5 Replies Latest reply on Mar 10, 2012 5:10 AM by mat.kordell

    Ports required for EMM v9.7 (Dual Mode)

      Hi all,


      Getting some mixed results with the ports required for McAfee EMM.


      Article 1: https://kc.mcafee.com/corporate/index?page=content&id=KB70052&cat=CORP_ENTERPRISE_MOBILITY_MANAGEMENT&actp=LIST


      Article 2: https://kc.mcafee.com/corporate/index?page=content&id=KB70276&actp=LIST



      Can anyone confirm whether the lists above work for v9.7, or whether more is required?


      My list was:


      Any devices to proxy on 443

      Proxy to Hub on 443

      Hub to Proxy on 443

      Proxy to ActiveSync on 443

      Hub to Proxy on 2195/2196 - I would've assumed the PushNotifier on the proxy would be doing this over 443?

      Does the Hub require any access out to 2195/2196 to Apple/Google?


      Any help appreciated.




        • 1. Re: Ports required for EMM v9.7 (Dual Mode)

          You have your rules for 2195 and 2196 a little off.  You need those ports open from the Push Notifier out to the specified URLs.  Push Notifier is installed on the Proxy for a fresh install and on the Hub for an upgrade from 9.5.  Here are the rules as I've always sent them to customers prior to installing (for a fresh install of 9.7).


          Firewall Rules:

          TCP 443 inbound from Internet to DMZ Server

          TCP 443 inbound from DMZ Server to ActiveSync

          TCP 443 inbound from DMZ Server to Hub Server

          TCP 2195 outbound from DMZ Server to gateway.push.apple.com and gateway.sandbox.push.apple.com (for Apple Push Notification)

          TCP 2196 outbound from DMZ Server to feedback.push.apple.com (for Apple Push Notification)

          TCP 5222 outbound from WiFi to Internet (for Android Push Notification)

          TCP 5223 outbound from the WiFi to allow Apple devices not on 3G to receive push notifications (not needed if devices will not use WiFi)

          • 2. Re: Ports required for EMM v9.7 (Dual Mode)

            One thing we found out which is not documented anywhere (at least we have not found it) is that the DMZ Server also needs to be able to check CRL lists from the certificate you are using. It does also work without; nevertheless, when connecting over the MDM app from the phone/pad (e.g. update configuration) you quite often hit a timeout.


            all the best



            • 3. Re: Ports required for EMM v9.7 (Dual Mode)

              So currently on a test environment without DNS, it works fine. I've enabled DNS for resolution of host names and have picked up that the DMZ server is trying outbound requests to check the CRL lists from Verisign.


              Denenkel: Did you end up allowing access to the CRL site over port 80 in the end? If so, did the timeouts get resolved?

              • 4. Re: Ports required for EMM v9.7 (Dual Mode)

                Yes, everything works fine with our environment now! Activations are fast and no timeouts occur anymore.

                • 5. Re: Ports required for EMM v9.7 (Dual Mode)

                  You should mark this as answered.
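
An added example, not part of any post in this thread: the fresh-install rule list from reply 1 expressed as data and checked against constructed firewall-deny records, so that flows outside the list (such as the DMZ server's CRL lookups over port 80 reported in replies 2 to 4) stand out. The zone labels, the log record format and the `crl.example.test` host are assumptions made for the example.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    port: int
    src: str
    dst: str

# Reply 1's list for a fresh 9.7 install. Zone names ("dmz", "hub", ...) are
# labels chosen for this example, not EMM identifiers.
RULES = [
    Rule(443, "internet", "dmz"),
    Rule(443, "dmz", "activesync"),
    Rule(443, "dmz", "hub"),
    Rule(2195, "dmz", "gateway.push.apple.com"),
    Rule(2195, "dmz", "gateway.sandbox.push.apple.com"),
    Rule(2196, "dmz", "feedback.push.apple.com"),
    Rule(5222, "wifi", "internet"),
    Rule(5223, "wifi", "internet"),
]

# Constructed deny records, one "src dst tcp/port" per dropped connection.
# crl.example.test is a placeholder for the certificate's CRL host.
SAMPLE_DENIES = """\
dmz crl.example.test tcp/80
hub gateway.push.apple.com tcp/2195
dmz feedback.push.apple.com tcp/2196
dmz crl.example.test tcp/80
"""

def parse(line):
    """Return (src, dst, port) from one constructed deny record."""
    src, dst, proto_port = line.split()
    proto, port = proto_port.split("/")
    if proto != "tcp":
        raise ValueError(f"unexpected protocol in {line!r}")
    return src, dst, int(port)

def triage(log_text, rules=RULES):
    """Count denied flows: 'listed' ones mean the firewall lacks a rule from
    the list; 'unlisted' ones mean the list itself may be incomplete."""
    listed, unlisted = {}, {}
    for line in filter(str.strip, log_text.splitlines()):
        src, dst, port = flow = parse(line)
        bucket = listed if Rule(port, src, dst) in rules else unlisted
        bucket[flow] = bucket.get(flow, 0) + 1
    return listed, unlisted

if __name__ == "__main__":
    for name, flows in zip(("listed", "unlisted"), triage(SAMPLE_DENIES)):
        for (src, dst, port), n in flows.items():
            print(f"{name:8} {src} -> {dst} tcp/{port} x{n}")
```

A denied `hub -> gateway.push.apple.com` flow landing in the unlisted bucket matches reply 1's note that Push Notifier runs on the Hub after an upgrade from 9.5, so the 2195/2196 rules would then need the Hub as their source.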