I'm having an issue where I can't run updates on new computers running High Sierra - not on our corp network anyway. We had it set up so the Apple 17/8 range was allowed, but I'm noticing in Wireshark that when running "softwareupdate" it instead tries going to 18.104.22.168 direct, bypassing any proxy info, which is an Akamai address (I'd imagine this is regional).
I can't find this documented anywhere. Has anyone else noticed that software updates are now going to a non 17/8 address? Is there some documentation buried somewhere that would list this? I had a hell of a time getting the Apple netblock whitelisted, I'm not sure I can get Akamai addresses whitelisted.
Does, uh... anyone have any info on this? My searches are showing up not a whole lot.
@Asnyder Was there a range you had to whitelist, or just the one address? I noticed that the IP I got resolved to a name with "static" in it. I haven't done enough testing to see if this is the only address.
Also it looks like now that even though we've made exceptions to allow Apple addresses to go through the Proxy unauthenticated (which has worked fine up until now), in High Sierra it doesn't even attempt to adhere to proxy settings and just tries to connect direct. I've confirmed this by comparing Wireshark logs in Sierra and High Sierra.
Any info would be greatly appreciated, as I need to raise this with SecOps.
Hi @Aaron, I know we had some big problems with Akamai, try whitelisting:
There might be some more which are needed.
We had the network team monitor any software updates and add them one by one until finally the traffic was successful.
Can you run from terminal softwareupdate -l to get a list of available updates?
So I've been working closely with the networks team to try and work this out. With our current setup, we cannot whitelist against a wildcard (i.e. *.apple.com).
Looking around, I've found this: https://www.richard-purves.com/2016/09/10/apple-services/
Which lists a large number of Apple services and their DNS entries. It seems pretty comprehensive, but does anyone have any other documentation that can be added to this?
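
Added example, not part of the thread or any poster's own tooling: the "monitor the update traffic and add destinations one by one" approach described above can be worked from a capture export instead of by hand. This Python script takes rows of destination IP and TLS server name and lists the destinations that fall outside the already-allowed 17.0.0.0/8 range. The sample rows, their addresses, the hostnames in them and the function name are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Range the thread says was already allowed for Apple traffic.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")

# Constructed sample, NOT real capture data: tab-separated
# "destination IP <TAB> TLS server name" rows, the shape you get when
# exporting those two fields from a packet capture. Addresses outside
# 17/8 use documentation ranges; hostnames are illustrative.
SAMPLE = """\
17.0.0.10\tswscan.apple.com
203.0.113.25\tswcdn.apple.com
203.0.113.25\tswcdn.apple.com
198.51.100.7\tswdist.apple.com
17.0.0.44\t
not-an-ip\tswcdn.apple.com
"""


def outside_allowlist(rows, allowed=(APPLE_NET,)):
    """Return {hostname: [ip, ...]} for destinations not covered by `allowed`."""
    gaps = defaultdict(set)
    for line in rows.splitlines():
        if not line.strip():
            continue
        ip_text, _, sni = line.partition("\t")
        try:
            ip = ipaddress.ip_address(ip_text.strip())
        except ValueError:
            continue  # malformed row in the export, skip it
        if any(ip in net for net in allowed):
            continue  # already permitted by the existing rule
        # Group by server name so the request to the network team lists
        # each hostname once with every address it was seen on.
        gaps[sni.strip() or "(no SNI)"].add(ip)
    return {
        host: [str(i) for i in sorted(ips, key=lambda i: (i.version, int(i)))]
        for host, ips in gaps.items()
    }


if __name__ == "__main__":
    for host, ips in sorted(outside_allowlist(SAMPLE).items()):
        print(f"{host}: {', '.join(ips)}")
```

CDN-hosted names can resolve to different addresses over time, so the output reflects only the capture it was built from.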