The UMP mobile webapp can send Push Notifications to both Apple iOS and Android mobile devices.
If there is a firewall between the UMP robot(s) and the mobile devices registered to receive these push notifications, these messages may be blocked.
How should firewalls be configured to allow push notifications to be successfully delivered from the UMP mobile webapp?
How can firewall rules be tested outside the UMP mobile webapp?
Mobile device users have registered to receive push notifications from the CA Mobile App, but are not receiving them.
If you enable UMP mobile webapp debug messages to be recorded in the UMP portal.log by following the instructions found in the following Knowledge Document:
KB000100345 : How to Enable Mobile Push notifications messages in UMP portal.log
and you see messages similar to the following:
For Android mobile device users:
ERROR [POST2GCM:119] Exception sending post to GCM server, IOException: Connection timed out: connect java.net.ConnectException: Connection timed out: connect
For Apple iOS mobile device users:
ERROR [POST2APNS:77] Exception sending post: com.notnoop.exceptions.NetworkIOException: java.net.ConnectException: Connection timed out: connect java.net.ConnectException: Connection timed out: connect
it means that requests to the Google and/or Apple notification servers are being blocked by the firewall.
Users will not receive push notifications until the firewall rules are corrected to allow this traffic.
UIM/UMP 8.47 and later
Firewall requirements are provider specific.
Apple Notification server firewall requirements:
From Apple Technical Note TN2265
Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to allow inbound and outbound TCP packets over port 443 for the HTTP/2 provider API or port 2195 for the binary provider API.
To reach the feedback service, you will need to allow inbound and outbound TCP packets over port 2196.
Devices and computers connecting to the push service over Wi-Fi will need to allow inbound and outbound TCP packets over port 5223, or port 443 for a fallback when devices can’t reach APNs on port 5223.
OS X systems will also need to allow inbound and outbound TCP traffic over port 80.
The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 126.96.36.199/8 address block is assigned to Apple, so you can specify that range in your firewall rules.
To test that your firewall rules will allow access from the UMP robot to the Apple notification server, you can execute the following curl command from the UMP robot:
If your organization has a firewall to restrict traffic to or from the Internet, you need to configure it to allow mobile devices to connect with FCM in order for devices on your network to receive messages. FCM typically uses port 5228, but it sometimes uses 5229 and 5230.
For outgoing connections, FCM doesn't provide specific IPs because our IP range changes too frequently and your firewall rules could get out of date impacting your users' experience. Ideally, you will whitelist ports 5228-5230 with no IP restrictions. However, if you must have an IP restriction, you should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google's ASN of 15169. This is a large list and you should plan to update your rules monthly. Problems caused by firewall IP restrictions are often intermittent and difficult to diagnose.
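As an added example (not part of the original article or of the vendor's tooling), the following Python script can be run on the UMP robot to probe the provider-side ports described above and to tell a silent drop, which matches the "Connection timed out" errors in portal.log, apart from an active reject. The hostnames and the function names `probe` and `report` are assumptions; the ports are the ones quoted in this article.

```python
import socket

# Endpoints to probe from the UMP robot. The ports come from the article.
# The hostnames are assumptions (they are not given in the article): replace
# them with the hosts your UMP version actually posts to.
TARGETS = [
    ("api.push.apple.com", 443),        # APNs HTTP/2 provider API
    ("gateway.push.apple.com", 2195),   # APNs binary provider API
    ("feedback.push.apple.com", 2196),  # APNs feedback service
    ("fcm.googleapis.com", 443),        # assumed GCM/FCM send endpoint
]


def probe(host, port, timeout=5.0):
    """Attempt one TCP connect and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"      # name did not resolve; check DNS first
    except socket.timeout:
        return "timed-out"        # packets silently dropped, as in portal.log
    except ConnectionRefusedError:
        return "refused"          # actively rejected by a firewall or host
    except OSError as exc:
        return "error: %s" % exc  # for example, no route to host


def report(targets=TARGETS, timeout=5.0):
    """Return a list of (host, port, status) for every target."""
    return [(h, p, probe(h, p, timeout)) for h, p in targets]


if __name__ == "__main__":
    for host, port, status in report():
        print("%-26s %5d  %s" % (host, port, status))
```

A `timed-out` result reproduces the symptom logged by POST2GCM and POST2APNS, while `open` shows that the TCP path to that host and port is allowed.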
Ports to open for FCM messages:
IP addresses to whitelist:
One of these (option #1 is preferred):