External and Internet rules
The following table outlines the firewall rules required for external and internet access for:
- Ivanti EPMM Appliance (physical or virtual). All ports (except UDP) should be bi-directional to allow information and data exchange between systems.
- Sentry Appliance (physical or virtual, ActiveSync / AppTunnel). The Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup) or a hosts-file entry must be added.
- Access. The Ivanti EPMM Appliance and the Sentry Appliance communicate with each other.
| Requirement | Description | Port |
|---|---|---|
| Traffic from Internet/Outside to Ivanti EPMM (Ivanti EPMM is in the DMZ) | | |
| iOS end-user devices | Open HTTPS 443 for iOS device access to Ivanti EPMM to support MDM. If you are not using iOS MDM, this port is not required. | HTTPS 443 |
| End-user devices | Open HTTPS 443 or HTTP 8080 from the internet to the Ivanti EPMM appliance (for client provisioning traffic). Using HTTPS 443 for provisioning requires signed certificates. Using HTTP 8080 is recommended only for evaluations, not for production systems. | HTTPS 443, HTTP 8080 (evals only) |
| End-user devices | Open TCP 9997 from the internet to the Ivanti EPMM appliance (for TLS-secured client sync traffic). | TCP 9997 |
| MTD Threat Management Console | Open port 8883 inbound from the MTD Threat Management Console to Ivanti EPMM. | Port 8883 |
| Traffic from Ivanti EPMM to Internet/Outside (Ivanti EPMM is in the DMZ) | | |
| Access | access-na1.mobileiron.com, access-eu1.mobileiron.com | HTTPS 443 |
| Android Enterprise | https://accounts.google.com/o/oauth2/token, https://www.googleapis.com/androidenterprise | HTTPS 443 |
| Ivanti EPMM Gateway and Apple APNS (HTTPS) | Note: Allow traffic to both the current and new IP addresses prior to December 16, 2022, until further notice. You will receive a customer communication email with more information about the maintenance window when it is confirmed. See also: Urgent Ivanti Endpoint Manager Mobile (MobileIron Core) Gateway Update. | HTTPS 443 |
| Apple APNS and MDM Services | Open HTTPS 443 and TCP 2195, 2196, 2197 between Ivanti EPMM and Apple's APNS network (17.0.0.0/8) to support APNS for iOS devices. If you are not using iOS MDM, these ports are not required. | HTTPS 443, TCP 2195, 2196, 2197 |
| iOS VPP and Windows notification / check-ins | Open HTTPS 443 for the following access: https://vpp.itunes.apple.com (known to be redirected to www.apple.com and securemetrix.apple.com), *.wns.windows.com, *.notify.windows.com | HTTPS 443 |
| iTunes, Maps/Location, Windows 10, Windows 8.1 RT/Pro Apps | Open HTTPS 443 or HTTP 80 for the following access: | HTTPS 443, HTTP 80 |
| | Administrators must whitelist the following six IP addresses to ensure that end users can still get messages when Google migrates from Google Cloud Messaging (GCM) to Firebase Cloud Messaging (FCM): 18.207.169.70 | |
| Traffic from Internet/Outside to Standalone Sentry (Standalone Sentry is in the DMZ) | | |
| End-user devices accessing email via Sentry, or backend resources via AppTunnel or Tunnel | Open HTTPS 443 or HTTP 80 from the internet for ActiveSync client traffic, or open HTTPS 443 for AppTunnel or Tunnel traffic. For the Sentry Appliance (physical or virtual, ActiveSync/AppTunnel), the Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup) or a hosts-file entry must be added. | HTTPS 443 or HTTP 80 |
| Traffic from Standalone Sentry to Internet/Outside (Standalone Sentry is in the DMZ) | | |
| Ivanti EPMM software upgrades | support.mobileiron.com (199.127.90.0/23) for the software update repository and SFTP upload of showtech logs. For the Sentry Appliance (physical or virtual, ActiveSync/AppTunnel), the Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup) or a hosts-file entry must be added. | HTTPS 443 |
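The rules above are easiest to audit when they are written down as data rather than clicked into a firewall console one by one. The following script is an added example, not Ivanti's code or tooling: it encodes the documented flows in a small rule table, answers "is this flow allowed?" under a default-deny policy, and renders equivalent nftables lines for review. The zone names (internet, epmm, sentry, mtd_console), the default-deny assumption, the assumption that the perimeter firewall is stateful (so TCP return traffic is covered by connection tracking), and the nftables set names are all mine. Rows whose hosts are elided on the page (the iTunes/Maps row and the remaining FCM addresses) are left out.

```python
# Added example: the documented EPMM / Sentry external firewall rules as data,
# a default-deny flow checker, and an nftables rendering for review.
# Zone names, set names and the stateful-firewall assumption are not from the page.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Rule:
    src: str            # zone name (assumed): "internet", "epmm", "sentry", "mtd_console"
    dst: str            # zone name, hostname, "*.wildcard" host, or CIDR
    proto: str          # every documented rule is TCP (HTTPS/HTTP/TLS sync)
    ports: tuple        # allowed destination ports
    eval_only: bool = False   # page marks HTTP 8080 provisioning as evals only


RULES = (
    # Internet -> Ivanti EPMM (EPMM in the DMZ)
    Rule("internet", "epmm", "tcp", (443,)),                   # iOS MDM / provisioning
    Rule("internet", "epmm", "tcp", (8080,), eval_only=True),  # HTTP provisioning, evals only
    Rule("internet", "epmm", "tcp", (9997,)),                  # TLS-secured client sync
    Rule("mtd_console", "epmm", "tcp", (8883,)),               # MTD Threat Management Console
    # Ivanti EPMM -> Internet
    Rule("epmm", "access-na1.mobileiron.com", "tcp", (443,)),
    Rule("epmm", "access-eu1.mobileiron.com", "tcp", (443,)),
    Rule("epmm", "accounts.google.com", "tcp", (443,)),        # Android Enterprise OAuth
    Rule("epmm", "www.googleapis.com", "tcp", (443,)),         # Android Enterprise API
    Rule("epmm", "17.0.0.0/8", "tcp", (443, 2195, 2196, 2197)),  # Apple APNS network
    Rule("epmm", "vpp.itunes.apple.com", "tcp", (443,)),       # iOS VPP
    Rule("epmm", "*.wns.windows.com", "tcp", (443,)),          # Windows notifications
    Rule("epmm", "*.notify.windows.com", "tcp", (443,)),
    # Internet -> Standalone Sentry, Standalone Sentry -> Internet
    Rule("internet", "sentry", "tcp", (443, 80)),              # ActiveSync / AppTunnel / Tunnel
    Rule("sentry", "199.127.90.0/23", "tcp", (443,)),          # support.mobileiron.com
)


def _dst_matches(pattern: str, dst: str) -> bool:
    """Match a destination (zone, hostname or IP literal) against a rule pattern."""
    if pattern == dst:
        return True
    if pattern.startswith("*.") and dst.endswith(pattern[1:]):   # wildcard host suffix
        return True
    if "/" in pattern:                                           # CIDR: dst must be an IP
        try:
            return ipaddress.ip_address(dst) in ipaddress.ip_network(pattern)
        except ValueError:
            return False
    return False


def flow_allowed(src: str, dst: str, proto: str, dport: int, production: bool = True) -> bool:
    """Default deny: the flow passes only if a documented rule covers it.
    In production the evals-only rule (HTTP 8080) is ignored."""
    for r in RULES:
        if production and r.eval_only:
            continue
        if r.src == src and r.proto == proto and dport in r.ports and _dst_matches(r.dst, dst):
            return True
    return False


def _nft_ref(endpoint: str) -> str:
    """CIDRs are emitted literally; zones and hostnames become named-set references
    (assumed names) that the administrator populates with real addresses."""
    if "/" in endpoint:
        return endpoint
    name = endpoint[2:] if endpoint.startswith("*.") else endpoint
    return "@" + name.replace(".", "_").replace("-", "_")


def to_nft(rules=RULES, production: bool = True) -> list:
    """Render one nftables accept rule per entry, preceded by the conntrack rule
    that admits return traffic of allowed TCP connections (assumed stateful firewall)."""
    lines = ["ct state established,related accept"]
    for r in rules:
        if production and r.eval_only:
            continue
        ports = ", ".join(str(p) for p in r.ports)
        lines.append(f"ip saddr {_nft_ref(r.src)} ip daddr {_nft_ref(r.dst)} "
                     f"{r.proto} dport {{ {ports} }} accept")
    return lines


if __name__ == "__main__":
    print("\n".join(to_nft()))
    # constructed sample flows: APNS to an Apple address passes, to a non-Apple one does not
    print(flow_allowed("epmm", "17.172.10.5", "tcp", 2195))
    print(flow_allowed("epmm", "18.207.169.70", "tcp", 2195))
```

Running the script prints the nftables lines and two sample checks. The checker is useful in review: a request to "open 8883 from the internet" or "allow APNS ports to any address" fails against the documented table, which is exactly the over-permissive change a least-privilege review should catch. Because the page lists hostnames and one Apple /8, the rendered rules use named sets for hostnames; resolving those to addresses and keeping the sets current is the administrator's job and is not shown here.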
- For firewall rules required for the internal corporate network, see Internal corporate network rules.
- For additional firewall rules, see Additional firewall rules.