Differences

required_configurations_for_open_mobile_access [2015/02/02 23:30]
ybarajas
required_configurations_for_open_mobile_access [2019/12/24 10:47] (current)
Line 1: Line 1:
 +====== Required Network Configurations for Open Mobile Access ======
 +
 +For maximum connectivity,​ customer firewalls, proxies and other network systems must allow access from the various services that comprise the iPass Open Mobile Service. We have two options for our customers to follow, based on the stringency of their security policies. The //Simple// option keeps the number of rules to a minimum by opening up only the required ports, but allows all hosts from the iPass production networks. The //​Advanced//​ option utilizes the same ports, but allows the customer to lock down the firewall to just the hosts that are currently in service. While this works just as well, it requires more rules in your firewalls, and if iPass adds services in the future, you may need to revisit these rules and open more hosts to our service.
 +
 +<​note>​If you are experiencing issues connecting to an on-campus Wi-Fi network using auth method EAP-TTLS, please visit **[[mcafee_note|special note on McAfee 8.7.0]]**. </​note>​
 +
 +
 +
 +
 +===== Simple Option =====
 +
 +This option opens up only the necessary TCP ports to two /20 blocks of IP space that are owned and maintained by iPass. TCP ports 80, 443 and 577 must be opened from the following IP blocks in order for the iPass Open Mobile service to function. If you are configuring a device that uses a white-listing format (such as an Access Gateway), you should allow the domains of ''​ipass.com''​ as well as ''​i-pass.com''​.
 +
 +
 +
 +^ IP Addresses ^ Location ^ 
 +| 216.239.96.0/​20 (216.239.96.0 -  216.239.111.255) | All iPass Data Centers |
 +
 +
 +===== Advanced Option =====
 +
 +<note important>​If you use the //Advanced Option//, you will need to return to this page occasionally to make sure that your configuration is up-to-date.</​note>​
 +
 +The following advanced configuration allows the customer to allow only the specific hosts that are currently in use.
 +
 +Users' devices as well as your servers must communicate with iPass servers. Below, you will find different iPass servers, along with the IP addresses and ports that must be able to communicate with them.
 +
 +    * **[[required_configurations_for_open_mobile_access&#​roamserver|RoamServer]]**
 +    * **[[required_configurations_for_open_mobile_access&#​roamserver_remote_manager|RoamServer Remote Manager]]**
 +    * **[[required_configurations_for_open_mobile_access&#​open_mobile_administration|Open Mobile Administration]]**
 +    * **[[required_configurations_for_open_mobile_access&#​open_mobile_client|Open Mobile Client]]**
 +    * **[[required_configurations_for_open_mobile_access&#​local_windows_client_processes|Local Windows Processes]]**
 +
 +
 +==== RoamServer ====
 +
 +The iPass RoamServer links the customer network to the iPass Network. It serves as a secure relay between the enterprise authentication database and the iPass Transaction centers. It is installed on the customer network, or can be hosted by iPass or an iPass partner.
 +
 +The following IP addresses must be able to communicate with the iPass RoamServer through TCP on port 577:
 +  * 216.239.98.125
 +  * 216.239.99.125
 +  * 216.239.105.125
 +  * 216.239.108.125
 +  * 216.239.109.125
 +  * 216.239.111.125
 +
 +<note important>​These IP addresses are strictly for configuration of firewalls and similar devices, and should not be used for other purposes. In general, these IP addresses cannot be directly contacted, such as through a PING utility.</​note>​
 +
 +==== RoamServer Remote Manager ====
 +
 +The iPass RoamServer Remote Manager (RSRM) is installed on the customer network and securely links the customer'​s authentication database with the iPass Open Mobile Portal. It allows the administrator to assign profiles to common name (cn) groups of users.
 +
 +The following IP addresses must be able to communicate with the iPass RoamServer Remote Manger (RSRM) through TCP on ports 8443:
 +  * 216.239.108.122
 +  * 216.239.108.124
 +
 +==== Open Mobile Administration ====
 +
 +=== Open Mobile Portal ===
 +
 +The Open Mobile Portal URL is https://​openmobile.ipass.com,​ and the ports required to reach the management system are TCP ports 80 and 443. The IP addresses for the Portal include:
 +  * 216.239.108.122
 +
 +==== Open Mobile Client ====
 +
 +The Open Mobile client must have access to the servers, URLs, and processes listed here.
 +
 +=== Open Mobile Data Collector ===
 +
 +The Open Mobile Data Collector receives connection and system information reported by the client and ties it to the reports available in Open Mobile Insight.
 +
 +The Data Collector requires TCP ports 80 and 443, and the URL is [[http://​om-datacollector.ipass.com|om-datacollector.ipass.com]]. The following IP addresses must be accessible:
 +
 +  * 52.52.68.163
 +  * 52.9.114.231
 +
 +=== Open Mobile Update Server ===
 +
 +The Open Mobile Update Server informs clients if updates are available for Open Mobile software, configurations or directories.
 +
 +The Update Server requires TCP port 80, and the URL's are http://​om-updater.ipass.com and http://​om-activation-updater.ipass.com. The following IP addresses must be accessible:
 +
 +  * 216.239.108.124
 +  * 216.239.108.131
 +
 +=== Open Mobile Download Server ===
 +
 +The Open Mobile Download Server retrieves update files for Open Mobile software, configurations,​ and directories.
 +
 +The Download Server requires TCP port 443, and the URL is https://​om-download.ipass.com. The following IP addresses must be accessible:
 +
 +  * 216.239.108.123
 +
 +=== iPass Client ID Servers ===
 +
 +iPass Client ID servers are contacted the first time  an iPass client makes a network connection, ​ to obtain a unique client identifier. The identifier is used in all transactions to ensure security of client connections. ClientID servers communicate through TCP port 80, and the URL is http://​did.gslb.ipass.com. Access is required to the following IP addresses in order to obtain the ID:
 +  * 216.239.108.97
 +  * 216.239.111.97
 +
 +=== OpenAccess ===
 +
 +OpenAccess service needs to register with the server through ports 80 and 443 at the following URL:
 +  *https://​dapi.devicescape.net/​register
 +
 +The following URLs should also be available for OpenAccess:
 +  *http://​alive.devicescape.net:​80
 +  *http://​dapi.devicescape.net:​80
 +  *https://​dapi.devicescape.net:​443
 +  *https://​api.devicescape.com:​443
 +
 +
 +=== Sniff Servers ===
 +
 +The iPass Sniff Servers are used by Open Mobile to determine if an Internet connection can be made, or if further action (such as accepting local terms and conditions) is required. The sniff servers communicate through TCP port 80, and the URLs are http://​sniff.gslb.i-pass.com and http://​sniff.i-pass.com. Currently all sniff servers are on CDN utilizing dynamic IP addresses. Customers must therefore add DNS based ACLs to whitelist both URLs.
 +
 +
 +=== Connection Quality Test Servers ===
 +
 +These servers are only required for the Connection Quality Indicator and Speed Test features on Open Mobile clients. The Connection Quality Test servers
 +communicate through TCP port 80 over HTTP, and the URLs are:
 +
 +  *http://​qos.ipass.com
 +  *http://​speedtest.ipass.com
 +  *http://​qos.gslb.ipass.com
 +  *http://​qos-emea.ipass.com
 +  *http://​qos-apac.ipass.com
 +  *http://​qos-atl.ipass.com
 +  *http://​qos-sjc.ipass.com
 +
 +Currently all Speed Test servers are on CDN utilizing dynamic IP addresses. Customers must therefore add DNS based ACLs to whitelist both URLs.
 +
 +
 +=== Push notification Server ===
 +
 +Client retrieves any iPass push notification messages from this service:
 +
 +  *https://​omns.ipass.com/​
 +
 +
 +=== Wi-Fi Hotspot Server ===
 +
 +Client calls this service for the Wi-Fi Hotspot Finder location services:
 +
 +  *https://​api.wifilookup.com/​
 +
 +
 +=== SmartConnect DNS server ===
 +
 +Client uses this for DNS communication to SmartConnect for connection management guidance (but NOT when it senses a “point of interest” on a LAN/WLAN connection made outside of our client… i.e. home or office network)
 +
 +  *https://​kr0.io/​
 +
 +
 +=== SmartConnect server ===
 +
 +SmartConnect connection management server (instructs client on best available network base on location).
 +
 +  *https://​k.ipass.com/​
 +
 +
 +=== Log server ===
 +
 +Client auto-uploads logs on connection attempt failure (vs user manually sending logs to help@ipass.com)
 +
 +  *https://​logservices.ipass.com/​
 +
 +
 +==== Local Windows Client Processes ====
 +
 +
 +On Windows platforms, these Open Mobile processes must be running in order for the Open Mobile client to have full functionality. Each must be allowed explicit access through the user’s personal firewall.
 +
 +
 +^ Process ^ Description |
 +|iMobility.exe |Main executable for the Open Mobile client. |
 +|iMobilityService.exe |Controls the user interface and intermediates between iMobility.exe and the Open Mobile platform. |
 +|iPlatformService.exe |Main service that controls policy enforcement. |
 +|iPlatformHost.exe (2 instances) |Enables the client to impersonate the user or system account. Two instances must be running: one each in the system and user contexts. |
 +|iPassLogonPolicy.exe |Enables Windows Logon Processing. |
 +
 +
 +
 +
 +
 +{{tag>​requirements firewall roamserver tech_notes}}
 +
 +
 +
 +\\
  
 
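Review bot: The Simple Option says it opens ports to "two /20 blocks" but the table lists only 216.239.96.0/20, and several hosts required in the Advanced section are outside that block: the Data Collector addresses 52.52.68.163 and 52.9.114.231, and the CDN-hosted sniff and QoS/Speed Test servers plus the devicescape.net, wifilookup.com and kr0.io hosts, which have no fixed address at all. As written, a customer who follows only the Simple Option would still block Data Collector and CDN traffic; either add the second /20 and the 52.x addresses to the Simple table, or state that the DNS-based allow-list entries are required under both options. Smaller points: the Speed Test paragraph says "whitelist both URLs" but seven URLs are listed (the sentence was copied from the Sniff Servers section); "Remote Manger" should be "Remote Manager", "ports 8443" should be "port 8443", "URL's" should be "URLs", and "base on location" should be "based on location". The OpenAccess entries give ports without a protocol, and the Push Notification, Wi-Fi Hotspot, SmartConnect and Log server entries give no port at all while every other entry does; stating "TCP 443" for the https:// hosts would keep the list usable as a firewall checklist. The "SmartConnect DNS server" entry describes DNS communication but lists an https:// URL, so it should say whether this is DNS (port 53) or HTTPS. Finally, the Update Server and Client ID servers are reached over plain HTTP on port 80 while the Download Server is HTTPS only; documenting whether the client verifies the update metadata it receives over HTTP would let administrators judge which of these flows their proxy may inspect or cache.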

©2015 iPass Inc. All rights reserved.