Appendix A - Harmony Mobile Communication Information

This appendix describes the networking rules required to configure your security systems in order to allow the solution's integration with your on-premises systems (UEMs, syslog, and so on).

If you do not know your dashboard's region, contact Check Point Support.

To prevent spam filters from blocking Harmony Mobile's emails, allow this IP address as a sender: 167.89.59.134.

For more information on how to integrate the Harmony Mobile Protect App with different UEMs, see Harmony Mobile UEM Integration Guide.

Best Practice - The best practice when enabling firewall access for Harmony Mobile is to use DNS Domain Name System. A hierarchical distributed naming system for computers, services, or resources connected to the internet or a private network. Used to translate names into IP addresses. based names. When it is not an option, use the IP addresses provided for the specified DNS in the table below.

Security System Configuration Rules

Regions:

• APAC

  Region	Description	Source	Destination	Destination Port
  APAC	Connection to customer's ArcSight/Syslog	54.79.100.215 13.238.250.74 13.236.78.154 13.54.82.229  54.79.2.81 13.55.226.84 65.1.191.54	Customer ArcSight/Syslog	Protocol and port as configured in the Dashboard (Settings > Syslog)
  APAC	Connection to customer's UEM Unified Endpoint Management. An architecture and approach that controls different types of devices such as computers, smartphones and IoT devices from a centralized command point. (APAC)	54.79.100.215 13.238.250.74 13.236.78.154 13.54.82.229  54.79.2.81 13.55.226.84 65.1.191.54	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)
  APAC	Harmony Mobile Connector to Harmony Mobile (APAC)	Customer Harmony Mobile Connector server	Harmony Mobile Dashboard FQDN*	443
  APAC	Harmony Mobile Connector connection to Harmony Mobile (APAC)	Customer Connector server	Harmony Mobile Dashboard FQDN*	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	au-gw.locsec.net ca-gw.locsec.net eu-gw.locsec.net uae-gw.locsec.net uk-gw.locsec.net in-gw.locsec.net gw.locsec.net	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	bosko.locsec.net (Direct client/server connection is required)	443
  ANY	Tenant Admin to customer's Harmony Mobile dashboard.	Customer's internal network	ap.portal.checkpoint.com ca.portal.checkpoint.com in.portal.checkpoint.com portal.checkpoint.com uae.portal.checkpoint.com uk.portal.checkpoint.com us.portal.checkpoint.com	443
  ANY	Connection to the customer's SMTP server, if configured in dashboard (Settings >SMTP settings).	54.225.176.210 52.203.42.126 3.219.149.71 52.202.175.192 54.162.65.19 3.209.220.26 18.210.156.139 3.226.181.180 3.209.41.124 3.208.56.54 52.71.46.86 34.228.181.154	Customer SMTP server	SMTP port configured in the dashboard (Settings > SMTP)
  ANY	Harmony Mobile Connector to customer UEM	Customer Harmony Mobile Connector server	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)

  * Harmony Mobile Dashboard FQDN – The Fully Qualified Domain Name of your HM Dashboard, unique per customer (for example, sbm.mt2.locsec.net).

• CA

  Region	Description	Source	Destination	Destination Port
  CA	Connection to customer's ArcSight/Syslog	35.182.193.41 35.182.219.40 99.79.19.121	Customer ArcSight/Syslog	Protocol and port as configured in the Dashboard (Settings > Syslog)
  CA	Connection to customer's UEM (CA)	35.182.193.41 35.182.219.40 99.79.19.121	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	au-gw.locsec.net ca-gw.locsec.net eu-gw.locsec.net uae-gw.locsec.net uk-gw.locsec.net in-gw.locsec.net gw.locsec.net	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	bosko.locsec.net (Direct client/server connection is required)	443
  ANY	Tenant Admin to customer's Harmony Mobile dashboard.	Customer's internal network	ap.portal.checkpoint.com ca.portal.checkpoint.com in.portal.checkpoint.com portal.checkpoint.com uae.portal.checkpoint.com uk.portal.checkpoint.com us.portal.checkpoint.com	443
  ANY	Connection to the customer's SMTP server, if configured in dashboard (Settings >SMTP settings).	54.225.176.210 52.203.42.126 3.219.149.71 52.202.175.192 54.162.65.19 3.209.220.26 18.210.156.139 3.226.181.180 3.209.41.124 3.208.56.54 52.71.46.86 34.228.181.154	Customer SMTP server	SMTP port configured in the dashboard (Settings > SMTP)
  ANY	Harmony Mobile Connector to customer UEM	Customer Harmony Mobile Connector server	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)

  * Harmony Mobile Dashboard FQDN – The Fully Qualified Domain Name of your HM Dashboard, unique per customer (for example, sbm.mt2.locsec.net).

