Firewall Settings for Scalefusion
  • 30 Jul 2024
  • 5 Minutes to read
  • PDF

Firewall Settings for Scalefusion

  • PDF

Article summary

Scalefusion is a cloud-hosted solution with servers across the continents. This means devices enrolled and managed by Scalefusion need to have continuous access to Scalefusion's servers so that they can be managed in real-time. The devices also need to have a connection with Google Push services, Apple Push services and Windows Push services, along with other components that are required for the management of devices. Also, to access Scalefusion's Dashboard, the PC/Laptop needs to have access to certain IPs and URLs.

However, an organization might be restricting internet access on their corporate-managed devices and/or PCs/Laptops by using a firewall or a proxy. In such cases, it becomes important to allow the URLs, IPs and ports required for Scalefusion to work smoothly in your organization.

This guide outlines the Firewall settings that need to be done for Scalefusion.

All Regions

The following URLs, IP addresses and FQDNs need to be allowed in the firewall: 

General

URL/Domain/FQDNPortProtocolType/Direction
Description
*.mobilock.in
80 & 443

HTTP/S

Outbound
This is the main domain and IP that is required for API access and dashboard access. Allow the FQDN and allow the outbound request to connect to both: 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled.
*.scalefusion.com
Allow Ports for Outbound connections5228, 5229, and 5230TCP
Outbound
To allow connectivity of Mobile Devices with Google GCM/FCM.

Android

URL/Domain/FQDNPortProtocol
Type/Direction
Description
Android Enterprise--Outbound
https://support.google.com/work/android/answer/10513641?hl=en
Knox--Outbound
https://docs.samsungknox.com/admin/knox-admin-portal/get-started/samsung-knox-firewall-exceptions/ 
onlinerow.lenovocust.com443HTTPS
Outbound
If you are managing Lenovo devices, then the below URL is used to activate Lenovo CSDK, which allows you to achieve tighter integration with select Lenovo devices.
clients3.google.com80 & 443HTTP/S

Used to detect captive portals and redirect accordingly.
android.clients.google.com443HTTP/S
Outbound
Used by the OS during device enrollment
mtalk.google.com5222, 5228


TCP
UDP


OutboundPlease allow TCP/UDP traffic as this is used for internal communication by the OS.

Android GCM/FCM Push

  1. Google GCM/FCM IP Addresses: All IP addresses contained in the IP blocks listed in Google's ASN of 15169
    1. Description: If your organization has a firewall that restricts the traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. GCM doesn't provide specific IPs. It changes IPs frequently. So all the IPs listed here, https://www.dan.me.uk/bgplookup?asn=15169, should be allowed.
  2. Google GCM Domain: mtalk.google.com:5228 & android.googleapis.com:443 & android.clients.google.com:443
    1. Description: Some older Android versions need the above domain: port to be allowed for the GCM/FCM push to work.

For additional details and URL, please refer to FCM Firewall Rules and Firewall rules for Android Enterprise, aka EMM, to work properly.

iOS and macOS

Apple Push Notifications: Please refer to Apple’s documentation on the firewall configuration for Apple Push Notifications to work, at https://support.apple.com/en-in/HT203609

Windows

If you are using Scalefusion to manage Windows device inventory, then please allow the below URLs: 

URL/Domain/FQDNPortProtocol
Type/Direction
Description
next-services.apps.microsoft.com443HTTPS
Outbound

These URLs are used by Windows Access to School or Work app during modern management enrollment for various purposes related to service discovery, enrollment and push notifications.
*.wns.windows.com443HTTPS
Outbound
*.notify.windows.com443HTTPS
Outbound
wscont1.apps.microsoft.com443HTTPS
Outbound
prod-unattended-rc.service.signalr.net443HTTPS
Outbound
portal.manage.microsoft.com443HTTPS
Outbound
login.microsoftonline.com443HTTPS
Outbound
enrollment.manage.microsoft.com443HTTPS
Outbound
ipinfo.io443HTTPS
Outbound
bspmts.mp.microsoft.com443HTTPS
Outbound
sfpush.service.signalr.net443HTTPS
Outbound

If the above is not feasible, you need to use the IP list Microsoft provides and update it about every 2- 3 weeks, http://www.microsoft.com/en-us/download/confirmation.aspx?id=44238

Courtesy: StackOverflow

Pushy

On Devices that do not support Google Play Services, Scalefusion uses Pushy for sending remote commands. To allow Pushy to work, please use: 

URL/Domain/FQDNPortProtocol
Type/Direction
Description
*.pushy.me443HTTPS
Outbound
Pushy FQDNs used to send push messages to devices
*.pushy.io443HTTPS
Outbound

pushy.me

443HTTPS
Outbound

pushy.io

443HTTPS
Outbound

Note: Please notice the * character, which indicates a wildcard subdomain allowed, and the two separate domains pushy.me and pushy.io.

