HT202487: Ports used by Profile Manager in macOS Server

Learn about Ports used by Profile Manager in macOS Server
ALEX-IT

Q: How can you change the MDM ports?

How can you change the MDM ports? Especially port 443, which is needed for Exchange ActiveSync - you can't push via MDM and have the Exchange running, which settings are to be pushed.

Posted on Feb 19, 2016 11:47 AM


  • by chattphotos,

    chattphotos Feb 21, 2016 3:56 PM in response to ALEX-IT
    Level 4 (2,442 points)
    Desktops

    What email server are you running on the server?

    Can you share a screenshot of the error message Server is alerting?

    Also, some apps can share ports...

  • by John Lockwood,

    John Lockwood Feb 22, 2016 2:27 AM in response to ALEX-IT
    Level 6 (9,379 points)
    Servers Enterprise

    You cannot change the MDM ports.

    It is more typical to have different servers acting as the MDM system and the Mail server system. In a more complex setup it might be possible to have both host names, e.g. mdm.domain.com and activesync.domain.com, go to the same public IP address and on that have a reverse proxy server which forwards them to the individual servers.

  • by ALEX-IT,

    ALEX-IT Feb 23, 2016 4:01 AM in response to John Lockwood
    Level 1 (0 points)

    Sadly you cannot NAT MDM, it forces itself to be on port 443 - so that won't work.

    Both 443 servers are behind the same global IP (in the company). How could a reverse proxy help here?

    I can bind exchange.domain.com to global IP + bind mdm.domain.com to the same global IP - but it won't work via proxy:

        <VirtualHost *:443>
          ServerName mdm.domain.tld
          ServerAlias mdm.domain.tld

          SSLProxyEngine On
          ProxyPass / https://mdm.company.local/
          ProxyPassReverse / https://mdm.company.local/

          SSLEngine on
          SSLCertificateFile /etc/myssl/public.pem
          SSLCertificateKeyFile /etc/myssl/privkey.pem
          SSLCertificateChainFile /etc/myssl/chain-class2.pem
        </VirtualHost>

    John Lockwood wrote:

    You cannot change the MDM ports.

    It is more typical to have different servers acting as the MDM system and the Mail server system. In a more complex setup it might be possible to have both host names e.g. mdm.domain.com and activesync.domain.com go to the same public IP address and on that have a reverse proxy server which forwards them to the individual servers.

  • by ALEX-IT,

    ALEX-IT Feb 23, 2016 4:06 AM in response to ALEX-IT
    Level 1 (0 points)

    Let's say I have locally:

    exchange.domain.local:443
    mdm.domain.local:443

    and a linux.domain.local:543 (reverse proxy) to mdm.domain.local:443, it's still the port 543 to be used for mdm.domain.com (pointing to global IP) ...

  • by Strontium90,

    Strontium90 Feb 23, 2016 5:04 AM in response to ALEX-IT
    Level 5 (4,087 points)
    Servers Enterprise

    Get a second ethernet adaptor or multi home the existing port. What server hardware are you on? A Mac mini? Allow Profile Manager to claim the primary port and host name for your domain. Then put your mail solution on the second adaptor or address. Now you can run two services requiring 443 on the same machine as the port will bind to unique addresses. Are you running Kerio? Communigate? Either will let you bind to a network address.


    Reid

    Apple Consultants Network

    Author - "El Capitan Server – Foundation Services"

    Author - "El Capitan Server – Control & Collaboration"

    Author - "El Capitan Server – Advanced Services"

    :: Exclusively available in Apple's iBooks Store
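
The reverse-proxy layout described in John Lockwood's reply, written out as an added Apache 2.4 configuration (not posted by anyone in this thread): the proxy itself listens on 443 and chooses the back end by the requested host name, so neither service moves to another port. The name exchange.domain.tld, the back end exchange.company.local, all certificate paths and the internal CA file are placeholders, and the sketch assumes both back ends accept TLS terminated at the proxy.

```apache
# Added example, not from the thread. Needs mod_ssl, mod_proxy, mod_proxy_http.
# The proxy must own port 443 on the address the global IP is forwarded to
# (a "Listen 443" in the main config); the back ends keep 443 on their own hosts.

# Public name 1: MDM. Selected by the TLS SNI name / Host header.
<VirtualHost *:443>
    ServerName mdm.domain.tld

    SSLEngine on
    SSLCertificateFile    /etc/myssl/mdm-fullchain.pem      # placeholder path
    SSLCertificateKeyFile /etc/myssl/mdm-privkey.pem        # placeholder path

    # Proxy-to-back-end leg: SSLProxyVerify defaults to "none", so the
    # back end's certificate chain is not checked unless this is set.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/myssl/internal-ca.pem    # placeholder path
    SSLProxyCheckPeerName on

    ProxyRequests off                 # reverse proxy only, never a forward proxy
    ProxyPass        / https://mdm.company.local/
    ProxyPassReverse / https://mdm.company.local/
</VirtualHost>

# Public name 2: Exchange ActiveSync, same IP and same port 443.
<VirtualHost *:443>
    ServerName exchange.domain.tld    # placeholder public name

    SSLEngine on
    SSLCertificateFile    /etc/myssl/exchange-fullchain.pem # placeholder path
    SSLCertificateKeyFile /etc/myssl/exchange-privkey.pem   # placeholder path

    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/myssl/internal-ca.pem    # placeholder path
    SSLProxyCheckPeerName on

    ProxyRequests off
    ProxyPass        / https://exchange.company.local/      # placeholder back end
    ProxyPassReverse / https://exchange.company.local/
</VirtualHost>
```

Only the proxy host needs port 443 forwarded from the global IP; a request whose host name matches neither ServerName falls through to the first virtual host listed.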