Posted on 09-11-2019 10:46 AM
All,
I'd like to make my local distribution point available to users on the BYOD wifi. As far as I can tell from the documentation, clients use 443 to communicate with the local distribution point. I created a firewall rule to allow port 80 and 443 from the BYOD to the LAN, but the policies to install packages are failing. If I allow any/any on that same firewall rule, the packages install fine.
What ports am I missing to make this happen?
Posted on 09-11-2019 08:45 PM
I suspect while you may have both SMB and HTTP enabled for your Distribution Points, that you're probably using SMB when your tests are successful.
With your firewall set to any/any, use a web browser to download a package. You'll need the full URL to the package along with the correct HTTP or HTTPS protocol. If that works, then Jamf should work.
Alternatively, you could also open port 139 (or 445, depending on what you used) for your Distribution Point and see if that works when the more restrictive rules are in place. If it does, then you're not utilizing the web service for download.
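The check described in the answer above, as an added example that is not part of the original post: it probes the web and SMB ports from the restricted segment, requests the package URL directly, and maps the result to the answer's conclusions. The host name, package URL and the `diagnose` wording are assumptions for illustration.

```python
import socket
import urllib.error
import urllib.request

# Ports discussed in the thread: web downloads (80/443) and SMB (139/445).
WEB_PORTS = (80, 443)
SMB_PORTS = (139, 445)

def tcp_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes from this network segment."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def package_fetchable(url, timeout=5.0):
    """True if the distribution point answers a HEAD for the package URL with 2xx."""
    # Ignore any configured proxy so the result reflects the firewall rule itself.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, OSError, ValueError):
        return False

def diagnose(web_reachable, smb_reachable, url_ok, install_ok):
    """Map the observations to the conclusions drawn in the answer."""
    if url_ok:
        return "web service serves the package; HTTP/HTTPS downloads should work"
    if install_ok and smb_reachable:
        return "installs succeed without a working package URL: downloads use SMB"
    if web_reachable:
        return "web ports open but package URL fails: check DP HTTP settings and URL"
    return "no usable path: neither web download nor SMB is available"

def check_distribution_point(host, package_url, install_ok):
    """install_ok is what you observed: did the policy install under these rules?"""
    web = any(tcp_open(host, p) for p in WEB_PORTS)
    smb = any(tcp_open(host, p) for p in SMB_PORTS)
    return diagnose(web, smb, package_fetchable(package_url), install_ok)

if __name__ == "__main__":
    # Hypothetical host and package URL; replace with your distribution point's values.
    print(check_distribution_point(
        "dp.example.internal",
        "https://dp.example.internal/Packages/Example.pkg",
        install_ok=False))
```

Run it from a client on the BYOD network once with the restrictive rule in place and once with any/any, and compare the two results.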
Posted on 09-11-2019 01:19 PM
Are your DPs all set to use HTTP? If not, you have to allow SMB/AFP through your firewall to present to your network.
Far simpler from a security risk is to implement a cloud DP that sits outside
Posted on 09-12-2019 03:12 PM
Thanks. I allowed SMB and it's working.
Posted on 09-13-2019 10:28 AM
@ralvarezOES It'd be worth your while to figure out why HTTP/HTTPS from your Distribution Point didn't work, as those protocols generally provide a much more performant experience than SMB. In addition to adding support for resumable downloads, they eliminate the need to mount and unmount the SMB volume to download whatever you're installing.