Internal corporate network rules
The following table outlines the firewall rules required for internal corporate network access for:
- Ivanti EPMM Appliance (physical or virtual) - All ports (except UDP) should be bi-directional to allow information / data exchange between systems.
- Ivanti Sentry Appliance (physical or virtual, ActiveSync / Ivanti Tunnel) - Ivanti Sentry must be able to resolve the Ivanti EPMM hostname (via DNS lookup) or a hostfile entry must be added.
The Ivanti EPMM Appliance and the Ivanti Sentry Appliance communicate with each other, so the rules below cover traffic in both directions.
Traffic from Internal Corporate Network to Ivanti EPMM (Ivanti EPMM is in the DMZ)

Requirement | Description | Port
--- | --- | ---
Ivanti EPMM administrator access (System Manager) | Open HTTPS 8443 from the corporate network to the Ivanti EPMM appliance | HTTPS 8443
Ivanti EPMM administrator access | Open HTTPS 443 and SSH 22 from the corporate network to the Ivanti EPMM appliance | HTTPS 443, SSH 22
Ivanti EPMM Enterprise Connector (Optional LDAP Proxy) | Open HTTPS 443 from Enterprise Connector to Ivanti EPMM | HTTPS 443
Ivanti EPMM Reporting Database (Optional) | Ensure that HTTPS 7443 from the Reporting Database to Ivanti EPMM is open. It is open by default. | HTTPS 7443
Self-service user portal | Open HTTPS 443 from the corporate network to the Ivanti EPMM appliance | HTTPS 443

Traffic from Ivanti EPMM to Internal Corporate Network (Ivanti EPMM is in the DMZ)

Requirement | Description | Port
--- | --- | ---
LDAP / Active Directory | LDAP user lookup and authentication | TCP 636 (secure) -or- TCP 389
SMTP Relay for SMS and Email Notifications | Open TCP 25 (if not in DMZ) and define the SMTP relay server | TCP 25
DNS Lookup | Open UDP 53 (if not in DMZ) and define DNS server(s). TCP is also needed in case of large DNS queries. | UDP 53
NTP Time Synchronization Service | Open UDP 123 (if not in DMZ) and define NTP server(s) | UDP 123
Certificate / SCEP Server | SCEP Proxy configuration | HTTP 443
Ivanti EPMM access to Ivanti Sentry | Open HTTPS 9090 (primary access) and HTTPS 443 (view of Ivanti Sentry certificate) to the Ivanti Sentry appliance | HTTPS 9090 and HTTPS 443
Sentry access to Ivanti EPMM | Open HTTPS 8443 to the Ivanti EPMM appliance (HTTPS 8443 is the default, but HTTPS 443 is also supported.) | HTTPS 8443

Traffic from Internal Corporate Network to Standalone Sentry (Standalone Sentry is in the DMZ)

Requirement | Description | Port
--- | --- | ---
Ivanti EPMM administrator access | Open HTTPS 8443 from the corporate network to Ivanti Sentry (System Manager access) | HTTPS 8443
Ivanti EPMM administrator access | Open SSH 22 from the corporate network to Ivanti Sentry | SSH 22

Traffic from Standalone Sentry to Internal Corporate Network (Standalone Sentry is in the DMZ)

Requirement | Description | Port
--- | --- | ---
CIFS-based Content Server | Open TCP 445 if using Ivanti Docs@Work with CIFS-based content servers | TCP 445
Certificate / SCEP Server | SCEP server / CA access (for CRL verification only) | HTTP 80 or HTTPS 443
App Server for AppTunnel | Open HTTP 80 or HTTPS 443 to the app/content server if configuring this Ivanti Sentry for AppTunnel | HTTP 80 or HTTPS 443 (typically)
Exchange ActiveSync | Open HTTP 80 or HTTPS 443 to the ActiveSync server if configuring this Ivanti Sentry for email service | HTTP 80 or HTTPS 443
DNS Lookup | Open UDP 53 (if not in DMZ) and define DNS server(s) | UDP 53
NTP Time Synchronization | Open UDP 123 (if not in DMZ) and define NTP server(s) | UDP 123
LDAP / Active Directory | Open TCP/UDP 389 for the Kerberos LDAP ping (optional, for Kerberos-constrained delegation) | TCP/UDP 389
SMTP Relay for Sentry Console Email Notifications | Open TCP 25 (if not in DMZ) and define the SMTP relay server | TCP 25
Kerberos Server | Open TCP 88 (for Kerberos-constrained delegation) | TCP 88
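As an added example (not part of the Ivanti documentation), a small Python audit that encodes the required flows from the tables above and checks a candidate firewall policy for requirements it does not meet and for flows the tables never ask for. The zone labels (corp, epmm, sentry, ldap, dns, ntp, kdc, smtp, cifs, scep), the "src dst proto ports" policy format and the sample policy are all constructed for this example; either/or entries such as TCP 636 or TCP 389 count as satisfied by either port.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port")

def flows(src, dst, proto, *ports):
    return frozenset(Flow(src, dst, proto, p) for p in ports)  # any listed port satisfies it

# Required flows from the tables (zone labels are ours); OPTIONAL holds table
# components that are allowed when deployed but not required.
REQUIRED = [
    flows("corp", "epmm", "tcp", 8443), flows("corp", "epmm", "tcp", 443),
    flows("corp", "epmm", "tcp", 22), flows("epmm", "ldap", "tcp", 636, 389),
    flows("epmm", "dns", "udp", 53), flows("epmm", "ntp", "udp", 123),
    flows("epmm", "sentry", "tcp", 9090), flows("epmm", "sentry", "tcp", 443),
    flows("sentry", "epmm", "tcp", 8443, 443), flows("corp", "sentry", "tcp", 8443),
    flows("corp", "sentry", "tcp", 22), flows("sentry", "dns", "udp", 53),
    flows("sentry", "ntp", "udp", 123), flows("sentry", "kdc", "tcp", 88),
]
OPTIONAL = [flows("epmm", "smtp", "tcp", 25), flows("sentry", "smtp", "tcp", 25),
            flows("sentry", "cifs", "tcp", 445), flows("sentry", "scep", "tcp", 80, 443)]
ALLOWED = frozenset().union(*REQUIRED, *OPTIONAL)

def parse_policy(text):
    """Parse 'src dst proto port[,port...]' lines (constructed format); '#' starts a comment."""
    policy = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            src, dst, proto, ports = line.split()
            policy.update(Flow(src, dst, proto.lower(), int(p)) for p in ports.split(","))
    return policy

def audit(policy):
    """Return (missing, extra): unmet requirements, and flows no table entry permits."""
    missing = [sorted(req) for req in REQUIRED if not req & policy]
    extra = sorted(policy - ALLOWED)
    return missing, extra

# Constructed sample policy: Kerberos (TCP 88) was forgotten and TCP 3306 is a leftover.
SAMPLE_POLICY = """\
corp epmm tcp 8443,443,22,3306   # 3306 is a lab leftover, not in any table
epmm ldap tcp 389
epmm dns udp 53
epmm ntp udp 123
epmm sentry tcp 9090,443
sentry epmm tcp 443              # 443 is the accepted alternative to 8443
corp sentry tcp 8443,22
sentry dns udp 53
sentry ntp udp 123
"""
```

Running `audit(parse_policy(SAMPLE_POLICY))` reports the missing Kerberos flow and the stray TCP 3306 rule, so the policy can be corrected before the appliances go live.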
- For the firewall rules required between the internal network and the outside (Internet-facing rules), see External and Internet rules.
- For additional firewall rules, see Additional firewall rules.