MDM Network Ports

Overview

A fully operational MDM setup requires a set of CapaInstaller services that are deployed correctly in the company network infrastructure. Consult the illustration and tables below when setting up your network for CapaInstaller MDM.

Network Ports Reference

The following illustration with referencing tables contains information about network ports used by CapaInstaller Mobile Device Management.

The referenced ports for CapaInstaller services are the default values. If the defaults are changed, refer to the port set in the service configuration.

If you have other isolated LAN zones, for example a separate WIFI zone, port openings for these zones should be the same as the LAN port openings




Services

Service

Port Number                       

Data Type

Direction

Origin DNS URL if Incoming

Destination DNS URL if Outgoing

Reference

cimdm

443 (SSL)

TCP

Public -> DMZ

CapaInstaller DMZ server


2 B

cimdm

8443 (SSL) OMA DM Protocol

TCP

Public -> DMZ

CapaInstaller DMZ server


2 B
SelfService9443 (CapaInstaller SelfService Portal)TCPPublic -> DMZCapaInstaller DMZ server
2 B

cibackend

5023 (CapaInstaller MDM default)

TCP

DMZ -> LAN

CapaInstaller Backend server


2 E
cifrontend5021 (CapaInstaller Frontend Default)TCPDMZ -> LANCapaInstaller Frontend server
2 E

CapaSystems server

7000 (CapaSystems server)

TCP

LAN -> Public


certservice.capainstaller.com

5 D

CapaInstaller frontend service

80 (HTTP)

TCP

LAN -> Public


download.capainstaller.com

4 D
ciscep443 (HTTPS)TCPLAN -> Public
https://scep.capaone.com

All devices

443 (SSL)

TCP

LAN -> Public


*

G

Service                        

Port Number                   

Data Type

Direction

Origin DNS URL if Incoming

Destination DNS URL if Outgoing

Reference

cimdm

2195 (Apple server)

TCP

DMZ -> Public


gateway.push.apple.com

2 F

cimdm

2196 (Apple server)

TCP

DMZ -> Public


feedback.push.apple.com

2 F

Service                           

Port Number

Data Type

Direction

Origin DNS URL if Incoming

Destination DNS URL if Outgoing

Reference

cimdm

5228 (Google server)

TCP

DMZ -> Public


android.apis.google.com

gcm-http.googleapis.com

fcm.googleapis.com

2 F

cimdm

5229 (Google server)

TCP

DMZ -> Public


android.apis.google.com

gcm-http.googleapis.com

fcm.googleapis.com

2 F

cimdm

5230 (Google server)

TCP

DMZ -> Public


android.apis.google.com

gcm-http.googleapis.com

fcm.googleapis.com

2 F
cimdm443 (Google server)TCPDMZ -> Public

android.apis.google.com

gcm-http.googleapis.com

fcm.googleapis.com

play.google.com

2 F

Services              

Port Number

Data Type

Direction

Origin DNS URL if Incoming

Destination DNS URL if Outgoing

Reference

cimdm

443 (Microsoft server)

TCP

DMZ -> Public



2 F

cimdm

7000 (Capasystems server)

TCP

DMZ -> Public



5 2 C

Devices

Devices                           

Port Number

Data Type

Direction

Origin DNS URL if Incoming

Destination DNS URL if Outgoing

Reference

All devices

443 (SSL)

TCP

LAN -> Public


*

G
All devices8443TCPLAN -> Public
*G

Devices                           

Port Number

Data Type

Direction

Origin DNS URL if Incoming

Destination DNS URL if Outgoing

Reference

Android devices

5228 (Google server)

TCP

LAN -> Public


android.apis.google.com

gcm-http.googleapis.com

fcm.googleapis.com

G

Android devices

5229 (Google server)

TCP

LAN -> Public


android.apis.google.com

gcm-http.googleapis.com

fcm.googleapis.com

G

Android devices

5230 (Google server)

