Posted on 02-14-2013 11:17 AM
Hey everyone!
I have been working with configuration profiles lately, and I know that you have to open up ports 2195/TCP, 2196/TCP, and 5223/TCP for the APNS to work and send the config profile to the computers.
Understandably so, my networking guys are concerned about opening up our LAN to an external source - could potentially be bad. Are there any best practices out there that anyone is using? Or any ideas on how to get configuration profiles to work without opening up these ports?
Thanks!
Solved! Go to Solution.
Posted on 02-14-2013 02:48 PM
Those ports should be outbound only, not inbound. It sounds counterintuitive, but Apple designed it specifically this way; the server initiates the connection with Apple, and then Apple sends the data back to the server over that connection. It works the same way with the iOS and Mac managed clients, but via port 443. I've seen a lot of documentation that was inconclusive, but we don't have any of those ports open internally, and our environment works fine, and receives push notifications rather quickly.
Posted on 02-14-2013 02:48 PM
Those ports should be outbound only, not inbound. It sounds counterintuitive, but Apple designed it specifically this way; the server initiates the connection with Apple, and then Apple sends the data back to the server over that connection. It works the same way with the iOS and Mac managed clients, but via port 443. I've seen a lot of documentation that was inconclusive, but we don't have any of those ports open internally, and our environment works fine, and receives push notifications rather quickly.
Posted on 02-16-2013 04:05 AM
We had similar concerns at first, but the ports can be further locked down to only talk to Apple's servers. I forget the IP's, but it's 17.x.x.x. I'm sure your account rep can give you the address you need to limit the ports to.