• EU

  Region	Description	Source	Destination	Destination Port
  EU	Connection to customer's ArcSight/Syslog	52.49.95.252 34.251.122.117 52.30.229.13 52.31.98.20 18.200.64.57 108.129.52.172	Customer ArcSight/Syslog	Protocol and port as configured in the Dashboard (Settings > Syslog)
  EU	Connection to customer's UEM (EU)	52.49.95.252 34.251.122.117 52.30.229.13 52.31.98.20 18.200.64.57 108.129.52.172	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)
  EU	Harmony Mobile Connector to Harmony Mobile (EU)	Customer Harmony Mobile Connector server	Harmony Mobile Dashboard FQDN*	443
  EU	Harmony Mobile Connector connection to Harmony Mobile (EU)	Customer Connector server	Harmony Mobile Dashboard FQDN*	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	au-gw.locsec.net ca-gw.locsec.net eu-gw.locsec.net uae-gw.locsec.net uk-gw.locsec.net in-gw.locsec.net gw.locsec.net	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	bosko.locsec.net (Direct client/server connection is required)	443
  ANY	Tenant Admin to customer's Harmony Mobile dashboard.	Customer's internal network	ap.portal.checkpoint.com ca.portal.checkpoint.com in.portal.checkpoint.com portal.checkpoint.com uae.portal.checkpoint.com uk.portal.checkpoint.com us.portal.checkpoint.com	443
  ANY	Connection to the customer's SMTP server, if configured in dashboard (Settings >SMTP settings).	54.225.176.210 52.203.42.126 3.219.149.71 52.202.175.192 54.162.65.19 3.209.220.26 18.210.156.139 3.226.181.180 3.209.41.124 3.208.56.54 52.71.46.86 34.228.181.154	Customer SMTP server	SMTP port configured in the dashboard (Settings > SMTP)
  ANY	Harmony Mobile Connector to customer UEM	Customer Harmony Mobile Connector server	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)

  * Harmony Mobile Dashboard FQDN – The Fully Qualified Domain Name of your HM Dashboard, unique per customer (for example, sbm.mt2.locsec.net).

• IN

  Region	Description	Source	Destination	Destination Port
  IN	Connection to customer's ArcSight/Syslog	65.2.156.71 65.1.191.54 65.0.210.5	Customer ArcSight/Syslog	Protocol and port as configured in the Dashboard (Settings > Syslog)
  IN	Connection to customer's UEM (IN)	65.2.156.71 65.1.191.54 65.0.210.5	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	au-gw.locsec.net ca-gw.locsec.net eu-gw.locsec.net uae-gw.locsec.net uk-gw.locsec.net in-gw.locsec.net gw.locsec.net	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	bosko.locsec.net (Direct client/server connection is required)	443
  ANY	Tenant Admin to customer's Harmony Mobile dashboard.	Customer's internal network	ap.portal.checkpoint.com ca.portal.checkpoint.com in.portal.checkpoint.com portal.checkpoint.com uae.portal.checkpoint.com uk.portal.checkpoint.com us.portal.checkpoint.com	443
  ANY	Connection to the customer's SMTP server, if configured in dashboard (Settings >SMTP settings).	54.225.176.210 52.203.42.126 3.219.149.71 52.202.175.192 54.162.65.19 3.209.220.26 18.210.156.139 3.226.181.180 3.209.41.124 3.208.56.54 52.71.46.86 34.228.181.154	Customer SMTP server	SMTP port configured in the dashboard (Settings > SMTP)
  ANY	Harmony Mobile Connector to customer UEM	Customer Harmony Mobile Connector server	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)

  * Harmony Mobile Dashboard FQDN – The Fully Qualified Domain Name of your HM Dashboard, unique per customer (for example, sbm.mt2.locsec.net).

