Devices using APNs need a direct connection to Apple's server. If a device is unable to connect using cellular data, it will attempt to use Wi-Fi if available. If there is a proxy server on the Wi-Fi network, the device will not be able to use APNs, because APNs requires a direct and persistent connection from device to server.
When connecting to APNs, iOS devices will use the cellular data connection if it's available. Only if the cellular connection is not available or viable will the device switch to Wi-Fi for APNs connections.
For APNs traffic to get past your firewall, you'll need to open these ports:
- TCP port 5223 (used by devices to communicate to the APNs servers)
- TCP port 2195 (used to send notifications to the APNs)
- TCP port 2196 (used by the APNs feedback service)
- TCP Port 443 (used as a fallback on Wi-fi only, when devices are unable to communicate to APNs on port 5223)
The APNs servers use load balancing. Your devices will not always connect to the same public IP address for notifications. The entire 188.8.131.52/8 address block is assigned to Apple, so it's best to allow this range in your firewall settings.
Find more information on the ports Apple services use.