Allowing access to the App Gateway

In order to create an MTD local action policy, you must grant Ivanti EPMM access to the App Gateway so that it can download threat definitions. See the following table for the port information required for registering with the App Gateway.

Before you begin 

Be sure you have completed Adding Ivanti EPMM as your MDM server in the MTD console.

External and Internet rules

The following table outlines the firewall rules required for Internet/Outside access for:

  • MTD Ivanti EPMM Appliance (physical or virtual) - All ports (except UDP) should be 'bi-directional' to allow information / data exchange between systems.
  • Ivanti Sentry Appliance (physical or virtual, ActiveSync / AppTunnel) - the Ivanti Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup) or a hostfile entry must be added.

The MTD Ivanti EPMM Appliance and the Ivanti Sentry Appliance communicate with each other.

Table 3.  External and Internet rules (columns: Requirement, Description, Port)

Traffic from Internet/Outside to Ivanti EPMM (Ivanti EPMM is in the DMZ)

Requirement: Ivanti Mobile Threat Defense scanning on iOS
Description: Voice network service (VNS) gateway URLs:
  • Registration URL: https://appgw.mobileiron.com/api/v1/gateway/vns/organization
  • Configuration URL: https://appgw.mobileiron.com/api/v1/gateway/vns/configuration
Port: HTTPS 443

Traffic from Ivanti EPMM to Internet/Outside (Ivanti EPMM is in the DMZ)

Requirement: Apple APNS and MDM Services
Description: Open ports 443 (HTTPS) and 2195, 2196, 2197 (TCP) between Ivanti EPMM and Apple’s Apple Push Notification Service (APNS) network (17.0.0.0/8) to support APNS for iOS devices. If you are not using iOS MDM, these ports are not required.
  • HTTPS 443: api.push.apple.com
  • TCP 2195: gateway.push.apple.com
  • TCP 2196: feedback.push.apple.com
  • TCP 2197: api.push.apple.com (optional, alternative to HTTPS 443)
Port: HTTPS 443, TCP 2195, 2196, 2197

Requirement: Ivanti EPMM Gateway
Description: support.mobileiron.com (199.127.90.0/23) for the software update repository and upload of showtech logs.
Open HTTPS 443 (199.127.90.0/23) for location/number lookup data, in-app registration, APNS/FCM/GCM messaging, licensing, and support for sending SMS. a.mobileiron.net is used for anonymized statistics collection.
  • appgw.mobileiron.com
  • coresms.mobileiron.com
  • coreapns.mobileiron.com
  • clm.mobileiron.com
  • api.push.apple.com
  • supportcdn.mobileiron.com
  • coregcm.mobileiron.com
  • corefcm.mobileiron.com
As the IP range for CDN sites (supportcdn.mobileiron.com, for example) may change from time to time, whitelist the domain name instead of the IP in the firewall if there is an option to do so. Otherwise, use support.mobileiron.com to download updates instead of supportcdn.mobileiron.com.
Port: HTTPS 443

Requirement: AppConfig Community Repository
Description: https://appconfig.cdn.mobileiron.com
Port: HTTPS 443
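The following egress pre-check is an added example script, not Ivanti tooling: run from the Ivanti EPMM host, it walks a subset of the Table 3 endpoints, confirms each name resolves (the same DNS requirement the Sentry note above states), flags addresses that fall outside the blocks documented above (the CDN IP-drift case, where the name rather than the IP should be allowed), and tests a plain TCP connect on the documented port. The endpoint list and the 3-second timeout are assumptions.

```python
import ipaddress
import socket

# Constructed from Table 3 above: (hostname, TCP port, documented source block or None)
REQUIRED_EGRESS = [
    ("appgw.mobileiron.com", 443, None),
    ("support.mobileiron.com", 443, "199.127.90.0/23"),
    ("api.push.apple.com", 443, "17.0.0.0/8"),
    ("gateway.push.apple.com", 2195, "17.0.0.0/8"),
    ("feedback.push.apple.com", 2196, "17.0.0.0/8"),
]

def resolve(host):
    """IPv4 addresses the name resolves to; empty list when the DNS lookup fails."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def in_expected_range(ip, cidr):
    """True when ip lies inside the documented block (or no block is documented)."""
    return cidr is None or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def tcp_open(host, port, timeout=3.0):
    """Plain TCP connect; refused or timed out means the egress rule is missing."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_endpoint(host, port, cidr, timeout=3.0):
    """Classify one required endpoint as ok / dns / range / blocked."""
    addrs = resolve(host)
    if not addrs:
        return "dns", f"{host} does not resolve (add a DNS entry or hostfile line)"
    drift = [a for a in addrs if not in_expected_range(a, cidr)]
    if drift:  # CDN/IP ranges move: allow the name in the firewall, not the IP
        return "range", f"{host} resolves to {drift}, outside {cidr}"
    if not tcp_open(host, port, timeout):
        return "blocked", f"{host}:{port} not reachable"
    return "ok", f"{host}:{port} reachable via {addrs[0]}"

if __name__ == "__main__":
    for host, port, cidr in REQUIRED_EGRESS:
        status, detail = check_endpoint(host, port, cidr)
        print(f"{status:8} {detail}")
```

A "range" result is a prompt to review the firewall entry, not a failure of the endpoint itself: the page notes that CDN ranges change over time.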

Additional Firewall Rules

The following table outlines additional firewall rules from the internal corporate network to the Internet.

  • Organizations with local network-connected Wi-Fi must mirror the external firewall port configuration on their local DMZ firewall in order for Wi-Fi-connected devices to register and function day to day.
  • Ivanti Sentry does not support connection pooling via load balancer. Turn off your load balancer’s connection pooling before deploying.
Table 4.  Additional Firewall Rules (columns: Requirement, Description, Port)

Requirement: iOS (Wi-Fi only) devices
Description: Open TCP 5223 to 17.0.0.0/8 to allow iOS devices using corporate Wi-Fi to access the Apple APNS service. If you are not using iOS MDM, this port is not required.
For devices on closed networks:
  • ax.init.itunes.apple.com: Current file-size limit for downloading apps over the cellular network.
  • ocsp.apple.com: Status of the distribution certificate used to sign the provisioning profile.
Port: TCP 5223

Requirement: Android devices
Description: To allow access to Google's FCM or GCM service, open TCP ports 5228, 5229, and 5230. FCM/GCM typically uses only TCP 5228, but it sometimes uses TCP 5229 and TCP 5230. FCM/GCM does not publish specific IPs, so configure your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN 15169. For older devices, consider opening HTTPS 443 as well.
For Android Enterprise:
  • https://www.googleapis.com/androidenterprise
  • https://accounts.google.com/o/oauth2/token
For Help@Work for Android: In general, TeamViewer will always work if Internet access is possible. As an alternative to HTTP 80, HTTPS 443 is also checked. It is also possible to open only TCP 5938 (required for mobile connections).
Port: TCP 5228, TCP 5229, TCP 5230, HTTPS 443

For the full list of ports, see the On-Premise Installation Guide for Ivanti EPMM and Enterprise Connector.

When registering MTD for the first time, an Updating Configuration message is displayed, prompting the device user: "Do you agree to allow your company to collect the list of apps on this device to report to the Ivanti Mobile Threat Defense service in order to protect your company's data?" The device user must tap Agree. Otherwise, the Ivanti Mobile@Work registration will not complete, and the device user will need to re-register and agree.