Whitelisting Apple iCloud services on a restrictive firewall

When using restrictive Layer 3 Firewall Rules for outbound traffic on the MX Security Appliance, services such as Apple iCloud can sometimes be inadvertently blocked. The purpose of this KB is to discuss the ports Apple iCloud needs access to perform backups and access data stored on iCloud.

Figure 1. Explicit deny rule blocking iCloud traffic. 

The firewall configuration shown in Figure 1 will block all outbound traffic except TCP 80 amd TCP 443 (http and https).  A user trying to use another protocol, like UDP, or another port, like 25, will be blocked by the firewall. With these rules in place many other features will not work.

To allow iCloud to function, Apple has a list of ports which need to be allowed for iCloud to function on your client devices. The ports used by iCloud are:

TCP 25

TCP 80

TCP 443

TCP 587

TCP 993

TCP 5223

To allow the connection on these ports, use the following configuration.

Figure 2. iCloud firewall config.

Once the connections are allowed, iCloud will function and users will be able to back up their devices or pull information they have stored in iCloud.