3 Replies Latest reply: Sep 9, 2013 10:29 AM by PatrickFist
Grandeco Level 1 (0 points)

Hi,

I'm setting up a server to manage our Mac Pros. For this I have two machines in a test environment at my disposal.

Mac Pros, mid 2012, 6-core, 12 GB RAM, ...

Server: Mac OS X 10.8, fully updated OS and the latest Server version.

Client: Mac OS X 10.7, fully updated

Both machines are a clean install of the OS; besides installing a few apps, nothing has happened with them.

Both Macs have a static IP from the DHCP server. I configured a forward and reverse record in our DNS for the OS X server.

The server has full access to the internet (normally everyone is behind a firewall / proxy (Websense)).

The client has access to the internet through the proxy; local domains are excluded.

In our internal network NO traffic is blocked.

Both machines can ping each other, and DNS resolution works.

No firewall is enabled on the machines.

Server:

I installed the Server app, created a certificate, set up Open Directory, enabled the website and activated the Profile Manager.

I also enrolled the Server into our AD, so I can use the user groups to manage the settings.

In Profile Manager the groups show up as expected.

Client:

I can connect to the website of the server and install the machine certificate (self-signed).

But when I try to "sign up" the machine, it installs the certificate without any problems, but the machine is not "enrolled", nor does it show up in the devices on the server side.

I tried:

removing all certificates from the client, rebooting, reinstalling the certificates, ...

requesting a new certificate on the server.

removing the proxy settings from the client, so all traffic has to go through our internal network.

using a different account to install the certificates.

reinstalling both OSes (reloaded an image I took) and trying again.

adding the server machine to be managed by the Server app; this works without any problems !! (the server shows up on the "mydevices" website)

Still have to try:

Allowing the client full access to the internet (so not behind a proxy) => not something we are keen on !!!

Am I missing something?

How can I test if all requirements are met?

Is there a way to test where the problem lies?

Thank you !!

Domien De Clercq


Mac Pro (Mid 2012), OS X Mountain Lion (10.8.3)
  • Grandeco Level 1 (0 points)

    Anyone?

  • Grandeco Level 1 (0 points)

    Ok... despite the overwhelming response on this forum, I contacted Apple support to find the solution.

    All Macs need internet access to send and receive the Apple Push Notifications, even if the server is on the same network....

    For those behind a firewall / proxy and not quite keen on letting clients have full access: all Apple servers are on the 17.0.0.0/8 range.

    For those looking to restrict even more (http://support.apple.com/kb/HT5302):

    Port        Protocol  Use
    2195, 2196  TCP       Used by Profile Manager to send push notifications
    5223        TCP       Used to maintain a persistent connection to APNs and receive push notifications
    80/443      TCP       Provides access to the web interface for Profile Manager admin
    1640        TCP       Enrollment access to the Certificate Authority

    Kind regards,

    Domien
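Since the original question asks how to test whether the requirements are met, here is an added shell script (not from the thread or from Apple) that probes the ports listed above from the Mac being diagnosed and reports what the APNs hostname resolves to. The hostnames `server.example.com` and `courier.push.apple.com`, and which host each port is probed against, are assumptions of the example.

```shell
# Added example (not from the thread): run on the Mac being diagnosed to test
# whether the ports quoted from HT5302 can actually be reached. The hostnames
# and which host each port is probed against are assumptions of this script.
PM_SERVER=${PM_SERVER:-server.example.com}      # assumption: your Profile Manager host
APNS_HOST=${APNS_HOST:-courier.push.apple.com}  # assumption: an APNs endpoint

# Constructed table in the shape of the thread's list: "ports|target|purpose".
PORT_TABLE='2195,2196|apns|Profile Manager sends push notifications
5223|apns|Persistent connection to APNs to receive push notifications
80,443|pm|Profile Manager web interface
1640|pm|Enrollment access to the Certificate Authority'

# 0 if the dotted-quad IPv4 address falls inside Apple's 17.0.0.0/8 block.
in_apple_range() { case "$1" in 17.*) return 0 ;; *) return 1 ;; esac; }

# Expand the table into one "host port purpose" line per port.
expand_ports() {
    printf '%s\n' "$PORT_TABLE" | while IFS='|' read -r ports target purpose; do
        case "$target" in
            apns) host=$APNS_HOST ;;
            *)    host=$PM_SERVER ;;
        esac
        printf '%s\n' "$ports" | tr ',' '\n' | while read -r port; do
            printf '%s %s %s\n' "$host" "$port" "$purpose"
        done
    done
}

# 0 if a TCP connection to host:port opens within the timeout (nc ships with OS X).
tcp_open() { nc -z -w "${3:-5}" "$1" "$2" >/dev/null 2>&1; }

# Show what APNS_HOST resolves to and whether that address is in 17.0.0.0/8,
# the range the thread suggests exempting from the proxy (needs dig).
report_apns_range() {
    ip=$(dig +short A "$APNS_HOST" | head -n 1)
    if in_apple_range "$ip"; then echo "$APNS_HOST -> $ip (inside 17.0.0.0/8)"
    else echo "$APNS_HOST -> ${ip:-unresolved} (NOT inside 17.0.0.0/8)"; fi
}
# Probe every port, print one line each, and return the number of blocked ports.
run_checks() {
    fails=0
    while read -r host port purpose; do
        if tcp_open "$host" "$port"; then printf 'OK      %s:%s  %s\n' "$host" "$port" "$purpose"
        else printf 'BLOCKED %s:%s  %s\n' "$host" "$port" "$purpose"; fails=$((fails + 1)); fi
    done <<EOF
$(expand_ports)
EOF
    return "$fails"
}
```

Source the file on the client (with PM_SERVER set to your server's DNS name) and run `report_apns_range; run_checks`; a BLOCKED line for the APNs host on 5223 is the proxy situation described in this thread.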

  • PatrickFist Level 1 (0 points)

    Hey Grandeco,

    this is fine. But do you know which ports are incoming and which are outgoing?

    Thx,

    Grandeco wrote:

    Ok... despite the overwhelming response on this forum, I contacted Apple support to find the solution.

    All Macs need internet access to send and receive the Apple Push Notifications, even if the server is on the same network....

    For those behind a firewall / proxy and not quite keen on letting clients have full access: all Apple servers are on the 17.0.0.0/8 range.

    For those looking to restrict even more (http://support.apple.com/kb/HT5302):

    Port        Protocol  Use
    2195, 2196  TCP       Used by Profile Manager to send push notifications
    5223        TCP       Used to maintain a persistent connection to APNs and receive push notifications
    80/443      TCP       Provides access to the web interface for Profile Manager admin
    1640        TCP       Enrollment access to the Certificate Authority

    Kind regards,

    Domien