SCEP issue

Sean_M_Harper
Contributor

Hey everyone!

My Network team recently rebuilt the firewall and decided to block everything possible, and open things as they fail. Great fun I tell you! Anyhow, I currently use a profile via Configurator to register iPads with Casper. The profile calls this address (edited):
https://jss.mydistrict:8443//CA/SCEP

This comes back with a fail, even when I run it by hand. I am concerned it's a port being blocked on the firewall side. Can anyone who might know what port this is try and shed some light on this subject for me? All help is appreciated!


mm2270
Legendary Contributor III

Take a look at this KB:
https://jamfnation.jamfsoftware.com/article.html?id=34

In particular, pay attention to the last 3 ports in the second chart. I'm pretty certain those all need to be open for MDM stuff to work, so I'd start there. There may be other ones though. In the case of SCEP and Configurator, I'm unclear how that all communicates, so it may be something other than those.

Unfortunately, this process of "block it all until people start b*tching" is all too common with networking teams. They are a particularly paranoid bunch and need to get out of their dark cubicles every once in a while. :)

Sean_M_Harper
Contributor

This is great info, but it does not list which port the SCEP server request would be using. Still looking to see if anyone knows the exact port. Thank you @mm2270 for the info though.

cgraber
New Contributor

According to Cisco, SCEP uses port 80 in most cases.

The use of the network-based approach has the chief benefit of improving scalability and limiting operational overhead. SCEP enables an endpoint to request a certificate or other certificate-related functions (revocation checking, and so on) remotely. SCEP runs on TCP port 80; however, it can also run on a nonstandard TCP port. SCEP-based enrollment is configured in trustpoint mode. TCP port 80 is the default port used for SCEP and is configurable using the enrollment command. If a nonstandard port is used, make sure the http server configuration on the CA matches the nonstandard port.

If you'd like to read the Cisco article I grabbed this from, you can read it here: http://www.ciscopress.com/articles/article.asp?p=1684781

Be nice to your network teams. They are usually at the whim of the security team. :-)

sgrall-pfg
Contributor

Apple's OS X Server Profile Manager requires 1640 for SCEP, according to the documentation, so I'd try that port. Reference: http://training.apple.com/pdf/wp_osx_configuration_profiles.pdf

pickerin
Contributor II

Just stating the obvious, because that often gets overlooked:

In order to reach the following URL: https://jss.mydistrict:8443//CA/SCEP

Port 8443/TCP will have to be open.
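The thread's question is really "is the firewall dropping the port, or is the SCEP service itself failing?" The script below is an added example (not posted by anyone in the thread and not Jamf's own tooling) that separates the two: it parses the port out of the enrollment URL (8443 here, or the scheme default when none is given), does a plain TCP connect to tell a silent drop from an active refusal, and only if the port is open sends the standard SCEP GetCACert request (RFC 8894, section 4.2) to see whether the service answers. The hostname jss.mydistrict is taken from the thread as an example input; the local listener in demo_local_probe() is constructed so the TCP probe can be exercised offline.

```python
"""
Added example (not from the thread): tell a firewall block apart from a SCEP
service failure for a URL like https://jss.mydistrict:8443//CA/SCEP.

Step 1: plain TCP connect to the port named in the URL (8443 here).
        A silent timeout is the usual signature of a firewall dropping the SYN;
        "refused" means packets arrive but nothing is listening.
Step 2: if TCP is open, send the standard SCEP GetCACert request
        (RFC 8894, section 4.2) and report the HTTP outcome.
"""
import socket
import urllib.error
import urllib.request
from urllib.parse import urlencode, urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def url_endpoint(url):
    """Return (host, port, path). An explicit port wins; otherwise the scheme
    default applies. Doubled slashes (as in //CA/SCEP) are collapsed."""
    parts = urlsplit(url)
    port = parts.port or DEFAULT_PORTS[parts.scheme]
    path = "/" + "/".join(seg for seg in parts.path.split("/") if seg)
    return parts.hostname, port, path


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for a TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # no SYN-ACK and no RST: typical of a dropping firewall
        return "timeout"
    except ConnectionRefusedError:  # RST came back: host reachable, nothing listening
        return "refused"
    except OSError:                 # DNS failure, no route, etc.
        return "unreachable"


def getcacert_url(url):
    """Build the SCEP GetCACert query for the endpoint in url."""
    parts = urlsplit(url)
    _, _, path = url_endpoint(url)
    query = urlencode({"operation": "GetCACert", "message": "CA"})
    return urlunsplit((parts.scheme, parts.netloc, path, query, ""))


def diagnose(url, timeout=3.0):
    """Return a dict saying at which layer the failure (if any) sits."""
    host, port, _ = url_endpoint(url)
    tcp = probe_tcp(host, port, timeout)
    result = {"host": host, "port": port, "tcp": tcp}
    if tcp != "open":
        result["layer"] = "network"      # firewall, routing or DNS: talk to the network team
        return result
    result["layer"] = "application"      # port reachable: now it is the SCEP service's turn
    try:
        with urllib.request.urlopen(getcacert_url(url), timeout=timeout) as resp:
            result["http"] = resp.status
            result["content_type"] = resp.headers.get("Content-Type")
    except urllib.error.HTTPError as exc:
        result["http"] = exc.code        # e.g. 404: wrong path; 500: CA-side error
    except urllib.error.URLError as exc:
        # TLS errors land here (e.g. an untrusted JSS certificate). The TCP port
        # was still reachable, so this is not a firewall problem. Certificate
        # verification is deliberately left on.
        result["http"] = None
        result["error"] = str(exc.reason)
    return result


def demo_local_probe():
    """Constructed input: a throwaway listener on 127.0.0.1 reads as 'open';
    the same port after the listener closes reads as 'refused'."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe_tcp("127.0.0.1", port, 2.0)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port, 2.0)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_local_probe())
    print(diagnose("https://jss.mydistrict:8443//CA/SCEP"))  # the thread's (edited) URL
```

A "timeout" in the tcp field points at the firewall (or a routing or DNS problem), which is the network team's side; "open" followed by an HTTP 404, 500 or a TLS verification error means the port the thread is asking about is already reachable and the problem is in the JSS or SCEP configuration itself.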