Allowing access to the App Gateway

In order to create an MTD local action policy, you must grant MobileIron Core access to the App Gateway so that it can download threat definitions. The following tables list the ports required for registering with the App Gateway.

Before you begin

Be sure you have completed Adding Core as your MDM server in Threat Management Console.

External and Internet rules

The following table outlines the firewall rules required for Internet/Outside access for:

  • MobileIron Core Appliance (physical or virtual) - All ports (except UDP) should be 'bi-directional' to allow information / data exchange between systems.
  • Sentry Appliance (physical or virtual, ActiveSync / AppTunnel) - the Sentry must be able to resolve the Core hostname (via DNS lookup) or a hostfile entry must be added.

MobileIron Core Appliance and the Sentry Appliance items communicate with each other.

Table 1. External and Internet rules

Traffic from Internet/Outside to MobileIron Core (MobileIron Core is in the DMZ)

  Requirement: MobileIron Threat Defense scanning on iOS
  Description: Voice network service (VNS) gateway URLs:
               Registration URL: https://appgw.mobileiron.com/api/v1/gateway/vns/organization
               Configuration URL: https://appgw.mobileiron.com/api/v1/gateway/vns/configuration
  Port: HTTPS 443

Traffic from MobileIron Core to Internet/Outside (MobileIron Core is in the DMZ)

  Requirement: Apple APNS and MDM Services
  Description: Open ports 443 (HTTPS) and 2195, 2196, 2197 (TCP) between Core and Apple's Apple Push Notification Service (APNS) network (17.0.0.0/8) to support APNS for iOS devices. If you are not using iOS MDM, these ports are not required.
               HTTPS 443: api.push.apple.com
               TCP 2195: gateway.push.apple.com
               TCP 2196: feedback.push.apple.com
               TCP 2197: api.push.apple.com (optional, alternative for HTTPS 443)
  Port: HTTPS 443; TCP 2195, 2196, 2197

  Requirement: MobileIron Gateway
  Description: Open HTTPS 443 to support.mobileiron.com (199.127.90.0/23) for the software update repository and upload of showtech logs. Open HTTPS 443 to appgw.mobileiron.com, coresms.mobileiron.com, coreapns.mobileiron.com, clm.mobileiron.com, api.push.apple.com, supportcdn.mobileiron.com, coregcm.mobileiron.com, and corefcm.mobileiron.com (199.127.90.0/23) for location/number lookup data, in-app registration, APNS/FCM/GCM messaging, licensing, and support for sending SMS. Open HTTPS 443 to a.mobileiron.net for anonymized statistics collection. Because the IP range for CDN sites (for example, supportcdn.mobileiron.com) may change from time to time, whitelist the domain name instead of the IP in the firewall if there is an option to do so. Otherwise, use support.mobileiron.com to download the updates instead of supportcdn.mobileiron.com.
  Port: HTTPS 443

  Requirement: AppConfig Community Repository
  Description: https://appconfig.cdn.mobileiron.com
  Port: HTTPS 443
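As an added example (not MobileIron's code), the Core-to-Internet rows of Table 1 modelled as an egress allowlist that can check a proposed outbound flow and render the list as iptables OUTPUT rules. The feature labels "mtd" and "ios_mdm", the HTTPS 443 assumption for a.mobileiron.net, and the iptables rendering are assumptions of this example; a hostname that resolves outside the block the table gives for it is refused.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class EgressRule:
    name: str
    hosts: dict     # destination hostname -> TCP ports, taken from Table 1
    cidr: str       # IP block the table gives; "" where the page says it may change (CDN)
    feature: str    # "core" is always needed; others only when that feature is deployed

# Rule set constructed from Table 1 (Core -> Internet); hostnames and blocks are the page's.
CORE_EGRESS = (
    EgressRule("MTD App Gateway (VNS)", {"appgw.mobileiron.com": (443,)}, "199.127.90.0/23", "mtd"),
    EgressRule("Apple APNS", {"api.push.apple.com": (443, 2197), "gateway.push.apple.com": (2195,),
                              "feedback.push.apple.com": (2196,)}, "17.0.0.0/8", "ios_mdm"),
    EgressRule("MobileIron gateway services",
               dict.fromkeys(("support.mobileiron.com", "coresms.mobileiron.com",
                              "coreapns.mobileiron.com", "clm.mobileiron.com",
                              "coregcm.mobileiron.com", "corefcm.mobileiron.com"), (443,)),
               "199.127.90.0/23", "core"),
    EgressRule("MobileIron CDN and statistics",   # 443 for a.mobileiron.net is an assumption
               dict.fromkeys(("supportcdn.mobileiron.com", "a.mobileiron.net",
                              "appconfig.cdn.mobileiron.com"), (443,)), "", "core"),
)

def active_rules(features=()):
    """Keep only the rules the deployment needs (e.g. no APNS ports without iOS MDM)."""
    return [r for r in CORE_EGRESS if r.feature == "core" or r.feature in features]

def match(host, ip, port, features=()):
    """Return the name of the rule permitting host:port for the resolved ip, or None.
    A hostname whose address falls outside its published block is refused, which
    flags DNS answers that do not point at the vendor's range."""
    addr = ipaddress.ip_address(ip)
    for r in active_rules(features):
        if port in r.hosts.get(host, ()):
            if r.cidr and addr not in ipaddress.ip_network(r.cidr):
                return None
            return r.name
    return None

def iptables_lines(features=()):
    """Render OUTPUT-chain ACCEPT lines for the active rules. iptables resolves names
    once at load time, so reload the rules after a CDN or vendor IP change."""
    return [
        f"iptables -A OUTPUT -p tcp -d {h} --dport {p} -m comment --comment '{r.name}' -j ACCEPT"
        for r in active_rules(features) for h, ports in r.hosts.items() for p in ports
    ]
```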

Additional Firewall Rules

The following table outlines additional firewall rules from the internal corporate network to the Internet.

  • Organizations with local network-connected Wi-Fi must mirror the external firewall port configuration on their local DMZ firewall in order for Wi-Fi-connected devices to register and function day to day.
  • MobileIron Sentry does not support connection pooling via load balancer. Turn off your load balancer’s connection pooling before deploying.
Table 2. Additional Firewall Rules

  Requirement: iOS (Wi-Fi only) devices
  Description: Open TCP 5223 to 17.0.0.0/8 to allow iOS devices using corporate Wi-Fi to reach the Apple APNS service. If you are not using iOS MDM, this port is not required.
               For devices on closed networks, also allow:
               • ax.init.itunes.apple.com: current file-size limit for downloading apps over the cellular network.
               • ocsp.apple.com: status of the distribution certificate used to sign the provisioning profile.
  Port: TCP 5223

  Requirement: Android devices
  Description: To allow access to Google's FCM or GCM service, open TCP ports 5228, 5229, and 5230. FCM/GCM typically uses only TCP 5228, but it sometimes uses TCP 5229 and TCP 5230. FCM/GCM does not publish specific IPs, so allow your firewall to accept outgoing connections to all IP addresses in the IP blocks listed in Google's ASN 15169. For older devices, consider opening HTTPS 443 as well.
               For Android Enterprise: https://www.googleapis.com/androidenterprise and https://accounts.google.com/o/oauth2/token
               For Help@Work for Android: In general, TeamViewer will always work if Internet access is possible. As an alternative to HTTP 80, HTTPS 443 is also checked. It is also possible to open only TCP 5938 (required for mobile connections).
  Port: TCP 5228, TCP 5229, TCP 5230, HTTPS 443

For the full list of ports, see the MobileIron Core On-Premise Installation Guide.

NOTE: When registering MTD for the first time, an Updating Configuration message is displayed, prompting the device user: "Do you agree to allow your company to collect the list of apps on this device to report to the MobileIron Threat Defense service in order to protect your company's data?" The device user must tap Agree. If not, the Mobile@Work registration will not work and the device user will need to re-register and agree.