External and Internet rules
The following table outlines the firewall rules required for external and internet access for:
- MobileIron Core Appliance (physical or virtual)
  NOTE: All ports (except UDP) should be 'bi-directional' to allow information / data exchange between systems.
- Sentry Appliance (physical or virtual, ActiveSync / AppTunnel)
  NOTE: The Sentry must be able to resolve the Core hostname (via DNS lookup) or a hostfile entry must be added.
- MobileIron Access

MobileIron Core Appliance and the Sentry Appliance items communicate with each other.
| Requirement | Description | Port |
|---|---|---|
| Traffic from Internet/Outside to MobileIron Core (MobileIron Core is in the DMZ) | | |
| iOS end-user devices | Open HTTPS 443 for iOS device access to the MobileIron Core to support MDM. If you are not using iOS MDM, then this port is not required. | HTTPS 443 |
| End-user devices | Open HTTPS 443 or HTTP 8080 from the internet to the MobileIron Core appliance (for client provisioning traffic) | HTTPS 443; HTTP 8080 (evals only) |
| End-user devices | Open TCP 9997 from the internet to the MobileIron Core appliance (for TLS secured client sync traffic) | TCP 9997 |
| Traffic from MobileIron Core to Internet/Outside (MobileIron Core is in the DMZ) | | |
| MobileIron Access | access-na1.mobileiron.com, access-eu1.mobileiron.com | HTTPS 443 |
| Android enterprise | https://accounts.google.com/o/oauth2/token, https://www.googleapis.com/androidenterprise | HTTPS 443 |
| MobileIron Gateway and Apple APNS (HTTPS) | | HTTPS 443 |
| Apple APNS and MDM Services | Open ports and 2195, 2196, 2197 (TCP) between Core and Apple's APNS network (17.0.0.0/8) for support of APNS for iOS devices. If you are not using iOS MDM, then this port is not required. | HTTPS 443; TCP 2195, 2196, 2197 |
| iOS VPP and Windows notification / check-ins | Open HTTPS 443 for the following access: https://vpp.itunes.apple.com (known to be redirected to: www.apple.com, securemetrix.apple.com), *.wns.windows.com, *.notify.windows.com | HTTPS 443 |
| iTunes, Maps/Location, Windows 10, Windows 8.1 RT/Pro Apps | Open HTTPS 443 or HTTP 80 for the following access: | HTTPS 443; HTTP 80 |
| Traffic from Internet/Outside to Standalone Sentry (Standalone Sentry is in the DMZ) | | |
| End-user devices to access email via MobileIron Sentry or to access backend resources via AppTunnel or Tunnel | Open HTTPS 443 or HTTP 80 from the internet for ActiveSync client traffic, or open HTTPS 443 for AppTunnel or Tunnel traffic | HTTPS 443 or HTTP 80 |
| Traffic from Standalone Sentry to Internet/Outside (Standalone Sentry is in the DMZ) | | |
| MobileIron software upgrades | support.mobileiron.com (199.127.90.0/23) for software update repository and SFTP upload of showtech log | HTTPS 443 |

- For firewall rules required for the internal corporate network, see Internal Corporate Network Rules.
- For additional firewall rules, see Additional Firewall Rules.
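
The following Python check is an added example, not MobileIron code. It audits a candidate set of TCP allow rules against the "Internet/Outside to MobileIron Core" rows and the Apple APNS row of the table. The rule schema, the `audit` function and the sample ruleset are assumptions made for illustration, and IPv4 destinations are assumed.

```python
import ipaddress

# Inbound Internet -> Core TCP ports listed in the table.
LISTED_IN = {443, 8080, 9997}
EVAL_ONLY = {8080}  # "HTTP 8080 (evals only)"
# Outbound Core -> Apple APNS: TCP ports and destination network from the table.
APNS_PORTS = {2195, 2196, 2197}
APNS_NET = ipaddress.ip_network("17.0.0.0/8")


def audit(rules, evaluation=False):
    """Return sorted findings for a list of TCP allow rules.

    Hypothetical rule schema: {"direction": "in" | "out",
    "ports": (low, high) inclusive, "dst": CIDR string (outbound only)}.
    """
    findings, opened = set(), set()
    for rule in rules:
        low, high = rule["ports"]
        if rule["direction"] == "in":
            listed = {p for p in LISTED_IN if low <= p <= high}
            opened |= listed
            # A range wider than the listed ports exposes extra services.
            if high - low + 1 > len(listed):
                findings.add(f"inbound {low}-{high} opens ports the table does not list")
            if listed & EVAL_ONLY and not evaluation:
                findings.add("inbound tcp/8080 is listed for evals only")
        elif any(low <= p <= high for p in APNS_PORTS):
            dst = ipaddress.ip_network(rule["dst"])
            if not dst.subnet_of(APNS_NET):
                findings.add(f"outbound APNS ports allowed to {dst}, wider than {APNS_NET}")
    if 9997 not in opened:
        findings.add("inbound tcp/9997 (client sync) is not open")
    if 443 not in opened and not (evaluation and 8080 in opened):
        findings.add("no provisioning port open (HTTPS 443, or HTTP 8080 on evals)")
    return sorted(findings)


# Constructed sample ruleset, not taken from any real deployment.
SAMPLE = [
    {"direction": "in", "ports": (443, 443)},
    {"direction": "in", "ports": (8000, 8100)},
    {"direction": "out", "ports": (2195, 2197), "dst": "0.0.0.0/0"},
    {"direction": "out", "ports": (443, 443), "dst": "17.0.0.0/8"},
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Pass `evaluation=True` only for an evaluation deployment; in that mode an open HTTP 8080 is accepted as the provisioning port.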