Firewall rules to permit Playstore & Appstore push notifications & apps install

Our firewalls are not sync'ed to public DNS so we can't create rules by URL of playstore or appstore.

Our corporate mobile devices need to have push notifications & apps install :
what's the range of IP for appstore & playstore required & the ports to permit?

I heard appstore is a Class A subnet while playstore is probably a Class B:
is it a good practice to permit firewall rules to such big subnet ranges ?
sunhux Asked:
Jackie Man (IT Manager) Commented:
It is a very tough question.

> I heard appstore is a Class A subnet while playstore is probably a Class B:
> is it a good practice to permit firewall rules to such big subnet ranges ?

Yes.. it will be a very big subnet range just for Android devices and the purpose of a firewall will diminish for sure.

Zone-based firewall rules might be applicable for filtering the mobile devices: whitelisting the MAC addresses of such devices and making a user-based policy for allowing or disallowing the bypass of the firewall.
0
serialband Commented:
Apple owns an entire Class A subnet, so everything in it is Apple's infrastructure: 17.0.0.0/8
Several early companies have an entire Class A (IBM 9.0.0.0/8)

Akamai is more complex http://tools.tracemyip.org/search--isp/akamai+technologies

I suggest using DNS names for the whitelist instead.
0
sunhux (Author) Commented:
> I suggest using DNS names for the whitelist instead.
But our firewalls do not reference external DNSes, thus we can only use IP.
0

Jackie Man (IT Manager) Commented:
> But our firewalls do not reference external DNSes thus we can only use IP.

For Google Play Store, it is not technically possible to whitelist by IP addresses as their server pools are just too big and their IP addresses are changing from time to time.
0
serialband Commented:
It's time to get a better firewall.
0
sunhux (Author) Commented:
Even if we permit by URL (which our firewall resolves via external DNS), isn't it still too big a range of
IP to permit for incoming traffic (the risk of hackers spoofing those Appstore & Play Store IPs)?
0
sunhux (Author) Commented:
> make a user-based policy for allowing or disallowing the bypass of the firewall
What's the above? So if we bypass the firewall, won't we need firewall rules??
0
sunhux (Author) Commented:
Juniper is zone-based, so is it good enough ?
0
Jackie Man (IT Manager) Commented:
Actually, a good firewall is only part of the solution and you need a good MDM to enforce policies for all mobile devices.

It is really a big topic and you need to think from the users' perspective also.
0
sunhux (Author) Commented:
Ok, nobody can provide the range of Play Store IP addresses, while I've got it for Appstore.

Now, if we permit at our Bluecoat proxy (which could resolve appstore & playstore
URLs), would this be good enough?
0
sunhux (Author) Commented:
> it is not technically possible to whitelist by IP addresses as their server pools are just too big and their
> IP addresses are changing from time to time.
So using a proxy will solve the above issue (as our proxy resolves to public DNS)?
0
Jackie Man (IT Manager) Commented:
I cannot find any information in relation to your Bluecoat proxy, but maybe the information below will help you.

How to get the play store working for me.
Note that I do not have an Any->Any firewall rule for outbound traffic.
Note Also that my device is not in the Transparent Proxy Skiplist

1. Allow outbound traffic to Google Play Ports
Create Service Definitions for Google Play with TCP ports 5222, 5223, and 5228 (5222 may be for Talk/Chat)
I added them to a Service Group called Google Services and set up a firewall rule:
Internal Network -> Google Services -> Any -> Allow

2. Allow those Google Play Ports in transparent proxy Target Services.
Add those services individually to the Allowed Target Services on the Web Protection -> Filtering Options -> Misc page.
Note that Sophos did not allow me to add the service group I created above, I could only add the individual services.

3. Lower the file size for virus scanning to 20mb.
Web Filtering -> Policies -> Default Content Filter Action - Antivirus -> Do not scan files larger than 20mb
Note that you would need to make this adjustment in your whatever policy makes sense for you, if you have custom policies.

The first two alone didn't help with Google Chrome at 28mb. Lowering the A/V scan size was the final step.
Smaller Apps from the Play Store install fine.

Source: https://community.sophos.com/products/unified-threat-management/f/web-protection-web-filtering-application-visibility-control/46079/google-play-store-issues
0
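An added example (not from the thread or the Sophos post) modelling the outbound-only allow rules discussed above: the Google Play service group (TCP 5222/5223/5228) to any destination, and a narrower rule to Apple's 17.0.0.0/8. The internal range 10.0.0.0/8 and the APNs ports 5223/443 (from Apple's published requirements, not this thread) are assumptions; the flows at the bottom are constructed. It also shows that these rules open nothing inbound, which addresses the spoofing worry raised earlier.

```python
# Constructed model of stateful outbound allow rules; first match wins,
# anything unmatched is dropped. Nothing here permits an inbound-initiated flow.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Google Play service group from the Sophos write-up above.
GOOGLE_SERVICES = frozenset({("tcp", 5222), ("tcp", 5223), ("tcp", 5228)})
# APNs ports per Apple's published requirements (assumption, not from the thread).
APNS_SERVICES = frozenset({("tcp", 5223), ("tcp", 443)})
APPLE_NET = ip_network("17.0.0.0/8")   # Apple's /8, as quoted in the thread
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")    # constructed corporate range


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    services: frozenset  # set of (proto, dport) pairs


# Order matters: the narrow Apple rule sits before the "Any" destination rule.
RULES = [
    Rule("apns", INTERNAL, APPLE_NET, APNS_SERVICES),
    Rule("google-play", INTERNAL, ANY, GOOGLE_SERVICES),
]


def evaluate(src: str, dst: str, proto: str, dport: int, rules=RULES):
    """Return the name of the first rule permitting a new outbound flow, else None."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (proto, dport) in r.services:
            return r.name
    return None


def exposure(net: str) -> int:
    """How many destination addresses a rule to this prefix reaches."""
    return ip_network(net).num_addresses


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("10.1.2.3", "17.1.2.3", "tcp", 5223),    # APNs into Apple's /8
        ("10.1.2.3", "74.125.1.1", "tcp", 5228),  # Play push/market
        ("10.1.2.3", "74.125.1.1", "tcp", 443),   # web: not opened here, goes via proxy
        ("17.1.2.3", "10.1.2.3", "tcp", 5223),    # inbound from Apple's range: no rule
    ]
    for f in flows:
        print(f, "->", evaluate(*f))
    print("addresses behind 17.0.0.0/8:", exposure("17.0.0.0/8"))
```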