Firewall Settings for Scalefusion
Scalefusion is a cloud-hosted solution with servers across the continents. Devices enrolled and managed by Scalefusion therefore need continuous access to Scalefusion's servers so that they can be managed in real time. The devices also need a connection to Google Push services, Apple Push services and Windows Push services, along with other components required for device management. In addition, to access Scalefusion's Dashboard, the PC/laptop needs access to certain IPs and URLs.
However, an organization might restrict internet access on its corporate-managed devices and/or PCs/laptops by using a firewall or a proxy. In such cases it becomes important to whitelist the URLs, IPs and ports required for Scalefusion to work smoothly in your organization.
This guide outlines the firewall settings that need to be configured for Scalefusion.
The following URLs, IP addresses and FQDNs need to be whitelisted in the firewall:
- Domain: *.mobilock.in & *.scalefusion.com
- Description: This is the main domain and IP required for API access and Dashboard access. Whitelist the FQDN and allow outbound requests to connect to both ports 80 and 443. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled.
- Domain: mobilock.s3-website-eu-west-1.amazonaws.com
- Description: Allow the entire domain mobilock.s3-website-eu-west-1.amazonaws.com, as this S3 URL has a dynamic IP. This is required for files distributed using Content Management and for branding-related graphics.
- Domain: db5xszokwvv76.cloudfront.net
- Description: This is a CDN edge server. The Scalefusion MDM server distributes admin-uploaded APKs through this server for faster download. It has a dynamic IP, as it chooses the closest location available. We suggest adding an FQDN entry for this domain if possible. It is needed only if you want to remotely install APKs on devices.
- URL: http://clients3.google.com/generate_204 and https://clients3.google.com/generate_204
- Description: Used for captive portal detection by Android clients.
Android GCM/FCM Push
- Google GCM/FCM IP Addresses: All IP addresses contained in the IP blocks listed in Google's ASN of 15169
- Description: If your organization has a firewall that restricts traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. GCM doesn't provide specific IPs and changes IPs frequently, so all the IPs listed at https://www.dan.me.uk/bgplookup?asn=15169 should be whitelisted.
- Google GCM Domain: mtalk.google.com:5228 & android.googleapis.com:443 & android.clients.google.com:443
- Description: Some older Android versions need the above domain:port pairs to be whitelisted for GCM/FCM push to work.
For additional details and URLs, please refer to FCM Firewall Rules.
On Devices which do not support Google Play Services, Scalefusion uses Pushy for sending remote commands. To allow Pushy to work please use,
Note: Please notice the * character which indicates a wildcard subdomain whitelist, and the two separate domains pushy.me and pushy.io.
Knox Firewall Rules
If you are enrolling and managing Samsung devices that support Knox, then please whitelist policies as per the Knox Firewall rules.
Apple Push Notifications
Please refer to Apple's detailed document on the firewall configuration required for Apple Push Notifications to work: https://support.apple.com/en-in/HT203609
Windows Push Notifications
Microsoft recommends that you use DNS based firewall rules. You need to have the following destination open for port 443:
If the above is not feasible, you need to use the IP list Microsoft provides and update it about every 2-3 weeks: http://www.microsoft.com/en-us/download/confirmation.aspx?id=44238
- Domain: signal.mobilock.in
- Description: This is required for the Remote Cast & Control & Eva Communication Suite. Allow outbound connections to 443.
- Domain: s1.xirsys.com
- Description: This is required for the Remote Cast & Control. Allow outbound connections to 80 & 443.
Whitelist Ports for Outbound connections
- Ports for GCM/FCM: 5228, 5229, and 5230
- Description: To allow connectivity of Mobile Devices with Google GCM/FCM.
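One way to check an existing firewall against the list above is to scan its deny log for destinations this guide says must be reachable. The following is an added example, not Scalefusion's own tooling; the log layout, the sample hostnames and the function names are assumptions, and entries for which the guide states no port are treated as "any port".

```python
import re
from fnmatch import fnmatchcase

# Destinations and ports as listed in this guide. None means the guide states
# no port, so any port counts as required (an assumption of this example).
REQUIRED = [
    ("*.mobilock.in", {80, 443}),
    ("*.scalefusion.com", {80, 443}),
    ("mobilock.s3-website-eu-west-1.amazonaws.com", None),
    ("db5xszokwvv76.cloudfront.net", None),
    ("clients3.google.com", {80, 443}),
    ("mtalk.google.com", {5228}),
    ("android.googleapis.com", {443}),
    ("android.clients.google.com", {443}),
    ("s1.xirsys.com", {80, 443}),
]

# Hypothetical log layout: "<timestamp> <ACTION> src=<ip> dst=<fqdn> dport=<port>"
LINE_RE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) src=\S+ dst=(?P<dst>\S+) dport=(?P<port>\d+)$")

def is_required(host, port):
    """True if host:port matches an entry of the guide's allow list."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, pattern) and (ports is None or port in ports)
               for pattern, ports in REQUIRED)

def blocked_required(log_lines):
    """Return sorted (host, port) pairs that were denied but are required."""
    hits = set()
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m or m["action"] != "DENY":
            continue
        host, port = m["dst"].lower().rstrip("."), int(m["port"])
        if is_required(host, port):
            hits.add((host, port))
    return sorted(hits)

# Constructed sample log lines (not from a real firewall or device).
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z DENY src=10.0.0.5 dst=signal.mobilock.in dport=443",
    "2024-05-01T10:00:02Z ALLOW src=10.0.0.5 dst=example.scalefusion.com dport=443",
    "2024-05-01T10:00:03Z DENY src=10.0.0.7 dst=mtalk.google.com dport=5228",
    "2024-05-01T10:00:04Z DENY src=10.0.0.7 dst=mobilock.in.example.net dport=443",
    "2024-05-01T10:00:05Z DENY src=10.0.0.9 dst=s1.xirsys.com dport=8080",
]

if __name__ == "__main__":
    for host, port in blocked_required(SAMPLE_LOG):
        print(f"required but blocked: {host}:{port}")
```

The wildcard match is anchored on the full hostname, so a look-alike such as mobilock.in.example.net is not treated as a Scalefusion destination.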
If you have any questions please contact us at firstname.lastname@example.org