Port Settings

Use the Settings > Port Settings > Port Configuration options to change settings for the following Ivanti services:

  • Sync TLS
  • MIFS Admin
  • Sentry Service
  • Apps@Work
  • Local CA Certificate Revocation List

Port setting considerations

  • If you enable client mutual certificate authentication and you are using iOS devices with the Apps@Work web clip using certificate authentication, you must change the Apps@Work Port setting.
  • Other changes to the default port settings are seldom necessary.
  • Making changes to these settings sometimes requires that you re-register devices, so use caution when making changes.

Changing port settings

Procedure 

  1. Log into System Manager.
  2. Go to Settings > Port Settings to open the Port Configuration window.
  3. Edit the fields, as necessary.
  4. Refer to the Port Configuration window table for details.

    The port and protocol default values for newly-issued Local CA Certificate Revocation List (CRL) distribution points (CDP) have changed. Beginning with the 10.4 Ivanti EPMM release, new Local CDPs will use port 8080 and protocol HTTP by default. You don't need to generate a new CSR or replace the old certificates. Local CDPs that were configured to use HTTPS through port 443 will still be reachable.

Changing the default CRL protocol and port configuration

Use the Settings > Port Settings > CRL (Certificate Revocation List) protocol and port configuration options to change the default protocol and port for all local certificate authorities (CA).

For new installations, the default value for the certificate revocation list (CRL) is protocol HTTP and port 8080. The need to change the default port is rare. However, if you do modify the CRL port, verify that no other Ivanti EPMM service is using that port. For example, port 9997 is the default value for Sync TLS, and using the same port for CRL will result in service disruptions.

Procedure 

  1. Log into System Manager.
  2. Go to Settings > Port Settings to open the Port Configuration window.
  3. Scroll down to the CRL (Certificate Revocation List) protocol and port configuration section.
  4. Select the default CRL protocol.

    • CRL Protocol: HTTPS or HTTP
    • CRL Port: defaults to the port supporting the selected protocol. If you choose HTTP, you can leave the default (8080), or modify the CRL port number.

      When the CRL port and protocol change, verify that the old port is open on the network firewall. Otherwise, apps (such as Apps@Work) using certificates from before the port change will time out during the certificate revocation verification check.

  5. Click Apply.
  6. Click Save (in the top-right of the page) to globally save your choices when the system is rebooted.
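
A pre-change check for the CRL settings above, as an added example that is not Ivanti's code: it flags a planned CRL port that collides with a port that must stay exclusive, and lists the old CDP endpoints the firewall still has to allow. The function names, host name and CDP URLs are constructed for illustration; the port numbers are the defaults stated on this page.

```python
from urllib.parse import urlsplit

# Port a client uses when a CDP URL carries no explicit port.
SCHEME_DEFAULT_PORT = {"http": 80, "https": 443}

# Ports this page says must not be reused (defaults from the page).
EXCLUSIVE = {"Sync TLS": 9997, "Sync service": 9999}

# Constructed sample: CDP URLs as read from certificates issued before the
# change (for example with an X.509 viewer). Host and path are placeholders.
ISSUED = [
    "https://epmm.example.com/constructed/ca.crl",
    "http://epmm.example.com:8080/constructed/ca.crl",
]


def cdp_endpoint(url):
    """Return the (scheme, port) a client contacts to fetch the CRL at url."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEME_DEFAULT_PORT:
        raise ValueError(f"unsupported CDP scheme in {url!r}")
    return scheme, parts.port or SCHEME_DEFAULT_PORT[scheme]


def review_crl_change(new_protocol, new_port, exclusive_ports, issued_cdp_urls):
    """Check a planned CRL protocol/port before it is applied.

    Returns (conflicts, keep_open):
      conflicts - names of services whose exclusive port equals new_port
      keep_open - old (scheme, port) pairs that issued certificates still
                  point to and that the firewall must continue to allow
    """
    conflicts = sorted(n for n, p in exclusive_ports.items() if p == new_port)
    new_endpoint = (new_protocol.lower(), new_port)
    old_endpoints = {cdp_endpoint(u) for u in issued_cdp_urls}
    keep_open = sorted(old_endpoints - {new_endpoint})
    return conflicts, keep_open


if __name__ == "__main__":
    for proto, port in (("HTTP", 8080), ("HTTP", 9997)):
        conflicts, keep_open = review_crl_change(proto, port, EXCLUSIVE, ISSUED)
        print(f"{proto}/{port}: conflicts={conflicts} keep_open={keep_open}")
```
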

Verifying Sentry connectivity

Procedure 

To verify that Standalone Sentry is successfully connecting with Ivanti EPMM:

  1. Log into System Manager for the Standalone Sentry.
  2. Go to Troubleshooting > Service Diagnosis.
  3. For EMM service, click Verify.
  4. The Status for the EMM service should show Success.

Port Configuration window

The following table summarizes fields and descriptions in the Port Configuration window:

Table 17.  Fields and descriptions of the Port Configuration window

Fields

Description

Sync TLS Port

Enter the port. However, changing this port from the default port 9997 is rare. This port cannot be the same as any other ports specified in the Port Configuration section.

This port is used for Mobile@Work for iOS and Android registration and device check-ins and AppConnect check-ins when mutual authentication is not enabled.

Select Disable to close this port only if all of the following are true:

  • This Ivanti EPMM is a new installation, not an upgrade.
  • You enable mutual authentication before any devices register.
  • iOS devices are using only Mobile@Work 9.8 for iOS through the most recently released version as supported by Ivanti.

For more information, see “Mutual authentication between devices and Ivanti EPMM” in the Ivanti EPMM Device Management Guide.

MIFS Admin Port

You can change the MIFS Admin port from port 443 (the default) to port 8443. Using port 443 enhances the security of communications across the port because port 8443 can be blocked.

Sentry Service Port

The port that Standalone Sentry uses to communicate with Ivanti EPMM is called the Sentry service port. Standalone Sentry communicates with Ivanti EPMM over port 8443 to get device information. The default Sentry service port is port 8443.

Using port 8443 as the Sentry service port adds an additional layer of security. Typically, port 8443 is not accessible on the public Internet. Using port 8443 helps ensure that the Sentry service port is protected against unauthorized external access.

Ivanti recommends that port 8443 is used as the Sentry service port. If your firewall rules do not allow connections to the Sentry service port on 8443, you can configure 443 as the Sentry service port.

If the Sentry service port is 8443, Ivanti EPMM will only respond to requests on port 8443. Requests to 443 will be redirected to 8443. If the Sentry service port is 443, Ivanti EPMM will only respond to requests on port 443. Requests to 8443 will be redirected to 443.

If the Sentry service port is 443, it is important that you define a Portal ACL for the Sentry connection.

Apps@Work Port

This port is used by Apps@Work on iOS, Android, and macOS devices to communicate with Ivanti EPMM. By default, it is port 443.

Change the port in these cases:

  • If both of the following are true:

    • You enabled client mutual certificate authentication on the Admin Portal at Settings > Security > Certificate Authentication.
    • You are using iOS devices with the Apps@Work web clip using certificate authentication.
  • If identity certificates with the root CA “CN=DigiCert Assured ID Root CA” are issued to iOS devices.

    For example, you might use identity certificates with this root CA in the Exchange, VPN, or Wi-Fi settings that you apply to iOS devices.

If you change the port, Ivanti recommends port 7443. However, you can use any port except the port that the MIFS Admin Port uses, which is either 443 or 8443.

Atlas Port

Atlas is a legacy product of Ivanti EPMM versions prior to Ivanti EPMM 10.2.0.0. This feature is an Ivanti service which aggregates data from multiple Ivanti EPMMs, extending reporting and management services.

The port is 443 by default, but you have the option to change it when enabled.

Other port services not configurable from the UI include:

  • Sync service port – Default port is 9999 and cannot be changed.
  • Provisioning protocol – Default protocol is HTTPS and cannot be changed.
  • Provisioning port – Default port is 443 and cannot be changed.