• UAE

  Region	Description	Source	Destination	Destination Port
  UAE	Connection to customer's ArcSight/Syslog	3.29.188.5 3.29.9.81 3.29.120.64	Customer ArcSight/Syslog	Protocol and port as configured in the Dashboard (Settings > Syslog)
  UAE	Connection to customer's UEM (UAE)	3.29.188.5 3.29.9.81 3.29.120.64	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)
  UAE	Harmony Mobile Connector connection to Harmony Mobile (UAE)	Customer Connector server	Harmony Mobile Dashboard FQDN*	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	au-gw.locsec.net ca-gw.locsec.net eu-gw.locsec.net uae-gw.locsec.net uk-gw.locsec.net in-gw.locsec.net gw.locsec.net	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	bosko.locsec.net (Direct client/server connection is required)	443
  ANY	Tenant Admin to customer's Harmony Mobile dashboard.	Customer's internal network	ap.portal.checkpoint.com ca.portal.checkpoint.com in.portal.checkpoint.com portal.checkpoint.com uae.portal.checkpoint.com uk.portal.checkpoint.com us.portal.checkpoint.com	443
  ANY	Connection to the customer's SMTP server, if configured in dashboard (Settings >SMTP settings).	54.225.176.210 52.203.42.126 3.219.149.71 52.202.175.192 54.162.65.19 3.209.220.26 18.210.156.139 3.226.181.180 3.209.41.124 3.208.56.54 52.71.46.86 34.228.181.154	Customer SMTP server	SMTP port configured in the dashboard (Settings > SMTP)
  ANY	Harmony Mobile Connector to customer UEM	Customer Harmony Mobile Connector server	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)

  * Harmony Mobile Dashboard FQDN – The Fully Qualified Domain Name of your HM Dashboard, unique per customer (for example, sbm.mt2.locsec.net).

• UK

  Region	Description	Source	Destination	Destination Port
  UK	Connection to customer's ArcSight/Syslog	18.135.91.41 35.178.23.186 3.8.43.176	Customer ArcSight/Syslog	Protocol and port as configured in the Dashboard (Settings > Syslog)
  UK	Connection to customer's UEM (UK)	18.135.91.41 35.178.23.186 3.8.43.176	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)
  UK	Harmony Mobile Connector connection to Harmony Mobile (UK)	Customer Connector server	Harmony Mobile Dashboard FQDN*	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	au-gw.locsec.net ca-gw.locsec.net eu-gw.locsec.net uae-gw.locsec.net uk-gw.locsec.net in-gw.locsec.net gw.locsec.net	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	bosko.locsec.net (Direct client/server connection is required)	443
  ANY	Tenant Admin to customer's Harmony Mobile dashboard.	Customer's internal network	ap.portal.checkpoint.com ca.portal.checkpoint.com in.portal.checkpoint.com portal.checkpoint.com uae.portal.checkpoint.com uk.portal.checkpoint.com us.portal.checkpoint.com	443
  ANY	Connection to the customer's SMTP server, if configured in dashboard (Settings >SMTP settings).	54.225.176.210 52.203.42.126 3.219.149.71 52.202.175.192 54.162.65.19 3.209.220.26 18.210.156.139 3.226.181.180 3.209.41.124 3.208.56.54 52.71.46.86 34.228.181.154	Customer SMTP server	SMTP port configured in the dashboard (Settings > SMTP)
  ANY	Harmony Mobile Connector to customer UEM	Customer Harmony Mobile Connector server	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)

  * Harmony Mobile Dashboard FQDN – The Fully Qualified Domain Name of your HM Dashboard, unique per customer (for example, sbm.mt2.locsec.net).