TCP

LAN -> Public


android.apis.google.com

gcm-http.googleapis.com

fcm.googleapis.com

G
Android devices443 (Google server)TCPLAN -> Public

android.apis.google.com

gcm-http.googleapis.com

fcm.googleapis.com

play.google.com

G

Devices                            

Port Number              

Data Type

Direction

Origin DNS URL if Incoming

Destination DNS URL if Outgoing

Reference

Apple devices

2195 (Apple server)

TCP

LAN -> Public


gateway.push.apple.com

G

Apple devices

2196 (Apple server)

TCP

LAN -> Public


feedback.push.apple.com

G
Apple devices5223 (Apple server)TCPLAN -> Public

G

Devices

Port Number

Data Type

Direction

Origin DNS URL if Incoming

Destination DNS URL if Outgoing

Reference

Windows Phone devices

443 (Microsoft server)

TCP

LAN -> Public



G


https://capawiki.capasystems.com/display/CI56DOC/MDM+Network+Ports

Services and Clients

Description of the components from the illustration and reference tables

Services

 Click here to expand...

SCEP Service

Simple Certificate Enrollment Protocol http://en.wikipedia.org/wiki/Simple_Certificate_Enrollment_Protocol

The administrator must allow access through the firewall from the DMZ to the CapaInstaller Backend Service. The URL can be found from the Backend service configuration (http://ciserver.example.com:xx/cibackend). During enrollment the device will communicate with the SCEP service, so it needs to be accessible at the configured port (eg. port =1640).


MDM Service (Mobile Device Management)

The administrator must allow access through the firewall from the DMZ to the CapaInstaller Backend Service. The URL can be found from the Backend service configuration (http://ciserver.example.com:xx/cibackend).

The MDM service uses the DMZ Front-end Service. The Url can be found from the Frontend service configuration (http://mdm.example.com:xx/cifrontend).

The MDM service depends on two certificates (Apple certificate and SSL certificate) that are stored in the server's local certificate store (not the user store).

The MDM service hosts an enrollment homepage at URL: https://mdm.example.com/cimdm.

The MDM service communicates with the Apple Push Network Service (APNS). http://support.apple.com/kb/TS4264

The MDM service communicates with Google Cloud Messaging. http://en.wikipedia.org/wiki/Google_Cloud_Messaging

 

DMZ Frontend Service

The administrator must allow access through the firewall from the DMZ to the CapaInstaller internal Front-end Service. The URL can be found from the Frontend service configuration (http://ciserver.example.com:xx/cifrontend).


Back-end service

The Backend service communicates with the Active Directory, so it needs access to this, especially if AD lookup is required. The Backend service communicates with the CapaInstaller database.

Clients

 Click here to expand...

Mobile Devices on public network

The mobile devices communicate with the MDM service through the main URL: https://mdm.example.com/cimdm

The mobile devices communicate with the SCEP service through the main URL: http://mdm.example.com:5024/

The mobile devices communicate with the Apple Push Network Service (APNS). http://support.apple.com/kb/TS4264

The mobile devices communicate with Google Cloud Messaging. http://en.wikipedia.org/wiki/Google_Cloud_Messaging

The mobile devices communicate with the MDM service through the OMA URL: http://mdm.example.com:8443/ [Open Mobile Alliance (OMA) Device Management (DM) server (https://en.wikipedia.org/wiki/OMA_Device_Management)]


Computers on public network

The computers communicate with the DMZ Front-end service http://mdm.example.com:xx/cifrontend

 

LAN Mobile Devices

The devices will communicate just like the Mobile Devices on Public networks (see above).


LAN Computers

The computers communicate with the Internal Front-end service http://ciserver.example.com:xx/cifrontend

Unless the internal WiFi allows connection to the Internal Front-end service, computers that use WiFi may connect to the DMZ Front-end through the Public network

Third party services

 Click here to expand...

Apple Push Network Service

(APNS). http://support.apple.com/kb/TS4264

 

Google Cloud Messaging.

 http://en.wikipedia.org/wiki/Google_Cloud_Messaging

 

Microsoft Open Mobile Alliance (OMA) Device Management (DM) server https://en.wikipedia.org/wiki/OMA_Device_Management