appear to query for their own app store first, my results work only half the 
time.

Has anyone else figured out a way to solve this madness?  We are not going to 
open up the SSID to everything, because people would just use it and not the 
proper wireless.


Ryan H Turner

********** Participation and subscription information for this EDUCAUSE 
Constituent Group discussion list can be found at 
http://www.educause.edu/groups/.

CONFIDENTIALITY: Any information contained in this e-mail
(including attachments) is the property of The State of Texas and
unauthorized disclosure or use is prohibited. Sending, receiving or
forwarding of confidential, proprietary and privileged information is
prohibited under Lamar Policy. If you received this e-mail in error,
please notify the sender and delete this e-mail from your system.