Firewall Settings for Scalefusion
- 30 Sep 2025
- 7 Minutes to read
- Print
- PDF
Firewall Settings for Scalefusion
- Updated on 30 Sep 2025
- 7 Minutes to read
- Print
- PDF
Article summary
Did you find this summary helpful?
Thank you for your feedback!
Scalefusion is a cloud-hosted solution with servers across the continents. This means devices enrolled and managed by Scalefusion need to have continuous access to Scalefusion's servers so that they can be managed in real-time. The devices also need to have a connection with Google Push services, Apple Push services and Windows Push services, along with other components that are required for the management of devices. Also, to access Scalefusion's Dashboard, the PC/Laptop needs to have access to certain IPs and URLs.
However, an organization might be restricting internet access on their corporate-managed devices and/or PCs/Laptops by using a firewall or a proxy. In such cases, it becomes important to allow the URLs, IPs and ports required for Scalefusion to work smoothly in your organization.
This guide outlines the Firewall settings that need to be done for Scalefusion.
1. Scalefusion Instances
To cater to our global audience with various data residency rules and regulations, Scalefusion hosts multiple instances. These instances are hosted in various regions and the table below gives the details,
Instance Name | Instance URL | Instance Location |
|---|---|---|
EU | ||
USA | ||
India | ||
UAE |
All Regions
The following URLs, IP addresses and FQDNs need to be allowed in the firewall:
General
To allow traffic to Scalefusion servers from your device, please configure the following
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
*.mobilock.in |
|
|
| This is the main domain and IP that is required for API access and dashboard access. Allow the FQDN and allow the outbound request to connect to both: 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled. |
*.scalefusion.com | ||||
Allow Ports for Outbound connections | 5228, 5229, and 5230 | TCP | Outbound | To allow connectivity of Mobile Devices with Google GCM/FCM. |
On-Prem
To allow traffic from Scalefusion servers to the software installed in your cloud or on-premise infrastructure like Scalefusion On-Prem Connector or your own CA server then configure the following:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
*.mobilock.in | 80 & 443 | HTTP/S | Inbound |
|
*.scalefusion.com |
Android
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
Android Enterprise | - | - | Outbound | https://support.google.com/work/android/answer/10513641?hl=en |
Knox | - | - | Outbound | https://docs.samsungknox.com/admin/knox-admin-portal/get-started/samsung-knox-firewall-exceptions/ |
onlinerow.lenovocust.com | 443 | HTTPS | Outbound | If you are managing Lenovo devices, then the below URL is used to activate Lenovo CSDK, which allows you to achieve tighter integration with select Lenovo devices. |
clients3.google.com | 80 & 443 | HTTP/S | Used to detect captive portals and redirect accordingly. | |
android.clients.google.com | 443 | HTTP/S | Outbound | Used by the OS during device enrollment |
mtalk.google.com | 5222, 5228 | TCP | Outbound | Please allow TCP/UDP traffic as this is used for internal communication by the OS. |
Android GCM/FCM Push
Google GCM/FCM IP Addresses: All IP addresses contained in the IP blocks listed in Google's ASN of 15169
Description: If your organization has a firewall that restricts the traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. GCM doesn't provide specific IPs. It changes IPs frequently. So all the IPs listed here, https://www.dan.me.uk/bgplookup?asn=15169, should be allowed.
Google GCM Domain: mtalk.google.com:5228 & android.googleapis.com:443 & android.clients.google.com:443
Description: Some older Android versions need the above domain: port to be allowed for the GCM/FCM push to work.
For additional details and URL, please refer to FCM Firewall Rules and Firewall rules for Android Enterprise, aka EMM, to work properly.
