Network Ports used by Hexnode UEM

This article explains the network ports used for connections with Hexnode or for integrating third-party services.

A port is a specific location through which information flows between various computers or networks. Hexnode uses several ports for enrolling and managing Android, Apple, and Windows devices. Make sure to keep these ports open for a full MDM feature implementation.

The following sections list the ports needed to establish connectivity between the various servers and components in Hexnode UEM.

Ports for Android devices

Communications for enrolling and managing Android devices use HTTPS on TCP 443. Hexnode uses the standard FCM ports and services (ports 5228, 5229, and 5230). Port 1883 (outbound) can be used for devices without FCM.

| Port Number | Inbound/Outbound | Source | Destination | Description |
| --- | --- | --- | --- | --- |
| 8998 | Outbound | AD Agent | Hexnode Cloud (i.e., Provide your portal name) | AD Agent Service |
| 443/80 | Outbound | Android Devices | *.samsungknox.com, *.secb2b.com, *.samsung.com | Samsung Knox Enrollment |
| 443 | Outbound | Android Device | www.googleapis.com | Zero-touch Enrollment |
| 443 | Bidirectional | Android Device | Destination hosts mentioned in https://support.google.com/work/android/answer/10513641?hl=en | App Management |
| 443 | Bidirectional | Hexnode Cloud (i.e., Provide your portal name) | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices |
| 443 | Bidirectional | Devices | Amazon S3 endpoints corresponding to the specific Hexnode UEM portal’s region. | HTTPS port used for file, app management. |
| 443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS port used for Office365 Login. |
| 5228, 5229, 5230, 443 | Bidirectional | Android Devices | Hostnames mentioned in https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall | Receive push notifications via Firebase Cloud Messaging (FCM) |
| 1883, 8883 | Outbound | Android Devices | push.hexnode.com, push-eu.hexnode.com, push-us.hexnode.com, push-cpt.hexnode.com, push-uae.hexnode.com, push-ldn.hexnode.com, push-mum.hexnode.com | Receive push notifications via MQTT. |
| 443 | Outbound | Android Devices | *.pushy.me, *.pushy.io | Receive push notifications via Pushy. |
| 443, 3478 (TCP and UDP), 5349 (TCP) | Bidirectional | Android Devices | global.stun.twilio.com, global.turn.twilio.com | Simple Traversal of UDP Through NAT (STUN) port for Remote View support, STUN over TLS for Remote View support. |
| 443 | Bidirectional | Android Devices | remoteview.hexnodemdm.com, remoteview-us.hexnode.com, remoteview-eu.hexnode.com | Remote View Server |

Ports for Apple devices

Communications for enrolling and managing devices use HTTPS on TCP 443. Hexnode uses standard ports (TCP 2195 – outbound) to communicate with APNs (host address is gateway.push.apple.com). If Apple devices connected to the internet over Wi-Fi fail to receive APNs notifications, the firewall in your network may be blocking outbound port 5223. Make sure that this port remains open to TCP traffic for notifications to work.

| Port Number | Inbound/Outbound | Source | Destination | Description |
| --- | --- | --- | --- | --- |
| 8998 | Outbound | AD Agent | Hexnode Cloud (i.e., Provide your portal name) | AD Agent Service |
| 443 | Bidirectional | Hexnode Cloud (i.e., Provide your portal name) | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices |
| 443 | Bidirectional | Devices | Amazon S3 endpoints corresponding to the specific Hexnode UEM portal’s region. | HTTPS port used for file, app management. |
| 443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS port used for Office365 Login. |
| 443, 3478 (TCP and UDP), 5349 (TCP) | Bidirectional | iOS Devices | global.stun.twilio.com, global.turn.twilio.com | Simple Traversal of UDP Through NAT (STUN) port for Remote View support, STUN over TLS for Remote View support. |
| 443 | Bidirectional | iOS Devices | remoteview.hexnodemdm.com, remoteview-us.hexnode.com, remoteview-eu.hexnode.com | Remote View Server |
| 1883, 8883 | Outbound | macOS devices | push.hexnode.com, push-eu.hexnode.com, push-us.hexnode.com, push-cpt.hexnode.com, push-uae.hexnode.com, push-ldn.hexnode.com, push-mum.hexnode.com | Receive push notifications via MQTT. |
| 5223 | Inbound | Apple Devices | 17.0.0.0/8 | Apple Push Notification service (APNs) for Apple devices. |

Notes:

Allow access for the entire 17.0.0.0/8 address block as Apple may use any address from the range for pushing notifications.

Or you may open access to the following network ranges via the same ports:

IPv4

  • 17.249.0.0/16
  • 17.252.0.0/16
  • 17.57.144.0/22
  • 17.188.128.0/18
  • 17.188.20.0/23

IPv6

  • 2620:149:a44::/48
  • 2403:300:a42::/48
  • 2403:300:a51::/48
  • 2a01:b740:a42::/48
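
The check these notes imply, as an added example (not Hexnode's code): it scans firewall deny records for blocked TCP 5223 flows to APNs and reports whether each destination falls inside the narrower ranges listed above or only inside 17.0.0.0/8. The log format and the sample records are constructed for illustration.

```python
import ipaddress

# APNs destinations from the article: the full block and the narrower ranges.
APNS_FULL = ipaddress.ip_network("17.0.0.0/8")
APNS_NARROW = [ipaddress.ip_network(n) for n in (
    "17.249.0.0/16", "17.252.0.0/16", "17.57.144.0/22",
    "17.188.128.0/18", "17.188.20.0/23",
    "2620:149:a44::/48", "2403:300:a42::/48",
    "2403:300:a51::/48", "2a01:b740:a42::/48",
)]
APNS_PORT = 5223

# Constructed deny records (assumed format): "action proto src dst dport"
SAMPLE_LOG = """\
DENY tcp 10.20.1.15 17.57.146.20 5223
DENY tcp 10.20.1.15 17.253.4.9 5223
DENY tcp 10.20.1.22 2620:149:a44:1::a 5223
DENY tcp 10.20.1.30 17.249.10.1 443
ALLOW tcp 10.20.1.31 17.188.21.7 5223
DENY tcp 10.20.1.40 93.184.216.34 5223
"""

def classify(dst):
    """Return 'narrow', 'full-only' or None for a destination address."""
    ip = ipaddress.ip_address(dst)
    if any(ip.version == n.version and ip in n for n in APNS_NARROW):
        return "narrow"
    if ip.version == 4 and ip in APNS_FULL:
        return "full-only"
    return None

def blocked_apns(log_text):
    """List (src, dst, scope) for denied TCP flows to APNs on port 5223."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not match the assumed format
        action, proto, src, dst, dport = fields
        if action != "DENY" or proto != "tcp" or int(dport) != APNS_PORT:
            continue
        scope = classify(dst)
        if scope:
            hits.append((src, dst, scope))
    return hits

if __name__ == "__main__":
    for src, dst, scope in blocked_apns(SAMPLE_LOG):
        print(f"{src} -> {dst}:{APNS_PORT} blocked ({scope})")
```

A "full-only" result marks a destination that only the 17.0.0.0/8 rule would permit; the narrower ranges alone would still block it.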

Ports for Windows devices

TCP port 443 is used in the case of the Windows Notification Service.

| Port Number | Inbound/Outbound | Source | Destination | Description |
| --- | --- | --- | --- | --- |
| 8998 | Outbound | AD Agent | Hexnode Cloud (i.e., Provide your portal name) | AD Agent Service |
| 443 | Bidirectional | Windows Devices | *.notify.live.net, *.wns.windows.com, *.notify.windows.com | HTTPS port used for secure and encrypted communication between Hexnode server and Windows devices. |
| 443 | Bidirectional | Hexnode Cloud (i.e., Provide your portal name) | Devices | HTTPS port used for secure and encrypted communication between Hexnode server and devices |
| 443 | Bidirectional | Devices | Amazon S3 endpoints corresponding to the specific Hexnode UEM portal’s region. | HTTPS port used for file, app management. |
| 443 | Bidirectional | Devices | *.manage.microsoft.com, *api.office.com, *go.microsoft.com, *login.windows-ppe.net, *secure.aadcdn.microsoftonline-p.com, *vortex.data.microsoft.com | HTTPS port used for Office365 Login. |
| 1883, 8883 | Outbound | Windows devices | push.hexnode.com, push-eu.hexnode.com, push-us.hexnode.com, push-cpt.hexnode.com, push-uae.hexnode.com, push-ldn.hexnode.com, push-mum.hexnode.com | Receive push notifications via MQTT. |
| 443 | Bidirectional | Windows devices | remoteview.hexnodemdm.com, remoteview-us.hexnode.com, remoteview-eu.hexnode.com | Remote View Server |

Ports for Linux Devices

The following are the essential network ports and URLs that must be allowlisted in Netskope to ensure the Hexnode Linux Agent functions properly.

| Port Number | Inbound/Outbound | Source | Destination | Description |
| --- | --- | --- | --- | --- |
| 443 | Bidirectional | Hexnode Cloud (i.e., provide your portal name) | Linux Devices | HTTPS port used for secure communication between the Hexnode server and enrolled Linux devices (/linux-server/ API polling and command delivery). |
| 443 | Outbound | Linux Enrollment Installer (CLI) | Hexnode Cloud (i.e., provide your portal name) | HTTPS port used during device enrollment (/check-auth/, /linux-enroll/, /linux-checkin/). Required for initial agent setup. |
| 443 | Outbound | Linux Devices | Amazon S3 endpoints corresponding to the specific Hexnode UEM portal’s region | HTTPS port used to download the Linux MDM agent binary, enterprise applications, scripts, and other portal-hosted files. |
| 443 | Outbound | Linux Devices | downloads.hexnode.com | HTTPS port used to download Linux feature components such as Remote View Assist, Live Terminal, and Web Content Filtering binaries. |
| 443 | Outbound | Linux Devices | Portal-supplied HTTPS download URL (any host) | HTTPS port used when the portal provides a custom download URL for enterprise apps, agent updates, scripts, or Web Content Filtering binaries. |
| 1883, 8883 | Outbound | Linux Devices | Hostnames listed under MQTT push servers above | MQTT port used to receive real-time push notifications and commands. If blocked, the agent uses HTTPS polling on port 443. |
| 443 | Outbound | Linux Devices | Live Terminal Server (portal-supplied liveTerminalUrl; see Live Terminal servers above) | HTTPS port used for Live Terminal Socket.IO sessions between the device and the Hexnode Live Terminal server (for example, beta-liveterminal.hexnode.com). |
| 443 | Bidirectional | Linux Devices | Remote View Server (portal-supplied remoteViewUrl; see Remote View servers above) | HTTPS port used for Remote View and Remote Control session signaling and data exchange. |
| 443 | Outbound | Linux Devices (Remote View Assist) | http://www.hexnode.com | HTTPS port used to load EULA, privacy policy, terms, and support links in the Remote View client. |
| 443 | Outbound | Linux Devices (Hexnode Access deployments) | Hexnode Cloud (i.e., provide your portal name) | HTTPS port used to download portal assets such as favicon images for Hexnode Access kiosk login (/media/img/favicon.png). |
| 443 | Outbound | Linux Devices (optional — Location tracking) | ipinfo.io | HTTPS port used for IP-based geolocation lookup. |
| 443 | Outbound | Linux Devices (optional — Location tracking) | nominatim.openstreetmap.org | HTTPS port used for reverse geocoding of device coordinates. |
| 443 | Outbound | Linux Devices (optional — Real-time location) | location.services.mozilla.com | HTTPS port used for Wi-Fi-based geolocation. |
| 80 | Outbound | Linux Devices (optional — Real-time location) | ip-api.com | HTTP port used as a fallback for IP-based location lookup. |
| 53 | Outbound | Linux Devices (Web Content Filtering enabled) | 1.1.1.1 | UDP port used by the Hexnode DNS filter service for upstream DNS resolution. |
| 53 | Inbound (local loopback) | Linux Devices (Web Content Filtering enabled) | 127.0.0.1 | UDP port used by the local Hexnode DNS filter listener on the device. Applications on the device resolve DNS through this local service when Web Content Filtering is active. |
| 22 | Inbound (local loopback) | Linux Devices (Live Terminal session active) | 127.0.0.1 | TCP port used for the local SSH connection between the Live Terminal client and the device SSH server during an active Live Terminal session. |
| Local (Unix domain socket) | | Hexnode Access UI Agent and Linux MDM Agent | /run/mdm_agent/agent.sock, /run/mdm_agent/agent_gui.sock | Local inter-process communication between the UI Agent and MDM Agent on the device. Not an external network connection. |