Configuring WebMarshal to allow streaming media


This article applies to:

  • WebMarshal 6.X and 7.X

Question:

  • How do I configure WebMarshal to allow real time streaming?
  • Allowing Internet radio through WebMarshal
  • Allowing QuickTime, Windows Media Player, or Real Media through WebMarshal
  • Allowing BBC iPlayer through WebMarshal

Information:

WebMarshal 6.0 and above provides functionality to help control streaming media, including real time streaming. This functionality includes:

  • Immediate delivery (with no hold-back for content scanning)
  • Identification of streaming protocols within rule conditions

Available functionality and procedures differ depending on the version of WebMarshal.

In all cases WebMarshal only controls content delivered over HTTP or HTTPS. To block streaming media, you must also configure your firewall to stop other delivery methods. For information about ports used by these other methods, see Trustwave Knowledgebase article Q12021.

Where content is delivered over HTTPS, you must enable HTTPS Inspection and you must configure rules to inspect the sites that serve the content. For example, YouTube video is always served over HTTPS. You must enable inspection for the sites that serve the video streams. These sites may change from time to time.

WebMarshal 6.1 and above

WebMarshal 6.1 introduces Connection Rules, designed to allow full rule-based control of common streaming applications.

To allow streaming in WebMarshal 6.1, create a Connection Rule that allows a user to access streaming media applications. By default in new installations of WebMarshal 6.1 and above, any user included in the Standard Users group is allowed to access streaming media.

When streaming media use is allowed by a Connection Rule, the content is delivered immediately with no hold-back for scanning.

You can select from a number of streaming protocols, and you can add URL or user restrictions to a rule.

  • Note: Some streaming services, such as the BBC iPlayer service, use Flash Media Server. You may find that content from these services is blocked by Content Analysis rules even though you have allowed streaming media in Connection Rules. You can allow this content by ensuring that content type application/x-fcs is allowed.
    • In WebMarshal Console, view Active Sessions to determine the blocked content and the rule that is blocking it.
    • Modify the rule and add a condition "Except where the MIME content type is application/x-fcs".
    • Save the rule, and commit configuration.

WebMarshal 6.0

WebMarshal 6.0 and above provides the ability to configure a list of streaming content types. You can add MIME types to this list. Content of the types included on the list will not be held back for scanning.

To add types to this list, run the Proxy Server Wizard and add types on the Streaming Content Types window of the wizard. For more information, see Help for this window.

If you configure Connection Rules (in WebMarshal 6.1 or above), you do not need to add Streaming Content Types for the applications that are controlled by the Rules. In these versions you can use the Streaming Content Types functionality if you need to allow streamed content from applications that WebMarshal does not recognize.

Notes:

Some common MIME types used for streaming are:

  • video/x-ms-asf
  • application/vnd.ms.wms-hdr.asfv1
  • application/x-mms-framed
  • application/x-fcs

To determine the MIME types used by a particular site, enable "full logging" for the WebMarshal proxy service, make a request to the site, and examine the Content-Type information in the proxy service text log. For more information about logging, see the documentation for your version of WebMarshal.

Be aware that most sites use more than one MIME type, and the main content delivery is typically not through the first type that is used.

  • Only enable full logging briefly, because full logging consumes significant disk space and reduces WebMarshal performance.
  • Some streaming media clients cannot communicate through HTTP proxy servers. If you do not see media requests in the WebMarshal proxy logs, to allow access you may need to open additional ports in your firewall.
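
The proxy log check described above can be scripted. The following is an added example, not Trustwave code: it tallies Content-Type values in order of first appearance and reports which of the article's streaming types were seen but are not yet configured. It assumes the full log records headers as "Content-Type: <type>" text; the sample lines and function names are constructed for illustration and are not the real WebMarshal log layout.

```python
import re

# Streaming MIME types listed in this article's Notes section.
ARTICLE_STREAMING_TYPES = {
    "video/x-ms-asf",
    "application/vnd.ms.wms-hdr.asfv1",
    "application/x-mms-framed",
    "application/x-fcs",
}

# Assumption: each logged header appears as "Content-Type: <type>[; params]".
CONTENT_TYPE_RE = re.compile(r"content-type:\s*([^\s;,]+)", re.IGNORECASE)

# Constructed sample lines; NOT the real WebMarshal log layout.
SAMPLE_LOG = """\
10:00:01 RESP http://media.example/ Content-Type: text/html; charset=utf-8
10:00:02 RESP http://media.example/player.js Content-Type: application/javascript
10:00:03 RESP http://media.example/live Content-Type: application/x-fcs
10:00:04 RESP http://media.example/live Content-Type: application/x-fcs
10:00:05 RESP http://media.example/alt Content-Type: Video/X-MS-ASF
10:00:06 REQ  http://media.example/ping no headers logged
"""


def summarize_content_types(lines):
    """Return (mime, count, on_article_list) tuples in order of first appearance."""
    counts = {}  # dicts keep insertion order, so the first type seen stays first
    for line in lines:
        for match in CONTENT_TYPE_RE.finditer(line):
            mime = match.group(1).lower()  # MIME types are case-insensitive
            counts[mime] = counts.get(mime, 0) + 1
    return [(m, n, m in ARTICLE_STREAMING_TYPES) for m, n in counts.items()]


def streaming_types_to_add(lines, configured):
    """Article-listed streaming types seen in the log but not yet configured."""
    configured = {c.lower() for c in configured}
    return [m for m, _, listed in summarize_content_types(lines)
            if listed and m not in configured]


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for mime, count, listed in summarize_content_types(log_lines):
        flag = "  (streaming type from article)" if listed else ""
        print(f"{count:3d}  {mime}{flag}")
    print("To add:", streaming_types_to_add(log_lines, {"video/x-ms-asf"}))
```

Because content of the listed types is not held back for scanning, add only the types the site actually needs. Types that do not appear on the article's list still show in the summary for manual review.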

For additional information about connection methods used by streaming media applications, see Trustwave Knowledgebase article Q12021.


Last Modified 1/4/2017.
https://support.trustwave.com/kb/KnowledgebaseArticle12241.aspx