Push providers, iOS devices, and Mac computers are often behind firewalls. To send notifications, you will need to allow inbound and outbound TCP packets over port 443 for the HTTP/2 provider API or port 2195 for the binary provider API.
To reach the feedback service, you will need to allow inbound and outbound TCP packets over port 2196.
Devices and computers connecting to the push service over Wi-Fi will need to allow inbound and outbound TCP packets over port 5223, or over port 443 as a fallback when devices can’t reach APNs on port 5223.
OS X systems will also need to allow inbound and outbound TCP traffic over port 80.
The IP address range for the push service is subject to change; the expectation is that providers will connect by hostname rather than IP address. The push service uses a load balancing scheme that yields a different IP address for the same hostname. However, the entire 18.104.22.168/8 address block is assigned to Apple, so you can specify that range in your firewall rule.
To test that your firewall rules will allow access from the UMP robot to the Apple notification server, you can execute the following curl command from the UMP robot:
If your organization has a firewall to restrict traffic to or from the Internet, you need to configure it to allow mobile devices to connect with FCM in order for devices on your network to receive messages. FCM typically uses port 5228, but it sometimes uses 5229 and 5230.
For outgoing connections, FCM doesn't provide specific IPs because our IP range changes too frequently and your firewall rules could get out of date, impacting your users' experience. Ideally, you will whitelist ports 5228-5230 with no IP restrictions. However, if you must have an IP restriction, you should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google's ASN of 15169. This is a large list and you should plan to update your rules monthly. Problems caused by firewall IP restrictions are often intermittent and difficult to diagnose.
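Because both services hand out different addresses for the same hostname, a firewall check is more useful when it tries every address a name resolves to and separates a silent drop (timeout) from a refusal. The following is an added example, not part of the original page; the ports are the ones listed above, while the hostnames in `TARGETS` and the function names are assumptions.

```python
import socket

# Ports come from the text above; the hostnames are assumptions, not from the page.
TARGETS = [
    ("api.push.apple.com", 443),        # APNs HTTP/2 provider API
    ("gateway.push.apple.com", 2195),   # APNs binary provider API
    ("feedback.push.apple.com", 2196),  # APNs feedback service
    ("mtalk.google.com", 5228),         # FCM (5229 and 5230 are also used)
    ("mtalk.google.com", 5229),
    ("mtalk.google.com", 5230),
]

def probe(host, port, timeout=3.0):
    """Connect to every address `host` resolves to; return [(ip, status)].

    status is 'open', 'refused', 'timeout' (typical of a firewall silently
    dropping packets), 'error' or 'dns-failure'.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return [(host, "dns-failure")]
    results, seen = [], set()
    for family, socktype, proto, _, sockaddr in infos:
        ip = sockaddr[0]
        if ip in seen:          # getaddrinfo may repeat an address
            continue
        seen.add(ip)
        try:
            with socket.socket(family, socktype, proto) as sock:
                sock.settimeout(timeout)
                sock.connect(sockaddr)
            status = "open"
        except socket.timeout:
            status = "timeout"
        except ConnectionRefusedError:
            status = "refused"
        except OSError:
            status = "error"
        results.append((ip, status))
    return results

def blocked(results):
    """Addresses that did not accept the connection."""
    return [ip for ip, status in results if status != "open"]

if __name__ == "__main__":
    for host, port in TARGETS:
        print(host, port, probe(host, port))
```

Run it several times from the network segment being tested: each DNS answer may contain different addresses, which is how an IP-restricted rule produces the intermittent failures described above.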
Ports to open for FCM messages:
IP addresses to whitelist:
One of these (option #1 is preferred):