Profile Manager-Router Ports
Just finished installing Lion. Need to know what specific ports are required to open on a firewall to support external access for Profile Manager for provisioning iPhone/iPad?
iPad, iOS 4.3.3
Most of the items are accessible via 443 (HTTPS) for the enrollment web interface, but I also had to open port 1640 for SCEP in order to enroll any machines outside the firewall.
Is this why when I try to enroll, I am getting Certificate Error?
No, for that you'll need to either have a trusted SSL certificate to turn on profile signing, and install the trust profile before enrolling. I hear that works, though I have a CA-signed SSL cert so I'm not 100% sure.
Credit to Arek Dreyer for these
If you need to access your MDM server from the "outside world" you need the following ports, all TCP:
Web SSL: 443
APNS: 5223
SCEP: 1640
Alternatively, if you don't need access from outside world to your MDM server you only need:
APNS: 5223
Without access to APNS, the whole profile pushing etc won't work.
Just for my clarification, please... For external access, must the Internet router have a static IP and those ports forwarded to the MDM server?
I was also wondering where in the process the device learns the external IP of the server to contact. I understand when there's an update/lock/wipe/etc. the server contacts the APNS, the APNS tells the device to contact the server, but how does the device know the address of the server?
Thanks for any additional info anyone can provide.
To answer your second question: I'd wager that it's during the enrollment of the devices, which installs a profile on the device. From there it knows where its MDM server is. With that in place, it simply receives push notifications which tell it, "oi! go fetch at the MDM". Haven't played around too much with it, but that's my guesstimate.
Re your first question. I'm about to actively play with it so then I'll probably know more, but in the meanwhile....
http://developer.apple.com/library/ios/#technotes/tn2265/_index.html
That should help you.
http://itunes.apple.com/us/book/managing-ios-devices-mac-os/id455014665?mt=11
Finally, documentation that spells a lot of stuff out. Worth the $4.99.
Ports: 80/443/1640/5223
Watch out when creating SSL certificate. Testing the PM now.
SUCCESS! Heads up, do not try to enroll 2 devices at the same time. iPhone worked flawlessly. iPad initially had issues (worked 2nd time). Thanks to Jerry Miles @ Apple.
Thanks. It's a pain without proper documentation. We did get Profile Manager working, although within a closed network. It's quite slick when it works.
However, we need to access the devices over the Internet and cell network, so was wondering what exactly is required. The Profile Manager Help doc states the MDM server must have a static Internet IP. And with those ports open I would believe. We're just looking at doing that in the most secure manner.
Look here:
http://support.apple.com/kb/ts1629
http://developer.apple.com/library/ios/#technotes/tn2265/_index.html
For Profile Manager I opened/forwarded these ports:
Port TCP 443 (https)
Port TCP 1640 (SCEP)
Port TCP 5223 (APNS)
Port TCP 2195 (APNS)
Port TCP 2196 (APNS)
This is an old post but it comes up in Google searches now and it's important people don't make firewall mistakes.
Ports 5223, 2195 and 2196 are for outbound purposes only and are only for contact with Apple's 17.0.0.0/8 network. Firewalls should lock these down to 17.0.0.0/8. Devices do not talk to your server on these ports. So you should not open these ports inbound to your network. Neither do you need to forward them in a NAT'd environment. Your server is the only thing which needs 2195 and 2196. The devices and the server will use 5223. They create outbound persistent connections to these. The connection to these will never be initiated inbound to devices or the server.
Your devices do need to contact your server on 443 and 1640.
Andrew,
Are those two ports only used for enrollment, or do the devices regularly communicate with the server on those ports when they are outside of the network (on 3G/4G, for example)? I'm just wondering if I need to open those ports if I'm doing the enrollment from within my network.
Thanks!
They don't regularly communicate on those ports by themselves without prompting from you. Any time you save changes to the configuration profile(s), the devices will be told to go get the profile(s) by the APNS. So your devices will need to be able to access those ports any time you change the profiles. Additionally, other information pulls from the devices that you might trigger will also require those ports to be open so that the devices can deliver the requested info to your server.
Perhaps, though, if you think your profiles are settled and you won't require regular info updates from the devices, then you could close those ports until needed again. Even if you wanted to lock or remote wipe the devices outside of your network, that should still work without those ports being open. For locking or remote wiping, the APNS will deliver those instructions to the device. It doesn't need to dial home first in those cases.
Hi All
I have configured MDM with Mountain Lion, Server Tools 2.2.1; it worked fine with an iOS device (checked with iPad).
But when I push to OS X devices, it gets stuck. After a lot of searching on Google I found some threads where people had the same issues.
http://serverfault.com/questions/102416/iptables-equivalent-for-mac-os-x/105736#105736
https://discussions.apple.com/thread/4254271?start=0&tstart=0
https://discussions.apple.com/thread/4257714
http://krypted.com/iphone/managing-ios-devices-with-apple-configurator/
The solution was to open the following ports:
To use Profile Manager, you should ensure that the following ports are open on your network.
| Port | TCP/UDP | Description |
| --- | --- | --- |
| 2195, 2196 | TCP | Used by Profile Manager to send push notifications |
| 5223 | TCP | Used to maintain a persistent connection to APNs and receive push notifications |
| 80/443 | TCP | Provides access to the web interface for Profile Manager admin |
| 1640 | TCP | Enrollment access to the Certificate Authority |
But when I tried to open the ports (tried both text based and with IceFloor):
sudo ipfw add 27860 allow tcp from any to any dst-port 2196
sudo ipfw add 27860 allow tcp from any to any dst-port 2195
sudo ipfw add 78600 allow tcp from any to any dst-port 5223
When I use sudo lsof -i -P | grep -i "listen", it did not show me if the ports are open.
Do you have your OS X firewall switched on? OS X clients don't talk on 2195/2196.
Your OS X Server won't respond on ports 2195/2196 and neither do the OS X clients. That's Apple's PNS servers. Only they will respond. You should use Network Utility to port scan gateway.push.apple.com for those ports. If you get an open response then it means your network is allowing communication with those ports. These ports are only relevant to the OS X Server. You should not be allowing every address on your network to talk to those ports unnecessarily.
Your OS X Server should respond to 1640. Again I'd recommend keeping it simple and using Network Utility for this. It's hard to go wrong. Clients do not respond on that port. They contact the server on that port.
You test from the client to the server (or APNS). You don't scan the clients for these ports to be open. You scan the server (or APNS).
To test for the clients ability to receive PN's you need to port scan 1-courier.push.apple.com (1 can be changed to other integers) on port 5223.
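As an added example (not code from this thread or from Apple): a small Python reachability checker that encodes the direction rules Andrew gives above (only 443 and 1640 are inbound to the server; 5223, 2195 and 2196 are outbound only, towards 17.0.0.0/8) and the server/device test procedure in the last post. The hostnames are the ones named in the thread; the MDM hostname passed in is a placeholder you replace with your own server.

```python
import ipaddress
import socket

# Constructed from the port list in this thread. Direction matters: devices
# initiate connections TO the MDM server (443, 1640); the server and devices
# initiate connections OUT to Apple's APNs (5223; 2195/2196 server only), and
# Apple never connects back in, so only the first group needs inbound/NAT rules.
APPLE_PUSH_NET = ipaddress.ip_network("17.0.0.0/8")
INBOUND_TO_SERVER = {443: "HTTPS enrollment/profile web interface",
                     1640: "SCEP certificate enrollment"}
# Hostnames are the ones named in the thread; the 1 in 1-courier is one of several.
SERVER_EGRESS = [("gateway.push.apple.com", 2195, "APNs push gateway"),
                 ("gateway.push.apple.com", 2196, "APNs feedback"),
                 ("1-courier.push.apple.com", 5223, "persistent APNs connection")]
DEVICE_EGRESS = [("1-courier.push.apple.com", 5223, "persistent APNs connection")]


def in_apple_push_net(ip: str) -> bool:
    """True if ip is inside 17.0.0.0/8, the only destination the APNs ports need."""
    return ipaddress.ip_address(ip) in APPLE_PUSH_NET


def check_tcp(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes (the far end is listening)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False


def plan_checks(role: str, mdm_host: str) -> list:
    """(host, port, purpose) triples that a 'server' or 'device' must be able to reach."""
    if role == "server":
        return list(SERVER_EGRESS)
    if role == "device":
        return DEVICE_EGRESS + [(mdm_host, p, why) for p, why in INBOUND_TO_SERVER.items()]
    raise ValueError("role must be 'server' or 'device'")


def run_checks(role: str, mdm_host: str) -> list:
    """Run the plan from this host; returns (host, port, reachable) per check."""
    return [(h, p, check_tcp(h, p)) for h, p, _ in plan_checks(role, mdm_host)]


def open_local_listener():
    """Offline self-test helper: a listening socket on an ephemeral localhost port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(1)
    return s, s.getsockname()[1]
```

Run `run_checks("device", "mdm.example.com")` from a client outside your network and `run_checks("server", ...)` on the OS X Server itself; a False on an APNs host usually means egress to 17.0.0.0/8 is being filtered.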