- 30 Jul 2024
- 5 Minutes to read
- Print
- PDF
Firewall Settings for Scalefusion
- Updated on 30 Jul 2024
- 5 Minutes to read
- Print
- PDF
Scalefusion is a cloud-hosted solution with servers across the continents. This means devices enrolled and managed by Scalefusion need to have continuous access to Scalefusion's servers so that they can be managed in real-time. The devices also need to have a connection with Google Push services, Apple Push services and Windows Push services, along with other components that are required for the management of devices. Also, to access Scalefusion's Dashboard, the PC/Laptop needs to have access to certain IPs and URLs.
However, an organization might be restricting internet access on their corporate-managed devices and/or PCs/Laptops by using a firewall or a proxy. In such cases, it becomes important to allow the URLs, IPs and ports required for Scalefusion to work smoothly in your organization.
This guide outlines the Firewall settings that need to be done for Scalefusion.
All Regions
The following URLs, IP addresses and FQDNs need to be allowed in the firewall:
General
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
*.mobilock.in | 80 & 443 | HTTP/S | Outbound | This is the main domain and IP that is required for API access and dashboard access. Allow the FQDN and allow the outbound request to connect to both: 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled. |
*.scalefusion.com | ||||
Allow Ports for Outbound connections | 5228, 5229, and 5230 | TCP | Outbound | To allow connectivity of Mobile Devices with Google GCM/FCM. |
Android
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
Android Enterprise | - | - | Outbound | https://support.google.com/work/android/answer/10513641?hl=en |
Knox | - | - | Outbound | https://docs.samsungknox.com/admin/knox-admin-portal/get-started/samsung-knox-firewall-exceptions/ |
onlinerow.lenovocust.com | 443 | HTTPS | Outbound | If you are managing Lenovo devices, then the below URL is used to activate Lenovo CSDK, which allows you to achieve tighter integration with select Lenovo devices. |
clients3.google.com | 80 & 443 | HTTP/S | Used to detect captive portals and redirect accordingly. | |
android.clients.google.com | 443 | HTTP/S | Outbound | Used by the OS during device enrollment |
mtalk.google.com | 5222, 5228 | TCP | Outbound | Please allow TCP/UDP traffic as this is used for internal communication by the OS. |
Android GCM/FCM Push
- Google GCM/FCM IP Addresses: All IP addresses contained in the IP blocks listed in Google's ASN of 15169
- Description: If your organization has a firewall that restricts the traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. GCM doesn't provide specific IPs. It changes IPs frequently. So all the IPs listed here, https://www.dan.me.uk/bgplookup?asn=15169, should be allowed.
- Google GCM Domain: mtalk.google.com:5228 & android.googleapis.com:443 & android.clients.google.com:443
- Description: Some older Android versions need the above domain: port to be allowed for the GCM/FCM push to work.
For additional details and URL, please refer to FCM Firewall Rules and Firewall rules for Android Enterprise, aka EMM, to work properly.
iOS and macOS
Apple Push Notifications: Please refer to Apple’s documentation on the firewall configuration for Apple Push Notifications to work, at https://support.apple.com/en-in/HT203609
Windows
If you are using Scalefusion to manage Windows device inventory, then please allow the below URLs:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
next-services.apps.microsoft.com | 443 | HTTPS | Outbound | These URLs are used by Windows Access to School or Work app during modern management enrollment for various purposes related to service discovery, enrollment and push notifications. |
*.wns.windows.com | 443 | HTTPS | Outbound | |
*.notify.windows.com | 443 | HTTPS | Outbound | |
wscont1.apps.microsoft.com | 443 | HTTPS | Outbound | |
prod-unattended-rc.service.signalr.net | 443 | HTTPS | Outbound | |
portal.manage.microsoft.com | 443 | HTTPS | Outbound | |
login.microsoftonline.com | 443 | HTTPS | Outbound | |
enrollment.manage.microsoft.com | 443 | HTTPS | Outbound | |
ipinfo.io | 443 | HTTPS | Outbound | |
bspmts.mp.microsoft.com | 443 | HTTPS | Outbound | |
sfpush.service.signalr.net | 443 | HTTPS | Outbound |
If the above is not feasible, you need to use the IP list Microsoft provides and update it about every 2- 3 weeks, http://www.microsoft.com/en-us/download/confirmation.aspx?id=44238
Courtesy: StackOverflow
Pushy
On Devices that do not support Google Play Services, Scalefusion uses Pushy for sending remote commands. To allow Pushy to work, please use:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
*.pushy.me | 443 | HTTPS | Outbound | Pushy FQDNs used to send push messages to devices |
*.pushy.io | 443 | HTTPS | Outbound | |
pushy.me | 443 | HTTPS | Outbound | |
pushy.io | 443 | HTTPS | Outbound |
Note: Please notice the * character, which indicates a wildcard subdomain allowed, and the two separate domains pushy.me and pushy.io.