iOS and macOS
Apple Push Notifications: Please refer to Apple’s documentation on the firewall configuration for Apple Push Notifications to work, at https://support.apple.com/en-in/HT203609
Windows
If you are using Scalefusion to manage Windows device inventory, then please allow the below URLs:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
next-services.apps.microsoft.com | 443 | HTTPS | Outbound |
|
*.wns.windows.com | 443 | HTTPS | Outbound | |
*.notify.windows.com | 443 | HTTPS | Outbound | |
wscont1.apps.microsoft.com | 443 | HTTPS | Outbound | |
prod-unattended-rc.service.signalr.net | 443 | HTTPS | Outbound | |
portal.manage.microsoft.com | 443 | HTTPS | Outbound | |
login.microsoftonline.com | 443 | HTTPS | Outbound | |
enrollment.manage.microsoft.com | 443 | HTTPS | Outbound | |
ipinfo.io | 443 | HTTPS | Outbound | |
bspmts.mp.microsoft.com | 443 | HTTPS | Outbound | |
sfpush.service.signalr.net | 443 | HTTPS | Outbound |
If the above is not feasible, you need to use the IP list Microsoft provides and update it about every 2- 3 weeks, http://www.microsoft.com/en-us/download/confirmation.aspx?id=44238
Courtesy: StackOverflow
Windows Updates Delivery Optimization
If you are using Scalefusion to manage Windows OS Updates Delivery Optimization, then please allow the below URLs:
URL/Domain/FQDN | Description |
*.prod.do.dsp.mp.microsoft.com | For communication between clients and the Delivery Optimization cloud service |
*.dl.delivery.mp.microsoft.com *.windowsupdate.com | For Delivery Optimization metadata |
win1910.ipv6.microsoft.com | For group peers across multiple NATs (Teredo) |
https://*.prod.do.dsp.mp.microsoft.com | Delivery Optimization service endpoint |
http://*.windowsupdate.com https://*.delivery.mp.microsoft.com https://*.update.microsoft.com https://tsfe.trafficshaping.dsp.mp.microsoft.com |
|
Delivery Optimization uses specific ports for update delivery: port 7680 (TCP) for peer-to-peer communication within a local network, port 3544 (UDP) for cross-NAT connections via Teredo when using "Group" or "Internet" download modes, and port 443 (HTTPS) for communication with the cloud service. If port 7680 is blocked, peer-to-peer functionality is disabled, but updates can still be downloaded via HTTP/HTTPS.
Courtesy: Microsoft
Pushy
On Devices that do not support Google Play Services, Scalefusion uses Pushy for sending remote commands. To allow Pushy to work, please use:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
*.pushy.me | 443 | HTTPS | Outbound | Pushy FQDNs used to send push messages to devices |
*.pushy.io | 443 | HTTPS | Outbound | |
pushy.me | 443 | HTTPS | Outbound | |
pushy.io | 443 | HTTPS | Outbound |
Note: Please notice the * character, which indicates a wildcard subdomain allowed, and the two separate domains pushy.me and pushy.io.
Remote Cast & Control
If you use Scalefusion’s Remote Cast & Control, please allow the WebRTC connections below:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
s1.xirsys.com | 80 & 443 | HTTP/S/TCP/UDP | Outbound | Used for device discovery and P2P connections for Remote Cast & Control |
OneIdP
If you are using Scalefusion's OneIdp suite of services, then please allow the below URLs:
Global Instance
If you are using Scalefusion’s OneIdP on https://app.scalefusion.com, then please allow the following URLs:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
app.oneidp.com | 443 | HTTPS | Outbound | |
accounts.oneidp.com | 443 | HTTPS | Outbound | Used for OneIdP SSO/authentication |
launchlocal.oneidp.com | 443 | HTTPS | Outbound | Used as iOS app launcher |
localverifier.oneidp.com | 443 | HTTPS | Outbound | |
smtp.mailgun.org | 443 | HTTPS | Outbound | Used as domain for mailgun to send, receive, and track emails. |
*.googleapis.com | 443 | HTTPS | Outbound | Allows communication with Google Services and their integration into other services. |
*.google.com | 443 | HTTPS | Outbound | Allow access to any subdomains of google.com |
US Instance
If you are using Scalefusion’s OneIdP on https://endpointlockdown.com, then please allow the following URLs:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
us.oneidp.com | 443 | HTTPS | Outbound | |
us-accounts.oneidp.com | 443 | HTTPS | Outbound | Used for OneIdP SSO/authentication |
us-launchlocal.oneidp.com | 443 | HTTPS | Outbound | Used as an iOS app launcher |
localverifier.oneidp.com | 443 | HTTPS | Outbound | |
smtp.mailgun.org | 443 | HTTPS | Outbound | Used as the domain for Mailgun to send, receive, and track emails. |
