Appendix A - Harmony Mobile Communication Information

This appendix describes the networking rules required to configure your security systems in order to allow the solution's integration with your on-premises systems (UEMs, syslog, and so on).

If you do not know your dashboard's region, contact Check Point Support.

To prevent spam filters from blocking Harmony Mobile's emails, allow this IP address as a sender: 167.89.59.134.

For more information on how to integrate the Harmony Mobile Protect App with different UEMs, see Harmony Mobile UEM Integration Guide.

Best Practice - When enabling firewall access for Harmony Mobile, use DNS-based names. When that is not an option, use the IP addresses provided for the specified DNS in the table below.

Security system configuration rules:

| Region | Description | Source | Destination | Destination Port |
|---|---|---|---|---|
| ANY | Connection from mobile devices to Harmony Mobile from corporate network. | Customer's internal network | au-gw.locsec.net, ca-gw.locsec.net, eu-gw.locsec.net, uae-gw.locsec.net, uk-gw.locsec.net, gw.locsec.net | 443 |
| ANY | Connection from mobile devices to Harmony Mobile from corporate network. | Customer's internal network | bosko.locsec.net (Direct client/server connection is required) | 443 |
| ANY | Tenant Admin to customer's Harmony Mobile dashboard. | Customer's internal network | ap.portal.checkpoint.com, ca.portal.checkpoint.com, in.portal.checkpoint.com, portal.checkpoint.com, uae.portal.checkpoint.com, uk.portal.checkpoint.com, us.portal.checkpoint.com | 443 |
| ANY | Connection to the customer's SMTP server, if configured in dashboard (Settings > SMTP settings). | 52.1.198.108, 52.7.158.188, 52.71.46.86, 52.202.99.13, 52.203.42.126 | Customer SMTP server | SMTP port configured in the dashboard (Settings > SMTP) |
| ANY | Harmony Mobile Connector to customer UEM | Customer Harmony Mobile Connector server | Customer UEM | 443; BES UEM only: 18084 (default); Citrix XenMobile only: 4443 (default) |
| US | Harmony Mobile Connector | Customer Harmony Mobile Connector server | us-relay.locsec.net | 443 |
| EU | Harmony Mobile Connector | Customer Harmony Mobile Connector server | eu-relay.locsec.net | 443 |
| AU | Harmony Mobile Connector | Customer Harmony Mobile Connector server | au-relay.locsec.net | 443 |
| CA | Harmony Mobile Connector | Customer Harmony Mobile Connector server | ca-relay.locsec.net | 443 |
| UAE | Harmony Mobile Connector | Customer Harmony Mobile Connector server | uae-relay.locsec.net | 443 |
| UK | Harmony Mobile Connector | Customer Harmony Mobile Connector server | uk-relay.locsec.net | 443 |
| APAC | Connection to customer's ArcSight/Syslog | 54.79.100.215, 13.238.250.74, 13.236.78.154, 13.54.82.229, 54.79.2.81, 13.55.226.84 | Customer ArcSight/Syslog | Protocol and port as configured in the Dashboard (Settings > Syslog) |
| APAC | Connection to customer's UEM (APAC) | 54.79.100.215, 13.238.250.74, 13.236.78.154, 13.54.82.229, 54.79.2.81, 13.55.226.84 | Customer UEM and/or Harmony Mobile Connector | 443; BES UEM only: 18084 (default); Citrix XenMobile only: 4443 (default) |
| APAC | Harmony Mobile Connector to Harmony Mobile (APAC) | Customer Harmony Mobile Connector server | Harmony Mobile Dashboard FQDN* | 443 |
| APAC | Harmony Mobile Connector connection to Harmony Mobile (APAC) | Customer Connector server | Harmony Mobile Dashboard FQDN* | 443 |
| EU | Connection to customer's ArcSight/Syslog | 52.49.95.252, 34.251.122.117, 52.30.229.13, 52.31.98.20, 18.200.64.57, 108.129.52.172 | Customer ArcSight/Syslog | Protocol and port as configured in the Dashboard (Settings > Syslog) |
| EU | Connection to customer's UEM (EU). | 52.49.95.252, 34.251.122.117, 52.30.229.13, 52.31.98.20, 18.200.64.57, 108.129.52.172 | Customer UEM and/or Harmony Mobile Connector | 443; BES UEM only: 18084 (default); Citrix XenMobile only: 4443 (default) |
| EU | Harmony Mobile Connector to Harmony Mobile (EU) | Customer Harmony Mobile Connector server | Harmony Mobile Dashboard FQDN* | 443 |
| EU | Harmony Mobile Connector connection to Harmony Mobile (EU) | Customer Connector server | Harmony Mobile Dashboard FQDN* | 443 |
| UAE | Connection to customer's ArcSight/Syslog | 3.29.188.5, 3.29.9.81, 3.29.120.64 | Customer ArcSight/Syslog | Protocol and port as configured in the Dashboard (Settings > Syslog) |
| UAE | Connection to customer's UEM (UAE) | 3.29.188.5, 3.29.9.81, 3.29.120.64 | Customer UEM and/or Harmony Mobile Connector | 443; BES UEM only: 18084 (default); Citrix XenMobile only: 4443 (default) |
| UAE | Harmony Mobile Connector connection to Harmony Mobile (UAE) | Customer Connector server | Harmony Mobile Dashboard FQDN* | 443 |
| UK | Connection to customer's ArcSight/Syslog | 18.135.91.41, 35.178.23.186, 3.8.43.176 | Customer ArcSight/Syslog | Protocol and port as configured in the Dashboard (Settings > Syslog) |
| UK | Connection to customer's UEM (UK) | 18.135.91.41, 35.178.23.186, 3.8.43.176 | Customer UEM and/or Harmony Mobile Connector | 443; BES UEM only: 18084 (default); Citrix XenMobile only: 4443 (default) |
| UK | Harmony Mobile Connector connection to Harmony Mobile (UK) | Customer Connector server | Harmony Mobile Dashboard FQDN* | 443 |
| US | Connection to customer's ArcSight/Syslog | 52.71.46.86, 3.208.56.54, 3.209.41.124, 3.226.181.180, 3.209.220.26, 52.203.42.126 | Customer ArcSight/Syslog | Protocol and port as configured in the Dashboard (Settings > Syslog) |
| US | Connection to customer's UEM (US) | 52.71.46.86, 3.208.56.54, 3.209.41.124, 3.226.181.180, 3.209.220.26, 52.203.42.126 | Customer UEM and/or Harmony Mobile Connector | 443; BES UEM only: 18084 (default); Citrix XenMobile only: 4443 (default) |
| US | Harmony Mobile Connector connection to Harmony Mobile (US) | Customer Connector server | Harmony Mobile Dashboard FQDN* | 443 |
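A least-privilege check for the inbound rows of the table (Harmony Mobile to the customer's syslog server), as an added example that is not part of the original Check Point page: it flags rules whose source range admits more than the listed addresses and reports listed sources that have no exact rule. The ruleset format, rule names, syslog host 10.0.5.20 and port 6514 are constructed assumptions; the three source addresses are the UK ones from the table.

```python
import ipaddress

# Source IPs the table lists for the UK region's syslog/UEM connections.
UK_SOURCES = ["18.135.91.41", "35.178.23.186", "3.8.43.176"]

# Constructed sample ruleset (hypothetical rule names, host and port).
SAMPLE_RULES = [
    {"name": "hm-syslog-1", "src": "18.135.91.41/32", "dst": "10.0.5.20", "port": 6514},
    {"name": "hm-syslog-2", "src": "35.178.0.0/16", "dst": "10.0.5.20", "port": 6514},
    {"name": "legacy-any", "src": "0.0.0.0/0", "dst": "10.0.5.20", "port": 6514},
    {"name": "unrelated", "src": "0.0.0.0/0", "dst": "10.0.9.9", "port": 443},
]


def audit_inbound(rules, allowed_sources, dst, port):
    """Audit rules that admit traffic to dst:port.

    Returns (too_broad, missing):
      too_broad - names of rules whose source range contains addresses
                  that are not in allowed_sources
      missing   - allowed sources not covered by any exact (tight) rule,
                  i.e. what must be added before the broad rules are removed
    """
    allowed = [ipaddress.ip_address(a) for a in allowed_sources]
    too_broad, covered = [], set()
    for rule in rules:
        if rule["dst"] != dst or rule["port"] != port:
            continue  # rule does not govern this destination
        net = ipaddress.ip_network(rule["src"], strict=False)
        inside = [a for a in allowed if a in net]
        if net.num_addresses > len(inside):
            # The range admits at least one undocumented address.
            too_broad.append(rule["name"])
        else:
            covered.update(inside)
    missing = [str(a) for a in allowed if a not in covered]
    return too_broad, missing


if __name__ == "__main__":
    broad, missing = audit_inbound(SAMPLE_RULES, UK_SOURCES, "10.0.5.20", 6514)
    print("over-broad rules:", broad)
    print("sources without an exact rule:", missing)
```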

Notes -

Policy Profiles Description

Main features:

Feature

Description

Anti-Phishing

(See Anti-Phishing).

  • This category includes URLs that typically arrive in email or messaging apps and are established to steal information from users.

  • These sites falsely represent themselves as legitimate websites to obtain users' account credentials or credit card information that can be used for fraudulent or illegal purposes.

Safe Browsing

(See Safe Browsing).

  • This category includes URLs that may be reached during on-device browsing and are established to steal information from users or install drive-by malware.

  • These sites falsely represent themselves as legitimate websites to obtain users' account credentials or credit card information that can be used for fraudulent or illegal purposes.

  • These sites falsely represent themselves as legitimate websites to install malicious apps on the user's device to root/jailbreak the device, take command-and-control of the device, and steal on-device information.

Conditional Access

(See Conditional Access).

  • This category is a list of corporate IP addresses and/or FQDN hostnames that the user's device cannot access while at high risk.

Anti-Bot

(See Anti-Bot).

  • This category includes URLs, IP addresses, or domain names that use bots (zombies), including command-and-control sites that facilitate stealing on-device personal and corporate information, recording video or audio, and/or installing other malicious code.

URL Filtering

(See URL Filtering).

  • This category allows the administrator to prohibit devices from accessing particular URLs in a specific subject category, such as gambling, guns, and violence.

  • This category also allows the administrator to block domain access from the user's device irrespective of the subject category or risk level of the device.

  • In addition, this category allows the administrator to allow domains that are always accessible to the user's device irrespective of the subject category or risk level of the device.

Parameter Configuration

  • This category allows users to configure the basic On-device Network Protection behavior (Disabled, Always on, or Turn on when device is at risk).

  • This category also includes a Configure pop-up window for configuring different parameters of On-device Network Protection (General settings and suspending policy for On-device Network Protection).