External and Internet rules

The following table outlines the firewall rules required for external and internet access for:

  • Core Appliance (physical or virtual)

    All ports (except UDP) should be 'bi-directional' to allow information / data exchange between systems.

  • Sentry Appliance (physical or virtual, ActiveSync / AppTunnel)

    The Sentry must be able to resolve the Core hostname (via DNS lookup) or a hostfile entry must be added.

  • Access

The Core Appliance and the Sentry Appliance communicate with each other.

Table 10.   External and Internet rules

Each row below lists the Requirement, its Description, and the Port(s) to open.

Traffic from Internet/Outside to Core (Core is in the DMZ)

  Requirement: iOS end-user devices
  Description: Open HTTPS 443 for iOS device access to the Core to support MDM. If you are not using iOS MDM, this port is not required.
  Port: HTTPS 443

  Requirement: End-user devices
  Description: Open HTTPS 443 or HTTP 8080 from the internet to the Core appliance (for client provisioning traffic). Using HTTPS 443 for provisioning requires signed certificates. Using HTTP 8080 is recommended only for evaluations, and not for production systems.
  Port: HTTPS 443; HTTP 8080 (evals only)

  Requirement: End-user devices
  Description: Open TCP 9997 from the internet to the Core appliance (for TLS-secured client sync traffic).
  Port: TCP 9997

  Requirement: MTD Threat Management Console
  Description: Open port 8883 inbound from the MTD Threat Management Console to Core.
  Port: 8883

Traffic from Core to Internet/Outside (Core is in the DMZ)

  Requirement: Access
  Description: access-na1.mobileiron.com, access-eu1.mobileiron.com
  Port: HTTPS 443

  Requirement: Android Enterprise
  Description: https://accounts.google.com/o/oauth2/token, https://www.googleapis.com/androidenterprise
  Port: HTTPS 443

  Requirement: Core Gateway and Apple APNS (HTTPS)
  Description:
    • support.mobileiron.com: for the software update repository and upload of Showtech logs, open access to these IP addresses:
      • 52.53.85.126
      • 54.151.9.59

      We also recommend, but do not require, that you open these addresses as well:

      • 54.176.117.219
      • 54.176.235.82
      • 54.193.230.188
      • 54.241.222.178
      • 54.241.114.195
      • 54.177.110.251
      • 50.18.43.125
    • Open HTTPS 443 to:

      • appgw.mobileiron.com
      • coresms.mobileiron.com
      • coreapns.mobileiron.com
      • clm.mobileiron.com
      • api.push.apple.com
      • coregcm.mobileiron.com
      • corefcm.mobileiron.com (199.127.90.0/23)

      for location/number lookup data, in-app registration, APNS/FCM/GCM messaging, licensing, and support for sending SMS.

    • a.mobileiron.net for anonymized statistics collection. As the IP range for CDN sites (for example, supportcdn.mobileiron.com) may change from time to time, whitelist the domain name instead of the IP in the firewall if there is an option to do so. Otherwise, use support.mobileiron.com to download the updates instead of supportcdn.mobileiron.com.
    • api.push.apple.com to use APNSv2.
  Port: HTTPS 443

  Requirement: Apple APNS and MDM Services
  Description: Open TCP ports 2195, 2196 and 2197 between Core and Apple's APNS network (17.0.0.0/8) to support APNS for iOS devices. If you are not using iOS MDM, these ports are not required.
    • TCP 2195: gateway.push.apple.com
    • TCP 2196: feedback.push.apple.com
    • TCP 2197: api.push.apple.com (optional, alternative to HTTPS 443)
  Port: HTTPS 443; TCP 2195, 2196, 2197

  Requirement: iOS VPP and Windows notification / check-ins
  Description: Open HTTPS 443 for the following access:
    • https://vpp.itunes.apple.com (known to be redirected to www.apple.com and securemetrix.apple.com)
    • *.wns.windows.com, *.notify.windows.com
  Port: HTTPS 443

  Requirement: iTunes, Maps/Location, Windows 10, Windows 8.1 RT/Pro Apps
  Description: Open HTTPS 443 or HTTP 80 for the following access:
    • itunes.apple.com, *.phobos.apple.com, and *.mzstatic.com for performing iTunes App Store lookups.
    • https://storeedgefd.dsx.mp.microsoft.com for Windows 10 app store lookups.
    • http://marketplaceedgeservice.windowsphone.com and http://cdn.marketplaceimages.windowsphone.com for performing Windows 8.1 store lookups, Windows 8.1 store search, app images and services.
    • https://api.mqcdn.com for locating devices (IP addresses vary; perform an nslookup to determine the necessary IP addresses).
    • http://store-images.microsoft.com/image/apps, http://developer.mapquest.com and http://store-images.s-microsoft.com/image/apps for downloading Windows apps and graphics.
    • http://hoedus.mobileiron.com/v1/api/ for Google Play Store lookups.
  Port: HTTPS 443; HTTP 80

Traffic from Internet/Outside to Standalone Sentry (Standalone Sentry is in the DMZ)

  Requirement: End-user devices to access email via Sentry, or to access backend resources via AppTunnel or Tunnel
  Description: Open HTTPS 443 or HTTP 80 from the internet for ActiveSync client traffic, or open HTTPS 443 for AppTunnel or Tunnel traffic. For the Sentry Appliance (physical or virtual ActiveSync/AppTunnel), the Sentry must be able to resolve the Core hostname (via DNS lookup) or a hostfile entry must be added.
  Port: HTTPS 443 or HTTP 80

Traffic from Standalone Sentry to Internet/Outside (Standalone Sentry is in the DMZ)

  Requirement: Core software upgrades
  Description: support.mobileiron.com (199.127.90.0/23) for the software update repository and SFTP upload of Showtech logs. For the Sentry Appliance (physical or virtual ActiveSync/AppTunnel), the Sentry must be able to resolve the Core hostname (via DNS lookup) or a hostfile entry must be added.
  Port: HTTPS 443
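After the outbound rules above are in place, an administrator usually wants to confirm from the Core itself that each required destination resolves and that the firewall actually passes the port, distinguishing a DNS failure from a blocked connection. The following checker is an added example written for this page, not MobileIron's own tooling; the hostnames come from the Core-to-Internet rows of Table 10 (the Android Enterprise host is taken from the table's URL), the descriptions are ours, and the resolve/connect functions are injectable so the logic can be exercised without network access.

```python
import socket

# Core -> Internet endpoints from Table 10 above. Hostnames are the page's (the
# Android Enterprise host is taken from the table's URL); descriptions are ours.
CORE_OUTBOUND = [
    ("Access (NA)", "access-na1.mobileiron.com", 443),
    ("Access (EU)", "access-eu1.mobileiron.com", 443),
    ("APNS v2 / Core gateway", "api.push.apple.com", 443),
    ("APNS legacy gateway", "gateway.push.apple.com", 2195),
    ("APNS feedback", "feedback.push.apple.com", 2196),
    ("Software updates / Showtech upload", "support.mobileiron.com", 443),
    ("Android Enterprise", "www.googleapis.com", 443),
]

def resolve_host(host):
    """Return the first A record for host; raises socket.gaierror on failure."""
    return socket.gethostbyname(host)

def tcp_connect(ip, port, timeout=3.0):
    """Open and immediately close a TCP connection; raises OSError if blocked."""
    with socket.create_connection((ip, port), timeout=timeout):
        return True

def check_endpoints(endpoints, resolve=resolve_host, connect=tcp_connect):
    """Classify each (desc, host, port) as ok, dns-fail or blocked.
    resolve/connect are injectable for offline tests; defaults use real DNS/TCP."""
    results = []
    for desc, host, port in endpoints:
        try:
            ip = resolve(host)
        except OSError as err:  # socket.gaierror is an OSError subclass
            results.append({"desc": desc, "host": host, "port": port,
                            "status": "dns-fail", "detail": str(err)})
            continue
        try:
            connect(ip, port)
            status, detail = "ok", ip
        except OSError as err:
            status, detail = "blocked", f"{ip}: {err}"
        results.append({"desc": desc, "host": host, "port": port,
                        "status": status, "detail": detail})
    return results

if __name__ == "__main__":
    # Run on the Core appliance to verify the firewall rules end to end.
    for r in check_endpoints(CORE_OUTBOUND):
        print(f"{r['status']:9} {r['host']}:{r['port']}  {r['desc']}  {r['detail']}")
```

A "dns-fail" row points at DNS or hostfile configuration, while a "blocked" row points at the firewall rule for that host and port.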