Firewall Settings for Scalefusion
- 16 Feb 2024
- 4 Minutes to read
- Print
- PDF
Firewall Settings for Scalefusion
- Updated on 16 Feb 2024
- 4 Minutes to read
- Print
- PDF
Article Summary
Share feedback
Thanks for sharing your feedback!
Scalefusion is a cloud-hosted solution with servers across the continents. This means devices enrolled and managed by Scalefusion need to have continuous access to Scalefusion's servers so that they can be managed in real-time. The devices also need to have a connection with Google Push services, Apple Push services and Windows Push services, along with other components that are required for the management of devices. Also, to access Scalefusion's Dashboard, the PC/Laptop needs to have access to certain IPs and URLs.
However, an organization might be restricting internet access on their corporate-managed devices and/or PCs/Laptops by using a firewall or a proxy. In such cases, it becomes important to allow the URLs, IPs and ports required for Scalefusion to work smoothly in your organization.
This guide outlines the Firewall settings that need to be done for Scalefusion.
All Regions
The following URLs, IP addresses and FQDNs need to be allowed in the firewall,
General
| URL/Domain/FQDN | Port | Description |
| *.mobilock.in | 80 & 443 | This is the main domain and IP that is required for API access and dashboard access. Allow the FQDN and allow the outbound request to connect to both: 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled. |
| *.scalefusion.com | ||
| Allow Ports for Outbound connections | 5228, 5229, and 5230 | To allow connectivity of Mobile Devices with Google GCM/FCM. |
Android
| URL/Domain/FQDN | Port | Description |
| Android Enterprise | - | https://support.google.com/work/android/answer/10513641?hl=en |
| Knox | - | https://docs.samsungknox.com/admin/knox-admin-portal/get-started/samsung-knox-firewall-exceptions/ |
| onlinerow.lenovocust.com | 443 | If you are managing Lenovo devices, then the below URL is used to activate Lenovo CSDK, which allows you to achieve tighter integration with select Lenovo devices. |
| clients3.google.com | 80 & 443 | Used to detect captive portals and redirect accordingly. |
| android.clients.google.com | 443 | Used by the OS during device enrollment |
| mtalk.google.com | 5222, 5228 | Please allow TCP/UDP traffic as this is used for internal communication by the OS. |
Android GCM/FCM Push
- Google GCM/FCM IP Addresses: All IP addresses contained in the IP blocks listed in Google's ASN of 15169
- Description: If your organization has a firewall that restricts the traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. GCM doesn't provide specific IPs. It changes IPs frequently. So all the IPs listed here, https://www.dan.me.uk/bgplookup?asn=15169, should be allowed.
- Google GCM Domain: mtalk.google.com:5228 & android.googleapis.com:443 & android.clients.google.com:443
- Description: Some older Android versions need the above domain: port to be allowed for the GCM/FCM push to work.
For additional details and URL, please refer to FCM Firewall Rules and Firewall rules for Android Enterprise, aka EMM, to work properly.
iOS and macOS
Apple Push Notifications: Please refer to Apple’s documentation on the firewall configuration for Apple Push Notifications to work, at https://support.apple.com/en-in/HT203609
Windows
If you are using Scalefusion to manage Windows device inventory, then please allow the below URLs
| URL/Domain/FQDN | Port | Description |
| next-services.apps.microsoft.com | 443 | These URLs are used by Windows Access to School or Work app during modern management enrollment for various purposes related to service discovery, enrollment and push notifications. |
| *.wns.windows.com | 443 | |
| *.notify.windows.com | 443 | |
| wscont1.apps.microsoft.com | 443 | |
| prod-unattended-rc.service.signalr.net | 443 | |
| portal.manage.microsoft.com | 443 | |
| login.microsoftonline.com | 443 | |
| enrollment.manage.microsoft.com | 443 | |
| ipinfo.io | 443 | |
| bspmts.mp.microsoft.com | 443 | |
| sfpush.service.signalr.net | 443 |
If the above is not feasible, you need to use the IP list Microsoft provides and update it about every 2- 3 weeks, http://www.microsoft.com/en-us/download/confirmation.aspx?id=44238
Courtesy: StackOverflow
Pushy
On Devices that do not support Google Play Services, Scalefusion uses Pushy for sending remote commands. To allow Pushy to work, please use,
| URL/Domain/FQDN | Port | Description |
| *.pushy.me | 443 | Pushy FQDNs used to send push messages to devices |
| *.pushy.io | 443 | |
pushy.me | 443 | |
pushy.io | 443 |
Note: Please notice the * character, which indicates a wildcard subdomain allowed, and the two separate domains pushy.me and pushy.io.
Remote Cast & Control
If you are using Scalefusion’s Remote Cast & Control, then please allow the below for WebRTC connections.
| URL/Domain/FQDN | Port | Description |
| s1.xirsys.com | 80 & 443 | Used for device discovery and P2P connections for Remote Cast & Control |
Global (EU) Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://app.scalefusion.com
| URL/Domain/FQDN | Port | Description |
| mobilock.s3-website-eu-west-1.amazonaws.com | 443 | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
db5xszokwvv76.cloudfront.net d17n3uawl7kvhu.cloudfront.net | 443 | This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
signal.scalefusion.com signal.mobilock.in | 443 | This is required for the Remote Cast & Control & Eva Communication Suite. Allow outbound connections to 443. |
chat.mobilock.in eva.mobilock.in eva.scalefusion.com | EVA Chat |
US Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://endpointlockdown.com
| URL/Domain/FQDN | Port | Description |
| *.endpointlockdown.com | 80 & 443 | This is the main domain and IP that is required for API access and dashboard access. Allow the FQDN and allow the outbound request to connect to both: the 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled. |
| assets-hp-reap.s3.amazonaws.com | 443 | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
| db5xszokwvv76.cloudfront.net | 443 | This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
| signal.endpointlockdown.com | 443 | Used for the WebRTC connections during Remote Cast & Control |
| chat.gomdm.io | 443 | Used for the VOIP communication in Remote Cast & Control |
India Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://in.scalefusion.com
| URL/Domain/FQDN | Port | Description |
| assets-sf-bharat.s3.ap-south-1.amazonaws.com | 443 | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
| d2vykazg2augye.cloudfront.net | 443 | This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
| rc-in.scalefusion.com | 443 | Used for the WebRTC connections during Remote Cast & Control |
| eva-in.scalefusion.com | 443 | Chat URL |
Transport Layer Security (TLS) versions
Scalefusion supports only TLSv1.2 and TLSv1.3 versions, so please allow traffic on/from this layer.
Was this article helpful?
