Firewall Settings for Scalefusion

Scalefusion is a cloud-hosted solution with servers across the continents. This means devices enrolled and managed by Scalefusion need continuous access to Scalefusion's servers so that they can be managed in real time. The devices also need a connection to Google Push services, Apple Push services and Windows Push services, along with other components that are required for device management. To access the Scalefusion Dashboard, the PC/laptop also needs access to certain IPs and URLs.

However, an organization might restrict internet access on its corporate-managed devices and/or PCs/laptops by using a firewall or a proxy. In such cases it becomes important to allow the URLs, IPs and ports required for Scalefusion to work smoothly in your organization.

This guide outlines the Firewall settings that need to be done for Scalefusion.

https://support.google.com/work/android/answer/10513641?hl=en

General

The following URLs, IP addresses and FQDNs need to be allowed in the firewall:

  1. Domain: *.mobilock.in & *.scalefusion.com
    1. Description: This is the main domain and IP, required for API access and Dashboard access. Allow the FQDN and allow outbound requests to both port 80 and port 443. Scalefusion always uses HTTPS, and most firewalls allow this unless it is explicitly disabled.
  2. Domain: mobilock.s3-website-eu-west-1.amazonaws.com
    1. Description: Allow the entire domain mobilock.s3-website-eu-west-1.amazonaws.com, as this S3 URL has a dynamic IP. This is required for files distributed using Content Management and for the Branding-related graphics.
  3. Domain: db5xszokwvv76.cloudfront.net
    1. Description: This is a CDN edge server; the Scalefusion MDM server distributes admin-uploaded APKs through it for faster downloads. It has a dynamic IP, as it chooses the closest location available, so we suggest adding an FQDN entry for this domain if possible. This is only needed if you want to remotely install APKs on devices.
  4. URL: http://clients3.google.com/generate_204 and https://clients3.google.com/generate_204
    1. Description: Used for captive portal detection by Android clients.
  5. Transport Layer Security (TLS) versions: Scalefusion supports only TLSv1.2 and TLSv1.3 versions, so please allow traffic on/from this layer.

Android GCM/FCM Push

  1. Google GCM/FCM IP Addresses: All IP addresses contained in the IP blocks listed in Google's ASN of 15169
    1. Description: If your organization has a firewall that restricts traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. GCM doesn't provide specific IPs and changes IPs frequently, so all the IPs listed at https://www.dan.me.uk/bgplookup?asn=15169 should be allowed.
  2. Google GCM Domain: mtalk.google.com:5228 & android.googleapis.com:443 & android.clients.google.com:443
    1. Description: Some older Android versions need the above domain:port to be allowed for the GCM/FCM push to work.

For additional details and URLs, please refer to FCM Firewall Rules and the Firewall rules for Android Enterprise (aka EMM) to work properly.

Pushy

On devices that do not support Google Play Services, Scalefusion uses Pushy for sending remote commands. To allow Pushy to work, please allow the following:

  • *.pushy.me:443
  • *.pushy.io:443
  • https://pushy.me
  • https://pushy.io

Note: Please notice the * character which indicates a wildcard subdomain allow, and the two separate domains pushy.me and pushy.io.

Knox Firewall Rules

If you are enrolling and managing Samsung devices that support Knox then please allow policies as per the Knox Firewall rules.

Lenovo SDK Firewall Rules

If you are managing Lenovo devices, the URL below is used to activate the Lenovo CSDK, which enables tighter integration with select Lenovo devices.

  1. Domain: onlinerow.lenovocust.com

Apple Push Notifications

Please refer to Apple's detailed document on the firewall configuration required for Apple Push Notifications to work: https://support.apple.com/en-in/HT203609

Windows

Enrollment

  • enrollment.manage.microsoft.com
  • login.microsoftonline.com
  • portal.manage.microsoft.com
  • bspmts.mp.microsoft.com
  • ipinfo.io

Push Notifications

Microsoft recommends that you use DNS based firewall rules. You need to have the following destination open for port 443:

  • https://next-services.apps.microsoft.com
  • https://*.wns.windows.com
  • https://*.notify.windows.com
  • https://wscont1.apps.microsoft.com
  • prod-unattended-rc.service.signalr.net
  • sfpush.service.signalr.net

If the above is not feasible, you need to use the IP list Microsoft provides and update it about every 2 to 3 weeks: http://www.microsoft.com/en-us/download/confirmation.aspx?id=44238

Courtesy: StackOverFlow

Remote Cast

  1. Domain: signal.mobilock.in
    1. Description: This is required for Remote Cast & Control and the Eva Communication Suite. Allow outbound connections to 443.
  2. Domain: s1.xirsys.com
    1. Description: This is required for Remote Cast & Control. Allow outbound connections to 80 & 443.

Allow Ports for Outbound connections

  1. Ports for GCM/FCM: 5228, 5229, and 5230
    1. Description: To allow connectivity of Mobile Devices with Google GCM/FCM.
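The following added example (not part of Scalefusion's documentation or tooling) encodes the host and port entries from the General, GCM/FCM, Pushy, Lenovo, Remote Cast and outbound-port sections above as an allowlist, so you can check offline whether a given destination is covered before touching the firewall. It applies strict wildcard semantics (`*.pushy.me` does not cover `pushy.me`, which is why the apex domains are listed separately), and includes a live TLS probe pinned to TLS 1.2+ to reflect the stated TLS support; the `None` port markers and the mapping of ports 5229/5230 to mtalk.google.com are assumptions where the page states no port.

```python
import socket
import ssl
from urllib.parse import urlparse

# Allowlist transcribed from the sections above.
# None = the page states no port for that entry (assumption: any port).
ALLOWLIST = [
    ("*.mobilock.in", {80, 443}),
    ("*.scalefusion.com", {80, 443}),
    ("mobilock.s3-website-eu-west-1.amazonaws.com", None),
    ("db5xszokwvv76.cloudfront.net", None),
    ("clients3.google.com", {80, 443}),          # generate_204 over http and https
    ("mtalk.google.com", {5228, 5229, 5230}),    # 5228 per host entry; 5229/5230 assumed from ports section
    ("android.googleapis.com", {443}),
    ("android.clients.google.com", {443}),
    ("*.pushy.me", {443}), ("pushy.me", {443}),  # wildcard plus apex, as the Pushy note says
    ("*.pushy.io", {443}), ("pushy.io", {443}),
    ("onlinerow.lenovocust.com", None),
    ("signal.mobilock.in", {443}),
    ("s1.xirsys.com", {80, 443}),
]

def host_matches(pattern: str, host: str) -> bool:
    """'*.example.com' matches any subdomain but NOT the apex 'example.com';
    that is why the page lists pushy.me and pushy.io next to the wildcards."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:].lower())  # suffix such as '.pushy.me'
    return host == pattern.lower()

def is_allowed(host: str, port: int) -> bool:
    """True if some allowlist entry covers this destination host and port."""
    return any(host_matches(pat, host) and (ports is None or port in ports)
               for pat, ports in ALLOWLIST)

def url_allowed(url: str) -> bool:
    """Apply is_allowed to a URL, defaulting the port from the scheme."""
    u = urlparse(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return bool(u.hostname) and is_allowed(u.hostname, port)

def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (needs network): returns the negotiated TLS version, with the
    client pinned to TLS 1.2+ because the page says only TLSv1.2/1.3 are supported."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()
```

A destination rejected by `is_allowed` but needed by a device points at an entry missing from your firewall rules; a `probe_tls` failure from inside the network points at a proxy that intercepts or downgrades TLS.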

If you have any questions please contact us at [email protected]
