After our iPods stopped receiving updates for new app versions for the Epic Rover app, it was determined that the FW was blocking that port. Upon further troubleshooting, it was determined that the URL for the apps, which used to be itunes.apple.com, has changed to apps.apple.com. The new URL, apps.apple.com, was not whitelisted in Blue Coat. Apple stated that they try to update the TCP Ports list document in support.apple.com, but sometimes new ports are not listed. The request may come down to the device, but when the device is trying to reach the new URL, the connection is blocked. I knew there was nothing wrong with the device, with the VPP token or Apple's back end. Try it from a hotspot or any other non-firewall, web-content filtered SSID.
I started seeing the same issue just last week. Some but not all devices are trying to connect to 17.x.x.x on port 5224 when attempting to get an iTunes app. I've seen several different errors in the client troubleshooting log. And yes, our firewall is blocking it too. Adding this port to the firewall would be a simple fix, but it doesn't address the core question. Why a new port?
12064 Could not retrieve license for the app with iTunes Store ID XXXXXXXXXXX Error Code : 3 Cannot connect to iTunes Store