On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector 11.4.0.0 - 11.12.0.0

External and Internet rules

The following table outlines the firewall rules required for external and internet access for:

Ivanti EPMM Appliance (physical or virtual)

All ports (except UDP) should be 'bi-directional' to allow information / data exchange between systems.
Sentry Appliance (physical or virtual, ActiveSync / AppTunnel)

The Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup) or a hostfile entry must be added.
Access

Ivanti EPMM Appliance and the Sentry Appliance items communicate with each other.

**Table 9.** External and Internet rules
Requirement	Description	Port
Traffic from Internet/Outside of Ivanti EPMM Ivanti EPMM is in the DMZ
iOS end-user devices	Open HTTPS 443 for iOS device access to the Ivanti EPMM to support MDM. If you are not using iOS MDM, then this port is not required.	HTTPS 443
End-user devices	Open HTTPS 443 from the internet to the Ivanti EPMM appliance (for client provisioning traffic) Using HTTPS 443 for provisioning requires signed certificates.	HTTPS 443 (evals only)
End-user devices	Open TCP 9997 from the internet to the Ivanti EPMM appliance (for TLS secured client sync traffic)	TCP 9997
MTD Threat Management Console	Open port 8883 inbound from MTD Threat Management Console to Ivanti EPMM.	Port 8883
Traffic from Ivanti EPMM to Internet/Outside Ivanti EPMM is in the DMZ
Access	access-na1.mobileiron.com access-eu1.mobileiron.com	HTTPS 443
Android Enterprise	https://accounts.google.com/o/oauth2/token https://www.googleapis.com/androidenterprise	HTTPS 443
Ivanti EPMM Gateway and Apple APNS (HTTPS)	support.mobileiron.com: For software update repository and upload of Showtech log, open access to these IP addresses: 52.53.85.126 54.151.9.59 Ivanti recommends that you also open the following addresses, which will be used for future cloud deployment of the Application Gateway services: 54.176.117.219 54.176.235.82 54.193.230.188 54.241.222.178 54.241.114.195 54.177.110.251 50.18.43.125 Open HTTPS 443 (for location/number lookup data, in-app registration, APNS/FCM/GCM messaging, licensing, and support for sending SMS) to: coresms.mobileiron.com coreapns.mobileiron.com api.push.apple.com coregcm.mobileiron.com corefcm.mobileiron.com (current address: 199.127.90.0/23) appgw.mobileiron.com (current address: 199.127.90.0/23) Action required if you use Application Gateway (appgw.mobileiron.com) with explicit firewall rules: Due to scheduled Ivanti network maintenance, you must append these IP addresses to your existing firewall rules by December 16, 2022, to ensure no disruption of services: 34.227.203.115 34.231.78.119 35.168.168.163 18.207.62.107 18.209.150.213 23.21.143.22 Note: Allow traffic to both the current and new IP addresses prior to December 16, 2022, until further notice. You will receive a customer communication email with more information about the maintenance window when it is confirmed. Note: See also: Urgent Ivanti Endpoint Manager Mobile Gateway Update. a.mobileiron.net for anonymized statistics collection. As the IP range for CDN sites (for example: supportcdn.mobileiron.com) may change from time to time, whitelist the domain name instead of the IP in the firewall if there is an option to do so. Otherwise, use support.mobileiron.com to download the updates instead of supportcdn.mobileiron.com. api.push.apple.com to use APNSv2.	HTTPS 443
Apple APNS and MDM Services	Open ports are 2195, 2197 (TCP) between Ivanti EPMM and Apple’s APNS network (17.0.0.0/8) for support of APNS for iOS devices. If you are not using iOS MDM, then this port is not required. TCP 2195: gateway.push.apple.com TCP 2197: api.push.apple.com (optional, alternative for HTTPS 443)	HTTPS 443 TCP 2195, 2197
iOS VPP and Windows notification / check‑ins	Open HTTPS 443 for the following access: https://vpp.itunes.apple.com (Known to be redirected to: www.apple.com, securemetrix.apple.com) .wns.windows.com, .notify.windows.com	HTTPS 443
iTunes, Maps/Location, Windows 10, Windows 8.1 RT/Pro Apps	Open HTTPS 443 or HTTP 80 for the following access: *itunes.apple.com, .phobos.apple.com,** and .mzstatic.com for performing iTunes App Store lookups. https://storeedgefd.dsx.mp.microsoft.com for Windows 10 app store lookups. http://marketplaceedgeservice.windowsphone.com, http://cdn.marketplaceimages.windowsphone.com for performing Windows 8.1 store lookups,Windows 8.1 store search, app images and services. https://api.mqcdn.com* for locating devices (IP addresses vary. Perform an nslookup to determine the necessary IP addresses.) http://store-images.microsoft.com/image/apps http://developer.mapquest.com http://store-images.s-microsoft.com/image/apps for downloading Windows apps and graphics	HTTPS 443 HTTP 80
Google	Administrators must whitelist the following six IP addresses to ensure that end users can still get messages when Google migrates from Google Cloud Messaging (GMC) to Firebase Cloud Messaging (FCM): 18.207.169.70 34.206.49.117 52.20.247.99 52.22.230.26 52.45.189.15 107.22.86.228
Traffic from Internet/Outside to Standalone Sentry Standalone Sentry is in the DMZ
End user devices to access email via Sentry or to Access backend resources via AppTunnel or Tunnel	Open HTTPS 443 or HTTP 80 from the internet for ActiveSync client traffic or open HTTPS 443 for AppTunnel or Tunnel traffic For the Sentry Appliance (physical or virtual ActiveSync/AppTunnel), the Sentry must be able to resolve Ivanti EPMM hostname (via DNS lookup) or a hostfile entry must be added.	HTTPS 443 or HTTP 80
Traffic from Standalone Sentry to Internet/Outside Standalone Sentry is in the DMZ
Ivanti EPMM software upgrades	support.mobileiron.com (199.127.90.0/23) for software update repository and SFTP upload of showtech log For the Sentry Appliance (physical or virtual ActiveSync/AppTunnel), the Sentry must be able to resolve Ivanti EPMM hostname (via DNS lookup) or a hostfile entry must be added.	HTTPS 443