shcaerp

Q: Reachability ports

Does anyone know what the ports are for reachability?  The problem is that my server has a public address but is protected by a firewall.  I have opened ports so all my services are accessible through the firewall but reachability says no services are available.  If I turn off the firewall - without any other changes - the server shows all services available through reachability.  Does anyone know what gives with this?  And I don't even want to get started on the WHOLE reachability mess!!!

Posted on Oct 26, 2015 4:59 PM


  • by shcaerp,

    shcaerp, Level 1 (59 points), Servers Enterprise, Oct 27, 2015 8:19 AM in response to shcaerp

    Nobody knows??? Really????

  • by Linc Davis,

    Linc Davis, Level 10 (207,963 points), Applications, Oct 27, 2015 5:58 PM in response to shcaerp

  • by shcaerp,

    shcaerp, Level 1 (59 points), Servers Enterprise, Oct 27, 2015 8:12 PM in response to Linc Davis

    Thanks for your response.  I had already gone over that list several times and there is no indication of which port/ports are used for reachability.  Maybe when I have some spare time I can go through the list and test as many as possible against the firewall.  But for now it's a "needle in a haystack" situation.

    I have all the needed ports for services open through the firewall and they work fine.  The reachability on the server says there are "no services available" therefore it uses the .local name for all services.  There should be a way to set that without the goofy reachability piece!

  • by Linc Davis, Helpful

    Linc Davis, Level 10 (207,963 points), Applications, Oct 28, 2015 7:23 AM in response to shcaerp

    I had already gone over that list several times and there is no indication of which port/ports are used for reachability.

    Those are the ports, some of them anyway. "Reachability" means reachable from the Internet. An Apple host checks to see whether the ports are open. You can turn off reachability checking in the server settings if it's causing a problem for you.

  • by shcaerp,

    shcaerp, Level 1 (59 points), Servers Enterprise, Oct 28, 2015 7:10 AM in response to Linc Davis

    Thanks Linc for your response.  I may just turn it off - and would have already - but the FQDN does not show on the service unless reachability has determined its status!  That said, the ports are opened and the services are available and "reachable" so I will just turn it off.

    The thing I can't figure out though is that if I open all ports on the firewall, reachability works on 10.11 server.  If I simply open just the ports I need (from that list) it doesn't!  Oh well too much time messing with it...........

  • by MrHoffman, Helpful

    MrHoffman, Level 6 (15,627 points), Mac OS X, Oct 28, 2015 6:26 PM in response to shcaerp

    See if it's ping.  That's not a port, but it's a very common test.

    What Apple uses, donno.  Check your firewall logs for network traffic arriving from 17/8-land.

    Here's the general doc for the associated API.

  • by shcaerp,

    shcaerp, Level 1 (59 points), Servers Enterprise, Oct 28, 2015 9:49 AM in response to MrHoffman

    Well you may be on to something!  I could not ping the server so I allowed it in the firewall.  The server has a public IP but it is protected by a firewall.  I made sure I could ping and then reinstated my port restricted list and reachability reported "no services available".

    I will continue to play with this as I have time to see if I can find an answer.

  • by MrHoffman,

    MrHoffman, Level 6 (15,627 points), Mac OS X, Oct 28, 2015 10:15 AM in response to shcaerp

    shcaerp wrote:

    Well you may be on to something!  I could not ping the server so I allowed it in the firewall.  The server has a public IP but it is protected by a firewall.

    Since servers are usually serving something and since open ports are trivially detectable, disabling ICMP/ping at the firewall generally makes little sense for servers.

    "Stealth" might make some sense for hiding network-connected clients (and those clients that don't otherwise have ports open), but makes rather less sense for folks with open ports and for most servers — running a full scan of the active blocks of the entire IPv4 address space takes under four minutes for folks (q.v. the masscan tool), and the botnets are faster at scanning the address space than even that.

  • by shcaerp,

    shcaerp, Level 1 (59 points), Servers Enterprise, Oct 28, 2015 6:26 PM in response to MrHoffman

    I have a new Linux router that disables ICMP by default.  Didn't notice until I pinged from the outside to my gateway.  However, after enabling ICMP the OS X Server still says there are no reachable services if I only open the specific ports I want to use.  If I open consecutive ports from 80-65535, reachability works.  I suppose I could take the time to narrow it down until reachability quit working but that is too time consuming.  If I ever figure it out, I will report it to the forum.

  • by jayv., Solved answer

    jayv., Level 4 (1,290 points), Oct 28, 2015 8:08 PM in response to shcaerp

    IP Address Range Used by the Push Service

    Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to allow inbound and outbound TCP packets over port 2195. To reach the feedback service, you will need to allow inbound and outbound TCP packets over port 2196. Devices and computers connecting to the push service over Wi-Fi will need to allow inbound and outbound TCP packets over port 5223.

    The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 17.0.0.0/8 address block is assigned to Apple, so you can specify that range in your firewall rules.

    The reachability check might use the same feedback service so try those ports first.

    Source: https://developer.apple.com/library/ios/technotes/tn2265/_index.html
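
    An added example (not code from the thread or from Apple) that puts MrHoffman's advice and jayv.'s TN2265 excerpt together: it parses constructed iptables-style firewall log lines, keeps only traffic sourced from 17.0.0.0/8, and lists what the firewall dropped, so a restrictive rule set can be opened only as far as the reachability check actually needs. The log format, the addresses and the port labels are assumptions made for the example.

```python
# Added example, not from the thread: scan constructed iptables-style log lines
# for traffic from 17.0.0.0/8 (the Apple block jayv. quotes from TN2265) and
# report which protocols/ports it hit, i.e. the check MrHoffman suggests.
import ipaddress
import re
from collections import Counter

APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
# Ports named in TN2265; anything else is labelled "other:<port>".
KNOWN_PORTS = {2195: "apns-gateway", 2196: "apns-feedback", 5223: "apns-client"}

# Constructed sample log; addresses and ports are illustrative only.
SAMPLE_LOG = """\
Oct 28 18:20:01 gw kernel: FW-DROP IN=eth0 SRC=17.110.225.10 DST=203.0.113.5 PROTO=ICMP TYPE=8 CODE=0
Oct 28 18:20:02 gw kernel: FW-DROP IN=eth0 SRC=17.110.225.10 DST=203.0.113.5 PROTO=TCP SPT=55012 DPT=2195
Oct 28 18:20:02 gw kernel: FW-ACCEPT IN=eth0 SRC=17.110.225.11 DST=203.0.113.5 PROTO=TCP SPT=55013 DPT=443
Oct 28 18:20:03 gw kernel: FW-DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=22
Oct 28 18:20:04 gw kernel: FW-DROP IN=eth0 SRC=17.171.4.31 DST=203.0.113.5 PROTO=TCP SPT=55014 DPT=2196
"""

LINE_RE = re.compile(
    r"(?P<action>FW-\w+) .*?SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+)"
    r"(?:.*?DPT=(?P<dpt>\d+))?"  # DPT is absent on ICMP records
)

def parse_line(line):
    """Return (action, src, proto, dport) or None for non-firewall lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dport = int(m.group("dpt")) if m.group("dpt") else None
    return m.group("action"), ipaddress.ip_address(m.group("src")), m.group("proto"), dport

def apple_traffic(log_text):
    """Count (action, proto, label) for packets sourced inside 17.0.0.0/8."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] not in APPLE_BLOCK:
            continue  # unparseable, or not from Apple's block
        action, _src, proto, dport = rec
        label = "icmp" if proto == "ICMP" else KNOWN_PORTS.get(dport, f"other:{dport}")
        hits[(action, proto, label)] += 1
    return hits

def dropped_apple_services(log_text):
    """Labels the firewall dropped: what a restrictive rule set must still allow."""
    return sorted({lbl for (act, _p, lbl) in apple_traffic(log_text) if act == "FW-DROP"})
```

    Run it against real log output by swapping SAMPLE_LOG for the gateway's log text; the dropped list is the set of allow rules still missing for the 17.0.0.0/8 source.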

  • by shcaerp,

    shcaerp, Level 1 (59 points), Servers Enterprise, Oct 29, 2015 7:04 AM in response to jayv.

    Unbelievable!!!! You da man!  Thanks for that find - I had been searching for days.

    The ports were already open that the article mentions, however what did the trick was to allow Apple's address space to have full access to my network servers.  Now they are acting like a starving nursing child that just found its mother!  I guess we trust the fruit company enough to allow access like this - but at least it works.