
Hexnode – Architecture

Hexnode lets you securely manage both personal and corporate mobile devices in your business. Using Hexnode, an IT manager can enroll devices over the air, impose settings and policies, manage apps and check compliance with the enterprise's standards. A unified web console simplifies EMM by letting you centrally manage and secure the entire fleet of devices.

The main infrastructure entities involved in the architecture are:

Hexnode server

The server that hosts the Hexnode Mobile Device Management software. The server must be reachable via a public IP address, as many users will be outside the office network.

Firewall

A firewall establishes a barrier between the trusted, secure internal network of an enterprise and the internet. It controls incoming and outgoing network traffic based on a predefined set of rules.

APNs

Apple Push Notification service (APNs) is a highly efficient service created by Apple to enable communication from a third party to iOS devices. The APNs certificate installed on the Hexnode server ensures that managed mobile devices communicate through a secure channel using Apple Push Notification service.

GCM/FCM

Google Cloud Messaging (GCM), now known as Firebase Cloud Messaging (FCM), is a service developed by Google that lets servers send notifications not only to Android devices but also to iOS devices and Chrome web apps.

WNS

Windows Notification Service (WNS), developed by Microsoft, allows communication between a third-party service and any Windows device, including Windows Phones, PCs and Xbox consoles.

Mobile Devices

Personal or corporate-owned employee devices that need to be managed by the organization.

Architecture of Hexnode:

  1. Hexnode initiates the communication by sending a notification to the APNs server (via TCP port 2195) to wake up the managed mobile device.
  2. Every iOS device maintains a persistent TCP connection to APNs via port 5223.
  3. On waking, the device listens for the commands, policy settings and configurations sent by Hexnode.
  4. The device executes the commands, applies the configurations and policies, and reports the resulting data back to the Hexnode server.

APNs ports

  • Port 80: The default application port used during the installation of Hexnode.
  • Port 443: Used for secured and encrypted connection between mobile devices and Hexnode.
  • Port 2195 (outbound): This port must be open for the Hexnode server to communicate with APNs (host address gateway.push.apple.com).
  • Port 5223 (outbound): This port must be open if the mobile devices connect to the internet through Wi-Fi.

GCM/FCM ports

Ports 5228, 5229 and 5230 are used for Firebase Cloud Messaging; Google picks any of these three ports at random, so all three must be allowed.

WNS ports

TCP port 443 is used in the case of Windows Notification Service.

Alternate port

Port 1883 (outbound) can be used for devices without GCM.

Port Details

Port Number | Inbound/Outbound | Source | Destination | Description
8998 | Outbound | AD Agent | Hexnode Cloud | AD Agent Service
443 | Bidirectional | Android Devices | *.samsungknox.com, *.secb2b.com, *.samsung.com | Samsung KNOX Enrollment
443 | Bidirectional | Android Device | www.googleapis.com | Zero Touch Enrollment
443 | Bidirectional | Android Device | *play.googleapis.com, *.googleusercontent.com, android.clients.google.com, *.ggpht.com, *.gvt1.com | App Management
443 | Bidirectional | Windows Devices | *.notify.live.net, *.wns.windows.com, *.notify.windows.com | HTTPS port used for secure and encrypted communication between the Hexnode server and Windows devices
443 | Bidirectional | Apple Devices | mesu.apple.com | HTTPS port used for secure and encrypted communication between the Hexnode server and Apple devices
443 | Bidirectional | Hexnode Cloud | Devices | HTTPS port used for secure and encrypted communication between the Hexnode server and devices
443 | Bidirectional | Devices | s3.eu.central-1.amazonaws.com, s3.amazonaws.com | HTTPS port used for file and app management
443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS port used for Office 365 login
1883 | Bidirectional | Android Devices | *.pushy.me | Hexnode Push Service if GCM is not available
5228, 5229, 5230 | Bidirectional | Android Devices | Internet | Google push notification
3478 (TCP and UDP), 5349 (TCP) | Bidirectional | Android/iOS Devices | global.stun.twilio.com, global.turn.twilio.com | Simple Traversal of UDP Through NAT (STUN) on 3478 and STUN over TLS on 5349, both for Remote View support
443 | Bidirectional | Android/iOS Devices | remoteview.hexnodemdm.com | Remote View Server
5223 | Inbound | Apple Devices | 17.0.0.0/8 | Apple Push Notification service (APNs) for Apple devices
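The push wake-up flow and the port table above together define exactly which outbound flows a device network and the Hexnode server need. As an added example (not Hexnode's own code), the following Python script encodes the Port Details table as an allow-list and checks connection records against it, so an administrator can confirm that firewall egress rules, or a sample of firewall log lines, match what the page documents and spot flows that fall outside it. The destination entries are transcribed from the table; PORTAL_HOST is an assumed placeholder for the tenant's Hexnode Cloud hostname (which the page does not give), the "Internet" destination is treated as any host, the 17.0.0.0/8 APNs entry is matched as a CIDR block, and the sample records are constructed.

```python
"""Check connection records against the Hexnode port table (added example)."""
import ipaddress
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional

PORTAL_HOST = "portal.example.invalid"  # ASSUMPTION: your tenant's Hexnode Cloud hostname


@dataclass(frozen=True)
class Rule:
    ports: frozenset        # allowed port numbers
    protos: frozenset       # {"tcp"} or {"tcp", "udp"}
    destinations: tuple     # hostname patterns ("*.x.com", "*x.com"), CIDRs, or "*"
    description: str


def R(ports, dests, desc, protos=("tcp",)) -> Rule:
    return Rule(frozenset(ports), frozenset(protos), tuple(dests), desc)


# Transcribed from the page's Port Details table. "Internet" becomes "*";
# "Hexnode Cloud" becomes PORTAL_HOST (assumption, see above).
RULES = [
    R([8998], [PORTAL_HOST], "AD Agent Service"),
    R([443], ["*.samsungknox.com", "*.secb2b.com", "*.samsung.com"], "Samsung KNOX Enrollment"),
    R([443], ["www.googleapis.com"], "Zero Touch Enrollment"),
    R([443], ["*play.googleapis.com", "*.googleusercontent.com", "android.clients.google.com",
              "*.ggpht.com", "*.gvt1.com"], "App Management"),
    R([443], ["*.notify.live.net", "*.wns.windows.com", "*.notify.windows.com"], "WNS (Windows devices)"),
    R([443], ["mesu.apple.com"], "Apple devices"),
    R([443], [PORTAL_HOST], "Hexnode server <-> devices"),
    R([443], ["s3.eu.central-1.amazonaws.com", "s3.amazonaws.com"], "File, app management"),
    R([443], ["*.manage.microsoft.com", "*api.office.com", "*go.microsoft.com", "*login.windows-ppe.net",
              "*secure.aadcdn.microsoftonline-p.com", "*vortex.data.microsoft.com"], "Office365 Login"),
    R([1883], ["*.pushy.me"], "Hexnode Push Service (no GCM)"),
    R([5228, 5229, 5230], ["*"], "Google push notification"),
    R([3478], ["global.stun.twilio.com", "global.turn.twilio.com"], "STUN for Remote View", ("tcp", "udp")),
    R([5349], ["global.stun.twilio.com", "global.turn.twilio.com"], "STUN over TLS for Remote View"),
    R([443], ["remoteview.hexnodemdm.com"], "Remote View Server"),
    R([5223], ["17.0.0.0/8"], "APNs for Apple devices"),
]


def _dest_matches(pattern: str, dst: str) -> bool:
    """Match a destination (hostname or IP literal) against one table entry."""
    if pattern == "*":
        return True
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        net = None  # not a CIDR: treat as a hostname pattern
    if net is not None:
        try:
            return ipaddress.ip_address(dst) in net
        except ValueError:
            return False  # a hostname never satisfies a CIDR entry
    # Whole-string glob: "*.samsungknox.com" matches subdomains only, so
    # "samsungknox.com.evil.invalid" cannot sneak through on a suffix trick.
    return fnmatchcase(dst.lower(), pattern.lower())


def find_rule(dst: str, port: int, proto: str = "tcp") -> Optional[Rule]:
    """Return the first table row that permits this flow, or None."""
    for rule in RULES:
        if port in rule.ports and proto.lower() in rule.protos \
                and any(_dest_matches(p, dst) for p in rule.destinations):
            return rule
    return None


def audit(records: List[str]) -> List[str]:
    """records are 'proto destination port' strings; returns those no row covers."""
    unexpected = []
    for line in records:
        proto, dst, port = line.split()
        if find_rule(dst, int(port), proto) is None:
            unexpected.append(line)
    return unexpected


SAMPLE_RECORDS = [  # constructed sample, not real firewall data
    "tcp us.samsungknox.com 443",
    "tcp 17.57.144.10 5223",
    "udp global.stun.twilio.com 3478",
    "tcp mtalk.google.com 5228",
    "udp global.turn.twilio.com 5349",       # UDP 5349 is not in the table
    "tcp 17.57.144.10 443",                   # APNs address range, but wrong port
    "tcp samsungknox.com.evil.invalid 443",   # suffix trick must not match
]

if __name__ == "__main__":
    for line in audit(SAMPLE_RECORDS):
        print("not covered by the port table:", line)
```

Feeding real egress logs through audit() (after reducing each entry to protocol, destination and port) gives a quick list of flows that the documented table does not explain, which is the list worth reviewing before tightening firewall rules.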