Firewall Settings for Scalefusion
  • 18 Jun 2024
  • 4 Minutes to read
  • PDF

Firewall Settings for Scalefusion

  • PDF

Article summary

Scalefusion is a cloud-hosted solution with servers across the continents. This means devices enrolled and managed by Scalefusion need to have continuous access to Scalefusion's servers so that they can be managed in real-time. The devices also need to have a connection with Google Push services, Apple Push services and Windows Push services, along with other components that are required for the management of devices. Also, to access Scalefusion's Dashboard, the PC/Laptop needs to have access to certain IPs and URLs.

However, an organization might be restricting internet access on their corporate-managed devices and/or PCs/Laptops by using a firewall or a proxy. In such cases, it becomes important to allow the URLs, IPs and ports required for Scalefusion to work smoothly in your organization.

This guide outlines the Firewall settings that need to be done for Scalefusion.

All Regions

The following URLs, IP addresses and FQDNs need to be allowed in the firewall,

General

URL/Domain/FQDNPortDescription
*.mobilock.in80 & 443This is the main domain and IP that is required for API access and dashboard access. Allow the FQDN and allow the outbound request to connect to both: 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled.
*.scalefusion.com
Allow Ports for Outbound connections5228, 5229, and 5230To allow connectivity of Mobile Devices with Google GCM/FCM.

Android

URL/Domain/FQDNPortDescription
Android Enterprise-https://support.google.com/work/android/answer/10513641?hl=en
Knox-https://docs.samsungknox.com/admin/knox-admin-portal/get-started/samsung-knox-firewall-exceptions/ 
onlinerow.lenovocust.com443If you are managing Lenovo devices, then the below URL is used to activate Lenovo CSDK, which allows you to achieve tighter integration with select Lenovo devices.
clients3.google.com80 & 443Used to detect captive portals and redirect accordingly.
android.clients.google.com443Used by the OS during device enrollment
mtalk.google.com5222, 5228Please allow TCP/UDP traffic as this is used for internal communication by the OS.

Android GCM/FCM Push

  1. Google GCM/FCM IP Addresses: All IP addresses contained in the IP blocks listed in Google's ASN of 15169
    1. Description: If your organization has a firewall that restricts the traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. GCM doesn't provide specific IPs. It changes IPs frequently. So all the IPs listed here, https://www.dan.me.uk/bgplookup?asn=15169, should be allowed.
  2. Google GCM Domain: mtalk.google.com:5228 & android.googleapis.com:443 & android.clients.google.com:443
    1. Description: Some older Android versions need the above domain: port to be allowed for the GCM/FCM push to work.

For additional details and URL, please refer to FCM Firewall Rules and Firewall rules for Android Enterprise, aka EMM, to work properly.

iOS and macOS

Apple Push Notifications: Please refer to Apple’s documentation on the firewall configuration for Apple Push Notifications to work, at https://support.apple.com/en-in/HT203609

Windows

If you are using Scalefusion to manage Windows device inventory, then please allow the below URLs

URL/Domain/FQDNPortDescription
next-services.apps.microsoft.com443
These URLs are used by Windows Access to School or Work app during modern management enrollment for various purposes related to service discovery, enrollment and push notifications.
*.wns.windows.com443
*.notify.windows.com443
wscont1.apps.microsoft.com443
prod-unattended-rc.service.signalr.net443
portal.manage.microsoft.com443
login.microsoftonline.com443
enrollment.manage.microsoft.com443
ipinfo.io443
bspmts.mp.microsoft.com443
sfpush.service.signalr.net443

If the above is not feasible, you need to use the IP list Microsoft provides and update it about every 2- 3 weeks, http://www.microsoft.com/en-us/download/confirmation.aspx?id=44238

Courtesy: StackOverflow

Pushy

On Devices that do not support Google Play Services, Scalefusion uses Pushy for sending remote commands. To allow Pushy to work, please use,

URL/Domain/FQDNPortDescription
*.pushy.me443Pushy FQDNs used to send push messages to devices
*.pushy.io443

pushy.me

443

pushy.io

443

Note: Please notice the * character, which indicates a wildcard subdomain allowed, and the two separate domains pushy.me and pushy.io.

Remote Cast & Control

If you are using Scalefusion’s Remote Cast & Control, then please allow the below for WebRTC connections.

URL/Domain/FQDNPortDescription
s1.xirsys.com80 & 443Used for device discovery and P2P connections for Remote Cast & Control

OneIdP

Global Instance

If you are using Scalefusion’s OneIdP, then please allow the following URLs:

URL/Domain/FQDNDescription
app.oneidp.com
accounts.oneidp.comUsed for OneIdP SSO/authentication
launchlocal.oneidp.comUsed as iOS app launcher
smtp.mailgun.orgUsed as domain for mailgun to send, receive, and track emails.
*.googleapis.comAllows communication with Google Services and their integration to other services.
*.google.comAllow access to any subdomains of google.com

Global (EU) Instance

This section provides the URLs and FQDNs that you have to allow if you are using https://app.scalefusion.com

URL/Domain/FQDNPortDescription
mobilock.s3-website-eu-west-1.amazonaws.com443Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics.

db5xszokwvv76.cloudfront.net

d17n3uawl7kvhu.cloudfront.net

443This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices.

signal.scalefusion.com

signal.mobilock.in

443This is required for the Remote Cast & Control & Eva Communication Suite. Allow outbound connections to 443.

chat.mobilock.in

eva.mobilock.in eva.scalefusion.com


EVA Chat

US Instance

This section provides the URLs and FQDNs that you have to allow if you are using https://endpointlockdown.com

URL/Domain/FQDNPortDescription
*.endpointlockdown.com80 & 443This is the main domain and IP that is required for API access and dashboard access. Allow the FQDN and allow the outbound request to connect to both: the 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled.
assets-hp-reap.s3.amazonaws.com443Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics.
db5xszokwvv76.cloudfront.net443This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices.
signal.endpointlockdown.com443Used for the WebRTC connections during Remote Cast & Control
chat.gomdm.io443Used for the VOIP communication in Remote Cast & Control

India Instance

This section provides the URLs and FQDNs that you have to allow if you are using https://in.scalefusion.com

URL/Domain/FQDNPortDescription
assets-sf-bharat.s3.ap-south-1.amazonaws.com443Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics.
d2vykazg2augye.cloudfront.net443This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices.
rc-in.scalefusion.com443Used for the WebRTC connections during Remote Cast & Control
eva-in.scalefusion.com443Chat URL

Transport Layer Security (TLS) versions

Scalefusion supports only TLSv1.2 and TLSv1.3 versions, so please allow traffic on/from this layer.



Was this article helpful?