Ports and protocols
This section lists the communication details for required and optional network connections.
From the internet to the Sophos Mobile server
Port forwarding, NAT, WAF, Reverse Proxy are supported.
Protocol |
Port |
Destination |
Comment |
Optional? |
---|---|---|---|---|
HTTP |
80 |
<Sophos Mobile server> |
Forwards to HTTPS port |
Yes |
HTTPS |
443 |
<Sophos Mobile server> |
Access to Sophos Mobile Admin and Self Service Portal, device sync, UTM, NAC |
From the internal network to the Sophos Mobile server
Protocol |
Port |
Destination |
Comment |
Optional? |
---|---|---|---|---|
HTTP |
80 |
<Sophos Mobile server> |
Forwards to HTTPS port |
Yes |
HTTPS |
443 |
<Sophos Mobile server> |
Access to Sophos Mobile Admin and Self Service Portal, device sync, UTM, NAC |
From the Sophos Mobile server to the Internet
Protocol |
Port |
Destination |
Comment |
Optional? |
---|---|---|---|---|
HTTPS with client cert. |
443 |
services.sophosmc.com (85.22.154.49) |
For push notifications to Apple (APNs), Microsoft (MPNS, WNS), Android (Baidu Push) devices |
|
HTTPS |
443 |
android.googleapis.com fcm.googleapis.com/fcm/send |
Google Firebase Cloud Messaging for Android devices |
|
APNs with client cert. |
443 |
api.push.apple.com (17.0.0.0/8) |
Apple Push Notification service |
|
HTTPS |
443 |
vpp.itunes.apple.com (17.0.0.0/8) |
Apple Volume Purchase Program |
Yes |
HTTPS |
443 |
itunes.apple.com (17.0.0.0/8) |
Apple app identifier search |
|
HTTPS |
443 |
deviceservices-external.apple.com (17.0.0.0/8) |
Apple Activation Lock Bypass for supervised devices |
Yes |
HTTPS |
443 |
mdmenrollment.apple.com (17.0.0.0/8) |
Apple Device Enrollment Program |
Yes |
HTTPS |
443 |
login.live.com *.notify.windows.com |
Windows Push Notification service |
|
HTTPS |
443 |
www.googleapis.com |
Android Enterprise |
Yes |
HTTPS |
443 |
www.google.com/recaptcha/api/siteverify |
Google reCAPTCHA service for password reset and token enrollment |
|
HTTPS |
443 |
login.microsoftonline.com graph.microsoft.com |
Intune app protection, federated authentication with Azure AD |
Yes |
HTTPS |
443 |
login.teamviewer.com webapi.teamviewer.com start.teamviewer.com |
TeamViewer integration |
Yes |
HTTPS |
443 |
One of the following Sophos Central regions: smc-device-if-cloudstation-eu-west-1.prod.hydra.sophos.com smc-device-if-cloudstation-eu-central-1.prod.hydra.sophos.com smc-device-if-cloudstation-us-west-2.prod.hydra.sophos.com smc-device-if-cloudstation-us-east-2.prod.hydra.sophos.com |
Migration from a Sophos Mobile on-premise installation or Sophos Mobile as a Service to Sophos Central |
Yes |
From the Sophos Mobile server to the following internal hosts
Protocol |
Port |
Destination |
Comment |
Optional? |
---|---|---|---|---|
MS SQL |
1433 |
<your database host> |
Only if on a different computer than Sophos Mobile |
|
MySQL |
3306 |
|||
SMTP plain |
25 |
<your SMTP host> |
Enrollment and maintenance emails |
|
SMTP SSL |
465 |
|||
SMTP TLS |
587 |
|||
LDAP |
389 |
<your LDAP host> |
To your directory server |
Yes |
LDAPS |
636 |
|||
HTTPS |
443 |
<your Exchange server> |
For ActiveSync traffic |
Yes |
HTTPS |
443 |
<your SGN server> |
For SGN integration |
Yes |
From Android devices to the internet
Service |
Port |
Destination |
Comment |
Optional? |
---|---|---|---|---|
FCM |
5228-5230 |
internet (all IP blocks listed in Google’s ASN 15169) |
Google Firebase Cloud Messaging (FCM) for Android devices. IP ranges might change regularly. If you use IP restrictions, check the ASN 15169 document at least monthly. |
|
HTTPS |
443 |
www.googleapis.com |
Zero-touch enrollment |
Yes |
HTTPS |
443 |
*.samsungknox.com *.secb2b.com *.samsung.com |
Samsung Knox Mobile Enrollment |
Yes |
HTTPS |
443 |
4.sophosxl.net/lookup |
Sophos website classification service. Required for Sophos Intercept X for Mobile Web Filtering. |
From iPhones, iPads, and Macs to the internet
Service |
Port |
Destination |
Comment |
Optional? |
---|---|---|---|---|
APNs |
5223 |
17.0.0.0/8 |
Apple Push Notification service for iPhones, iPads, and Macs. |
|
HTTPS |
443 |
mesu.apple.com |
Apple service for available iPhone, iPad, and Mac updates. |
Yes1 |
HTTPS |
443 |
push-services.sophosmc.com |
Sophos notification service for the Sophos Secure Email iPhone or iPad app. |
Yes2 |
HTTPS |
443 |
4.sophosxl.net/lookup |
Sophos website classification service. Required for Sophos Intercept X for Mobile Web Filtering. |
From Windows and Windows Mobile devices to the internet
Service |
Port |
Destination |
Comment |
Optional? |
---|---|---|---|---|
HTTPS |
443 |
*.notify.windows.com *.wns.windows.com *.notify.live.net |
Windows Notification Service (WNS) and Microsoft Push Notification Service (MPNS) for Windows devices. |
From Chrome devices to the internet
Service |
Port |
Destination |
Comment |
Optional? |
---|---|---|---|---|
HTTPS |
443 |
4.sophosxl.net/lookup |
Sophos website classification service. Required for Sophos Chrome Security Web Filtering. |