1

Mavericks OS X Server - Profile Manager - Do Profile Manager ports have to be mapped on the Router for full functionality?

I noticed that Server asks if I want Profile Manager ports to be available. I checked the settings it adds to the Router and it maps tcp ports 80, 443, and 1640 for the Server.

Port 80 is just the apache web server, so it adds that so you can access web interface. Port 443 is again the ssl apache web server for the same reason as above.

What about port 1640?

The truth is I don't want profile manager to be accessible from the outside (via the web interface), but I do want it to function normally. Should I leave this tcp 1620 in there or can I safely remove all of them and Profile Manager will keep on working?

PS. Also found this document on Apple's support site http://support.apple.com/kb/HT5302 It seems to add more ports to the mix, ports that don't seem to appear anywhere in the automatic configuration.

2195, 2196 Used by Profile Manager to send push notifications

5223 Used to maintain a persistent connection to APNs and receive push notifications

80/443 Provides access to the web interface for Profile Manager admin

1640 Enrollment access to the Certificate Authority

unom
  • 281
  • 5
  • 13

1 Answers1

1

Ports 2195, 2196, and 5223 do not need to be mapped, because they are used for outgoing connections to Apple's push notification servers. Unless you're doing egress filtering, you don't have to do anything about these. If you are doing egress filtering, make sure connections to Apple's 17.0.0.0/8 network block are allowed on these ports.

Port 1640 is used for the Secure Configuration Enrollment Protocol (SCEP). I haven't tested, but I think this only needs to be mapped if you want to enroll new devices when they aren't on the LAN. If you do all enrollments from inside the firewall, I think you can unmap this one.

Ports 80 and 443 are used for the web interfaces ("Profile Manager" for admins and "User Portal" for users), and for devices to download profiles. Push notifications are used to tell the devices about new/updated profiles, but not to send the actual profiles; for that, the devices contact the server on port 443 (assuming you have SSL set up) to download the profile itself. If you leave these unmapped, your devices will not receive any new/updated profiles until they're on the private network.

Net result: you don't actually need to map any ports, but if you don't your client devices will have limited capabilities when they're off the private network.

BTW, essentially the same limitations apply if you use a local or private hostname for your server (e.g. server.local or server.private) -- in these cases, the clients will not be able to resolve the server's address from outside the private network, and thus will not be able to enroll or download new profiles.

Gordon Davisson
  • 11,216
  • 4
  • 28
  • 33
  • My domain is server.private so from what I understand, once I enroll the device on my private network I don't need any ports to be mapped to control, upload apps or otherwise wipe it? – unom Jun 09 '14 at 10:35
  • In that case, you will not be able to control the client computers when they aren't on the private network (or VPNned in) anyway, so port mapping is irrelevant. I'm not sure about remote wipe, though -- that *might* work when the device isn't on the private network. – Gordon Davisson Jun 09 '14 at 18:06
  • Hmmm... even if the server.private has access to the internet, but just passthrough a router? I'm looking for best of both worlds. – unom Jun 09 '14 at 19:38
  • With a .private domain name, you can't really get the best of both worlds -- the server won't be addressable from the internet (just the private network), so there are intrinsically going to be things you can't do with clients outside the private net. – Gordon Davisson Jun 12 '14 at 00:50