
We are the organization that has the most restrictive security policy. The Casper MDM Red Hat Linux server is not allowed to open port 2195 to the extranet directly. APNs traffic has to be redirected to our Bluecoat proxy server. I am asking anyone who successfully sends APNs via a proxy to provide advice:
1) What type of HTTP proxy are you using?
2) Must the MDM server have Java 7?
3) Must port 2195 on the proxy server be bi-directional?
4) How do you configure the range of IPs for gateway.push.apple.com? We currently only map three IPs. Configure the entire "17.0.0.0/8 address book"? Don't even think about it. That's 16 million IP addresses.

@spraguga : You're saying "anything added new" is not MDM capable and that you're seeing errors.

  1. Are you talking about newly added cluster instances, or newly added Macs?
  2. Do the Macs require the use of a proxy server to reach the Internet?
  3. Can your Macs reach your JSS'es outside the institutional network?
  4. Can you post some of the sample logs from the master? (please sanitize the logs and rename the server addresses)


@bradtchapman
1. Are you talking about newly added cluster instances, or newly added Macs? Macs
2. Do the Macs require the use of a proxy server to reach the Internet? Sort of, the connection is, LB to Web server to App server
3. Can your Macs reach your JSS'es outside the institutional network? Yes
4. Can you post some of the sample logs from the master? (please sanitize the logs and rename the server addresses)
[error] [at-http--33] [PushNotificationUtility ] - Unable to send push notification com.jamfsoftware.jss.pushnotification.notifications.AppleMDMCheckInNotification@3fa28d62. Unable to connect to APN server "gateway.push.apple.com:2195"
[error] [at-http--26] [APNSConnection ] - Exception (class java.net.UnknownHostException : gateway.push.apple.com) in getAPNSSocket (357838168)
java.net.UnknownHostException: gateway.push.apple.com



[error] [at-http--32] [APNSConnection ] - Unable to connect to APN server (550039706)
[error] [at-http--32] [APNSConnection ] - Exception in APNSConnection: Unable to connect to APN server "feedback.push.apple.com:2196" (550039706)
com.jamfsoftware.jss.pushnotification.connection.APNSConnectionException: Unable to connect to APN server "feedback.push.apple.com:2196"


Those log entries indicate that your servers are not able to connect to APNS anymore.



Run the following commands from your master:



nslookup gateway.push.apple.com
telnet [any returned IP] 2195
nslookup feedback.push.apple.com
telnet [any returned IP] 2196


If the DNS lookup portion succeeds, but the telnet fails, then you have to talk to your firewall admin.
If the DNS lookup fails, talk to your DNS admin or check the server DNS configuration.



For reference, on a system that has functioning MDM, the MDMCommandQueueMonitor subroutine on the JSS will send MDM commands every 5 minutes to the Apple Push Notification Service. The commands are queued by Apple for up to 7 days, or until they are delivered to the endpoint, which happens the instant that device makes a successful connection to APNS.
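The nslookup/telnet check above, carried out as a script that separates the two failure modes (DNS vs. blocked connection) for both APNs endpoints named in the logs. This is an added example for the thread, not Jamf code; the `ADVICE` wording is mine and the hosts and ports are the ones quoted in the log entries.

```python
"""Added diagnostic (not from the thread): tell a DNS failure apart from a
blocked outbound connection for the APNs endpoints the JSS master uses."""
import socket

# Endpoints and ports exactly as they appear in the JSS log entries above.
APNS_ENDPOINTS = [("gateway.push.apple.com", 2195),
                  ("feedback.push.apple.com", 2196)]

# Who to talk to for each outcome, following the advice given in the thread.
ADVICE = {
    "dns_fail": "name does not resolve: check the server DNS config / DNS admin",
    "connect_fail": "name resolves but TCP connect fails: talk to the firewall admin",
    "ok": "reachable: APNs connectivity from this host is fine",
}


def check_endpoint(host, port, timeout=5.0):
    """Return (status, detail) for one APNs endpoint.

    status is 'dns_fail', 'connect_fail' or 'ok'. Every resolved address is
    tried, because the gateway name maps to several IPs and only some of
    them may be permitted by a firewall rule that lists addresses by hand.
    """
    try:
        _, _, addrs = socket.gethostbyname_ex(host)  # equivalent of nslookup
    except socket.gaierror as exc:
        return "dns_fail", str(exc)
    if not addrs:
        return "dns_fail", "no addresses returned"
    errors = []
    for addr in addrs:
        try:  # equivalent of telnet <addr> <port>: plain TCP connect, no data sent
            with socket.create_connection((addr, port), timeout=timeout):
                return "ok", addr
        except OSError as exc:
            errors.append(f"{addr}:{port} -> {exc}")
    return "connect_fail", "; ".join(errors)


def diagnose(endpoints=APNS_ENDPOINTS):
    """Check every endpoint and return {(host, port): status}."""
    results = {}
    for host, port in endpoints:
        status, detail = check_endpoint(host, port)
        results[(host, port)] = status
        print(f"{host}:{port}: {status} ({detail}) -> {ADVICE[status]}")
    return results


if __name__ == "__main__":
    diagnose()
```

Run it on the JSS master (and on any node that sends pushes), since the point of the thread is that the app server, not the load balancer, is the host that must reach APNs.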


@bradtchapman As I stated in my other post I can ncat to APNS just fine over 2195/6 ports from the app server.


This year at JNUC, I'm giving a presentation on APNS — how it works, and why allowing communication with those IP addresses and those protocols is safe. My hope is that many jittery network admins will be less concerned about it afterwards, and those of you in 'high-security' environments will be sufficiently armed to answer your bosses' concerns.


Hi bradtchapman,



This thread is really helpful and clear on proxy requirements in a clustered & balanced environment.



I still have a point that is not crystal clear. Must the SSL be terminated on the load balancer?
Can it be re-encrypted to the JSS node?


You shouldn’t do this because you add a serious amount of encryption overhead. Just pass unencrypted to the nodes.

