
Profile Manager-Router Ports

Just finished installing Lion. I need to know which specific ports have to be opened on a firewall to support external access to Profile Manager for provisioning iPhone/iPad.

iPad, iOS 4.3.3

Posted on Jul 27, 2011 5:27 PM


Aug 4, 2011 12:50 AM in response to YLEECoyote

Credit to Arek Dreyer for these


If you need to access your MDM server from the "outside world", you need the following ports, all TCP:

Web SSL: 443

APNS: 5223

SCEP: 1640


Alternatively, if you don't need access from outside world to your MDM server you only need:

APNS: 5223


Without access to APNS, the whole profile pushing etc. won't work.

Aug 9, 2011 8:11 AM in response to hjlinde

Just for my clarification, please... For external access, must the Internet router have a static IP and those ports forwarded to the MDM server?


I was also wondering where in the process the device learns the external IP of the server to contact. I understand when there's an update/lock/wipe/etc. the server contacts the APNS, the APNS tells the device to contact the server, but how does the device know the address of the server?


Thanks for any additional info anyone can provide.

Aug 9, 2011 8:37 AM in response to kmarkevich

To answer your second question: I'd wager that it's during the enrollment of the devices, which installs a profile on the device. From there it knows where its MDM server is. With that in place, it simply receives push notifications which tell it, "oi! go fetch at the MDM". Haven't played around too much with it, but that's my guesstimate.


Re your first question. I'm about to actively play with it so then I'll probably know more, but in the meanwhile....

http://developer.apple.com/library/ios/#technotes/tn2265/_index.html


That should help you.

Aug 9, 2011 9:51 AM in response to hjlinde

Thanks. It's a pain without proper documentation. We did get Profile Manager working, although within a closed network. It's quite slick when it works.


However, we need to access the devices over the Internet and cell network, so was wondering what exactly is required. The Profile Manager Help doc states the MDM server must have a static Internet IP. And with those ports open I would believe. We're just looking at doing that in the most secure manner.

Sep 21, 2012 5:19 AM in response to iSumi

This is an old post but it comes up in Google searches now and it's important people don't make firewall mistakes.


Ports 5223, 2195 and 2196 are for outbound purposes only and are only for contact with Apple's 17.0.0.0/8 network. Firewalls should lock these down to 17.0.0.0/8. Devices do not talk to your server on these ports. So you should not open these ports inbound to your network. Neither do you need to forward them in a NAT'd environment. Your server is the only thing which needs 2195 and 2196. The devices and the server will use 5223. They create outbound persistent connections to these. The connection to these will never be initiated inbound to devices or the server.


Your devices do need to contact your server on 443 and 1640.
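The inbound/outbound split described in this reply, written out as a pf rule set for a pf-based gateway (OS X Mountain Lion or BSD) sitting in front of the MDM server and the managed devices. This is an added example, not Apple's configuration and not anything posted in the thread; the interface name en0, the server address 203.0.113.10 and the device LAN 10.0.0.0/24 are placeholders you would replace with your own values.

```pf
# Added example (not from the thread): MDM / Profile Manager firewall policy.
# Placeholders: en0 = external interface, 203.0.113.10 = MDM server,
# 10.0.0.0/24 = LAN holding the managed devices.
ext_if     = "en0"
mdm_server = "203.0.113.10"
device_lan = "10.0.0.0/24"
apple_net  = "17.0.0.0/8"     # the only destination for the APNs ports

set skip on lo0

# Default deny in both directions on the external interface; the rules below
# open only the MDM-related paths. DNS, NTP and other traffic need their own rules.
block in  log on $ext_if all
block out log on $ext_if all

# The APNs ports are never initiated inbound toward devices or the server,
# so nothing ever needs to accept them from outside.
block in quick on $ext_if proto tcp from any to any port { 2195, 2196, 5223 }

# Devices (Internet or cellular) reach the server on 443 (web/MDM over SSL)
# and 1640 (SCEP enrollment). Only these two ports, only to the server.
pass in on $ext_if proto tcp from any to $mdm_server port { 443, 1640 } \
    flags S/SA keep state

# Outbound persistent APNs connections: every device and the server use 5223,
# restricted to Apple's 17.0.0.0/8.
pass out on $ext_if proto tcp from { $device_lan, $mdm_server } to $apple_net \
    port 5223 flags S/SA keep state

# Only the server sends pushes on 2195/2196, again only to Apple's network.
pass out on $ext_if proto tcp from $mdm_server to $apple_net \
    port { 2195, 2196 } flags S/SA keep state
```

Load it with `pfctl -nf /path/to/pf.conf` first: `-n` parses the file without changing the running rule set, so a typo shows up before anything is enforced. If the gateway NATs the server, the inbound rule needs a matching `rdr` to the server's private address; that part depends on your network layout and is not shown here.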

Oct 10, 2012 1:38 AM in response to MattRK

They don't regularly communicate on those ports by themselves without prompting from you. Any time you save changes to the configuration profile(s), the devices will be told to go get the profile(s) by the APNS. So your devices will need to be able to access those ports any time you change the profiles. Additionally, other information pulls from the devices that you might trigger will also require those ports to be open so that the devices can deliver the requested info to your server.


Perhaps, though, if you think your profiles are settled and you won't require regular info updates from the devices, then you could close those ports until needed again. Even if you wanted to lock or remote wipe the devices outside of your network, that should still work without those ports being open. For locking or remote wiping, the APNS will deliver those instructions to the device. It doesn't need to dial home first in those cases.

Apr 25, 2013 6:39 AM in response to Andrew-ACT-ACSA

Hi All

I have configured MDM with Mountain Lion, Server Tools 2.2.1; it worked fine with an iOS device (checked with iPad).

But when I push to OS X devices, it gets stuck. After a lot of searching on Google I found some threads where people had the same issues.



http://serverfault.com/questions/102416/iptables-equivalent-for-mac-os-x/105736#105736
https://discussions.apple.com/thread/4254271?start=0&tstart=0

https://discussions.apple.com/thread/4257714

http://krypted.com/iphone/managing-ios-devices-with-apple-configurator/


The solution was to open the following ports:

To use Profile Manager, you should ensure that the following ports are open on your network.


Port         TCP/UDP   Description
2195, 2196   TCP       Used by Profile Manager to send push notifications
5223         TCP       Used to maintain a persistent connection to APNs and receive push notifications
80/443       TCP       Provides access to the web interface for Profile Manager admin
1640         TCP       Enrollment access to the Certificate Authority


But when I tried to open the ports (tried both text-based and with IceFloor):

sudo ipfw add 27860 allow tcp from any to any dst-port 2196
sudo ipfw add 27860 allow tcp from any to any dst-port 2195
sudo ipfw add 27860 allow tcp from any to any dst-port 5223

When I use sudo lsof -i -P | grep -i "listen", it did not show me whether the ports are open.

Apr 25, 2013 7:03 AM in response to iPad786

Do you have your OS X firewall switched on? OS X clients don't talk on 2195/2196.


Your OS X Server won't respond on ports 2195/2196 and neither do the OS X clients. That's Apple's PNS servers. Only they will respond. You should use Network Utility to port scan gateway.push.apple.com for those ports. If you get an open response then it means your network is allowing communication with those ports. These ports are only relevant to the OS X Server. You should not be allowing every address on your network to talk to those ports unnecessarily.


Your OS X Server should respond to 1640. Again I'd recommend keeping it simple and using Network Utility for this. It's hard to go wrong. Clients do not respond on that port. They contact the server on that port.


You test from the client to the server (or APNS). You don't scan the clients for these ports to be open. You scan the server (or APNS).


To test for the clients' ability to receive PNs you need to port scan 1-courier.push.apple.com (1 can be changed to other integers) on port 5223.
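The checks this reply describes (test from the client toward the server and toward APNs, never scan the clients), as an added shell script that is not from the thread or from Apple. MDM_SERVER is a placeholder hostname; the Apple hostnames are the ones named in the reply. The script also addresses the earlier lsof question: `lsof -i` lists sockets that are listening on the local machine, so it cannot show whether an ipfw or pf rule exists; the firewall itself has to be asked (`ipfw list`, or `pfctl -sr` under pf).

```shell
#!/bin/sh
# Added example, not from the thread or from Apple: reachability checks for
# the Profile Manager / APNs paths discussed above. Run "client" on a managed
# Mac to test the paths a device needs, "server" on the OS X Server itself.
# MDM_SERVER is a placeholder hostname; replace it with your server's name.

MDM_SERVER="${MDM_SERVER:-mdm.example.com}"
TIMEOUT="${TIMEOUT:-5}"

# probe HOST PORT: return 0 if a TCP handshake to HOST:PORT completes.
# Uses nc when available, otherwise bash's /dev/tcp; no data is sent.
probe() {
    if command -v nc >/dev/null 2>&1; then
        nc -z -w "$TIMEOUT" "$1" "$2" >/dev/null 2>&1
    elif command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
    else
        bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
    fi
}

# check LABEL HOST PORT: print one result line; return probe's status.
check() {
    if probe "$2" "$3"; then
        printf 'OK       %-34s %s:%s\n' "$1" "$2" "$3"
    else
        printf 'BLOCKED  %-34s %s:%s\n' "$1" "$2" "$3"
        return 1
    fi
}

# What a managed device must reach: the server's MDM ports and the APNs
# courier port (the "1" in the hostname can be another integer, as noted above).
client_checks() {
    rc=0
    check "MDM / Profile Manager over SSL" "$MDM_SERVER" 443 || rc=1
    check "SCEP enrollment" "$MDM_SERVER" 1640 || rc=1
    check "APNs courier, push channel" 1-courier.push.apple.com 5223 || rc=1
    return $rc
}

# What only the server must reach: Apple's push gateway on 2195/2196, plus 5223.
server_checks() {
    rc=0
    check "APNs gateway" gateway.push.apple.com 2195 || rc=1
    check "APNs gateway" gateway.push.apple.com 2196 || rc=1
    check "APNs courier" 1-courier.push.apple.com 5223 || rc=1
    return $rc
}

# Firewall rules are not sockets: lsof -i shows what is listening locally,
# not whether an ipfw/pf rule exists. Ask the firewall itself (needs root).
show_firewall_rules() {
    if command -v ipfw >/dev/null 2>&1; then sudo ipfw list; fi
    if command -v pfctl >/dev/null 2>&1; then sudo pfctl -sr; fi
}

case "${1:-}" in
    client) client_checks ;;
    server) server_checks ;;
    rules)  show_firewall_rules ;;
    *) echo "usage: $0 client|server|rules" >&2 ;;
esac
```

A BLOCKED line for the server's 443 or 1640 when run from the Internet side means the inbound rule or the NAT forward is missing; a BLOCKED line for 5223 means the outbound path to 17.0.0.0/8 is closed and push will not work at all, which is the failure the thread warns about.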