Remote Cast & Control
If you use Scalefusion’s Remote Cast & Control, please allow the WebRTC connections below:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
s1.xirsys.com | 80 & 443 | HTTP/S/TCP/UDP | Outbound | Used for device discovery and P2P connections for Remote Cast & Control |
OneIdP
If you are using Scalefusion's OneIdp suite of services, then please allow the below URLs:
Global Instance
If you are using Scalefusion’s OneIdP on https://app.scalefusion.com, then please allow the following URLs:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
app.oneidp.com | 443 | HTTPS | Outbound | |
accounts.oneidp.com | 443 | HTTPS | Outbound | Used for OneIdP SSO/authentication |
launchlocal.oneidp.com | 443 | HTTPS | Outbound | Used as iOS app launcher |
localverifier.oneidp.com | 443 | HTTPS | Outbound | |
smtp.mailgun.org | 443 | HTTPS | Outbound | Used as domain for mailgun to send, receive, and track emails. |
*.googleapis.com | 443 | HTTPS | Outbound | Allows communication with Google Services and their integration into other services. |
*.google.com | 443 | HTTPS | Outbound | Allow access to any subdomains of google.com |
US Instance
If you are using Scalefusion’s OneIdP on https://endpointlockdown.com, then please allow the following URLs:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
us.oneidp.com | 443 | HTTPS | Outbound | |
us-accounts.oneidp.com | 443 | HTTPS | Outbound | Used for OneIdP SSO/authentication |
us-launchlocal.oneidp.com | 443 | HTTPS | Outbound | Used as an iOS app launcher |
localverifier.oneidp.com | 443 | HTTPS | Outbound | |
smtp.mailgun.org | 443 | HTTPS | Outbound | Used as the domain for Mailgun to send, receive, and track emails. |
*.googleapis.com | 443 | HTTPS | Outbound | Allows communication with Google Services and their integration to other services. |
*.google.com | 443 | HTTPS | Outbound | Allow access to any subdomains of google.com |
India Instance
If you are using Scalefusion’s OneIdP on https://in.scalefusion.com, then please allow the following URLs:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
in.oneidp.com | 443 | HTTPS | Outbound | |
in-accounts.oneidp.com | 443 | HTTPS | Outbound | Used for OneIdP SSO/authentication |
in-launchlocal.oneidp.com | 443 | HTTPS | Outbound | Used as an iOS app launcher |
localverifier.oneidp.com | 443 | HTTPS | Outbound | |
smtp.mailgun.org | 443 | HTTPS | Outbound | Used as the domain for Mailgun to send, receive, and track emails. |
*.googleapis.com | 443 | HTTPS | Outbound | Allows communication with Google Services and their integration to other services. |
*.google.com | 443 | HTTPS | Outbound | Allow access to any subdomains of google.com |
Global (EU) Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://app.scalefusion.com
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
mobilock.s3-website-eu-west-1.amazonaws.com | 443 | HTTPS | Outbound | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
db5xszokwvv76.cloudfront.net d17n3uawl7kvhu.cloudfront.net | 443 | HTTPS | Outbound | This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
signal.scalefusion.com signal.mobilock.in | 443 | HTTPS/TCP/UDP | Outbound | This is required for the Remote Cast & Control & Eva Communication Suite. Allow outbound connections to 443. |
chat.mobilock.in eva.mobilock.in eva.scalefusion.com | 443 | HTTPS/TCP/UDP | Outbound | EVA communication suite |
US Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://endpointlockdown.com
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
*.endpointlockdown.com | 80 & 443 | HTTPS | Outbound | This is the main domain and IP required for API and dashboard access. Allow the FQDN and allow the outbound request to connect to both: the 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled. |
assets-hp-reap.s3.amazonaws.com | 443 | HTTPS | Outbound | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
db5xszokwvv76.cloudfront.net | 443 | HTTPS | Outbound | This is CDN Edge Server, Scalefusion MDM Server distributes the admin-uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
signal.endpointlockdown.com | 443 | HTTPS/TCP/UDP | Outbound | Used for the WebRTC connections during Remote Cast & Control |
eva.endpointlockdown.com | 443 | HTTPS/TCP/UDP | Outbound | Eva communication suite |
India Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://in.scalefusion.com
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
assets-sf-bharat.s3.ap-south-1.amazonaws.com | 443 | HTTPS | Outbound | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
d2vykazg2augye.cloudfront.net | 443 | HTTPS | Outbound | This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
rc-in.scalefusion.com | 443 | HTTPS/TCP/UDP | Outbound | Used for the WebRTC connections during Remote Cast & Control |
eva-in.scalefusion.com | 443 | HTTPS/TCP/UDP | Outbound | Eva communication suite |
Transport Layer Security (TLS) versions
Scalefusion supports only TLSv1.2 and TLSv1.3 versions, so please allow traffic on/from this layer.