Network requirements

Mobile apps need HTTPS access to the Enreach API.

IP addresses to open:

80.88.187.64/26

TCP ports to open:

443

Android (https://support.google.com/work/android/answer/10513641?hl=en)

Firebase messaging (notifications):

FCM ports and your firewall
If your organization has a firewall to restrict traffic to or from the Internet, you need to configure it to allow mobile devices to connect with FCM in order for devices on your network to receive messages. FCM typically uses port 5228, but it sometimes uses 443, 5229, and 5230.

For devices connecting on your network, FCM doesn't provide specific IPs because our IP range changes too frequently and your firewall rules could get out of date, impacting your users' experience. Ideally, allowlist ports 5228-5230 & 443 with no IP restrictions. However, if you must have an IP restriction, you should allowlist all of the IP addresses listed in goog.json. This large list is updated regularly, and you are recommended to update your rules on a monthly basis. Problems caused by firewall IP restrictions are often intermittent and difficult to diagnose.

FCM offers a set of domain names that can be allowlisted instead of IP addresses. Those hostnames are listed below. If FCM starts using additional hostnames, the list here will be updated. Firewall rules based on domain names may or may not work on your firewall device.

TCP ports to open:

5228
5229
5230
443

Hostnames to open:

mtalk.google.com
mtalk4.google.com
mtalk-staging.google.com
mtalk-dev.google.com
alt1-mtalk.google.com
alt2-mtalk.google.com
alt3-mtalk.google.com
alt4-mtalk.google.com
alt5-mtalk.google.com
alt6-mtalk.google.com
alt7-mtalk.google.com
alt8-mtalk.google.com
android.apis.google.com
device-provisioning.googleapis.com
firebaseinstallations.googleapis.com

Network Address Translation and/or Stateful Packet Inspection firewalls:

If your network implements Network Address Translation (NAT) or Stateful Packet Inspection (SPI), implement a 30 minute or larger timeout for our connections over ports 5228-5230. This enables FCM to provide reliable connectivity while reducing the battery consumption of your users' mobile devices.

iOS (https://support.apple.com/en-us/HT210060)

APNS (notifications):

To use Apple Push Notification Service (APNs), your macOS, iOS, tvOS, and watchOS devices need a persistent connection to Apple's servers over Ethernet, cellular data (if capable), or Wi-Fi.

If you use a firewall or private Access Point Name for cellular data, your Apple devices must be able to connect to specific ports on specific hosts:

TCP port 5223 to communicate with APNs.
TCP port 443 or 2197 to send notifications to APNs.
TCP port 443 is used during device activation, and afterwards for fallback if devices can't reach APNs on port 5223. The connection on port 443 uses a proxy as long as the proxy allows the communication to pass through without decrypting.

The APNs servers use load balancing, so your devices don't always connect to the same public IP address for notifications. It's best to let your device access these ports on the entire 17.0.0.0/8 address block, which is assigned to Apple.

If you can't allow access to the entire 17.0.0.0/8 address block, open access via the same ports to these network ranges on IPv4 or IPv6:

IPv4

17.249.0.0/16
17.252.0.0/16
17.57.144.0/22
17.188.128.0/18
17.188.20.0/23

IPv6

2620:149:a44::/48
2403:300:a42::/48
2403:300:a51::/48
2a01:b740:a42::/48
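The address ranges and ports above can be checked against an egress allowlist before rollout. The following is an added example, not Enreach, Google or Apple code: it reports which Enreach API and APNs destinations from this page a rule set leaves uncovered. The rule tuple format and SAMPLE_RULES are constructed assumptions, every listed port is treated as required, and FCM is left out because the page gives it no fixed IP ranges.

```python
import ipaddress

# Destinations and TCP ports copied from the page above.
# Assumption: every listed port must be reachable on every listed range.
REQUIRED = {
    "Enreach API": (["80.88.187.64/26"], [443]),
    "APNs": ([
        "17.249.0.0/16", "17.252.0.0/16", "17.57.144.0/22",
        "17.188.128.0/18", "17.188.20.0/23",
        "2620:149:a44::/48", "2403:300:a42::/48",
        "2403:300:a51::/48", "2a01:b740:a42::/48",
    ], [5223, 443, 2197]),
}

def allowed_nets(rules, port, version):
    """Merge the CIDRs of all rules that permit `port` for one IP version."""
    nets = [ipaddress.ip_network(c) for c, lo, hi in rules if lo <= port <= hi]
    return list(ipaddress.collapse_addresses(n for n in nets if n.version == version))

def missing(rules):
    """Return (service, cidr, port) for each required destination not fully allowed."""
    gaps = []
    for service, (cidrs, ports) in REQUIRED.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            for port in ports:
                # Collapsing first lets adjacent rules jointly cover one range.
                merged = allowed_nets(rules, port, net.version)
                if not any(net.subnet_of(a) for a in merged):
                    gaps.append((service, cidr, port))
    return gaps

# Constructed sample rule set: (destination CIDR, first port, last port).
SAMPLE_RULES = [
    ("80.88.187.64/26", 443, 443),
    ("17.0.0.0/8", 443, 443),
    ("17.0.0.0/8", 5223, 5223),
    ("17.249.0.0/17", 2197, 2197),    # two halves that together
    ("17.249.128.0/17", 2197, 2197),  # cover 17.249.0.0/16
]

if __name__ == "__main__":
    for service, cidr, port in missing(SAMPLE_RULES):
        print(f"GAP {service}: {cidr} tcp/{port}")
```

With the sample rules the gaps are port 2197 on four of the IPv4 ranges and all three ports on every IPv6 range, a typical result when a firewall policy was written for IPv4 only.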

© Enreach, Mannerheimintie 117, 00280 Helsinki, Finland
+358 40 450 3000, www.enreach.fi