External and Internet rules
The following table outlines the firewall rules required for external and Internet access for:
- Ivanti EPMM Appliance (physical or virtual). All listed ports (except UDP) should be opened bi-directionally so that the systems can exchange information and data; on a stateful firewall this means permitting the return traffic of each listed connection, not accepting new inbound connections on every port.
- Sentry Appliance (physical or virtual, ActiveSync / AppTunnel). The Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup), or a hostfile entry must be added.
- Access. The Ivanti EPMM Appliance and the Sentry Appliance communicate with each other.
| Requirement | Description | Port |
|---|---|---|
| Traffic from Internet/Outside to Ivanti EPMM (Ivanti EPMM is in the DMZ) | | |
| iOS end-user devices | Open HTTPS 443 for iOS device access to Ivanti EPMM to support MDM. If you are not using iOS MDM, this port is not required. | HTTPS 443 |
| End-user devices | Open HTTPS 443 from the Internet to the Ivanti EPMM appliance (for client provisioning traffic). Using HTTPS 443 for provisioning requires signed certificates. | HTTPS 443 (evals only) |
| End-user devices | Open TCP 9997 from the Internet to the Ivanti EPMM appliance (for TLS-secured client sync traffic). | TCP 9997 |
| MTD Threat Management Console | Open port 8883 inbound from the MTD Threat Management Console to Ivanti EPMM. | Port 8883 |
| Traffic from Ivanti EPMM to Internet/Outside (Ivanti EPMM is in the DMZ) | | |
| Access | access-na1.mobileiron.com, access-eu1.mobileiron.com | HTTPS 443 |
| Android Enterprise | https://accounts.google.com/o/oauth2/token, https://www.googleapis.com/androidenterprise | HTTPS 443 |
| Ivanti EPMM Gateway and Apple APNS (HTTPS) | Note: Allow traffic to both the current and new IP addresses prior to December 16, 2022, until further notice. You will receive a customer communication email with more information about the maintenance window when it is confirmed. See also: Urgent Ivanti Endpoint Manager Mobile Gateway Update. | HTTPS 443 |
| Apple APNS and MDM Services | Open TCP 2195 and 2197 between Ivanti EPMM and Apple's APNS network (17.0.0.0/8) to support APNS for iOS devices. If you are not using iOS MDM, these ports are not required. | HTTPS 443, TCP 2195, 2197 |
| iOS VPP and Windows notification / check-ins | Open HTTPS 443 for the following: https://vpp.itunes.apple.com (known to be redirected to www.apple.com and securemetrix.apple.com), *.wns.windows.com, *.notify.windows.com | HTTPS 443 |
| iTunes, Maps/Location, Windows 10, Windows 8.1 RT/Pro Apps | Open HTTPS 443 or HTTP 80 for the following access: | HTTPS 443, HTTP 80 |
| Google Cloud Messaging / Firebase Cloud Messaging | Administrators must whitelist the following six IP addresses to ensure that end users can still get messages when Google migrates from Google Cloud Messaging (GCM) to Firebase Cloud Messaging (FCM): 18.207.169.70 | |
| Traffic from Internet/Outside to Standalone Sentry (Standalone Sentry is in the DMZ) | | |
| End-user devices accessing email via Sentry, or backend resources via AppTunnel or Tunnel | Open HTTPS 443 or HTTP 80 from the Internet for ActiveSync client traffic, or open HTTPS 443 for AppTunnel or Tunnel traffic. For the Sentry Appliance (physical or virtual, ActiveSync/AppTunnel), the Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup), or a hostfile entry must be added. | HTTPS 443 or HTTP 80 |
| Traffic from Standalone Sentry to Internet/Outside (Standalone Sentry is in the DMZ) | | |
| Ivanti EPMM software upgrades | support.mobileiron.com (199.127.90.0/23) for the software update repository and SFTP upload of the showtech log. For the Sentry Appliance (physical or virtual, ActiveSync/AppTunnel), the Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup), or a hostfile entry must be added. | HTTPS 443 |
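The table above is easier to audit once it is held as data rather than prose. The following added example (not Ivanti's code or configuration) encodes the rows that name a port, answers "is this flow covered by a row?" for a given source, destination and TCP port, and renders the rows with static IP or CIDR endpoints as nftables-style rules. The DMZ addresses of EPMM, Sentry and the MTD console are assumed RFC 5737 placeholders, the zone names (`epmm`, `sentry`, `mtd-console`, `internet`) are this example's own, and the GCM/FCM row is left out because the table gives it no port. Rows whose destination is a hostname or wildcard are reported separately: a static packet filter cannot express `*.wns.windows.com`, so those need a DNS-aware proxy or FQDN-based egress control.

```python
"""Machine-readable model of the external/Internet rule table, with a flow
checker and an nftables emitter.  Added example, not Ivanti code.  Hosts, CIDRs
and ports come from the table; the zone addresses below are assumed placeholders."""
import ipaddress
from dataclasses import dataclass

# Assumed DMZ addresses (RFC 5737 placeholders; substitute your own).
ZONES = {
    "epmm": "192.0.2.10",
    "sentry": "192.0.2.20",
    "mtd-console": "198.51.100.5",
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # zone name or "internet"
    dst: str          # zone name, IP/CIDR, hostname or "*.wildcard"
    ports: tuple      # TCP destination ports
    note: str = ""


RULES = (
    # Internet -> EPMM
    Rule("iOS MDM", "internet", "epmm", (443,), "omit if iOS MDM is not used"),
    Rule("client provisioning", "internet", "epmm", (443,), "needs signed certs"),
    Rule("client sync (TLS)", "internet", "epmm", (9997,)),
    Rule("MTD console", "mtd-console", "epmm", (8883,)),
    # EPMM -> Internet
    Rule("Access", "epmm", "access-na1.mobileiron.com", (443,)),
    Rule("Access", "epmm", "access-eu1.mobileiron.com", (443,)),
    Rule("Android Enterprise", "epmm", "accounts.google.com", (443,)),
    Rule("Android Enterprise", "epmm", "www.googleapis.com", (443,)),
    Rule("APNS", "epmm", "17.0.0.0/8", (443, 2195, 2197), "omit if iOS MDM is not used"),
    Rule("iOS VPP", "epmm", "vpp.itunes.apple.com", (443,)),
    Rule("WNS", "epmm", "*.wns.windows.com", (443,)),
    Rule("WNS", "epmm", "*.notify.windows.com", (443,)),
    # Internet -> Standalone Sentry
    Rule("ActiveSync", "internet", "sentry", (443, 80)),
    Rule("AppTunnel/Tunnel", "internet", "sentry", (443,)),
    # Standalone Sentry -> Internet
    Rule("software updates", "sentry", "199.127.90.0/23", (443,)),
)


def _as_network(spec):
    """ip_network for an IP/CIDR spec, or None when the spec is a hostname."""
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None


def _dst_matches(rule_dst, dst_ip, dst_host):
    if rule_dst in ZONES:
        return dst_ip == ZONES[rule_dst]
    net = _as_network(rule_dst)
    if net is not None:
        return ipaddress.ip_address(dst_ip) in net
    if dst_host is None:                      # hostname rule but no name to match
        return False
    if rule_dst.startswith("*."):             # "*.wns.windows.com" -> suffix match
        return dst_host.endswith(rule_dst[1:])
    return dst_host == rule_dst


def _src_matches(rule_src, src_ip):
    if rule_src == "internet":                # anything that is not one of our DMZ hosts
        return src_ip not in ZONES.values()
    return src_ip == ZONES[rule_src]


def permitted(src_ip, dst_ip, port, dst_host=None):
    """Name of the first table row covering this TCP flow, or None if no row does."""
    for r in RULES:
        if port in r.ports and _src_matches(r.src, src_ip) and _dst_matches(r.dst, dst_ip, dst_host):
            return r.name
    return None


def nftables_rules(rules=RULES):
    """Render rows with IP/CIDR endpoints as nft rules.  Returns (lines, needs_proxy):
    needs_proxy holds rows that name a hostname or wildcard and so cannot be a
    static packet-filter rule."""
    lines = ["ct state established,related accept   # return traffic for the bi-directional flows"]
    needs_proxy = []
    for r in rules:
        src = "" if r.src == "internet" else f"ip saddr {ZONES[r.src]} "
        if r.dst in ZONES:
            dst = ZONES[r.dst]
        elif _as_network(r.dst) is not None:
            dst = r.dst
        else:
            needs_proxy.append(r)
            continue
        ports = ", ".join(str(p) for p in r.ports)
        lines.append(f"{src}ip daddr {dst} tcp dport {{ {ports} }} accept   # {r.name}")
    return lines, needs_proxy


if __name__ == "__main__":
    print(permitted("203.0.113.7", ZONES["epmm"], 8883))        # None: 8883 only from the MTD console
    lines, unresolved = nftables_rules()
    print("\n".join(lines))
    print("need FQDN/proxy control:", sorted({r.dst for r in unresolved}))
```

Running the module prints the static rule set and the seven hostname destinations that cannot be turned into IP rules; `permitted()` is the check to run against a proposed flow (for example a vendor request to open 8883 from "anywhere") before it reaches the change ticket.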
- For firewall rules required for the internal corporate network, see Internal corporate network rules.
- For additional firewall rules, see Additional firewall rules.