FW Security Issues for inbound 2196 is this really required?

mikethompsett
New Contributor III

Hi All,

What are the security issues with opening inbound port 2196 to our JSS server only? We are using MDM configuration profiles for Mac 10.9 clients only (with no iOS devices or Wi-Fi). So is this really required to push policies etc.? Our Info Sec department seems to think we will be at great risk by opening such ports.

Any information would be greatly received.

Thank you.
Mike


Kaltsas
Contributor III

Your network folks can limit access to 17.x.x.x (Apple owns the whole block). This should alleviate any security concerns. For MDM to work the JSS has to be able to communicate with the Apple Push Notification Service.

mikethompsett
New Contributor III

Hi Kaltsas,

Thanks for the info. I believe port 2195 is open outbound, but they will not allow inbound 2196. Is this a show stopper?

Kaltsas
Contributor III

I believe it only has to be outbound but we have it open bi-directionally from the JSS to the 17.x.x.x block so I couldn't confirm for you.

lisacherie
Contributor II

I think 2196 is needed for status updates after attempted pushes to devices.

Without inbound from this port I don't think you will see profile push fail/success. Take a look here at the section on the feedback service:
https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificati...

There is also a good write up about the ports here:
https://jamfnation.jamfsoftware.com/discussion.html?id=10836#responseChild61483

Hope this helps.

I was in a similar situation recently; after working with the security teams I was able to have 2196 opened up via NetScalers, which was a solution they were comfortable with too. Seems to be working well so far.

kitzy
Contributor III

Hi @mikethompsett,

TCP ports 2195 and 2196 both need to be open outbound from your JSS to 17.0.0.0/8 (Apple owns that entire block). There is no need to open the ports inbound.

For more information, you can reference this article: https://jamfnation.jamfsoftware.com/article.html?id=34

Let us know if you have any additional questions.

lisacherie
Contributor II

@johnkitzmiller

Can you please clarify/discuss the changes.

This contradicts the post previously provided by @amanda.wulff

Thank you :)

kitzy
Contributor III

Hi @lisacherie,

Can you link me to the post that you're referring to?

Thanks!

lisacherie
Contributor II

from Apple:
https://developer.apple.com/library/ios/technotes/tn2265/_index.html

*"IP Address Range Used by the Push Service
Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to allow inbound and outbound TCP packets over port 2195. To reach the feedback service, you will need to allow inbound and outbound TCP packets over port 2196. Devices and computers connecting to the push service over Wi-Fi will need to allow inbound and outbound TCP packets over port 5223.

The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 17.0.0.0/8 address block is assigned to Apple, so you can specify that range in your firewall rules."*

From Amanda
https://jamfnation.jamfsoftware.com/discussion.html?id=10836#responseChild61483

Would like to close up the ports if we no longer need them.

Thank you!
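One way to check an egress rule table against the TN2265 requirements quoted above (TCP 2195 for the push gateway, TCP 2196 for the feedback service, TCP 5223 for devices on Wi-Fi, all to 17.0.0.0/8). This is an added example, not code from the thread or from Jamf: the `Rule` record, the rule tables and the "out"/"in" direction model are assumptions made for the example, and it only models the connection-initiating (outbound from the JSS) direction that the thread is about.

```python
"""Audit a firewall rule table against the APNs flows quoted from Apple
TN2265 in the thread: TCP 2195 (push gateway), TCP 2196 (feedback service)
and TCP 5223 (device push connection over Wi-Fi), all to 17.0.0.0/8.

Every rule table below is constructed for this example; none is a real
firewall configuration.
"""
import ipaddress
from dataclasses import dataclass

# Apple owns the whole block; APNs hosts resolve to changing addresses in it.
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")

# Port -> purpose, taken from the TN2265 excerpt quoted above.
APNS_FLOWS = {
    2195: "push gateway (JSS -> APNs)",
    2196: "feedback service (JSS -> APNs)",
}
WIFI_DEVICE_FLOW = {5223: "device push connection over Wi-Fi"}


@dataclass(frozen=True)
class Rule:
    """Assumed rule shape: one destination CIDR, one destination port."""
    action: str      # "allow" or "deny"
    proto: str       # "tcp" or "udp"
    dst_net: str     # destination CIDR
    dst_port: int    # destination TCP/UDP port
    direction: str   # "out" (egress from the JSS) or "in"


def _covers(rule: Rule, port: int) -> bool:
    """True if this rule allows outbound TCP to *port* for ALL of 17.0.0.0/8.

    A destination narrower than 17/8 is not enough, because the push
    service load-balances across addresses anywhere in the block.
    """
    if rule.action != "allow" or rule.proto != "tcp" or rule.direction != "out":
        return False
    if rule.dst_port != port:
        return False
    net = ipaddress.ip_network(rule.dst_net, strict=False)
    return net.version == 4 and APPLE_BLOCK.subnet_of(net)


def missing_apns_flows(rules, include_wifi_devices=False):
    """Return {port: purpose} for every required flow that no rule covers."""
    required = dict(APNS_FLOWS)
    if include_wifi_devices:
        required.update(WIFI_DEVICE_FLOW)
    return {port: why for port, why in required.items()
            if not any(_covers(rule, port) for rule in rules)}


# Constructed: the situation the original poster described, 2195 allowed
# outbound but 2196 refused.
MIKES_RULES = [
    Rule("allow", "tcp", "17.0.0.0/8", 2195, "out"),
    Rule("deny", "tcp", "0.0.0.0/0", 2196, "in"),
]

# Constructed: the same table with the feedback-service flow added.
FIXED_RULES = MIKES_RULES + [
    Rule("allow", "tcp", "17.0.0.0/8", 2196, "out"),
]

if __name__ == "__main__":
    for label, rules in (("as described", MIKES_RULES), ("after fix", FIXED_RULES)):
        gaps = missing_apns_flows(rules)
        print(f"{label}: {'all APNs flows covered' if not gaps else gaps}")
```

Run as-is it reports that the first table lacks the feedback-service flow and the second is complete; pass `include_wifi_devices=True` to also require 5223, which only matters once Wi-Fi devices sit behind the same firewall.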

were_wulff
Valued Contributor II

@lisacherie

I chatted with @johnkitzmiller about this, and it looks like our KB may need a little updating for clarity on the directions that need to be open. Currently, the wording could be a bit confusing, and we need to get that fixed.
I've nearly got an e-mail finished to send off to the people who update JAMF Nation articles so we can get our KB clarified a bit, as it does need to match what Apple states its requirements to use the APNs are.

I've seen many cases where just having outbound open works, but I've seen just as many where it causes issues with timeouts, blank tokens, feedback errors, etc...if it's only open outbound as well, so I go with Apple's documented requirements, (which you've quoted) from the start to avoid running into that.

When in doubt on APN port specifics, it's best to default back to what Apple says its own requirements are for the APNs to function, as the APNs is, after all, an Apple provided service.

Edit to add: It's also worth noting that if 2196 is blocked we not only fail to receive what could be valuable feedback in the event of push related problems, but it will fill up your JAMFSoftwareServer.log with errors about being unable to contact the feedback service. This can make unrelated troubleshooting more difficult as it can be tricky to find other errors in the JAMFSoftwareServer.log file due to the constant stream of "problem connecting to the feedback service" errors.

Sorry for the confusion!

Thanks!
Amanda Wulff
JAMF Software Support
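A small triage script for the failure mode Amanda describes above: while TCP 2196 is blocked, the "problem connecting to the feedback service" errors drown out everything else in JAMFSoftwareServer.log. This is an added example, not code from the thread or from Jamf; the sample log lines are constructed and their layout (timestamp, level, logger, message) is an assumption, not Jamf's actual log format, so adjust `LINE_RE` to match a real file.

```python
"""Separate feedback-service noise from the other ERROR/WARN records in a
JAMFSoftwareServer.log so unrelated problems stay visible.

SAMPLE_LOG is constructed for this example; the line layout it assumes
(timestamp [LEVEL] [logger] - message) is not Jamf's real format.
"""
import re
from collections import Counter

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+\[(?P<level>[A-Z]+)\s*\]\s+\[(?P<logger>[^\]]+)\]\s+-\s+(?P<msg>.*)$"
)
# The message text Amanda quotes; matched case-insensitively.
FEEDBACK_NOISE = re.compile(r"problem connecting to the feedback service", re.I)

SAMPLE_LOG = """\
2014-03-10 09:00:01,101 [ERROR] [APNSFeedbackService] - problem connecting to the feedback service: connect timed out
2014-03-10 09:00:02,240 [INFO ] [PolicyScheduler] - Checking in 3 policies
2014-03-10 09:00:03,315 [ERROR] [APNSFeedbackService] - problem connecting to the feedback service: connect timed out
2014-03-10 09:00:04,002 [ERROR] [DatabaseConnection] - Communications link failure
2014-03-10 09:00:05,877 [WARN ] [APNSGateway] - push token for computer ABC123 is blank
2014-03-10 09:00:06,410 [ERROR] [APNSFeedbackService] - Problem connecting to the feedback service: connection refused
"""


def parse(line):
    """Return the fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(log_text):
    """Return (noise_count, other_records).

    noise_count is how many feedback-service connection errors were dropped;
    other_records are the remaining ERROR/WARN records, in file order.
    """
    noise = 0
    kept = []
    for raw in log_text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue  # continuation line or stack trace; not a record header
        if FEEDBACK_NOISE.search(rec["msg"]):
            noise += 1
            continue
        if rec["level"] in ("ERROR", "WARN"):
            kept.append(rec)
    return noise, kept


def loggers_with_problems(records):
    """Count the remaining ERROR/WARN records per logger name."""
    return Counter(rec["logger"] for rec in records)


if __name__ == "__main__":
    dropped, others = triage(SAMPLE_LOG)
    print(f"dropped {dropped} feedback-service noise line(s)")
    for rec in others:
        print(f'{rec["ts"]} {rec["level"]:5} {rec["logger"]}: {rec["msg"]}')
    print(dict(loggers_with_problems(others)))
```

Point it at a real file with `triage(open(path).read())`; the noise count doubles as a quick indicator that 2196 is still blocked, while the per-logger counter shows where the remaining errors actually come from.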

lisacherie
Contributor II

Thanks for the clarification! And quick replies!

were_wulff
Valued Contributor II

@lisacherie

No problem! Nice catch on the discrepancy, we always want to get those cleared up ASAP, especially when the dreaded 'ports' topic comes up. :)

Thanks again!
Amanda Wulff
JAMF Software Support