
Profile Manager-Router Ports

Just finished installing Lion. Need to know which specific ports are required to be opened on a firewall to support external access for Profile Manager for provisioning iPhone/iPad?

iPad, iOS 4.3.3

Posted on Jul 27, 2011 5:27 PM

33 replies

Apr 30, 2013 9:56 AM in response to iPad786

From your last post I got the impression you were running firewall commands on your OS X system. Unless that's your gateway to the Internet, that's not what needs ports opened. It's your Internet gateway's firewall that needs port rules set up for this. What is your Internet gateway? A router? A Cisco ASA firewall? Who admins the firewall between your OS X systems and the Internet connection?


You shouldn't need to run any firewall commands on your OS X systems if you are not using the built-in firewall on them. They have nothing to do with accessing those services through your Internet gateway.

Apr 30, 2013 9:59 AM in response to Andrew-ACT-ACSA

Having said all that... it doesn't make sense that your iOS devices are working fine and OS X isn't. If the iOS devices work then it suggests the firewall (if there) between your iOS devices and the Internet is allowing the right signals through. If your OS X clients are on the same network as the iOS devices then there is no sense in them not working. Lion and Mountain Lion use the same stuff as iOS for push notifications and profile retrieval.

May 1, 2013 6:13 AM in response to iPad786

When you are trying to get the OS X clients to receive profile changes, are they on the same network as the OS X Server or are they outside of your network? If they are outside of your network, you need to enable port forwarding for TCP ports 80, 443 and 1640 to the private IP address of your OS X Server. The OS X Server also needs to have a public DNS name that points to the public address of your router. If you do not have a static public IP address on your router, you will need one or you will need a dynamic DNS service. You should be able to port scan your public address from outside of your network and detect that ports 80, 443 and 1640 respond. You should not be getting a response from 5223, 2195 and 2196.


Everything should just work inside your private network.

May 1, 2013 1:23 PM in response to Andrew-ACT-ACSA

Thanks Andrew for reply!

When you are trying to get the OS X clients to receive profile changes, are they on the same network as the OS X Server or are they outside of your network?

Yes, it's on the same network.

I have iPads on the same network as well and changes/push notifications are accepted by the iPads, not the OS X machines (I tried with a MacBook Pro, MacBook Air and white MacBook having Lion and Mountain Lion installed).

Nov 4, 2013 8:53 AM in response to Andrew-ACT-ACSA

Hi Andrew /all,

I am just new to trying to use OS X Server.

I have a big confusion on which ports need to be opened / forwarded.

What I see is that ports:

Port TCP 443 (https)

Port TCP 1640 (SCEP)

Port TCP 5223 (APNS)

Port TCP 2195 (APNS)

Port TCP 2196 (APNS)


need to be opened. Does "opened" mean forwarded to the local IP of the machine which is running OS X Server?


Thanks for the clarification, I am a little bit lost with this

Thanks

Nov 4, 2013 8:59 AM in response to jorgefa

Ports 5223, 2195 and 2196 are all outbound which means they should not be opened from the public side of your firewall. Your firewall just has to allow your internal devices to go outbound on these ports. Only the Server needs to go out on 2195 and 2196. All Apple devices need to go out on 5223.


From the outside world (as well as inside your network) the server needs to be contactable on 443 and 1640. So you would open 443 and 1640 for inbound requests from the public.
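Andrew's May 1 post suggests port-scanning the public address from outside the network, and the post above gives the expected direction of each port: TCP 443 and 1640 must answer (forwarded to the server), while 5223, 2195 and 2196 are outbound-only and must not answer from the public side. The following script is an added example, not code from the thread or from Apple; it automates that exposure check. `PUBLIC_HOST` is a placeholder for your server's public DNS name, and the script must be run from a host outside the network being tested. The port list follows the post above (the May 1 post also lists TCP 80; add it to `INBOUND_EXPECTED` if you forward it).

```python
"""Check Profile Manager port exposure on a gateway's public address.

Added example, not from the original thread or from Apple. Port roles are
taken from the thread: 443 and 1640 inbound to the server; 5223, 2195 and
2196 outbound-only (devices and server connect OUT to Apple on those).
"""
import socket

# Ports that must be reachable on the public address (forwarded to the server).
INBOUND_EXPECTED = {443: "Profile Manager over HTTPS", 1640: "SCEP enrollment"}

# Outbound-only APNS ports: nothing should answer on the public address.
OUTBOUND_ONLY = {
    5223: "APNS (all Apple devices, outbound)",
    2195: "APNS gateway (server, outbound)",
    2196: "APNS feedback (server, outbound)",
}


def port_answers(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connect to host:port completes, i.e. something listens or forwards there."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: treated as "does not answer"
        return False


def probe_ports(host: str, ports, timeout: float = 3.0) -> dict:
    """Probe each port once; returns {port: answered}."""
    return {p: port_answers(host, p, timeout) for p in ports}


def audit(results: dict, inbound_expected=INBOUND_EXPECTED, outbound_only=OUTBOUND_ONLY) -> list:
    """Compare probe results with the expected exposure.

    Returns a list of (port, severity, message). An empty list means the
    gateway matches the thread's advice: inbound ports answer, APNS ports do not.
    """
    findings = []
    for port, desc in inbound_expected.items():
        if not results.get(port, False):
            findings.append((port, "missing",
                             f"TCP {port} ({desc}) does not answer: forward it to the server's private IP"))
    for port, desc in outbound_only.items():
        if results.get(port, False):
            findings.append((port, "exposed",
                             f"TCP {port} ({desc}) answers from outside: it is outbound-only, remove the inbound rule"))
    return findings


def start_local_listener():
    """Open a listener on 127.0.0.1 (ephemeral port) so the probe can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    """Pick a 127.0.0.1 port with no listener: bind to an ephemeral port, note it, close it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    PUBLIC_HOST = "server.example.com"  # assumption: replace with your public DNS name
    ports = list(INBOUND_EXPECTED) + list(OUTBOUND_ONLY)
    results = probe_ports(PUBLIC_HOST, ports)
    for port in ports:
        print(f"TCP {port}: {'answers' if results[port] else 'no answer'}")
    for port, severity, message in audit(results):
        print(f"[{severity}] {message}")
```

A single TCP connect is enough for this check because the question is only whether the gateway forwards the port at all; it does not verify that the service behind it is Profile Manager. Run it from a host on a different network (a phone on cellular with a Python install, or a rented VPS), since a probe from inside the LAN tests the server, not the router.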

Nov 4, 2013 9:12 AM in response to Andrew-ACT-ACSA

Hey! thanks for your very quick answer!


I don't have a firewall, just a DSL router from the telco company.

So, if I have understood correctly (not sure...)

On the router, I have to open the ports 443 and 1640 and forward them to the local IP of the server


Regarding ports 5223, 2195 and 2196, do nothing?

Sorry, I am a little bit lost with this

Thanks a lot for your help

Jan 9, 2014 11:02 AM in response to Omniver

If you are working internally only then you do not need to allow any inbound access. Your clients just need access to TCP 5223 outbound. The server only needs TCP 2195 and 2196 outbound.


Your internal network should allow 443 and 1640 from the internal clients. If you do not put a firewall between server and clients then you have nothing to do internally.

Jan 9, 2014 12:49 PM in response to Andrew-ACT-ACSA

Thank you for the reply Andrew. I do want external (Internet) devices to be able to receive and respond to pushed profile changes, I just don't ever want the Profile Manager administrative interface - or any other interface not essential to servicing the remote devices - to be available from the Internet. Devices will be enrolled while on the internal network and then given to the users to go off network.


So I think I still have the same question, will 1640 open from the Internet to the Profile Manager server be enough to ensure remote devices can connect back in response to APNS pushes?