Remote Cast & Control

If you use Scalefusion’s Remote Cast & Control, please allow the WebRTC connections below: 

URL/Domain/FQDNPortProtocol
Type/Direction
Description
s1.xirsys.com80 & 443HTTP/S/TCP/UDP
Outbound
Used for device discovery and P2P connections for Remote Cast & Control

OneIdP

If you are using Scalefusion's OneIdp suite of services, then please allow the below URLs: 

Global Instance

If you are using Scalefusion’s OneIdP on https://app.scalefusion.com, then please allow the following URLs:

URL/Domain/FQDNPortProtocol
Type/Direction
Description
app.oneidp.com443
HTTPS
Outbound

accounts.oneidp.com443
HTTPS
Outbound
Used for OneIdP SSO/authentication
launchlocal.oneidp.com443HTTPS
Outbound
Used as iOS app launcher
localverifier.oneidp.com
443
HTTPS
Outbound

smtp.mailgun.org443
HTTPS
Outbound
Used as domain for mailgun to send, receive, and track emails.
*.googleapis.com443
HTTPS
Outbound
Allows communication with Google Services and their integration into other services.
*.google.com443
HTTPS
Outbound
Allow access to any subdomains of google.com

US Instance

If you are using Scalefusion’s OneIdP on https://endpointlockdown.com, then please allow the following URLs:

URL/Domain/FQDNPort
Protocol
Type/Direction
Description
us.oneidp.com    443
HTTPS
Outbound

us-accounts.oneidp.com  443
HTTPS
Outbound
Used for OneIdP SSO/authentication
us-launchlocal.oneidp.com  443
HTTPS
Outbound
Used as an iOS app launcher
localverifier.oneidp.com  443
HTTPS
Outbound

smtp.mailgun.org443
HTTPS
Outbound
Used as the domain for Mailgun to send, receive, and track emails.
*.googleapis.com443
HTTPS
Outbound
Allows communication with Google Services and their integration to other services.
*.google.com443HTTPS
Outbound
Allow access to any subdomains of google.com

India Instance

If you are using Scalefusion’s OneIdP on https://in.scalefusion.com, then please allow the following URLs:

URL/Domain/FQDNPortProtocol
Type/Direction
Description
in.oneidp.com443HTTPS
Outbound

in-accounts.oneidp.com443
HTTPS
Outbound
Used for OneIdP SSO/authentication
in-launchlocal.oneidp.com443
HTTPS
Outbound
Used as an iOS app launcher
localverifier.oneidp.com
443
HTTPS
Outbound

smtp.mailgun.org443
HTTPS
Outbound
Used as the domain for Mailgun to send, receive, and track emails.
*.googleapis.com443
HTTPS
Outbound
Allows communication with Google Services and their integration to other services.
*.google.com443
HTTPS
OutboundAllow access to any subdomains of google.com

Global (EU) Instance

This section provides the URLs and FQDNs that you have to allow if you are using https://app.scalefusion.com

URL/Domain/FQDNPortProtocol
Type/Direction
Description
mobilock.s3-website-eu-west-1.amazonaws.com443HTTPS
Outbound
Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics.

db5xszokwvv76.cloudfront.net

d17n3uawl7kvhu.cloudfront.net

443HTTPS
Outbound
This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices.

signal.scalefusion.com

signal.mobilock.in

443HTTPS/TCP/UDP
Outbound
This is required for the Remote Cast & Control & Eva Communication Suite. Allow outbound connections to 443.

chat.mobilock.in

eva.mobilock.in eva.scalefusion.com

443HTTPS/TCP/UDP
Outbound
EVA communication suite 

US Instance

This section provides the URLs and FQDNs that you have to allow if you are using https://endpointlockdown.com

URL/Domain/FQDNPortProtocolType/Direction
Description
*.endpointlockdown.com80 & 443HTTPS
Outbound
This is the main domain and IP required for API and dashboard access. Allow the FQDN and allow the outbound request to connect to both: the 80 and 443 ports. Scalefusion always uses HTTPS, and most firewalls allow this unless explicitly disabled.
assets-hp-reap.s3.amazonaws.com443HTTPS
Outbound
Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics.
db5xszokwvv76.cloudfront.net443HTTPS
Outbound
This is CDN Edge Server, Scalefusion MDM Server distributes the admin-uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices.
signal.endpointlockdown.com443HTTPS/TCP/UDP
OutboundUsed for the WebRTC connections during Remote Cast & Control
eva.endpointlockdown.com
443HTTPS/TCP/UDP
Outbound
Eva communication suite

India Instance

This section provides the URLs and FQDNs that you have to allow if you are using https://in.scalefusion.com

URL/Domain/FQDNPortProtocol
Type/Direction
Description
assets-sf-bharat.s3.ap-south-1.amazonaws.com443HTTPS
Outbound
Allow the entire domain, as this S3 URL will have a dynamic IP. This is required for files distributed using Content Management, App Management and Branding-related graphics.
d2vykazg2augye.cloudfront.net443HTTPS
Outbound
This is CDN Edge Server, Scalefusion MDM Server distributes the admin uploaded APK through this server for faster download. It has a dynamic IP, as it will choose the closest location available. We suggest you add a FQDN entry for this domain if possible. We only need this if you want to remotely install APKs on devices.
rc-in.scalefusion.com443HTTPS/TCP/UDP
Outbound
Used for the WebRTC connections during Remote Cast & Control
eva-in.scalefusion.com443HTTPS/TCP/UDP
Outbound
Eva communication suite 

Transport Layer Security (TLS) versions

Scalefusion supports only TLSv1.2 and TLSv1.3 versions, so please allow traffic on/from this layer.



Was this article helpful?