• US

  Region	Description	Source	Destination	Destination Port
  US	Connection to customer's ArcSight/Syslog	52.71.46.86 3.208.56.54 3.209.41.124 3.226.181.180 3.209.220.26 52.203.42.126 54.225.176.210 3.219.149.71 52.202.175.192 54.162.65.19 18.210.156.139 34.228.181.154	Customer ArcSight/Syslog	Protocol and port as configured in the Dashboard (Settings > Syslog)
  US	Connection to customer's UEM (US)	52.71.46.86 3.208.56.54 3.209.41.124 3.226.181.180 3.209.220.26 52.203.42.126 54.225.176.210 3.219.149.71 52.202.175.192 54.162.65.19 18.210.156.139 34.228.181.154	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)
  US	Harmony Mobile Connector connection to Harmony Mobile (US)	Customer Connector server	Harmony Mobile Dashboard FQDN*	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	au-gw.locsec.net ca-gw.locsec.net eu-gw.locsec.net uae-gw.locsec.net uk-gw.locsec.net in-gw.locsec.net gw.locsec.net	443
  ANY	Connection from mobile devices to Harmony Mobile from corporate network.	Customer's internal network	bosko.locsec.net (Direct client/server connection is required)	443
  ANY	Tenant Admin to customer's Harmony Mobile dashboard.	Customer's internal network	ap.portal.checkpoint.com ca.portal.checkpoint.com in.portal.checkpoint.com portal.checkpoint.com uae.portal.checkpoint.com uk.portal.checkpoint.com us.portal.checkpoint.com	443
  ANY	Connection to the customer's SMTP server, if configured in dashboard (Settings >SMTP settings).	54.225.176.210 52.203.42.126 3.219.149.71 52.202.175.192 54.162.65.19 3.209.220.26 18.210.156.139 3.226.181.180 3.209.41.124 3.208.56.54 52.71.46.86 34.228.181.154	Customer SMTP server	SMTP port configured in the dashboard (Settings > SMTP)
  ANY	Harmony Mobile Connector to customer UEM	Customer Harmony Mobile Connector server	Customer UEM	443 BES UEM only: 18084 (default) Citrix XenMobile only: 4443 (default)

  * Harmony Mobile Dashboard FQDN – The Fully Qualified Domain Name of your HM Dashboard, unique per customer (for example, sbm.mt2.locsec.net).

• For customers using Harmony Mobile Connector

  Region	Description	Source	Destination	Destination Port
  AU	Harmony Mobile Connector	Customer Harmony Mobile Connector server	au-relay.locsec.net	443
  CA	Harmony Mobile Connector	Customer Harmony Mobile Connector server	ca-relay.locsec.net	443
  EU	Harmony Mobile Connector	Customer Harmony Mobile Connector server	eu-relay.locsec.net	443
  UAE	Harmony Mobile Connector	Customer Harmony Mobile Connector server	uae-relay.locsec.net	443
  UK	Harmony Mobile Connector	Customer Harmony Mobile Connector server	uk-relay.locsec.net	443
  US	Harmony Mobile Connector	Customer Harmony Mobile Connector server	us-relay.locsec.net	443

Notes - For more information on Harmony Mobile Connector installation, see Harmony Mobile Connector Installation Guide. For more information on the structure of the ArcSight and Syslog events sent by Harmony Mobile, see Appendix B - Harmony Mobile Syslogs and Appendix C - Harmony Mobile ArcSight.

Policy Profiles Description

Main features:

Feature	Description
Anti-Phishing (See Anti-Phishing).	This category includes URLs that typically arrive in email or messaging apps and are established to steal information from users. These sites falsely represent themselves as legitimate websites to obtain users' account credentials or credit card information that can be used for fraudulent or illegal purposes.
Safe Browsing (See Safe Browsing).	This category includes URLs that may be reached during on-device browsing and are established to steal information from users or install drive-by malware. These sites falsely represent themselves as legitimate websites to obtain users' account credentials or credit card information that can be used for fraudulent or illegal purposes. These sites falsely represent themselves as legitimate websites to install malicious apps on the user's device to root/jailbreak the device, take command-and-control of the device, and steal on-device information.
Conditional Access (See Conditional Access).	This category is a list of corporate IP addresses and/or FQDN hostnames that the user's device cannot access while at high risk.
Anti-Bot Check Point Software Blade on a Security Gateway that blocks botnet behavior and communication to Command and Control (C&C) centers. Acronyms: AB, ABOT. (see Anti-Bot).	This category includes URLs, IP addresses, or domain names that use bots (zombies), including command-and-control sites facilitating stealing on-device personal and corporate information, record video or audio, and/or install other malicious code.
URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. (See URL Filtering)	This category allows the administrator to prohibit devices from accessing particular URLs in a specific subject category, such as gambling, guns, and violence, etc. This category also allows the administrator to block domain access from the user's device irrespective of the subject category or risk level of the device. In addition, this category also allows the administrator to allow domains that are always accessible to the user's device irrespective of the subject category or risk level of the device.
Parameter Configuration	This category allows users to configure the basic On-device Network Protection behavior (Disabled, Always on, Turn on when device is at risk.) This category also includes a Configure pop-up window that allows to configure different parameters of On-device Network Protection (General settings and suspending policy for On-device Network Protection)