[MacTUG] Profile Manager and Firewalls

Donald Duff-McCracken dsmccrac at uwaterloo.ca
Thu Mar 14 13:01:39 EDT 2013


Well Mike, I have to agree with you -- if that is what is required it kind of sucks. That is why I am throwing it out there to see if I am interpreting this correctly.

There are some apple reps who listen in on this from time to time, so maybe they might make some comments about APN and firewalls ;-)

All I know is that Apple Push Notifications are required to keep Mac clients in sync with their servers, and it is my understanding that APNs are coming from the mothership on 17.0.0.0/8

I do have my test environment up and running and I do have icefloor controlling my pf firewall, so I will tell 17.0.0.0/8 to leave me and my server alone for a while and see what the implications are. I should be able to determine this quickly as I will rebuild a machine and start monkeying around with the settings in profile manager, generating APNs. I will let y'all know what it does...

Any comments from others on their understanding of this?

don
------------------------------------
Donald Duff-McCracken
Technical Services Manager
Mapping, Analysis & Design
Faculty of Environment
University of Waterloo
(519) 888-4567 x32151
http://www.environment.uwaterloo.ca/computing/people/don.html
------------
To request help from MAD please use "Request Tracker". For info see: http://www.fes.uwaterloo.ca/computing/faculty_staff/
------------
This email communication is intended as a private communication for the sole use of the primary addressee and those individuals listed for copies in the original message. The information contained in this email is private and confidential and if you are not an intended recipient you are hereby notified that copying, forwarding or other dissemination or distribution of this communication by any means is prohibited. If you are not specifically authorized to receive this email and if you believe that you received it in error please notify the original sender immediately.
________________________________________
From: Mike Patterson [mike.patterson at uwaterloo.ca]
Sent: Thursday, March 14, 2013 12:16 PM
To: Donald Duff-McCracken
Cc: MacTUG
Subject: Re: [MacTUG] Profile Manager and Firewalls

I talked with Bruce Campbell a bit shortly after I sent my note to you this morning, Don, and we agree that if Apple actually does require MacOS clients of a 10.8 server to be available on public networks and to allow 17.0.0.0/8 access to them, that's an amazingly hostile move on Apple's part. For one, that would mean that if Waterloo's network was like most corporate networks, and was almost all private IP addresses internally with NAT for external access - like wireless is already, say - you couldn't use Macs in a managed environment.

That doesn't seem right at all.

Reading:
http://support.apple.com/kb/TS4264?viewlocale=en_US

It seems that they're only talking about iOS devices, so that shouldn't make a difference in your environment. And I believe they're talking about allowing those ports outbound, not inbound, although it's not particularly clear on some of the rules they suggest.

http://support.apple.com/kb/HT5302
seems to suggest you need the same ports for your lab, but I wonder if what they're talking about is your clients need to be able to talk to your server on those ports?

That's the only way it makes sense - surely Apple can't be telling people "oh, you've got a NAT? tough, can't run our software then."

Mike

--
Nothing is more dangerous than an idea when it is the only one
you have.  - Émile Chartier

On 2013-03-14, at 12:05 PM, Donald Duff-McCracken <dsmccrac at uwaterloo.ca> wrote:

> So I have been thinking a bit about the implication that firewalls will have on mac management.
>
> A Mike P, as you are no doubt reading, I think it is a good thing that we are finally getting a campus firewall, I just want to make sure any critical ports are available. :-)
>
> A campus firewall will have much more of an implication than it would have had a few years ago when we were using the Golden-Triangle and all the issues of authenticating a lab or office Macintosh were happening within the UW network. At that point, we could have run a Mac system authenticating with AD/OD and not have any outside contact. This has changed a bit with Profile Manager and Apple Push Notifications (APN). APN is the real issue. At any rate, this is what I have determined and we should mull this over, and I would certainly appreciate it if I am wrong on any of my thoughts about this…
>
> Briefly (as I understand it, as I have only been playing with Mountain Lion Server for a bit over a month), the server and the clients are subscribed to the Apple push notification service and this is the way that the clients understand that there are any changes made to their 'profile' (client settings, what membership the device is in, etc). These ports need to be open and talk to Apple, which is 17.0.0.0/8
>
> I found these pages to be informative...
>
> PORTS USED BY PROFILE MANAGER http://support.apple.com/kb/HT5302
>
> UNABLE TO USE APPLE PUSH NOTIFICATIONS:
> http://support.apple.com/kb/TS4264?viewlocale=en_US
>
> Consequently, while I am currently letting the lab subnet have access to any ports on my server*, I am limiting the rest of the world to 17.0.0.0/8 (which is Apple) having access to 1640 2195 2196 5223 on tcp. The rest of the world gets zilch. (Mike, in a previous conversation I had those ports open on UDP too but they do not appear to need to be open). The APN doc says that port 443 may need to be open in certain situations, but how could it not — similarly, within the campus we need the client macs to talk to the server on ports 80 and 443, but these are likely not an issue ;-)
>
> To break down these ports:
>
>  *   1640 is a TCP port used for enrollment access to the Certificate Authority
>  *   2195 and 2196 are TCP ports used by Profile Manager to send push notifications
>  *   5223 is a TCP port used to maintain a persistent connection to APNs and receive push notifications
>  *   443 is a TCP port used as a fallback on Wi-Fi only, when devices are unable to communicate with APNs on port 5223
>
> So this is all something we should chew over :-)
>
> *I will lock this down later, but as I am going from a no-firewall state of letting the world have access to the server, to just letting one subnet have access, I am feeling this is a good first step. I have clear ideas which ports they need when I start locking it down more, I just do not want to do it yet as this is my first deploy of 10.8 and use of Profile Manager, so I want to take the firewall deployment in baby steps.
>
> -------------------------
>
> Donald Duff-McCracken
> Technical Services Manager
> Mapping, Analysis & Design
> Faculty of Environment
> University of Waterloo
> (519) 888-4567 x32151
> https://uwaterloo.ca/environment-computing/about/people/donald-duff-mccracken
>
> ------------
> To request help from MAD please use Request Tracker. For info see:
> https://rt.uwaterloo.ca/~wwwrt/cgi-bin/rtuser.pl
>
> _______________________________________________
> MacTUG mailing list
> MacTUG at lists.uwaterloo.ca
> https://lists.uwaterloo.ca/mailman/listinfo/mactug
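For anyone wanting to try the rule set Don describes on a pf-based Mac server, here is an added example pf.conf fragment (my own, not from the thread, from IceFloor or from Apple's documentation). It follows Mike's reading of the Apple articles: the APNs ports are opened outbound from the server to 17.0.0.0/8 with state tracking, so the return traffic is allowed without ever permitting unsolicited inbound connections from Apple's block, and the lab subnet is the only source allowed in, and only to the Profile Manager ports (80, 443 and the 1640 enrollment port). The interface name and lab subnet are assumptions; blocked packets are logged so the effect of the rules can be watched while a rebuilt client enrolls.

```pf
# Added example only: not the thread's or IceFloor's configuration.
# Interface and lab subnet are assumed placeholders; adjust to your host.
ext_if  = "en0"
lab_net = "10.0.0.0/24"

# Apple's address block and the TCP ports named in the Profile Manager / APNs articles
apple_net  = "17.0.0.0/8"
apns_ports = "{ 2195, 2196, 5223, 443 }"

# Ports lab clients need on the server: web/profile delivery and CA enrollment
pm_ports = "{ 80, 443, 1640 }"

set skip on lo0

# Default deny in both directions; log drops so they show up on pflog0
block in log all
block out log all

# Server -> Apple only, on the APNs ports, stateful (replies come back via state,
# so nothing inbound from 17.0.0.0/8 is ever opened)
pass out quick on $ext_if proto tcp from ($ext_if) to $apple_net port $apns_ports flags S/SA keep state

# Lab subnet -> server on the Profile Manager ports; everyone else is dropped by the default block
pass in quick on $ext_if proto tcp from $lab_net to ($ext_if) port $pm_ports flags S/SA keep state

# The server still needs DNS out (add other outbound services to this rule per local policy)
pass out quick on $ext_if proto { tcp, udp } from ($ext_if) to any port 53 keep state
```

Syntax-check the file before loading it with `sudo pfctl -nf /path/to/pf.conf`, then load it with `sudo pfctl -f /path/to/pf.conf`. To see what the `log` rules are dropping while a client is being enrolled, create the log interface with `sudo ifconfig pflog0 create` and watch it with `sudo tcpdump -n -e -ttt -i pflog0`; a blocked packet from the client or from 17.0.0.0/8 on one of the listed ports would point at a direction or port the rule set has wrong.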
