You have your rules for 2195 and 2196 a little off. You need those ports open from the Push Notifier out to the specified URLs. Push Notifier is installed on the Proxy for a fresh install and on the Hub for an upgrade from 9.5. Here are the rules as I've always sent them to customers prior to installing (for a fresh install of 9.7).
TCP 443 inbound from Internet to DMZ Server
TCP 443 inbound from DMZ Server to ActiveSync
TCP 443 inbound from DMZ Server to Hub Server
TCP 2195 outbound from DMZ Server to gateway.push.apple.com and gateway.sandbox.push.apple.com (for Apple Push Notification)
TCP 2196 outbound from DMZ Server to feedback.push.apple.com (for Apple Push Notification)
TCP 5222 outbound from WiFi to Internet (for Android Push Notification)
TCP 5223 outbound from the WiFi to allow Apple devices not on 3G to receive push notifications (not needed if devices will not use WiFi)
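A pre-flight check for the outbound rules listed above, added here as an example and not part of the original thread or any vendor tooling. It probes each outbound destination from the DMZ server with a plain TCP connect, and adds the CRL distribution point of the server certificate (which later posts in this thread found also has to be reachable). The Apple hostnames and ports are the ones in the post; the CRL URL in the block is a constructed placeholder that you would replace with the distribution point printed by `openssl x509 -in server.crt -noout -ext crlDistributionPoints`. The probe function is injectable so the rule set can be exercised without network access.

```python
"""Outbound connectivity pre-flight for the DMZ (Proxy) server.

Added example: encodes the outbound rules from the post plus the CRL check
and reports which destinations this host can reach, so a firewall gap shows
up before device activations start timing out.
"""
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

# (description, host, port): outbound rules from the DMZ server as listed in the thread
OUTBOUND_RULES = [
    ("APNs gateway", "gateway.push.apple.com", 2195),
    ("APNs sandbox gateway", "gateway.sandbox.push.apple.com", 2195),
    ("APNs feedback", "feedback.push.apple.com", 2196),
]


def crl_endpoint(crl_url: str) -> Tuple[str, int]:
    """Turn a CRL distribution-point URL into (host, port).

    Plain-HTTP CRL URLs default to port 80, which is the port the thread
    ended up opening; an explicit port in the URL is honoured.
    """
    parsed = urlparse(crl_url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        raise ValueError(f"unsupported CRL URL: {crl_url}")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    return parsed.hostname, port


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Attempt a TCP connect; refused, filtered or unresolvable all count as False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes socket.gaierror for DNS failures and socket.timeout
        return False


def preflight(crl_urls: List[str],
              probe: Callable[[str, int], bool] = tcp_reachable) -> Dict[str, bool]:
    """Probe every outbound destination and return {description: reachable}.

    `probe` is injectable so the rule handling can be tested offline.
    """
    targets = list(OUTBOUND_RULES)
    for url in crl_urls:
        host, port = crl_endpoint(url)
        targets.append((f"CRL {host}:{port}", host, port))
    return {desc: probe(host, port) for desc, host, port in targets}


def blocked(results: Dict[str, bool]) -> List[str]:
    """Names of destinations that could not be reached, sorted for stable output."""
    return sorted(desc for desc, ok in results.items() if not ok)


if __name__ == "__main__":
    # Constructed placeholder CRL URL; replace with your certificate's real distribution point.
    results = preflight(["http://crl.example.invalid/server.crl"])
    for desc, ok in results.items():
        print(f"{'OK  ' if ok else 'FAIL'} {desc}")
    if blocked(results):
        raise SystemExit("firewall gap, still blocked: " + ", ".join(blocked(results)))
```

Run it on the DMZ server after the rules are in place; any `FAIL` line is a destination the firewall (or DNS) is still blocking. A TCP connect only proves the path is open, not that the remote service accepts the request, so a clean run rules out the firewall but not a certificate or CRL-content problem.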
One thing we found out which is not documented anywhere (at least we have not found it) is that the DMZ Server also needs to be able to check CRL lists for the certificate you are using. It does also work without it; nevertheless, when connecting over the MDM app from the phone/pad (e.g. update configuration) you quite often hit a timeout.
all the best
So currently on a test environment without DNS, it works fine. I've enabled DNS for resolution of host names and have picked up that the DMZ server is trying outbound requests to check the CRL lists from Verisign.
Denenkel: Did you end up allowing access to the CRL site over port 80 in the end? If so, did the timeouts get resolved?
Yes, everything works fine with our environment now! Activations are fast and no timeouts occur anymore.
You should mark this as answered.