Local distribution point behind a firewall

ralvarezOES
Contributor

All,
I'd like to make my local distribution point available to users on the BYOD Wi-Fi. As far as I can tell from the documentation, clients use 443 to communicate with the local distribution point. I created a firewall rule to allow ports 80 and 443 from the BYOD network to the LAN, but the policies to install packages are failing. If I allow any/any on that same firewall rule, the packages install fine.

What ports am I missing to make this happen?

1 ACCEPTED SOLUTION

talkingmoose
Moderator

I suspect that while you may have both SMB and HTTP enabled for your Distribution Points, you're probably using SMB when your tests are successful.

With your firewall set to any/any, use a web browser to download a package. You'll need the full URL to the package along with the correct HTTP or HTTPS protocol. If that works, then Jamf should work.

Alternatively, you could also open port 139 (or 445, depending on what you used) for your Distribution Point and see if that works when the more restrictive rules are in place. If it does, then you're not utilizing the web service for download.

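The test described above (download the package over HTTP(S) with the firewall wide open, then see whether only the SMB ports make things work) can be scripted so it is repeatable from the BYOD network. The script below is an added example for this thread, not Jamf's own tooling or code from any poster. It assumes a DP host of dp.example.com, a share named CasperShare, a package named Sample.pkg, and that an HTTP-enabled file-share DP serves packages at scheme://host/share/package; all four are placeholders to replace with your own values. The offline demo at the bottom stands up a throwaway local HTTP server with a constructed 1 KiB file so the probes can be exercised without a real DP.

```python
"""Probe which transport a Jamf file-share distribution point (DP) is actually
reachable over from the current network. Added example, not Jamf code.
Assumed placeholders: host dp.example.com, share CasperShare, package Sample.pkg,
and the URL layout scheme://host/share/package for an HTTP-enabled DP."""
import functools
import http.server
import os
import shutil
import socket
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# The ports the thread is about: the web service (80/443) versus SMB (139/445).
DP_PORTS = {80: "http", 443: "https", 139: "smb (NetBIOS)", 445: "smb (direct)"}


def tcp_open(host, port, timeout=3.0):
    """True if a TCP connect to host:port completes within the timeout.
    A firewall that silently drops packets shows up as a timeout and a host
    with the service off as a refused connection; both count as closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host, ports=DP_PORTS, timeout=3.0):
    """Map each DP port to whether it is reachable from this machine."""
    return {port: tcp_open(host, port, timeout) for port in ports}


def package_url(scheme, host, share, pkg, port=None):
    """Build the URL a browser test would use for the package (assumed layout)."""
    netloc = host if port is None else f"{host}:{port}"
    return f"{scheme}://{netloc}/{share}/{pkg}"


def fetch_package(url, timeout=10.0):
    """Fetch the package over HTTP(S) and report whether the server advertises
    byte-range (resumable) downloads. Returns (status or None, bytes, resumable)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dp-probe/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read()
            resumable = "bytes" in resp.headers.get("Accept-Ranges", "").lower()
            return resp.status, len(body), resumable
    except urllib.error.HTTPError as e:
        return e.code, 0, False
    except (urllib.error.URLError, OSError):
        return None, 0, False


def diagnose(host, share, pkg, https=True, timeout=3.0):
    """Combine the port probes and the web download into one verdict."""
    ports = probe_ports(host, timeout=timeout)
    scheme = "https" if https else "http"
    status, size, resumable = fetch_package(package_url(scheme, host, share, pkg), timeout)
    if status == 200:
        verdict = "web download works; Jamf can use the HTTP(S) DP through this rule"
    elif ports.get(139) or ports.get(445):
        verdict = "web download failed but SMB is reachable; clients are likely using SMB"
    else:
        verdict = "neither web nor SMB reachable; the firewall rule is blocking the DP"
    return {"ports": ports, "http_status": status, "bytes": size,
            "resumable": resumable, "verdict": verdict}


def run_local_demo():
    """Offline stand-in for the DP: a local HTTP server with a constructed file."""
    tmp = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(tmp, "CasperShare"))
        with open(os.path.join(tmp, "CasperShare", "Sample.pkg"), "wb") as f:
            f.write(b"xar!" + b"\x00" * 1020)  # constructed 1 KiB stand-in for a .pkg
        handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=tmp)
        srv = socketserver.TCPServer(("127.0.0.1", 0), handler)
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            url = package_url("http", "127.0.0.1", "CasperShare", "Sample.pkg", port)
            status, size, resumable = fetch_package(url)
            return {"port_open": tcp_open("127.0.0.1", port), "http_status": status,
                    "bytes": size, "resumable": resumable}
        finally:
            srv.shutdown()
            srv.server_close()
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(run_local_demo())
    # Against a real DP from the BYOD network, with your own values:
    # print(diagnose("dp.example.com", "CasperShare", "Sample.pkg"))
```

Run it once with the any/any rule in place and once with the restrictive rule: if `http_status` is 200 under both, the web service is doing the work; if it only succeeds when 139 or 445 shows as open, the clients are mounting the share over SMB rather than using HTTP(S). The `resumable` flag is a quick check of whether the DP's web server supports range requests, which the HTTP path needs for resumable downloads; the demo's stock Python server does not, so it reports False.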

4 REPLIES

garybidwell
Contributor III

Are your DPs all set to use HTTP? If not, you have to allow SMB/AFP through your firewall to present to your network.
Far simpler, from a security-risk standpoint, is to implement a cloud DP that sits outside.


ralvarezOES
Contributor

Thanks. I allowed SMB and it's working.

sdagley
Esteemed Contributor II

@ralvarezOES It'd be worth your while to figure out why HTTP/HTTPS from your Distribution Point didn't work, as those protocols generally provide a much more performant experience than SMB. In addition to adding support for resumable downloads, they eliminate the need to mount and unmount the SMB volume to download whatever you're installing.