UMP mobile firewall requirements for Push Notifications

Document ID : KB000102973
Last Modified Date : 21/06/2018
Introduction:
The UMP mobile webapp can send Push Notifications to both Apple iOS and Android mobile devices.

Push notifications do not travel directly from the UMP robot to the phone: the robot posts them to Apple's or Google's notification service, and the service delivers them to the registered devices. If a firewall sits between the UMP robot(s) and those services, or between the mobile devices and those services, the messages may be blocked.

How should firewalls be configured to allow push notifications sent from the UMP mobile webapp to be delivered successfully?
How can firewall rules be tested outside the UMP mobile webapp?
Background:
Mobile device users have registered to receive push notifications from the CA Mobile App, but are not receiving them.

Enable UMP mobile webapp debug messages to be recorded in the UMP portal.log by following the instructions in this Knowledge Document:

KB000100345 : How to Enable Mobile Push notifications messages in UMP portal.log

If you then see messages similar to the following:

For Android mobile device users:
ERROR [POST2GCM:119] Exception sending post to GCM server, IOException: Connection timed out: connect java.net.ConnectException: Connection timed out: connect

For Apple iOS mobile device users:
ERROR [POST2APNS:77] Exception sending post: com.notnoop.exceptions.NetworkIOException: java.net.ConnectException: Connection timed out: connect java.net.ConnectException: Connection timed out: connect

then the outbound requests from the UMP robot to the Google and/or Apple notification servers are being blocked by the firewall. "Connection timed out" means the connection attempt received no reply at all, which is what a firewall rule that silently drops the traffic produces; a rule that rejects the traffic would show "Connection refused" in the same place.
Users will not receive push notifications until the firewall rules are corrected to allow this traffic.
Environment:
UIM/UMP 8.47 and later
Instructions:
Firewall requirements are provider-specific; the Apple and Google requirements below are quoted from each provider's own documentation.

Apple Notification server firewall requirements:
From Apple Technical Note TN2265
https://developer.apple.com/library/archive/technotes/tn2265/_index.html#//apple_ref/doc/uid/DTS40010376-CH1-TNTAG41

Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to allow inbound and outbound TCP packets over port 443 for the HTTP/2 provider API or port 2195 for the binary provider API.

To reach the feedback service, you will need to allow inbound and outbound TCP packets over port 2196.

Devices and computers connecting to the push service over Wi-Fi will need to allow inbound and outbound TCP packets over port 5223, or port 443 for a fallback when devices can’t reach APNs on port 5223.

OS X systems will also need to allow inbound and outbound TCP traffic over port 80.

The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 17.0.0.0/8 address block is assigned to Apple, so you can specify that range in your firewall rule.

To test that your firewall rules allow access from the UMP robot to the Apple notification server, execute one of the following commands from the UMP robot:

If you have telnet installed:
telnet gateway.push.apple.com 2195

If you have curl installed:
curl -v telnet://gateway.push.apple.com:2195

If the connection succeeds, curl prints an output line similar to the following (on Linux, telnet prints "Connected to gateway.push.apple.com." instead; the Windows telnet client simply clears the screen once it is connected):

* Connected to gateway.push.apple.com (NNN.NNN.NNN.NNN) port 2195 (#0)

where NNN.NNN.NNN.NNN is the address of the Apple notification server that the command connected to. If the firewall silently drops the traffic, the command sits on "Trying NNN.NNN.NNN.NNN..." and eventually reports a timeout, matching the "Connection timed out" errors in portal.log; "Connection refused" means the traffic was actively rejected rather than dropped.

If your Apple iOS mobile devices are connected to a network via Wi-Fi and users are not receiving push notifications, run the following test from a device in the same network to check whether the firewall rules for that network allow the device-side APNs connection:

If you have telnet installed:
telnet gateway.push.apple.com 5223

If you have curl installed:
curl -v telnet://gateway.push.apple.com:5223

Google (Android) Notification server firewall requirements:
As documented in the "FCM ports and your firewall" section of the "About FCM Messages" document:
https://firebase.google.com/docs/cloud-messaging/concept-options#messaging_ports_and_your_firewall

If your organization has a firewall to restrict traffic to or from the Internet, you need to configure it to allow mobile devices to connect with FCM in order for devices on your network to receive messages. FCM typically uses port 5228, but it sometimes uses 5229 and 5230.

For outgoing connections, FCM doesn't provide specific IPs because our IP range changes too frequently and your firewall rules could get out of date impacting your users' experience. Ideally, you will whitelist ports 5228-5230 with no IP restrictions. However, if you must have an IP restriction, you should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google's ASN of 15169. This is a large list and you should plan to update your rules monthly. Problems caused by firewall IP restrictions are often intermittent and difficult to diagnose.

Ports to open for FCM messages:

  • 5228
  • 5229
  • 5230

IP addresses to whitelist:

One of these (option #1 is preferred):

  1. No IP restrictions
  2. All IP addresses contained in the IP blocks listed in Google's ASN of 15169 https://ipinfo.io/AS15169. Don't forget to update this at least once a month.

To test that your firewall rules allow access from the UMP robot to the FCM notification server, execute the following curl command from the UMP robot. The FCM endpoint is HTTPS on port 443, so curl is the only one of the two tools that can complete the check:

curl -v https://fcm.googleapis.com/fcm/send

In the output, you should see lines similar to the following. The "Connected to" line proves the TCP connection was established; the "HTTP/2 confirmed" line only appears when your curl build supports HTTP/2, so do not treat its absence as a failure:

* Connected to fcm.googleapis.com (NNN.NNN.NNN.NNN) port 443 (#0)
* Connection state changed (HTTP/2 confirmed)

The HTTP response to this unauthenticated request is an error status, because no server key is sent with it; that is expected and still shows the firewall path is open.

For a list of active FCM notification servers, you can execute the following command:

nslookup fcm.googleapis.com

The addresses returned by this nslookup command vary between queries and change over time, which is why Google recommends port-based rules without IP restrictions.
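The manual telnet and curl checks in the Apple and Google sections above can be run in one pass. The following script is an added example written for this document; it is not part of the UMP product or of CA's Knowledge Base. It probes each provider endpoint with the same curl telnet:// connection check the article uses, turns curl's exit code and "Connected to" output into a verdict (reachable, timed-out, refused, dns-failure), and classifies portal.log lines into the provider whose path is failing. It assumes a POSIX shell and curl are available on the UMP robot (or, for the Wi-Fi-side rows, on a host in the same network as the phones). The host feedback.push.apple.com is taken from TN2265 rather than from this document, and mtalk.google.com as the device-side FCM host for ports 5228-5230 is an assumption, not something the article states.

```shell
#!/bin/sh
# push_fw_check.sh -- added example for this KB article, not CA/Broadcom code.
# Default run: offline triage of sample portal.log lines.
#   ./push_fw_check.sh probe              live checks to run on the UMP robot
#   ./push_fw_check.sh probe wifi-client  live checks to run from the phones' network
# Assumes a POSIX shell and curl (assumption).

CONNECT_TIMEOUT=5   # seconds with no SYN reply before we call it blocked

# One endpoint per line: host port side  (side = where the check must be run).
# feedback.push.apple.com comes from TN2265; mtalk.google.com is assumed.
ENDPOINTS='gateway.push.apple.com 2195 robot
feedback.push.apple.com 2196 robot
fcm.googleapis.com 443 robot
gateway.push.apple.com 5223 wifi-client
mtalk.google.com 5228 wifi-client
mtalk.google.com 5229 wifi-client
mtalk.google.com 5230 wifi-client'

# Turn a curl exit code plus its -v output into a one-word verdict.
# A "Connected to" line means the TCP handshake succeeded even if curl later
# hit --max-time waiting for telnet data, so that is checked first.
verdict() {
  rc=$1
  log=$2
  case "$log" in
    *"Connected to "*) echo reachable; return 0 ;;
  esac
  case "$rc" in
    6)  echo dns-failure ;;   # hostname did not resolve
    7)  echo refused ;;       # RST or ICMP unreachable: a REJECT rule or closed port
    28) echo timed-out ;;     # no reply at all: a DROP rule, as portal.log shows
    *)  echo "curl-exit-$rc" ;;
  esac
}

# Open a TCP connection with curl's telnet:// scheme and print the verdict.
probe() {
  host=$1
  port=$2
  out=$(curl -sS -v --connect-timeout "$CONNECT_TIMEOUT" \
        --max-time $((CONNECT_TIMEOUT + 2)) "telnet://$host:$port" \
        </dev/null 2>&1 >/dev/null)
  rc=$?
  printf '%-26s %-5s %s\n' "$host" "$port" "$(verdict "$rc" "$out")"
}

# Map a UMP portal.log line to the provider path that is failing.
triage() {
  case "$1" in
    *POST2GCM*"Connection timed out"*)  echo fcm-blocked ;;
    *POST2APNS*"Connection timed out"*) echo apns-blocked ;;
    *POST2GCM*|*POST2APNS*)             echo push-error-other ;;
    *)                                  echo not-push ;;
  esac
}

# Constructed sample lines: the two shapes quoted in the article plus an
# unrelated line, so the triage can be exercised without a live UMP.
SAMPLE_GCM='ERROR [POST2GCM:119] Exception sending post to GCM server, IOException: Connection timed out: connect'
SAMPLE_APNS='ERROR [POST2APNS:77] Exception sending post: com.notnoop.exceptions.NetworkIOException: java.net.ConnectException: Connection timed out: connect'
SAMPLE_OTHER='INFO  [PortalServlet:42] user jdoe logged in'

if [ "${1:-}" = probe ]; then
  side=${2:-robot}
  printf '%s\n' "$ENDPOINTS" | while read -r host port where; do
    if [ "$where" = "$side" ]; then
      probe "$host" "$port"
    fi
  done
else
  echo "usage: $0 probe [robot|wifi-client]   (live TCP checks)"
  echo "offline triage of sample portal.log lines:"
  for line in "$SAMPLE_GCM" "$SAMPLE_APNS" "$SAMPLE_OTHER"; do
    printf '  %-18s %s\n' "$(triage "$line")" "$(printf '%s' "$line" | cut -c1-60)"
  done
fi
```

Run "probe" on the robot first; every "robot" row must come back reachable before the portal.log errors can be blamed on anything other than the firewall. A "timed-out" verdict is the curl equivalent of the "Connection timed out: connect" exception in portal.log and points to a rule that drops the traffic; "refused" points to a rule that rejects it, or to a wrong port.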