Mavericks OS X Server – Profile Manager – Do Profile Manager ports have to be mapped on the Router for full functionality

mac-osx-server

I noticed that Server asks if I want Profile Manager ports to be available. I checked the settings it adds to the Router and it maps tcp ports 80, 443, and 1640 for the Server.

Port 80 is just the Apache web server, so it adds that so you can access the web interface.
Port 443 is again the SSL Apache web server, for the same reason as above.

What about port 1640?

The truth is I don't want Profile Manager to be accessible from the outside (via the web interface), but I do want it to function normally. Should I leave this tcp 1640 in there, or can I safely remove all of them and Profile Manager will keep on working?

PS. I also found this document on Apple's support site: http://support.apple.com/kb/HT5302
It seems to add more ports to the mix, ports that don't seem to appear anywhere in the automatic configuration:

2195, 2196: Used by Profile Manager to send push notifications
5223: Used to maintain a persistent connection to APNs and receive push notifications
80/443: Provides access to the web interface for Profile Manager admin
1640: Enrollment access to the Certificate Authority

Best Answer

Ports 2195, 2196, and 5223 do not need to be mapped, because they are used for outgoing connections to Apple's push notification servers. Unless you're doing egress filtering, you don't have to do anything about these. If you are doing egress filtering, make sure connections to Apple's 17.0.0.0/8 network block are allowed on these ports.

Port 1640 is used for the Secure Configuration Enrollment Protocol (SCEP). I haven't tested, but I think this only needs to be mapped if you want to enroll new devices when they aren't on the LAN. If you do all enrollments from inside the firewall, I think you can unmap this one.

Ports 80 and 443 are used for the web interfaces ("Profile Manager" for admins and "User Portal" for users), and for devices to download profiles. Push notifications are used to tell the devices about new/updated profiles, but not to send the actual profiles; for that, the devices contact the server on port 443 (assuming you have SSL set up) to download the profile itself. If you leave these unmapped, your devices will not receive any new/updated profiles until they're on the private network.

Net result: you don't actually need to map any ports, but if you don't your client devices will have limited capabilities when they're off the private network.

BTW, essentially the same limitations apply if you use a local or private hostname for your server (e.g. server.local or server.private); in these cases, the clients will not be able to resolve the server's address from outside the private network, and thus will not be able to enroll or download new profiles.
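As an added illustration (not part of the answer above or of OS X Server itself), the following script encodes the port roles the answer describes and derives the minimal set of router mappings and egress rules for a chosen deployment. The rule text is a generic pf-style notation assumed for readability, and the deployment flags are the script's own.

```python
# Added example, not from the thread: turn the port roles described in the answer
# into a minimal router/firewall plan for a given deployment. Direction and role
# per port follow the answer; the rule text is a generic pf-style notation
# (assumed, not OS X Server's own configuration format).
INBOUND = "inbound"    # client -> server: must be mapped on the router to work off-LAN
OUTBOUND = "outbound"  # server -> Apple APNs: never mapped, only needs egress allowed

PORTS = {
    80:   (INBOUND,  "web UI (plain HTTP)"),
    443:  (INBOUND,  "web UI and profile download (SSL)"),
    1640: (INBOUND,  "SCEP enrollment against the server CA"),
    2195: (OUTBOUND, "send push notifications to APNs"),
    2196: (OUTBOUND, "send push notifications to APNs"),
    5223: (OUTBOUND, "persistent APNs connection"),
}
APNS_NET = "17.0.0.0/8"  # Apple's network block named in the answer

def plan(off_lan_enroll, off_lan_profiles, egress_filtering, allow_plain_http=False):
    """Return (ports_to_map, egress_rules) for the chosen deployment.

    off_lan_enroll   - devices enroll while away from the LAN (needs 1640)
    off_lan_profiles - devices must fetch new/updated profiles while away (needs 443)
    egress_filtering - the router blocks outbound traffic by default
    allow_plain_http - also map 80; off by default because 443 carries the same UI
    """
    to_map = set()
    if off_lan_enroll:
        to_map.add(1640)
    if off_lan_profiles:
        # Mapping 443 for profile delivery also exposes the web UI on 443:
        # both run on the same port, so the router mapping alone cannot separate them.
        to_map.add(443)
        if allow_plain_http:
            to_map.add(80)
    egress = []
    if egress_filtering:
        for port, (direction, _) in sorted(PORTS.items()):
            if direction == OUTBOUND:
                egress.append(f"pass out proto tcp from any to {APNS_NET} port {port}")
    return sorted(to_map), egress

def describe(ports):
    """Human-readable lines for a list of ports, e.g. for a change ticket."""
    return [f"tcp/{p}: {PORTS[p][0]}, {PORTS[p][1]}" for p in ports]

if __name__ == "__main__":
    ports, rules = plan(off_lan_enroll=False, off_lan_profiles=True, egress_filtering=True)
    print("\n".join(describe(ports) + rules))
```

Running it with the asker's stated goal (no off-LAN enrollment, but profiles still delivered) yields a single inbound mapping for 443 plus three APNs egress rules.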