External and Internet rules
The following table outlines the firewall rules required for external and internet access for:
- Core Appliance (physical or virtual)
  All ports (except UDP) should be 'bi-directional' to allow information / data exchange between systems.
- Sentry Appliance (physical or virtual, ActiveSync / AppTunnel)
  The Sentry must be able to resolve the Core hostname (via DNS lookup) or a hostfile entry must be added.
- Access

Core Appliance and the Sentry Appliance items communicate with each other.

| Requirement | Description | Port |
|---|---|---|
| Traffic from Internet/Outside to Core (Core is in the DMZ) | | |
| iOS end-user devices | Open HTTPS 443 for iOS device access to the Core to support MDM. If you are not using iOS MDM, then this port is not required. | HTTPS 443 |
| End-user devices | Open HTTPS 443 or HTTP 8080 from the internet to the Core appliance (for client provisioning traffic). Using HTTPS 443 for provisioning requires signed certificates. Using HTTP 8080 is recommended only for evaluations, and not for production systems. | HTTPS 443, HTTP 8080 (evals only) |
| End-user devices | Open TCP 9997 from the internet to the Core appliance (for TLS secured client sync traffic). | TCP 9997 |
| MTD Threat Management Console | Open port 8883 inbound from MTD Threat Management Console to Core. | Port 8883 |
| Traffic from Core to Internet/Outside (Core is in the DMZ) | | |
| Access | access-na1.mobileiron.com, access-eu1.mobileiron.com | HTTPS 443 |
| Android Enterprise | https://accounts.google.com/o/oauth2/token, https://www.googleapis.com/androidenterprise | HTTPS 443 |
| Core Gateway and Apple APNS (HTTPS) | | HTTPS 443 |
| Apple APNS and MDM Services | Open ports and 2195, 2196, 2197 (TCP) between Core and Apple’s APNS network (17.0.0.0/8) for support of APNS for iOS devices. If you are not using iOS MDM, then this port is not required. | HTTPS 443, TCP 2195, 2196, 2197 |
| iOS VPP and Windows notification / check‑ins | Open HTTPS 443 for the following access: https://vpp.itunes.apple.com (known to be redirected to: www.apple.com, securemetrix.apple.com), *.wns.windows.com, *.notify.windows.com | HTTPS 443 |
| iTunes, Maps/Location, Windows 10, Windows 8.1 RT/Pro Apps | Open HTTPS 443 or HTTP 80 for the following access: | HTTPS 443, HTTP 80 |
| Traffic from Internet/Outside to Standalone Sentry (Standalone Sentry is in the DMZ) | | |
| End user devices to access email via Sentry or to access backend resources via AppTunnel or Tunnel | Open HTTPS 443 or HTTP 80 from the internet for ActiveSync client traffic, or open HTTPS 443 for AppTunnel or Tunnel traffic. For the Sentry Appliance (physical or virtual ActiveSync/AppTunnel), the Sentry must be able to resolve Core hostname (via DNS lookup) or a hostfile entry must be added. | HTTPS 443 or HTTP 80 |
| Traffic from Standalone Sentry to Internet/Outside (Standalone Sentry is in the DMZ) | | |
| Core software upgrades | support.mobileiron.com (199.127.90.0/23) for software update repository and SFTP upload of showtech log. For the Sentry Appliance (physical or virtual ActiveSync/AppTunnel), the Sentry must be able to resolve Core hostname (via DNS lookup) or a hostfile entry must be added. | HTTPS 443 |

- For firewall rules required for the internal corporate network, see Internal corporate network rules.
- For additional firewall rules, see Additional firewall rules.
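
As an added example (not part of the original documentation), the Python below audits a proposed TCP allow-list for a Core in the DMZ against the inbound rows and the APNS row of the table above. The `(direction, port, peer)` rule format, the name `audit_core_rules`, IPv4-only peers and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Ports come from the table above; the (direction, port, peer) rule format,
# names and sample addresses are assumptions made for this example.
INBOUND_CORE = {443, 9997, 8883}   # 8080 is handled separately (evals only)
APNS_PORTS = {2195, 2196, 2197}
APNS_NET = ipaddress.ip_network("17.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")

def audit_core_rules(rules, production=True, ios_mdm=True):
    """Return sorted findings for a Core-in-DMZ TCP allow-list."""
    findings = set()
    open_in = {port for d, port, _ in rules if d == "in"}
    open_out = {port for d, port, _ in rules if d == "out"}
    for direction, port, peer in rules:
        net = ipaddress.ip_network(peer)
        if direction == "in":
            if port == 8080:
                if production:
                    findings.add("in/8080: HTTP provisioning is for evaluations only")
            elif port not in INBOUND_CORE:
                findings.add(f"in/{port}: not in this page's inbound table")
            elif port == 8883 and net == ANY:
                findings.add("in/8883: limit the source to the MTD console")
        elif port in APNS_PORTS:
            if not ios_mdm:
                findings.add(f"out/{port}: APNS not required without iOS MDM")
            elif not net.subnet_of(APNS_NET):
                findings.add(f"out/{port}: destination wider than 17.0.0.0/8")
    if 9997 not in open_in:
        findings.add("in/9997: client sync port missing")
    if 443 not in open_in and (production or ios_mdm or 8080 not in open_in):
        findings.add("in/443: HTTPS for MDM/provisioning missing")
    if ios_mdm:
        for port in sorted(APNS_PORTS - open_out):
            findings.add(f"out/{port}: required for APNS but missing")
    return sorted(findings)

# Constructed sample rule set, not taken from a real deployment.
SAMPLE = [
    ("in", 443, "0.0.0.0/0"), ("in", 8080, "0.0.0.0/0"),
    ("in", 8883, "0.0.0.0/0"), ("in", 22, "0.0.0.0/0"),
    ("out", 2195, "0.0.0.0/0"), ("out", 2196, "17.0.0.0/8"),
]

if __name__ == "__main__":
    print("\n".join(audit_core_rules(SAMPLE)))
```

The outbound HTTPS 443 rows are keyed by hostname in the table and are not checked here.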