External and Internet rules

The following table outlines the firewall rules required for external and internet access for:

  • Ivanti EPMM Appliance (physical or virtual)

    All ports (except UDP) should be opened bi-directionally to allow the systems to exchange data.

  • Sentry Appliance (physical or virtual, ActiveSync / AppTunnel)

    The Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup) or a hostfile entry must be added.

  • Access

The Ivanti EPMM appliance and the Sentry appliance communicate with each other.

Table 9.   External and Internet rules

Requirement

Description

Port

Traffic from Internet/Outside to Ivanti EPMM

Ivanti EPMM is in the DMZ

iOS end-user devices

Open HTTPS 443 for iOS device access to the Ivanti EPMM to support MDM. If you are not using iOS MDM, then this port is not required.

HTTPS 443

End-user devices

Open HTTPS 443 from the internet to the Ivanti EPMM appliance (for client provisioning traffic)

Using HTTPS 443 for provisioning requires signed certificates.

HTTPS 443 (evals only)

End-user devices

Open TCP 9997 from the internet to the Ivanti EPMM appliance (for TLS secured client sync traffic)

TCP 9997

MTD Threat Management Console

Open port 8883 inbound from MTD Threat Management Console to Ivanti EPMM.

Port 8883

Traffic from Ivanti EPMM to Internet/Outside

Ivanti EPMM is in the DMZ

Access

access-na1.mobileiron.com

access-eu1.mobileiron.com

HTTPS 443

Android Enterprise

  • https://accounts.google.com/o/oauth2/token
  • https://www.googleapis.com/androidenterprise

HTTPS 443

Ivanti EPMM Gateway and Apple APNS (HTTPS)

  • support.mobileiron.com:
    For software update repository and upload of Showtech log, open access to these IP addresses:
    • 52.53.85.126
    • 54.151.9.59

    Ivanti recommends that you also open the following addresses, which will be used for future cloud deployment of the Application Gateway services:

    • 54.176.117.219
    • 54.176.235.82
    • 54.193.230.188
    • 54.241.222.178
    • 54.241.114.195
    • 54.177.110.251
    • 50.18.43.125
  • Open HTTPS 443 (for location/number lookup data, in-app registration, APNS/FCM/GCM messaging, licensing, and support for sending SMS) to:

    • coresms.mobileiron.com
    • coreapns.mobileiron.com
    • api.push.apple.com
    • coregcm.mobileiron.com
    • corefcm.mobileiron.com
      (current address: 199.127.90.0/23)
    • appgw.mobileiron.com
      (current address: 199.127.90.0/23)

    Action required if you use Application Gateway (appgw.mobileiron.com) with explicit firewall rules: Due to scheduled Ivanti network maintenance, you must append these IP addresses to your existing firewall rules by December 16, 2022, to ensure no disruption of services:

    • 34.227.203.115
    • 34.231.78.119
    • 35.168.168.163
    • 18.207.62.107
    • 18.209.150.213
    • 23.21.143.22
  • Note: Allow traffic to both the current and new IP addresses prior to December 16, 2022, until further notice. You will receive a customer communication email with more information about the maintenance window when it is confirmed.

    Note: See also: Urgent Ivanti Endpoint Manager Mobile Gateway Update.

  • a.mobileiron.net for anonymized statistics collection. As the IP range for CDN sites (for example: supportcdn.mobileiron.com) may change from time to time, whitelist the domain name instead of the IP in the firewall if there is an option to do so. Otherwise, use support.mobileiron.com to download the updates instead of supportcdn.mobileiron.com.
  • api.push.apple.com to use APNSv2.

HTTPS 443

Apple APNS and MDM Services

Open TCP 2195 and 2197 between Ivanti EPMM and Apple’s APNS network (17.0.0.0/8) to support APNS for iOS devices. If you are not using iOS MDM, these ports are not required.

  • TCP 2195: gateway.push.apple.com
  • TCP 2197: api.push.apple.com (optional, alternative for HTTPS 443)

HTTPS 443

TCP 2195, 2197

iOS VPP and Windows notification / check-ins

Open HTTPS 443 for the following access: https://vpp.itunes.apple.com

(Known to be redirected to: www.apple.com, securemetrix.apple.com)

*.wns.windows.com, *.notify.windows.com

HTTPS 443

iTunes, Maps/Location, Windows 10, Windows 8.1 RT/Pro Apps

Open HTTPS 443 or HTTP 80 for the following access:

  • itunes.apple.com, *.phobos.apple.com, and *.mzstatic.com for performing iTunes App Store lookups.
  • https://storeedgefd.dsx.mp.microsoft.com for Windows 10 app store lookups.
  • http://marketplaceedgeservice.windowsphone.com and http://cdn.marketplaceimages.windowsphone.com for performing Windows 8.1 store lookups, Windows 8.1 store search, app images and services.
  • https://api.mqcdn.com for locating devices (IP addresses vary. Perform an nslookup to determine the necessary IP addresses.)
  • http://store-images.microsoft.com/image/apps, http://developer.mapquest.com, and http://store-images.s-microsoft.com/image/apps for downloading Windows apps and graphics

HTTPS 443

HTTP 80

Google

Administrators must whitelist the following six IP addresses to ensure that end users can still get messages when Google migrates from Google Cloud Messaging (GCM) to Firebase Cloud Messaging (FCM):

18.207.169.70
34.206.49.117
52.20.247.99
52.22.230.26
52.45.189.15
107.22.86.228
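The outbound rows above reduce to a set of hostnames, a few CIDRs and a handful of TCP ports, but two things a firewall administrator needs follow from them that the table does not spell out: a check for whether a destination seen in firewall logs is covered by one of these rules, and a way to catch the drift the CDN note warns about (a hostname whose current A record has moved outside the addresses an explicit IP rule was written for, as with the appgw.mobileiron.com address change). The following Python is an added example, not Ivanti's code or tooling. It encodes the EPMM-to-Internet rows of Table 9, renders nftables rules for them (the `inet filter` table, `output` chain and `eth0` interface are assumptions about the reader's ruleset), and runs a drift check through an injected resolver so it can be exercised offline with constructed DNS answers. The six Google/FCM addresses are left out of the model because the table gives no port for them, and 203.0.113.7 (TEST-NET-3) is used only to simulate a record that has moved.

```python
"""Added example (not Ivanti's code): model the EPMM -> Internet rows of
Table 9, emit nftables rules for them, and detect allowlist drift.

The DNS resolver is injected so the drift check runs offline with
constructed answers; on a real host pass a wrapper around
socket.gethostbyname_ex(host)[2] instead.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple


def _nets(*cidrs: str) -> Tuple[ipaddress.IPv4Network, ...]:
    # bare addresses become /32 networks
    return tuple(ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass(frozen=True)
class EgressRule:
    name: str                                   # label used as the nft comment
    hosts: Tuple[str, ...]                      # hostnames the rule is meant to cover
    allowed: Tuple[ipaddress.IPv4Network, ...]  # what the explicit IP rule permits
    ports: Tuple[int, ...]                      # TCP destination ports


# Destinations as listed in Table 9. The six Google/FCM addresses are omitted
# because the table gives no port for them.
RULES: Tuple[EgressRule, ...] = (
    EgressRule("support-showtech",
               ("support.mobileiron.com",),
               _nets("52.53.85.126", "54.151.9.59"),
               (443,)),
    EgressRule("core-services",
               ("coresms.mobileiron.com", "coreapns.mobileiron.com",
                "coregcm.mobileiron.com", "corefcm.mobileiron.com",
                "appgw.mobileiron.com"),
               _nets("199.127.90.0/23",
                     # addresses the table says to append for appgw.mobileiron.com
                     "34.227.203.115", "34.231.78.119", "35.168.168.163",
                     "18.207.62.107", "18.209.150.213", "23.21.143.22"),
               (443,)),
    EgressRule("apple-apns",
               ("api.push.apple.com", "gateway.push.apple.com"),
               _nets("17.0.0.0/8"),
               (443, 2195, 2197)),
)


def is_allowed(ip: str, port: int, rules=RULES) -> Optional[str]:
    """Name of the first rule permitting a TCP connection to ip:port, else None."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        if port in rule.ports and any(addr in net for net in rule.allowed):
            return rule.name
    return None


Resolver = Callable[[str], Iterable[str]]


def find_drift(resolver: Resolver, rules=RULES) -> List[Tuple[str, str, str]]:
    """Return (rule, host, ip) for every resolved address that the rule's
    explicit IP set would NOT permit. A non-empty result means the IP-based
    firewall rule is stale for that host: either refresh the addresses or,
    as the table recommends for CDN hosts, allowlist by name instead."""
    stale = []
    for rule in rules:
        for host in rule.hosts:
            for ip in resolver(host):
                addr = ipaddress.ip_address(ip)
                if not any(addr in net for net in rule.allowed):
                    stale.append((rule.name, host, ip))
    return stale


def nft_egress_rules(rules=RULES, iface: str = "eth0") -> str:
    """Render one nftables rule per EgressRule. Assumes an 'inet filter' table
    whose 'output' chain has a drop policy, so only listed destinations pass."""
    lines = []
    for rule in rules:
        daddrs = ", ".join(str(n) for n in rule.allowed)
        dports = ", ".join(str(p) for p in rule.ports)
        lines.append(
            f'add rule inet filter output oifname "{iface}" '
            f'ip daddr {{ {daddrs} }} tcp dport {{ {dports} }} '
            f'ct state new accept comment "{rule.name}"'
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed DNS answers, not real data; 203.0.113.7 is in TEST-NET-3 and
    # stands in for a record that has moved outside the allowlisted range.
    fake_dns = {
        "coresms.mobileiron.com": ["199.127.90.10"],
        "appgw.mobileiron.com": ["199.127.90.11", "203.0.113.7"],
        "api.push.apple.com": ["17.188.166.13"],
    }
    print(nft_egress_rules())
    for rule, host, ip in find_drift(lambda h: fake_dns.get(h, [])):
        print(f"DRIFT: {host} -> {ip} is outside the '{rule}' allowlist")
```

Run the drift check from cron with a real resolver and alert on any output: that is the earliest warning that an IP-based rule written from this table has gone stale. Where the firewall supports FQDN objects, prefer them for the mobileiron.com and CDN hosts, as the table itself advises; the explicit IP sets then only remain necessary for ranges such as Apple's 17.0.0.0/8.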


Traffic from Internet/Outside to Standalone Sentry

Standalone Sentry is in the DMZ

End user devices to access email via Sentry or to access backend resources via AppTunnel or Tunnel

Open HTTPS 443 or HTTP 80 from the internet for ActiveSync client traffic or open HTTPS 443 for AppTunnel or Tunnel traffic

For the Sentry Appliance (physical or virtual ActiveSync/AppTunnel), the Sentry must be able to resolve Ivanti EPMM hostname (via DNS lookup) or a hostfile entry must be added.

HTTPS 443 or HTTP 80
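The note that Sentry must resolve the Ivanti EPMM hostname, through DNS or a hosts-file entry, is easy to verify before cutover. The following Python is an added example, not Ivanti's code or part of the Sentry product: it looks the name up in hosts-file text first and then in DNS (the usual `files dns` order from nsswitch.conf, which is an assumption about the appliance), reports whether the answer matches the expected EPMM address, and produces the hosts-file line to add when nothing resolves. The resolver is injected so the check runs offline here; all hostnames, addresses and hosts-file content in it are constructed placeholders.

```python
"""Added example (not Ivanti's code): check that a Standalone Sentry can
resolve the Ivanti EPMM hostname, through DNS or a hosts-file entry, and
produce the entry to add when it cannot. The resolver is injected so the
check runs offline; on the appliance pass a wrapper around
socket.gethostbyname_ex(host)[2]. Names and addresses are placeholders.
"""
import ipaddress
from typing import Callable, Iterable, Optional


def hosts_file_lookup(hosts_text: str, hostname: str) -> Optional[str]:
    """Return the address mapped to hostname in /etc/hosts-style text, or None.
    Skips comments and blank lines and matches any alias on a line."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if hostname.lower() in (name.lower() for name in fields[1:]):
            return fields[0]
    return None


def hosts_file_entry(hostname: str, ip: str) -> str:
    """The line to append to /etc/hosts when DNS cannot resolve hostname."""
    return f"{ipaddress.ip_address(ip)}\t{hostname}"


def check_epmm_resolution(hostname: str, expected_ip: str,
                          dns_resolve: Callable[[str], Iterable[str]],
                          hosts_text: str = "") -> str:
    """Return 'ok', 'mismatch' or 'unresolved'.

    The hosts file is consulted before DNS, matching the usual 'files dns'
    order in nsswitch.conf; a stale hosts entry therefore wins over a correct
    DNS record and is reported as a mismatch rather than masked."""
    expected = ipaddress.ip_address(expected_ip)
    from_hosts = hosts_file_lookup(hosts_text, hostname)
    if from_hosts is not None:
        return "ok" if ipaddress.ip_address(from_hosts) == expected else "mismatch"
    try:
        answers = {ipaddress.ip_address(a) for a in dns_resolve(hostname)}
    except OSError:          # socket.gaierror on a real resolver
        answers = set()
    if not answers:
        return "unresolved"
    return "ok" if expected in answers else "mismatch"


if __name__ == "__main__":
    # Constructed hosts-file content and DNS answers with placeholder names.
    hosts_text = "127.0.0.1 localhost\n# EPMM\n10.1.2.3  epmm.example.com epmm\n"
    fake_dns = {"epmm.example.com": ["10.1.2.3"]}
    status = check_epmm_resolution("epmm.example.com", "10.1.2.3",
                                   lambda h: fake_dns.get(h, []), hosts_text)
    print("status:", status)
    if status == "unresolved":
        print("append to /etc/hosts:", hosts_file_entry("epmm.example.com", "10.1.2.3"))
```

A `mismatch` result deserves attention before an `unresolved` one: an unresolved name fails loudly, whereas a stale hosts entry or DNS record silently points Sentry at the wrong host until someone notices that device traffic is not being proxied.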

Traffic from Standalone Sentry to Internet/Outside

Standalone Sentry is in the DMZ

Standalone Sentry software upgrades

support.mobileiron.com (199.127.90.0/23) for the software update repository and SFTP upload of the Showtech log. The port column lists HTTPS 443 only; SFTP itself runs over SSH (TCP 22 by default), so verify which port the Showtech upload actually uses before writing the rule.

HTTPS 443