Overview
A fully operational MDM setup requires a set of CapaInstaller services that are deployed correctly in the company network infrastructure. Consult the illustration and tables below when setting up your network for CapaInstaller MDM.
Network Ports Reference
The following illustration and its reference tables list the network ports used by CapaInstaller Mobile Device Management.
The ports listed for CapaInstaller services are the default values. If the defaults are changed, use the port set in the service configuration instead.
If you have other isolated LAN zones, for example a separate WiFi zone, the port openings for these zones should be the same as the LAN port openings.
Service | Port Number | Data Type | Direction | Destination DNS URL if Outgoing | Description |
---|---|---|---|---|---|
cimdm | 443 (SSL) | TCP | Public -> DMZ | api.capaone.com | Mobile devices get configurations and applications |
cimdm | 443 (SSL) | TCP | DMZ | | |
cibackend | 5023 (CapaInstaller MDM default) | TCP | DMZ -> LAN | | cimdm gets profiles and configurations |
cifrontend | 5022 (CapaInstaller Public Frontend default) | TCP | DMZ -> LAN | | Used by cimdm to authenticate users when enrolling phones |
Services
Service | Port Number | Data Type | Direction | Origin DNS URL if Incoming | Destination DNS URL if Outgoing | Reference |
---|---|---|---|---|---|---|
cimdm | 443 (SSL) | TCP | Public -> DMZ | CapaInstaller DMZ server | | 2 B |
cimdm | 8443 (SSL) OMA DM Protocol | TCP | Public -> DMZ | CapaInstaller DMZ server | | 2 B |
SelfService | 9443 (CapaInstaller SelfService Portal) | TCP | Public -> DMZ | CapaInstaller DMZ server | | 2 B |
cibackend | 5023 (CapaInstaller MDM default) | TCP | DMZ -> LAN | CapaInstaller Backend server | | 2 E |
cifrontend | 5021 (CapaInstaller Frontend default) | TCP | DMZ -> LAN | CapaInstaller Frontend server | | 2 E |
CapaSystems server | 7000 (CapaSystems server) | TCP | LAN -> Public | | certservice.capainstaller.com | 5 D |
CapaInstaller frontend service | 80 (HTTP) | TCP | LAN -> Public | | download.capainstaller.com | 4 D |
ciscep | 443 (HTTPS) | TCP | LAN -> Public | | https://scep.capaone.com | |
All devices | 443 (SSL) | TCP | LAN -> Public | | * | G |

Service | Port Number | Data Type | Direction | Origin DNS URL if Incoming | Destination DNS URL if Outgoing | Reference |
---|---|---|---|---|---|---|
cimdm | 2195 (Apple server) | TCP | DMZ -> Public | | | 2 F |
cimdm | 2196 (Apple server) | TCP | DMZ -> Public | | | 2 F |

Service | Port Number | Data Type | Direction | Origin DNS URL if Incoming | Destination DNS URL if Outgoing | Reference |
---|---|---|---|---|---|---|
cimdm | 5228 (Google server) | TCP | DMZ -> Public | | | 2 F |
cimdm | 5229 (Google server) | TCP | DMZ -> Public | | | 2 F |
cimdm | 5230 (Google server) | TCP | DMZ -> Public | | | 2 F |
cimdm | 443 (Google server) | TCP | DMZ -> Public | | | 2 F |

Service | Port Number | Data Type | Direction | Origin DNS URL if Incoming | Destination DNS URL if Outgoing | Reference |
---|---|---|---|---|---|---|
cimdm | 443 (Microsoft server) | TCP | DMZ -> Public | | | 2 F |
cimdm | 7000 (CapaSystems server) | TCP | DMZ -> Public | | | 5 2 C |
Devices
Devices | Port Number | Data Type | Direction | Origin DNS URL if Incoming | Destination DNS URL if Outgoing | Reference |
---|---|---|---|---|---|---|
All devices | 443 (SSL) | TCP | LAN -> Public | | * | G |
All devices | 8443 | TCP | LAN -> Public | | * | G |

Devices | Port Number | Data Type | Direction | Origin DNS URL if Incoming | Destination DNS URL if Outgoing | Reference |
---|---|---|---|---|---|---|
Android devices | 5228 (Google server) | TCP | LAN -> Public | | | G |
Android devices | 5229 (Google server) | TCP | LAN -> Public | | | G |
Android devices | 5230 (Google server) | TCP | LAN -> Public | | | G |
Android devices | 443 (Google server) | TCP | LAN -> Public | | | G |

Devices | Port Number | Data Type | Direction | Origin DNS URL if Incoming | Destination DNS URL if Outgoing | Reference |
---|---|---|---|---|---|---|
Apple devices | 2195 (Apple server) | TCP | LAN -> Public | | | G |
Apple devices | 2196 (Apple server) | TCP | LAN -> Public | | | G |
Apple devices | 5223 (Apple server) | TCP | LAN -> Public | | | G |

Devices | Port Number | Data Type | Direction | Origin DNS URL if Incoming | Destination DNS URL if Outgoing | Reference |
---|---|---|---|---|---|---|
Windows Phone devices | 443 (Microsoft server) | TCP | LAN -> Public | | | G |
https://capawiki.capasystems.com/display/CI64DOC/MDM+Network+Ports
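As an added example (not code from the CapaInstaller documentation), the following Python script encodes the rows of the tables above that name a destination host and probes each of them from a given zone, distinguishing a firewall drop (connect timeout) from a service that is merely not listening (connection refused). The hostnames ciserver.example.com and mdm.example.com are the page's own placeholder names; the public hostnames are the ones listed in the tables.

```python
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class PortRule:
    service: str
    port: int
    src_zone: str   # zone the connection is opened from
    dst_zone: str   # zone that must accept it
    dst_host: str   # host to probe

# Rows with a named destination, transcribed from the port tables.
# ciserver.example.com / mdm.example.com are the page's placeholder names;
# substitute your own server names before running.
MATRIX = (
    PortRule("cimdm", 443, "Public", "DMZ", "mdm.example.com"),
    PortRule("cimdm (OMA DM)", 8443, "Public", "DMZ", "mdm.example.com"),
    PortRule("SelfService", 9443, "Public", "DMZ", "mdm.example.com"),
    PortRule("cibackend", 5023, "DMZ", "LAN", "ciserver.example.com"),
    PortRule("cifrontend", 5021, "DMZ", "LAN", "ciserver.example.com"),
    PortRule("CapaSystems server", 7000, "LAN", "Public", "certservice.capainstaller.com"),
    PortRule("CapaInstaller frontend", 80, "LAN", "Public", "download.capainstaller.com"),
    PortRule("ciscep", 443, "LAN", "Public", "scep.capaone.com"),
)

def rules_from(zone: str) -> list[PortRule]:
    """Rules that can only be verified from a host inside `zone`."""
    return [r for r in MATRIX if r.src_zone == zone]

def probe_tcp(host: str, port: int, timeout: float = 3.0) -> str:
    """TCP connect probe. 'filtered' (timeout) is the usual signature of a
    firewall dropping the packet; 'refused' means the host was reached but
    nothing listens there, i.e. the opening exists but the service is down."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "refused"
    except OSError:          # DNS failure, no route, etc.
        return "unreachable"

def audit(zone: str, probe=probe_tcp) -> dict[PortRule, str]:
    """Probe every rule sourced in `zone`; return only the ones not open."""
    return {r: status for r in rules_from(zone)
            if (status := probe(r.dst_host, r.port)) != "open"}

if __name__ == "__main__":
    import sys
    zone = sys.argv[1] if len(sys.argv) > 1 else "LAN"
    for rule, status in audit(zone).items():
        print(f"{rule.service:24} {rule.dst_host}:{rule.port:<5} {status}")
```

Run it once from a host in each zone (for example with the argument DMZ on the DMZ server), since a rule can only be verified from its source zone.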
Services and Clients
Description of the components from the illustration and the reference tables.
Services
SCEP Service (Simple Certificate Enrollment Protocol, http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol)
The administrator must allow access through the firewall from the DMZ to the CapaInstaller Backend Service. The URL can be found in the Backend service configuration (http://ciserver.example.com:xx/cibackend). During enrollment the device communicates with the SCEP service, so it must be reachable on the configured port (e.g. port 1640).

MDM Service (Mobile Device Management)
The administrator must allow access through the firewall from the DMZ to the CapaInstaller Backend Service. The URL can be found in the Backend service configuration (http://ciserver.example.com:xx/cibackend). The MDM service uses the DMZ Front-end Service; its URL can be found in the Frontend service configuration (http://mdm.example.com:xx/cifrontend). The MDM service depends on two certificates (the Apple certificate and the SSL certificate) that are stored in the server's local certificate store (not the user store). The MDM service hosts an enrollment homepage at https://mdm.example.com/cimdm. The MDM service communicates with the Apple Push Network Service (APNS, http://support.apple.com/kb/TS4264) and with Google Cloud Messaging (http://en.wikipedia.org/wiki/Google_Cloud_Messaging).

DMZ Frontend Service
The administrator must allow access through the firewall from the DMZ to the CapaInstaller internal Front-end Service. The URL can be found in the Frontend service configuration (http://ciserver.example.com:xx/cifrontend).

Back-end Service
The Backend service communicates with Active Directory, so it needs access to it, especially if AD lookup is required. The Backend service also communicates with the CapaInstaller database.
Clients
Mobile Devices on the public network
The mobile devices communicate with the MDM service through the main URL https://mdm.example.com/cimdm and with the SCEP service through http://mdm.example.com:5024/. They also communicate with the Apple Push Network Service (APNS, http://support.apple.com/kb/TS4264) and with Google Cloud Messaging (http://en.wikipedia.org/wiki/Google_Cloud_Messaging). The mobile devices communicate with the MDM service through the OMA URL http://mdm.example.com:8443/ (Open Mobile Alliance (OMA) Device Management (DM) server, https://en.wikipedia.org/wiki/OMA_Device_Management).

Computers on the public network
The computers communicate with the DMZ Front-end service at http://mdm.example.com:xx/cifrontend.

LAN Mobile Devices
The devices communicate just like the mobile devices on the public network (see above).

LAN Computers
The computers communicate with the internal Front-end service at http://ciserver.example.com:xx/cifrontend. Unless the internal WiFi allows connections to the internal Front-end service, computers on WiFi may connect to the DMZ Front-end service through the public network instead.
Third party services
Apple Push Network Service (APNS): http://support.apple.com/kb/TS4264
Google Cloud Messaging: http://en.wikipedia.org/wiki/Google_Cloud_Messaging
Microsoft Open Mobile Alliance (OMA) Device Management (DM) server: https://en.wikipedia.org/wiki/OMA_Device_Management