Internal corporate network rules
The following tables outline the firewall rules required for internal corporate network access for:
- MobileIron Core Appliance (physical or virtual): all ports (except UDP) should be bi-directional to allow information / data exchange between systems.
- Sentry Appliance (physical or virtual, ActiveSync / AppTunnel): the Sentry must be able to resolve the Core hostname (via DNS lookup) or a hosts file entry must be added.
The MobileIron Core Appliance and the Sentry Appliance communicate with each other.
Traffic from Internal Corporate Network to MobileIron Core (MobileIron Core is in the DMZ)

Requirement | Description | Port
--- | --- | ---
MobileIron administrator access (System Manager) | Open HTTPS 8443 from the corporate network to the MobileIron Core appliance | HTTPS 8443
MobileIron administrator access | Open HTTPS 443 and SSH 22 from the corporate network to the MobileIron Core appliance | HTTPS 443, SSH 22
MobileIron Enterprise Connector (Optional LDAP Proxy) | Open HTTPS 443 from Enterprise Connector to MobileIron Core | HTTPS 443
MobileIron Reporting Database (Optional) | Ensure that HTTPS 7443 from the MobileIron Reporting Database to MobileIron Core is open. It is open by default. | HTTPS 7443
Self-service user portal | Open HTTPS 443 from the corporate network to the MobileIron Core appliance | HTTPS 443

Traffic from MobileIron Core to Internal Corporate Network (MobileIron Core is in the DMZ)

Requirement | Description | Port
--- | --- | ---
LDAP / Active Directory | LDAP user lookup and authentication | TCP 636 (secure) or TCP 389
SMTP Relay for SMS and Email Notifications | Open TCP 25 (if not in DMZ) and define the SMTP relay server | TCP 25
DNS Lookup | Open UDP 53 (if not in DMZ) and define DNS server(s) | UDP 53
NTP Time Synchronization Service | Open UDP 123 (if not in DMZ) and define NTP server(s) | UDP 123
Certificate / SCEP Server | SCEP Proxy Configuration | HTTP 443
MobileIron Core access to MobileIron Sentry | Open HTTPS 9090 (primary access) and HTTPS 443 (view of Sentry certificate) to the MobileIron Sentry appliance | HTTPS 9090 and HTTPS 443
MobileIron Sentry access to MobileIron Core | Open HTTPS 8443 to the MobileIron Core appliance (HTTPS 8443 is the default, but HTTPS 443 is also supported) | HTTPS 8443

Traffic from Internal Corporate Network to MobileIron Standalone Sentry (Standalone Sentry is in the DMZ)

Requirement | Description | Port
--- | --- | ---
MobileIron administrator access | Open HTTPS 8443 from the corporate network to Sentry (System Manager access) | HTTPS 8443
MobileIron administrator access | Open SSH 22 from the corporate network to Sentry | SSH 22

Traffic from MobileIron Standalone Sentry to Internal Corporate Network (Standalone Sentry is in the DMZ)

Requirement | Description | Port
--- | --- | ---
CIFS-based Content Server | Open TCP 445 if using Docs@Work with CIFS-based content servers | TCP 445
Certificate / SCEP Server | SCEP server / CA access (for CRL verification only) | HTTP 80 or HTTPS 443
App Server for AppTunnel | Open HTTP 80 or HTTPS 443 to the app/content server if configuring this Sentry for AppTunnel | HTTP 80 or HTTPS 443 (typically)
Exchange ActiveSync | Open HTTP 80 or HTTPS 443 to the ActiveSync server if configuring this Sentry for email service | HTTP 80 or HTTPS 443
DNS Lookup | Open UDP 53 (if not in DMZ) and define DNS server(s) | UDP 53
NTP Time Synchronization | Open UDP 123 (if not in DMZ) and define NTP server(s) | UDP 123
LDAP / Active Directory | Open TCP/UDP 389 for Kerberos LDAP ping (optional; used for Kerberos-constrained delegation) | TCP/UDP 389
SMTP Relay for Sentry Console Email Notifications | Open TCP 25 (if not in DMZ) and define the SMTP relay server | TCP 25
Kerberos Server | Open TCP 88 (for Kerberos-constrained delegation) | TCP 88
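As an added example (not part of the MobileIron documentation), the following script transcribes the "MobileIron Core is in the DMZ" rows above into a rule set and audits a firewall policy against it, reporting rows with no matching allow rule, rows met only by the less secure alternative (plain LDAP 389 instead of LDAPS 636), and allow rules the table never calls for. Zone names such as "corp", "core", "sentry", "ldap" and the sample policy are assumed labels constructed for the example.

```python
from collections import namedtuple
# One allow rule; zone names such as "corp", "core", "sentry" are assumed labels.
Rule = namedtuple("Rule", "src dst proto port")

# Requirements transcribed from the "MobileIron Core is in the DMZ" rows above:
# a label and the acceptable rules, most secure alternative first.
REQUIRED = [
    ("System Manager (HTTPS 8443)", [Rule("corp", "core", "tcp", 8443)]),
    ("Admin and self-service portal", [Rule("corp", "core", "tcp", 443)]),
    ("Admin SSH", [Rule("corp", "core", "tcp", 22)]),
    ("LDAP lookup", [Rule("core", "ldap", "tcp", 636),    # LDAPS (secure)
                     Rule("core", "ldap", "tcp", 389)]),  # plain LDAP
    ("SMTP relay", [Rule("core", "smtp", "tcp", 25)]),
    ("DNS lookup", [Rule("core", "dns", "udp", 53)]),
    ("NTP", [Rule("core", "ntp", "udp", 123)]),
    ("Core to Sentry", [Rule("core", "sentry", "tcp", 9090)]),
    ("Core to Sentry certificate view", [Rule("core", "sentry", "tcp", 443)]),
    ("Sentry to Core", [Rule("sentry", "core", "tcp", 8443)]),
]

def audit(policy):
    """Compare a list of allow rules with REQUIRED.
    Returns (missing, downgraded, extra): labels with no matching rule, labels
    met only by a less secure alternative, and rules the table never asks for.
    """
    present = set(policy)
    missing, downgraded = [], []
    for label, alternatives in REQUIRED:
        hits = [r for r in alternatives if r in present]
        if not hits:
            missing.append(label)
        elif hits[0] != alternatives[0]:
            downgraded.append(label)
    allowed = {r for _, alternatives in REQUIRED for r in alternatives}
    return missing, downgraded, sorted(present - allowed)

# Constructed sample policy: plain LDAP instead of LDAPS, NTP forgotten, and an
# SSH allow from the internet that no row in the table calls for.
SAMPLE_POLICY = [
    Rule("corp", "core", "tcp", 8443), Rule("corp", "core", "tcp", 443),
    Rule("corp", "core", "tcp", 22), Rule("core", "ldap", "tcp", 389),
    Rule("core", "smtp", "tcp", 25), Rule("core", "dns", "udp", 53),
    Rule("core", "sentry", "tcp", 9090), Rule("core", "sentry", "tcp", 443),
    Rule("sentry", "core", "tcp", 8443), Rule("internet", "core", "tcp", 22),
]

if __name__ == "__main__":
    for kind, items in zip(("missing", "downgraded", "extra"), audit(SAMPLE_POLICY)):
        print(f"{kind}: {items}")
```

Extend REQUIRED with the Standalone Sentry rows to audit the Sentry policy the same way.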
- For the firewall rules required between the internal network and the outside, see External and Internet Rules.
- For additional firewall rules, see Additional Firewall Rules.