External and Internet rules

The following table outlines the firewall rules required for external and internet access for:

  • MobileIron Core Appliance (physical or virtual)

    NOTE: All ports (except UDP) should be 'bi-directional' to allow information / data exchange between systems.

  • Sentry Appliance (physical or virtual, ActiveSync / AppTunnel)

    NOTE: The Sentry must be able to resolve the Core hostname (via DNS lookup) or a hostfile entry must be added.
  • MobileIron Access

MobileIron Core Appliance and the Sentry Appliance items communicate with each other.

table 1. External and Internet Rules

Requirement

Description

Port

Traffic from Internet/Outside to MobileIron Core

MobileIron Core is in the DMZ

iOS end-user devices

Open HTTPS 443 for iOS device access to the MobileIron Core to support MDM. If you are not using iOS MDM, then this port is not required.

HTTPS 443

End-user devices

Open HTTPS 443 or HTTP 8080 from the internet to the MobileIron Core appliance (for client provisioning traffic)

NOTE: Using HTTPS 443 for provisioning requires signed certificates. Using HTTP 8080 is recommended only for evaluations, and not for production systems.

HTTPS 443 HTTP 8080 (evals only)

End-user devices

Open TCP 9997 from the internet to the MobileIron Core appliance (for TLS secured client sync traffic)

TCP 9997

Traffic from MobileIron Core to Internet/Outside

MobileIron Core is in the DMZ

MobileIron Access

access-na1.mobileiron.com

access-eu1.mobileiron.com

HTTPS 443

Android enterprise

https://accounts.google.com/o/oauth2/token https://www.googleapis.com/androidenterprise

HTTPS 443

MobileIron Gateway and Apple APNS (HTTPS)
  • support.mobileiron.com (199.127.90.0/23 ) for software update repository and upload of showtech log.

  • Open HTTPS 443 to:

    • appgw.mobileiron.com,
    • coresms.mobileiron.com,
    • coreapns.mobileiron.com,
    • clm.mobileiron.com,
    • api.push.apple.com,
    • supportcdn.mobileiron.com,
    • coregcm.mobileiron.com
    • corefcm.mobileiron.com (199.127.90.0/23)

    for location/number lookup data, in-app registration, APNS/FCM/GCM messaging, licensing, and support for sending SMS.

  • a.mobileiron.net for anonymized statistics collection. As the IP range for CDN sites (for example: supportcdn.mobileiron.com) may change from time to time, whitelist the domain name instead of the IP in the firewall if there is an option to do so. Otherwise, use support.mobileiron.com to download the updates instead of supportcdn.mobileiron.com.
  • api.push.apple.com to use APNSv2.

HTTPS 443

Apple APNS and MDM Services

Open ports and 2195, 2196, 2197 (TCP) between Core and Appleā€™s APNS network (17.0.0.0/8) for support of APNS for iOS devices. If you are not using iOS MDM, then this port is not required.

  • TCP 2195:gateway.push.apple.com
  • TCP 2196: feedback.push.apple.com
  • TCP 2197: api.push.apple.com (optional, alternative for HTTPS 443)

HTTPS 443

TCP 2195, 2196, 2197

iOS VPP and Windows notification / check‑ins

Open HTTPS 443 for the following access: https://vpp.itunes.apple.com

(Known to be redirected to: www.apple.com, securemetrix.apple.com)

*.wns.windows.com, *.notify.windows.com

HTTPS 443

iTunes, Maps/Location, Windows 10, Windows 8.1 RT/Pro Apps

Open HTTPS 443 or HTTP 80 for the following access:

  • itunes.apple.com, *.phobos.apple.com, and *.mzstatic.com for performing iTunes App Store lookups.
  • https://storeedgefd.dsx.mp.microsoft.com for Windows 10 app store lookups.
  • http://marketplaceedgeservice.windowsphone.com, http://cdn.marketplaceimages.windowsphone.com for performing Windows 8.1 store lookups,Windows 8.1 store search, app images and services.
  • https://api.mqcdn.com for locating devices (IP addresses vary. Perform an nslookup to determine the necessary IP addresses.)
  • http://store-images.microsoft.com/image/apps http://developer.mapquest.com
    http://store-images.s-microsoft.com/image/apps for downloading Windows apps and graphics
  • http://hoedus.mobileiron.com/v1/api/ for doing Google Play Store lookups.

HTTPS 443

HTTP 80

Traffic from Internet/Outside to Standalone Sentry

Standalone Sentry is in the DMZ

End user devices to access email via MobileIron Sentry or to Access backend resources via AppTunnel or Tunnel

Open HTTPS 443 or HTTP 80 from the internet for ActiveSync client traffic or open HTTPS 443 for AppTunnel or Tunnel traffic

NOTE: For the Sentry Appliance (physical or virtual ActiveSync/AppTunnel), the Sentry must be able to resolve Core hostname (via DNS lookup) or a hostfile entry must be added.

HTTPS 443 or HTTP 80

Traffic from Standalone Sentry to Internet/Outside

Standalone Sentry is in the DMZ

MobileIron software upgrades

support.mobileiron.com (199.127.90.0/23) for software update repository and SFTP upload of showtech log

NOTE: For the Sentry Appliance (physical or virtual ActiveSync/AppTunnel), the Sentry must be able to resolve Core hostname (via DNS lookup) or a hostfile entry must be added.

HTTPS 443

 

Related topics