Persuading Apple Airplay to Play Nice With the SonicWALL TZ200W
I’ve spent a good part of the last couple of days persuading Apple Airplay to play nice with the SonicWALL TZ200W. I was simply trying to watch the Curiosity landing over NASA TV streamed from my iPad onto our Apple TV. What started out as a simple goal turned into a major adventure. Interested parties should archive this post somewhere. You might also want to subscribe, as I plan to add to it if/when additional details are forthcoming from either Apple or Dell SonicWALL.
Update (already): I began writing this on August 7, 2012. Today is August 10. Even though the piece remains unfinished, I have a setup that seems to work. Sometimes. Read on for the gruesome details.
11 Aug 2012 11:13 -7 I added a link in the documentation download section to the MobileConnect user guide. I found it once on the SonicWALL site, but can’t seem to locate it, so I’ve posted it on my site.
17 Feb 2013 12:05 -8: Per comment from Adrian Cunanan I have included the relevant links here. SonicWALL now has a procedure much simpler than mine. No more VPN, saints be praised!
Updated, Simplified Instructions from Sonicwall
For Sonicwall Gen 4 appliances (see list below): http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=9059&SearchType=advanced&referrer=&gpn=&CustID=&bUseEditor=&keyword=airplay&rfield=&sortmethod=rel&usertype=&gpv=&catID2=&formaction=search&catID1=&IncludeHTML=&logsearch=False&catID3=&TotalResults=5491&sct=KB&submitbutton=Go&match=and
For Sonicwall Gen 5 appliances (see list below): http://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=10132
If you want to only allow the AirPlay/Bonjour ports, use this list: http://bowersandwilkins.custhelp.com/app/answers/detail/a_id/55/~/firewall-ports-utilised-by-airplay
Finally, enable Interface Trust on the Wireless Interface (Network > Zones).
Gen 4 appliances:
Gen4: PRO series: PRO 5060, PRO 4100, PRO 4060, PRO 3060, PRO 2040, PRO 1260
Gen4: TZ series: TZ 190, TZ 190 W, TZ 180, TZ 180 W, TZ 170, TZ 170 W, TZ 170 SP, TZ 170 SP Wireless
Gen 5 and 6 appliances:
Gen6: NSA E10800, NSA E10400, NSA E10200, NSA E10100
Gen5: NSA E8510, NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400 MX, NSA 240, NSA 220, NSA 220 /W, NSA 250M, NSA 250M /W
Gen5 TZ Series: TZ 100, TZ 100 Wireless, TZ 200, TZ 200 W, TZ 210, TZ 210 W, TZ 215, TZ 215 W, TZ 105, TZ 105 W, TZ 205, TZ 205 W
About five years ago we acquired a SonicWALL TZ180W security router. SonicWALL makes an entire line of internet security appliances with built-in antivirus, antispyware, intrusion prevention, and a bunch of other features. A few years later, with the 180 nearing the end of its product life cycle, we upgraded to the TZ200W. I can’t honestly say that we haven’t had problems, but I can assure you that the annual renewal of our service contract (about $350) is never questioned. In fact, most of our problems occur when, for one reason or another, we temporarily bypass the TZ200W or allow someone access to our network with a computer that has been infected. (As an added precaution, my wife and I mainly use our Macs these days, powering up our Windows computers only when absolutely necessary. We have also enabled MAC filtering on the WiFi for a bit of added security, with the caveat that a MAC address is trivially spoofed by anyone who can see the traffic, so the filter is a convenience control rather than a real access control.)
The TZ200W is a wonderful device, but it can also be a pain when it decides I am trying to do something dangerous. On a few occasions I have been delighted with this feature because, after the fact, I realized I actually was about to do something dangerous. On other occasions, the SonicWALL’s default “do not allow” behavior turns into a pain.
Our network setup is complicated by the “upgrade” to AT&T UVerse. This was forced on us about three months ago. Our experience with UVerse has run the gamut from very bad to nightmare. Among other things, we were forced to use an AT&T router that is notoriously bad at maintaining its link to DNS servers. The Motorola NVG510 has been OEM’ed by AT&T to make it even less useful than usual. A major feature in the NVG510 that has been removed by AT&T is access to a command-line interface (clearly documented in the Motorola manual). Which means you’re limited to whatever AT&T decided to put in the menu system. I’ll save you the trouble of looking: it’s diddly-squat.
So, connected to all this are two Macs, two Windows computers (one XP, one Win 7), and a couple of iPads (versions 2 and 3, I get the previous version when my lovely wife decides it’s time to upgrade). There’s also an Apple TV (version 2) connected by Ethernet and WiFi. Yes, the Apple TV’s MAC address is in the WiFi allowed group.
Apple Airplay allows wireless streaming from your iPad (and iPhone) to Apple TV. AirPlay Mirroring, which is what you want for something like the NASA TV stream, requires an iPad 2 or later (or an iPhone 4S or later). Naturally you need a reasonably up to date version of iOS. In theory the setup is easy. In fact, you really don’t have to do much of anything. The only restriction is that the Apple TV and the iPad must be on the same WiFi network, and “same” here means the same broadcast domain: the iPad discovers the Apple TV with Bonjour (multicast DNS to 224.0.0.251 on UDP 5353), and multicast does not cross subnets or firewall zones unless something relays it. That is exactly where a zone-based firewall like the SonicWALL gets in the way.
Before you go any further, consider a much simpler alternative. Apple’s latest OS release for the Mac, Mountain Lion (OS X 10.8), includes built-in AirPlay Mirroring from the screen to Apple TV. Anything that’s on the screen can be on the TV too. In our case, the main inconvenience is having the computer and the flatscreen in separate rooms, making it awkward to pause the streaming. But other than that, it’s easy and seamless. And the SonicWALL is transparent to the traffic. At least I’m pretty sure it is. We didn’t try Mountain Lion streaming until I had completed most of the setup below. Caveat emptor.
And Away We Go
Be sure the Apple TV has Airplay switched on (Settings/Airplay/On). If you want to set up a password, go ahead. You’ll have to enter this password in the iPad before you can connect. On the iPad, it’s a good idea to turn Bluetooth off, and maybe your 3G or 4G cellular connection. Once you’ve done that, double-click the iPad’s Home button and swipe the taskbar to the right until you see the audio controls. Between the fast-forward button and the volume control you’ll see a strange icon:
When you tap that icon you’ll see this:
Leave mirroring turned on. Some sites will override this automatically (notably NASA TV).
When you get back to the home screen, look carefully at the top bar of the iPad. You should notice two things. First, the bar is now blue. And second, there’s a new icon:
Give it a try. I recommend starting by streaming a slideshow from the iPad photo album. That seems to put the least strain on Airplay and will let you know if you have problems. After that, try Youtube (assuming it still exists on your iPad) or some other video. If it works, you can stop reading now. If not, read on … and on … and on.
OK, so nothing streamed. You probably got a dialog box saying something like “unable to connect to WiFi network.” Take a deep breath, this is not going to be much fun.
Going Hand-to-Hand With the SonicWALL
DISCLAIMER: Much of what follows is drawn from numerous sources. I may have included extraneous steps. It’s almost certain that your network setup doesn’t match mine. Some hacking with trial-and-error may be required. I strongly urge you to back up your router’s settings as well as your iPad before going any further. And this advice is worth what you paid for it, namely zero. There is no warranty, express or implied, with this material.
Wow. I promise I’ve never been to law school. The following instructions should at least get you close to enabling Airplay. You might read them through first to decide whether it’s really worth the trouble. I spent the better part of two days on this and am still not entirely convinced I did things correctly. I’m almost certain that my technique is totally inefficient. The setup includes opening a number of ports, enabling MultiCast almost everywhere, adding a relay protocol to the IP Helper section, setting up SSL VPN, and downloading and installing a couple of pieces of software from SonicWALL. If that sounds daunting, don’t do it. Find someone who is reasonably proficient, has a lot of patience, and proceeds carefully, making frequent backups. Determined to forge ahead? OK, read on.
Before you begin, visit the following SonicWALL knowledgebase entries and print them. Keep them very handy:
UTM SSL-VPN: How DNS name resolution works when using SonicWALL Mobile Connect software with Apple iOS (4.2 and above)
UTM/SMB SSL-VPN: How to create a connection in SonicWALL Mobile Connect (iOS 4.2 and above)
UTM: Configuring Multicast DNS (Bonjour) on Gen 4 SonicWALL Appliances
Quick guide: SSL VPN technical primer
SonicWALL MobileConnect User Guide:
Check your SonicWALL’s Firmware
Log in to the SonicWALL administration panel and go to System/Settings. Get the number of the SonicWALL firmware that’s currently installed. For my TZ200, the firmware was out of date (problem 1), so I updated to 220.127.116.11-4o. Visit the SonicWALL website and hunt around for support for your particular model. Ideally, you will use my.sonicwall.com — you have registered your firewall, haven’t you?
If the currently available firmware is a higher version than yours, download and install it. (If you don’t know how to update the firmware, please don’t go any further in these instructions. Call for help.)
Enable Multicast Everywhere
The easiest way to start is to enable multicast in about as many places as you can find it. Here are some places to look:
- Network/Interface/Configure each interface. On the “Advanced” tab check the Multicast checkbox.
- Firewall Settings/Multicast/Check the enable multicast box and the radio button for Enable reception of all multicast addresses.
Don’t worry, you’ll have plenty of other opportunities to enable Multicast along the way.
You may have found Network/Zones/Multicast which is set to untrusted. I didn’t change that and it didn’t seem to cause any problems.
Let’s get to the ports issue. The best source for this that I found was the Bowers and Wilkins support site. Ports are defined under Firewall/Service Objects. Scroll down to the Services section, then click Add for each port (or port range) you want to open. Give each a meaningful name, including the protocol and at least the starting port number. A service object by itself opens nothing; it only takes effect once an access rule (Firewall/Access Rules) references it, so create those rules from the WLAN zone to the LAN zone (or to an address object for the Apple TV), not for WAN traffic. The figure below shows my port openings. (Some of these are probably not necessary. And note that there will be a number of entries between the header and the actual listing for the Apple ports.)
Rather than try to do better than them, I’ll simply show you some of the settings:
There are a couple of issues. First, when the table says “TCP/UDP” I opened the port for both TCP and UDP. Second, RTSP is a pretty standard protocol. DAAP is Apple’s Digital Audio Access Protocol, the iTunes library-sharing protocol, which normally runs on TCP 3689. I never did figure out how to enable this on the SonicWALL — or even whether it was possible (or a good idea).
During my struggles, I spent a lot of quality time with the SonicWALL log file. I noticed the SSLVPN trying to access a number of UDP ports near the high end. I decided to open all UDP ports between 49000 and 65535 (entry 175 in the screen capture above). That is essentially the whole ephemeral range, so whatever range you settle on, make sure the rule that uses it runs only from the wireless zone to the Apple TV (or the LAN) and never from the WAN: a 16,000-port UDP allowance exposed to the internet defeats the purpose of owning the appliance. I also decided to open both TCP and UDP ports 4433 because SonicWALL documentation seems to suggest that’s the preferred port for SSLVPN.
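Rather than opening a 16,000-port range because “something near the high end” showed up in the log, you can let the log tell you exactly which destination ports the firewall dropped and create service objects for only those. The script below is an added example, not code from this post or from SonicWALL. The sample lines are constructed in the key=value layout SonicOS uses for syslog output; the message IDs and texts are illustrative, and the 172.16.31.x (W0) and 192.168.168.x (X0) addresses are the appliance’s default wireless and LAN ranges, used here as stand-ins.

```python
"""Tally dropped flows in SonicWALL syslog output to size service objects.
Added example; the log lines below are constructed, not from a real appliance."""
import re
from collections import defaultdict

# Constructed sample in the key=value layout SonicOS uses for syslog.
# Message IDs (m=) and texts are illustrative; real ones vary by firmware.
SAMPLE_LOG = """\
id=firewall time="2012-08-09 21:14:02" pri=1 c=32 m=41 msg="Unhandled link-local or multicast IPv4 packet dropped" src=172.16.31.12:5353:W0 dst=224.0.0.251:5353 proto=udp/5353
id=firewall time="2012-08-09 21:14:03" pri=1 c=32 m=36 msg="TCP connection dropped" src=172.16.31.12:49210:W0 dst=192.168.168.20:7000:X0 proto=tcp/7000
id=firewall time="2012-08-09 21:14:03" pri=1 c=32 m=36 msg="TCP connection dropped" src=172.16.31.12:49211:W0 dst=192.168.168.20:7100:X0 proto=tcp/7100
id=firewall time="2012-08-09 21:14:04" pri=1 c=32 m=37 msg="UDP packet dropped" src=172.16.31.12:49152:W0 dst=192.168.168.20:49152:X0 proto=udp/49152
id=firewall time="2012-08-09 21:14:04" pri=1 c=32 m=37 msg="UDP packet dropped" src=172.16.31.12:49153:W0 dst=192.168.168.20:49153:X0 proto=udp/49153
id=firewall time="2012-08-09 21:14:04" pri=1 c=32 m=37 msg="UDP packet dropped" src=172.16.31.12:49154:W0 dst=192.168.168.20:49154:X0 proto=udp/49154
id=firewall time="2012-08-09 21:14:05" pri=6 c=262144 m=98 msg="Connection Opened" src=172.16.31.12:53422:W0 dst=192.168.168.1:53:X0 proto=udp/53
"""

# key=value pairs; values may be quoted (msg="...") or bare (src=a:b:c)
KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Return the key=value fields of one log line, unquoting quoted values."""
    fields = {}
    for key, value in KV.findall(line):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return fields


def dropped_flows(log_text):
    """(proto, dst_ip, dst_port) for every line whose message says 'dropped'."""
    flows = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if "dropped" not in f.get("msg", "").lower():
            continue                      # accepted or informational event
        if "proto" not in f or "dst" not in f:
            continue                      # not a flow record
        proto = f["proto"].split("/")[0]  # "udp/5353" -> "udp"
        dst = f["dst"].split(":")         # "ip:port[:iface]"
        flows.append((proto, dst[0], int(dst[1])))
    return flows


def coalesce(ports):
    """Distinct ports -> sorted list of (start, end) contiguous ranges."""
    ranges = []
    for p in sorted(set(ports)):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def service_objects(flows):
    """{proto: [(start, end), ...]}: the minimal openings the log justifies."""
    by_proto = defaultdict(list)
    for proto, _ip, port in flows:
        by_proto[proto].append(port)
    return {proto: coalesce(ports) for proto, ports in by_proto.items()}


def destinations(flows):
    """Distinct destination hosts, so the access rule can be scoped to them."""
    return sorted({ip for _proto, ip, _port in flows})


if __name__ == "__main__":
    flows = dropped_flows(SAMPLE_LOG)
    for proto, ranges in sorted(service_objects(flows).items()):
        for start, end in ranges:
            label = str(start) if start == end else f"{start}-{end}"
            print(f"{proto.upper():4} {label}")
    print("scope the rule to:", ", ".join(destinations(flows)))
```

Feed it the appliance’s exported log (Log/View has an export button) and you get one line per protocol and contiguous port range to type into Firewall/Service Objects, plus the destination hosts so the access rule can be limited to the Apple TV instead of the whole LAN. The multicast drop to 224.0.0.251:5353 is the Bonjour traffic the IP Helper relay in the next step is meant to handle, not something to open with an access rule.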
The last two items are the mDNS entries. Let’s deal with those now.
Go to Network/IP Helper, then click Add in the Relay Protocols section. The name is MDNS, Port 1 is 5353, Port 2 is 0, the Timeout is 30, and check both Allow Source IP translation and Raw Mode. The dialog box should look like this:
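The relay above exists so that the iPad’s Bonjour queries on the wireless side reach the Apple TV on the LAN. A quick way to confirm whether discovery is actually crossing the firewall, before or after you add the relay, is to send a raw mDNS query from a Mac on the WiFi and see whether anything answers. The script below is an added example, not code from this post, SonicWALL or Apple. It assumes only the standard library and the two Bonjour service types an Apple TV advertises (`_airplay._tcp` for video and mirroring, `_raop._tcp` for audio); the reply bytes used to exercise the parser are constructed.

```python
"""Probe for AirPlay/Bonjour advertisements with a raw mDNS PTR query.
Added example (not from the original post); standard library only."""
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_PTR = 12
CLASS_IN = 1
# Service types an Apple TV advertises: AirPlay video/mirroring and RAOP audio.
AIRPLAY_SERVICES = ("_airplay._tcp.local", "_raop._tcp.local")


def encode_name(name):
    """Dotted name -> DNS wire format (length-prefixed labels, zero terminator)."""
    labels = name.strip(".").split(".")
    return b"".join(struct.pack("!B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(services=AIRPLAY_SERVICES):
    """One mDNS query asking for PTR records of each service type.
    mDNS queries carry ID 0 and flags 0 (RFC 6762, section 18)."""
    header = struct.pack("!HHHHHH", 0, 0, len(services), 0, 0, 0)
    questions = b"".join(encode_name(s) + struct.pack("!HH", TYPE_PTR, CLASS_IN)
                         for s in services)
    return header + questions


def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it).
    Bounded pointer hops so a hostile reply cannot loop us forever."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2                  # caller resumes after pointer
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_answers(data):
    """[(name, rtype, rdata)] for every record in a reply; PTR rdata is
    decoded to a name, other types are returned as raw bytes."""
    qd, an, ns, ar = struct.unpack("!HHHH", data[4:12])
    offset = 12
    for _ in range(qd):                           # skip echoed questions
        _, offset = decode_name(data, offset)
        offset += 4                               # qtype + qclass
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        if rtype == TYPE_PTR:
            rdata, _ = decode_name(data, offset)
        offset += rdlen
        records.append((name, rtype, rdata))
    return records


def airplay_instances(records):
    """Instance names (e.g. 'Apple TV._airplay._tcp.local') among the records."""
    return sorted({rdata for name, rtype, rdata in records
                   if rtype == TYPE_PTR and name in AIRPLAY_SERVICES})


def probe(timeout=3.0):
    """Multicast the query from this host and collect the instance names heard.
    An empty result from the WiFi segment means Bonjour is not crossing the firewall."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    found = set()
    try:
        sock.sendto(build_query(), (MDNS_GROUP, MDNS_PORT))
        while True:                               # runs until the timeout fires
            data, _ = sock.recvfrom(4096)
            try:
                found.update(airplay_instances(parse_answers(data)))
            except (ValueError, struct.error, IndexError):
                continue                          # malformed reply, ignore it
    except socket.timeout:
        pass
    finally:
        sock.close()
    return sorted(found)


if __name__ == "__main__":
    names = probe()
    print("AirPlay targets heard:", ", ".join(names) if names else "none")
```

Run it twice: once with the Mac on the WiFi and the Apple TV on Ethernet (the configuration this whole post is about), and once with both on WiFi. If the second run lists the Apple TV and the first does not, the problem is purely the zone boundary and the IP Helper relay is the right fix; if neither run hears anything, look at the Apple TV’s AirPlay setting and the WLAN’s multicast settings before touching any ports. Because the query goes out from an ordinary ephemeral port, the Apple TV answers it with a unicast reply, so the script works even where inbound multicast toward the client is filtered.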
Set Up VPN and SSL VPN
Create a User Account for VPN
Go to Users/Local Users and click Add. Remember that user names and passwords are likely to be case-sensitive. You only need to set up the Settings, Groups, and VPN access. Fill in the three screens like this:
The VPN Access tab only requires that you select SSLVPN IP pool. The rest of the address objects are filled in automatically.
IMPORTANT NOTE: Whenever you edit a local user you should re-enter the password. For whatever reason, the SonicWALL seems to lose track of this particular password.
Next, open Users/Local Groups and click Add Group. The name of the group should be SSLVPN Services. Add the user you just set up as the only member. Once again add the SSLVPN IP Pool on the VPN Access tab:
Set Up VPN
Under VPN/Settings there should already be two groups: WAN GroupVPN and WLAN GroupVPN. If those two exist, just make sure the General and Advanced tabs look like the following figures.
Note that for WAN GroupVPN only NetBIOS, Multicast and HTTP are checked on the advanced tab. This is important for security reasons. The General, Advanced, and Client tabs should look like this:
For the WLAN GroupVPN security is considerably more open. For whatever reason, I did not enable NetBIOS, but Multicast, HTTP, HTTPS, and SSH are all enabled. The three screens are here:
If you need to set up either the WAN GroupVPN or the WLAN GroupVPN, here are my best guesses at the settings. (These were already set up on my SonicWALL, although I believe I did have to check Multicast.) Click the Add button on the VPN/Settings/VPN Policies, then fill in the screens as shown below. The boxes you check on the Advanced tab will differ depending on whether you’re setting up the WAN or WLAN group. Refer to the six figures before this to get some idea of how to fill all this in.
Next click the VPN/Advanced link. The screen should look like this:
Set Up SSL VPN
Go to the Server Settings and click the red radio button next to LAN. The default SSLVPN port is 443. Several SonicWALL documents recommend changing this to 4433, which keeps the SSL VPN listener off the port normally used for HTTPS management of the appliance itself. So just make sure the SSL VPN Server Settings are as shown:
Next click the Portal Settings. The only thing you need to do here is check the “Launch NetExtender after login” box. (More on NetExtender soon.)
Now you need to set up the Client Settings. Click the obvious selection. You’re going to need an address range for your WiFi (W0). If you have assigned fixed IP addresses to one or more of your wireless devices, make sure the NetExtender start and end IP addresses do not overlap the fixed IP addresses. Of course, you can always change the fixed IP address. Your call. Try to use a narrow range since you won’t have to use many addresses. Your DNS server IP will also be different. (My DNS Server 1 is inherited from the UVerse router, which explains the goofy-looking Server 1 and 2 addresses.) You need a name for the DNS domain. This is used internally. Pick something short like myvpn.lan, but avoid a .local suffix: Apple devices reserve .local for Bonjour multicast resolution, which is the very mechanism this whole exercise depends on. I enabled nearly everything in the NetExtender Client Settings just because it seemed like that would cause fewest problems. Here’s my setup. Yours should look considerably different.
[Figure 27SSLVPNwithDomain here]
Next click the Client Routes link. Enable Tunnel All mode and select WLAN RemoteAccess Networks from the Add Client Routes pulldown. Then select DNS server 1 and DNS server 2:
Bored yet? The real fun is about to begin.
Login to My.Sonicwall.com and select Downloads/Free Downloads. From the pull-down menu, select NetExtender. You’ll see this:
Ignore the “Add to My Downloads” button. When you click the link, you get the file. You want NetExtender for the Mac. Download and install it on your Mac. The first time you launch the app, you’ll be asked for some basic (if not so obvious) information. Using your SSL VPN username and password, fill in the NetExtender screen like this:
NetExtender has a few settings. These are all you have to worry about:
Go to the App Store on your iPad and search for SonicWALL. You want SonicWALL MobileConnect. Download and install it. You’ll be asked to create a new connection. Start the process. The first screen asks for your name and server. As far as I can tell the user name must be FIREWALL. Again, don’t ask me why. The server is 172.16.31.1 (assuming you’re using the SonicWALL standard WiFi address). You’ll need your password and domain (most likely LocalDomain). Make sure you have turned off Bluetooth and/or 3/4G on your iPad before you try to connect. Also launch NetExtender on your Mac and click “Connect.”
Tap “Add new connection.” You’ll see this:
Fill in this screen:
Now it gets tricky. Tap the Next button in the upper right corner. You’ll probably see this:
Believe it or not you’re probably actually connected to Apple TV at this point. Double-click the iPad home button and swipe the Taskbar from left to right until you see this:
Tap the Airplay icon and select Apple TV. (If you don’t see Apple TV, go to the Apple TV setup and make sure Airplay is turned on — that’s Setup/General/Airplay.) You should (eventually) see this:
Look at the screen connected to your Apple TV. You should see the figure immediately above this. If not, my advice is to experiment with the MobileConnect connection. I had some luck at different times using these servers: 18.104.22.168:433 and 22.214.171.124:4433. If none of those work, make sure all your settings match in three places: the SonicWALL appliance, NetExtender, and the MobileConnect app.
If you’re connected, there are two things to notice. First, the bar at the top of the iPad has turned blue. Second there is an additional icon:
If you have actually succeeded in getting the Apple TV to mirror what’s on your iPad, it’s time for the first test. Swipe the Taskbar from left to right until you find the photo icon. Tap the icon and run a slideshow. See if the slideshow appears on the Apple TV screen.
Still images are easy. Video, however, uses more ports. Find the Youtube app in the Taskbar and try to play a video. If you can do that, you’re pretty much done.
One more thing about the MobileConnect “Verifying…” screen. As far as I can tell it doesn’t matter. In fact, I have connected to Apple TV from the main MobileConnect screen when the Status is “Disconnected.”
Once you’ve gone through all this, here are the steps you should follow in the future:
- On your iPad, turn off Bluetooth and 3G/4G. Make sure WiFi is on and connected.
- Make sure the computer that has NetExtender installed is switched on. NetExtender is supposed to launch automatically when the iPad tries to connect. When something goes wrong, the first thing you should try is launching NetExtender manually.
- On the Apple TV, unplug the Ethernet cable. This forces Apple TV to connect using WiFi, which puts it in the same zone and broadcast domain as the iPad, so Bonjour discovery no longer has to cross the firewall at all. From the Apple TV menus make sure WiFi is connected and that Airplay is on. I personally don’t use an Airplay password.
- On the iPad launch MobileConnect. Click the “Connect” button. If that works, fine. If not, click the arrow at the right end of the Connection bar, followed by the right arrow at the end of the Saved Connection bar. Make a change to the connection setup. For example, you might change 172.16.31.1 to 172.16.31.1:4433. The point is to activate the Next button in the upper right corner of the window.
- Double-click the home button on the iPad, swipe the Taskbar to the right until you see the output selection icon. Tap it and select Apple TV. Turn mirroring on.
You’re welcome. If you have comments, criticisms, or suggestions, please post them in the Comments section of my blog. I will try to periodically update this entry including a changelog.