Apple push notifications don't work in Meraki mobile device management

Article #: 1783
Product: Guardian
Castle: All

Summary

Apple push notifications in Meraki Mobile Device Management software do not work through the web proxy.

Problem

The Meraki software does not fully support the use of a web proxy; you will need to add exceptions for some domains and IP ranges in Guardian.

The issue is not with the Meraki software itself, but with how Apple push notifications locate their servers:

  1. applepushserviced first does a DNS TXT query for push.apple.com (nslookup -query=txt push.apple.com).
  2. This returns count=50, or some other number n. The daemon then picks a number between 1 and n and builds the DNS name n-courier.push.apple.com (for example, 34-courier.push.apple.com).
  3. That name is resolved by Akamai DNS to an IP address in the 17.0.0.0/8 netblock, which belongs to Apple.

The Smoothwall sees courier.push.apple.com in the URL request rather than, for example, 34-courier.push.apple.com. The certificate presented by https://34-courier.push.apple.com is not a wildcard certificate; it is only valid for courier.push.apple.com, so the requested hostname and the certificate do not match.
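To make the name-generation and certificate-mismatch mechanics above concrete, here is an added Python example. It is not code from the Smoothwall article, from Apple's daemon or from Meraki: it models the steps offline by parsing a constructed count=50 TXT record, deriving an n-courier.push.apple.com name, checking whether a resolved address falls inside Apple's 17.0.0.0/8 netblock, and applying RFC 6125-style hostname matching to show why a certificate valid only for courier.push.apple.com does not match 34-courier.push.apple.com, while a wildcard for *.push.apple.com would. All function names, the sample TXT record and the sample IP address are assumptions; no DNS query is performed.

```python
import ipaddress
import random
import re

# Constructed sample TXT record, in the form the article describes for push.apple.com.
SAMPLE_TXT_RECORD = "count=50"

# Apple's netblock, the range the article says the courier names resolve into.
APPLE_NETBLOCK = ipaddress.ip_network("17.0.0.0/8")


def parse_courier_count(txt_record: str) -> int:
    """Extract n from a 'count=n' TXT record (no DNS query is made here)."""
    match = re.fullmatch(r"\s*count=(\d+)\s*", txt_record)
    if match is None:
        raise ValueError(f"unexpected TXT record: {txt_record!r}")
    return int(match.group(1))


def courier_hostname(n: int, count: int) -> str:
    """Build the n-courier.push.apple.com name the daemon resolves next."""
    if not 1 <= n <= count:
        raise ValueError(f"courier index {n} is outside 1..{count}")
    return f"{n}-courier.push.apple.com"


def pick_courier_hostname(txt_record: str, rng=random) -> str:
    """Model the daemon's choice: a random index between 1 and n."""
    count = parse_courier_count(txt_record)
    return courier_hostname(rng.randint(1, count), count)


def in_apple_netblock(ip: str) -> bool:
    """True if a resolved address is inside 17.0.0.0/8 (what the firewall rules allow)."""
    return ipaddress.ip_address(ip) in APPLE_NETBLOCK


def hostname_matches_cert(hostname: str, cert_names) -> bool:
    """RFC 6125-style check: exact match, or a wildcard only in the leftmost label."""
    hostname = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == hostname:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # '*.push.apple.com' -> '.push.apple.com'
            prefix = hostname[: -len(suffix)] if hostname.endswith(suffix) else ""
            # The wildcard covers exactly one non-empty label.
            if prefix and "." not in prefix:
                return True
    return False


def explain_mismatch(hostname: str, cert_names) -> str:
    """Summarise the outcome the way a proxy log entry would show it."""
    if hostname_matches_cert(hostname, cert_names):
        return f"{hostname}: name matches certificate {sorted(cert_names)}"
    return f"{hostname}: no match in certificate names {sorted(cert_names)}"


if __name__ == "__main__":
    rng = random.Random(34)  # seeded so the demo is repeatable
    host = pick_courier_hostname(SAMPLE_TXT_RECORD, rng)
    print("daemon will resolve:", host)
    print("17.188.1.1 in Apple netblock:", in_apple_netblock("17.188.1.1"))
    # Certificate valid only for courier.push.apple.com, as the article describes.
    print(explain_mismatch(host, ["courier.push.apple.com"]))
    # For contrast: a wildcard certificate would have covered the numbered name.
    print(explain_mismatch(host, ["*.push.apple.com"]))
```

Run it as a script to see the mismatch printed for a numbered courier name; the same hostname check is what a filtering proxy performs when it compares the requested name against the server certificate, which is why the numbered name has to bypass the proxy rather than be inspected.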

Solution

To make the Meraki software work:

Firewall Rules

Ports that need to be open for outgoing traffic:

  • TCP and UDP 2196 for all IPs
  • TCP and UDP 5223 for all IPs
  • TCP and UDP 49321 to 49335 for all IPs
  • TCP 443 to 17.0.0.0/8
  • TCP 80 to 17.0.0.0/8

Guardian Policies

  1. Go to Web proxy » Web proxy » Automatic configuration.
  2. Add the following to the built-in exceptions:
     push.apple.com
     17.0.0.0/8
  3. Add the following to Guardian » Web filter » Exceptions » Manage destination exceptions:
     17.0.0.0/8
  4. Add the following categories to Web proxy » Authentication » Exceptions:
     iTunes
     SSL / CRL
  5. Create a whitelist web filter policy for the iTunes category.
  6. Create a whitelist web filter policy for the SSL / CRL category.
  7. Move both policies to the top of the Web filter policies table.

Note: You may also need to do the above for the meraki.com domain.

Attribution

Last updated: 30 August 2016
Author: DMT
Contributions by:

Copyright © 2000-2016 Smoothwall. All rights reserved.