Adding ‘OSX Server Account’ from outside


I've set up an OS X Server, and I'm now trying to make its services available from outside my local network. From inside the LAN, the iCal service works fine when I add an 'OS X Server Account' via 'Internet Accounts' in System Preferences.

When I attempt to connect from the outside, it tells me it is "Unable to verify user credentials". The server is behind a firewall, so I've forwarded numerous ports in an attempt to get it to work. Initially I only added 8008 and 8443, as they are used for the iCal services, but as that did not work I attempted to forward other ports that might be relevant (based on their description in this list). This has not led me to any success, however.

What ports do I need to forward for the OS X Server Accounts to be available? The server is running Open Directory, so I'm assuming that the services rely on Kerberos for authentication? Is Bonjour relevant for this scenario, since I already know the IP I'll be connecting to?

Note: I'm not talking about Network Accounts, and have no intentions of logging in to network accounts remotely.

[screenshot: Adding OS X Server account]

Best Answer

This is a partial answer, but it perhaps contains valuable information to whoever is reading this.

As I was able to add an 'Internet account' from inside the LAN, I decided to set Wireshark to work and try to figure out the port that way. I found out that the initial authentication and selection of services is done via port 443.

After forwarding port 443, I was able to add the internet account from outside the network. This pretty much answers the question, but does not resolve the issue for the full 100% yet, so I figured I'd still keep this open for a bit.

At this point I'm stuck at creating an agenda in the iCal account, however, running into a rather generic error message:

critical error

This is a work in progress, and any pointers on that error are appreciated.

EDIT: Further network sniffing led to no more information. Once logged in, the rest of the traffic is conducted over port 8443, which is duly forwarded. However, it still won't work outside the network. The fact that it does not work via VPN either strikes me as odd, and makes me suspect a different issue than the TCP layer.
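The answer narrows the problem to "is it the TCP layer or something above it?". The following is an added example (not from the original post or from Apple) that probes the ports the answer identifies (443 for account setup, 8008/8443 for the iCal service) from the outside and gives a verdict, so a forwarding mistake can be ruled in or out before digging into authentication. The port roles, the `diagnose` wording and the default timeout are this example's assumptions.

```python
import socket
from contextlib import closing

# Port roles as described in the post (assumption: 443 must be open for the
# initial account setup, 8443 for the CalDAV traffic that follows).
PORTS = {
    443: "account setup / service discovery (HTTPS)",
    8008: "iCal / CalDAV (plain HTTP)",
    8443: "iCal / CalDAV (HTTPS)",
}


def tcp_reachable(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes within timeout.

    A refused or timed-out connection means the port is not forwarded,
    is filtered, or nothing is listening behind it.
    """
    try:
        with closing(socket.create_connection((host, port), timeout=timeout)):
            return True
    except OSError:
        return False


def probe_ports(host, ports=PORTS, timeout=3.0):
    """Probe every port in `ports`; returns {port: reachable}."""
    return {port: tcp_reachable(host, port, timeout) for port in ports}


def diagnose(results):
    """Turn probe results into a verdict separating TCP-layer from higher-layer causes."""
    closed = sorted(port for port, ok in results.items() if not ok)
    if 443 in closed:
        return "tcp: port 443 blocked; account setup fails before any authentication"
    if 8443 in closed:
        return "tcp: port 8443 blocked; account is added but CalDAV traffic cannot reach the server"
    if closed:
        return "tcp: non-essential port(s) blocked: " + ", ".join(str(p) for p in closed)
    return "tcp: all probed ports reachable; look above TCP (TLS, DNS, authentication)"


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <public-hostname-or-ip>
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder host
    outcome = probe_ports(host)
    for port, ok in sorted(outcome.items()):
        print(f"{port:5d} {'open' if ok else 'closed':6s} {PORTS[port]}")
    print(diagnose(outcome))
```

Run it from a machine outside the LAN (and again over the VPN) against the public address; two runs that both report every port open point the investigation away from port forwarding.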