*.googleapis.com | 443 | HTTPS | Outbound | Allows communication with Google Services and their integration to other services. |
*.google.com | 443 | HTTPS | Outbound | Allow access to any subdomains of google.com |
India Instance
If you are using Scalefusion’s OneIdP on https://in.scalefusion.com, then please allow the following URLs:
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
in.oneidp.com | 443 | HTTPS | Outbound | |
in-accounts.oneidp.com | 443 | HTTPS | Outbound | Used for OneIdP SSO/authentication |
in-launchlocal.oneidp.com | 443 | HTTPS | Outbound | Used as an iOS app launcher |
localverifier.oneidp.com | 443 | HTTPS | Outbound | |
smtp.mailgun.org | 443 | HTTPS | Outbound | Used as the domain for Mailgun to send, receive, and track emails. |
*.googleapis.com | 443 | HTTPS | Outbound | Allows communication with Google Services and their integration to other services. |
*.google.com | 443 | HTTPS | Outbound | Allow access to any subdomains of google.com |
Global (EU) Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://app.scalefusion.com
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
mobilock.s3-website-eu-west-1.amazonaws.com | 443 | HTTPS | Outbound | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
db5xszokwvv76.cloudfront.net d17n3uawl7kvhu.cloudfront.net | 443 | HTTPS | Outbound | This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
signal.scalefusion.com signal.mobilock.in | 443 | HTTPS/TCP/UDP | Outbound | This is required for the Remote Cast & Control & Eva Communication Suite. Allow outbound connections to 443. |
chat.mobilock.in eva.mobilock.in eva.scalefusion.com | 443 | HTTPS/TCP/UDP | Outbound | EVA communication suite |
US Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://endpointlockdown.com
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
*.endpointlockdown.com | 80 & 443 | HTTPS | Outbound | This is the main domain and IP required for API and dashboard access. Allow the FQDN and allow the outbound request to connect to both: the 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled. |
assets-hp-reap.s3.amazonaws.com | 443 | HTTPS | Outbound | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
db5xszokwvv76.cloudfront.net | 443 | HTTPS | Outbound | This is CDN Edge Server, Scalefusion MDM Server distributes the admin-uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
signal.endpointlockdown.com | 443 | HTTPS/TCP/UDP | Outbound | Used for the WebRTC connections during Remote Cast & Control |
eva.endpointlockdown.com | 443 | HTTPS/TCP/UDP | Outbound | Eva communication suite |
India Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://in.scalefusion.com
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
assets-sf-bharat.s3.ap-south-1.amazonaws.com | 443 | HTTPS | Outbound | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
d2vykazg2augye.cloudfront.net | 443 | HTTPS | Outbound | This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
rc-in.scalefusion.com | 443 | HTTPS/TCP/UDP | Outbound | Used for the WebRTC connections during Remote Cast & Control |
eva-in.scalefusion.com | 443 | HTTPS/TCP/UDP | Outbound | Eva communication suite |
MEA Instance
This section provides the URLs and FQDNs that you have to allow if you are using https://mea.scalefusion.com
URL/Domain/FQDN | Port | Protocol | Type/Direction | Description |
|---|---|---|---|---|
scalefusion-uae-assets.s3.me-central-1.amazonaws.com | 443 | HTTPS | Outbound | Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics. |
d7a4g5ksfhora.cloudfront.net | 443 | HTTPS | Outbound | This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices. |
| 443 | HTTPS | Outbound | Identity and authentication service (OneIDP) |
| 443 | HTTPS | Outbound | Account authentication and session management |
| 443 | HTTPS | Outbound | Local launch and login integration services |
smtp.mailgun.org | 443 | HTTPS | Outbound | Used as domain for mailgun to send, receive, and track emails. |
*.googleapis.com | 443 | HTTPS | Outbound | Allows communication with Google Services and their integration into other services. |
*.google.com | 443 | HTTPS | Outbound | Allow access to any subdomains of google.com |
rc-mea.scalefusion.com | 443 | HTTPS/TCP/UDP | Outbound | This is required for the Remote Cast & Control & Eva Communication Suite. Allow outbound connections to 443. |
Transport Layer Security (TLS) versions
Scalefusion supports only TLSv1.2 and TLSv1.3 versions, so please allow traffic on/from this layer.
IPs for Webhooks
Webhooks Originating IP Address: 165.22.203.134
Note: This IP address is subject to change without prior notice.
Was this article helpful?
