Currently there are three solutions to resolve this issue:
Add the following entries within the IE exceptions page via Tools > Internet Options > Connections > LAN Settings > Advanced
> Exceptions: *.apple.com;*.mzstatic.com;*.edgesuite.net;*.akadns.net;*.akamai.net;*.edgekey.net
This will allow you to use ITunes without an authentication login prompt being displayed. A bypass within the Client Site Proxy's squid.conf file will not work as ITunes is unable to authenticate with the CSP, s an authentication conflict occurs.
Warning: *.akamai.net is used in conjuction with Web Streaming sites such as the bbc.co.uk, as such we do not recommend they bypass this site if you wish to block such content, as any Web Streaming relating policy rules will not apply. As such Option 2 is recommended in this instance.
If Option 1 is either not acceptable, or does not work for you(as ITunes does regularly change their data sources). You need to point directly out to the trips from the browser, for example proxy1.eu.webscanningservice.com.
From testing conducted, iTunes ignores any PAC file that the IE settings are point to (please see https://discussions.apple.com/thread/2530700?start=0&tstart=0).
The last option is to apply an agent bypass into the squid.conf file. This should allow for the traffic to pass through to the CSP server and send the traffic out by listening to the agent requests.
The following line will need to be added into the squid.conf file:
acl Itunes browser regexp iTunes
http_access allow Itunes
always_direct allow Itunes
In addition the following URL's will need to be added the squid.conf file as a URL exception:
*.apple.com;*.mzstatic.com;*.edgesuite.net;*.akadns.net;*.akamai.net;*.edgekey.net as a domain bypass.
#Bypass for domain.com
acl customname dstdomain .apple.com .mzstatic.com .edgesuite.net .akadns.net.akamai.net .edgekey.net
#TAG: Bypass NTLM & Trip
http_access allow customname
always_direct allow customname