Emerge Firewall Requirements

The Groupcall Emerge application consists of two components, the Emerge client and the Emerge server.

Emerge has three areas of requirement for network connectivity, with an optional fourth area if Microsoft Azure Service Bus is used. These connections can be via direct, routed, or proxied network connections, subject to certain requirements, and vary between the server side and the client/device.

The table below shows the areas for which network connectivity is required for each of the 2 Emerge components.

Server                                                   | Client (the device)
---------------------------------------------------------|------------------------------------
Application installation and updates                     | Application installation
Application health reporting, management, and licensing  | Application reporting and licensing
Access to the MIS system                                 | Access to Emerge Server
Microsoft Azure Service Bus                              | Microsoft Azure Service Bus

The Emerge Support Tool

We have made an automated tool available that:

  • Checks certain prerequisites (including ports and networking configuration) for new environments that will use the Emerge Server side components.
  • Assists in diagnosing issues in existing environments that use the Emerge Server side components.

Please see this guide for more information. The tool can be used as an automated supplement to the information on this page.

Communication overview

All communication in the Groupcall Emerge platform is outgoing, with the exception of the Emerge Server listen port. For example, the Emerge Server polls for updates and posts health information, and the Emerge Client connects to the Emerge Server. Therefore, with the exception of the Emerge Server listen port, there is no requirement to permit unsolicited ingress traffic. If you plan to use Emerge over the Internet (e.g. using cellular data to access live student data while on school trips), Microsoft Azure Service Bus can be used to avoid presenting an external port. All Groupcall Emerge communication can be made via a proxy (or reverse proxy) if required, subject to the detailed requirements below.

Emerge Server – Application installation and updates

  • The Emerge Server must be able to make contact with http://www.groupcall.co.uk/* to permit HTTP GET and HTTP POST
    • *.inf – text/plain
    • *.exe – application/octet-stream
    • *.gcu – application/x-zip-compressed

Emerge Server – health reporting, management and licensing

  • The Emerge Server must be able to make contact with https://dashboard.groupcall.com/* to permit HTTP GET and HTTP POST
    • Permit any request, which may be of MIME type text/xml or application/octet-stream
    • In the event that https://dashboard.groupcall.com/* is inaccessible Emerge will attempt to access the following addresses as a fall-back
      • http://dashboard.groupcall.com/*
      • http://www.groupcall.co.uk/*
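
The fall-back order above can be checked from the Emerge Server host with the following added example (not Groupcall code and not the Emerge Support Tool). It probes the three URLs in the documented order and warns when only a cleartext HTTP fall-back is reachable; the function name and the 10-second timeout are assumptions.

```powershell
# Added example: probe the dashboard URL and its documented fall-backs in order.
# Any HTTP status (even 4xx/5xx) proves the network path works; only transport
# errors (DNS, TCP, TLS, proxy refusal) count as unreachable.
$Candidates = @(
    'https://dashboard.groupcall.com/',   # primary
    'http://dashboard.groupcall.com/',    # fall-back 1 (cleartext)
    'http://www.groupcall.co.uk/'         # fall-back 2 (cleartext)
)

function Test-HttpPath {   # hypothetical helper name
    param([string]$Uri, [int]$TimeoutSec = 10)   # assumed timeout
    try {
        $r = Invoke-WebRequest -Uri $Uri -Method Get -UseBasicParsing -TimeoutSec $TimeoutSec
        return [int]$r.StatusCode
    }
    catch {
        $resp = $_.Exception.Response
        if ($resp) { return [int]$resp.StatusCode }   # server answered with an error status
        return $null                                  # no HTTP response at all
    }
}

$firstReachable = $null
foreach ($uri in $Candidates) {
    $status = Test-HttpPath -Uri $uri
    $state  = if ($null -ne $status) { "HTTP $status" } else { 'unreachable' }
    '{0,-40} {1}' -f $uri, $state
    if (-not $firstReachable -and $null -ne $status) { $firstReachable = $uri }
}

if (-not $firstReachable) {
    Write-Warning 'No dashboard endpoint reachable: check proxy and firewall rules.'
}
elseif ($firstReachable -notlike 'https://*') {
    Write-Warning "HTTPS primary is blocked; only the cleartext fall-back $firstReachable is reachable."
}
```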

Emerge Server – access to the MIS system

  • This varies by MIS
    • SIMS - line of sight to SIMS SQL and Document Server, accessed by SIMS .net assemblies on Emerge Server computer.
    • Facility CMIS – line of sight to CMIS SQL, deployed on same computer as ePortal API server.

Emerge Server – Microsoft Azure Service Bus

  • Groupcall Emerge uses the ‘Europe North’ presence in the Microsoft Azure Service Bus platform as its primary connection endpoint.
    • 'Europe West' is used as a secondary/fail-over endpoint.
  • The Emerge Server must be able to make contact with http://emergeen.servicebus.windows.net to permit HTTP GET, HTTP POST and HTTP 1.1 Chunked Transfer Encoding
    • If you wish to take advantage of the secondary/failover endpoint provided, the Emerge Server must be able to make contact with http://emergeew.servicebus.windows.net to permit the same protocols.
    • Note that if you use the open-source Squid proxy then the necessary elements of HTTP 1.1 chunked transfer encoding are only supported in recent builds of version 3.2.

Server TCP Ports

Emerge Server communicates to Service Bus via the following TCP destination ports:

  • 9350/tcp
  • 9351/tcp
  • 9352/tcp
  • 9353/tcp
  • 9354/tcp
  • 5671/tcp
  • 5672/tcp
  • 443/tcp
  • 80/tcp

Server IP Addresses

  • The Azure Service Bus is identified by certain IP address blocks.
  • Service Bus uses a 'watchdog' service in the US to signpost the initial connection to the Europe North/West IP addresses.
    • Emerge data (which is all encrypted) is sent only to the Europe North/West Service Bus platform; the connectivity to the US is only to find the IP addresses of the Europe North platform.

It is usually simplest to just allow the outbound TCP ports from your server for Service Bus, however if you want to specifically whitelist the potential destination IP addresses within Azure Europe North and Azure Europe West then please refer to Microsoft documentation for the full list.

  • For successful communication between the Emerge Server and Microsoft Azure Service Bus, any firewall configuration must allow outbound access to the above IP/port specification and permit related responses. It is not necessary to allow unsolicited ingress from these IP addresses.
  • These IP ranges may change at any time without notice and are outside of Groupcall's control. We obviously do our best to keep the above information up to date, but you may wish to look at Additional references to verify this information if you experience any issues.
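
To confirm the outbound rules above from the Emerge Server host, the following added example (not Groupcall code and not the Emerge Support Tool) attempts a direct TCP connection to each Service Bus endpoint on each listed port. The function name and the 3-second timeout are assumptions.

```powershell
# Added example: outbound TCP reachability check for the Service Bus
# endpoints and ports listed on this page. Run on the Emerge Server host.
$Endpoints = @(
    'emergeen.servicebus.windows.net',  # primary (Europe North)
    'emergeew.servicebus.windows.net'   # secondary/fail-over (Europe West)
)
$Ports = 9350, 9351, 9352, 9353, 9354, 5671, 5672, 443, 80

function Test-OutboundTcp {   # hypothetical helper name
    param(
        [string]$HostName,
        [int]$Port,
        [int]$TimeoutMs = 3000   # assumed timeout
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'Timeout'          # typical of a firewall silently dropping packets
        }
        $client.EndConnect($async)    # throws on refusal or DNS failure
        return 'Open'
    }
    catch {
        return "Failed: $($_.Exception.GetBaseException().Message)"
    }
    finally {
        $client.Close()
    }
}

# One row per endpoint/port pair.
$results = foreach ($h in $Endpoints) {
    foreach ($p in $Ports) {
        [pscustomobject]@{
            Endpoint = $h
            Port     = $p
            Result   = Test-OutboundTcp -HostName $h -Port $p
        }
    }
}
$results | Format-Table -AutoSize
```

This tests direct connections only, and a failed connection does not by itself distinguish a firewall block from an endpoint that is not accepting connections on that port, so compare the results with your firewall or proxy logs.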

Emerge Client – installation

  • For installation of the current release versions of Emerge it is necessary for devices to be able to access the application store* for the platform in question.

* e.g. the Apple App Store, Android Marketplace, Google Play, etc.

Emerge Client – Application reporting and licensing

  • The Emerge Server must be able to make contact with http://www.groupcall.co.uk/* to permit HTTP GET and HTTP POST
    • Permit any request, which is expected to be of type text/plain
  • The Emerge Server must be able to make contact with https://dashboard.groupcall.com/* to permit HTTP GET and HTTP POST
    • Permit any request, which is expected to be of type text/plain

Emerge Client – Access to Emerge Server

  • This doesn’t apply if you’re using Microsoft Azure Service Bus to connect
  • Access to the Service URL for the Emerge Server, via HTTP, to permit HTTP GET, HTTP POST and HTTP PUT via the Groupcall Emerge RESTful API
  • The Service URL for the Emerge Server can be customised and is identified in the Emerge Management Console, which is part of Emerge Server
    • The Service URL is a TCP connection and so can be subjected to routing, reverse proxies, etc providing the above methods are supported.
  • HTTP is used for all transfers as payloads are strongly encrypted within the messages using both the device and user properties.

Emerge Client – Microsoft Azure Service Bus

  • Groupcall Emerge uses the ‘Europe North’ presence in the Microsoft Azure Service Bus platform as its primary connection endpoint.
    • 'Europe West' is used as a secondary/fail-over endpoint.
  • The Emerge Server must be able to make contact with http://emergeen.servicebus.windows.net to permit HTTP GET, HTTP POST and HTTP 1.1 Chunked Transfer Encoding
    • If you wish to take advantage of the secondary/failover endpoint provided, the Emerge Server must be able to make contact with http://emergeew.servicebus.windows.net to permit the same protocols.
    • Note that if you use the open-source Squid proxy then the necessary elements of HTTP 1.1 chunked transfer encoding are only supported from version 3.2 builds after r10907

Client TCP Ports

  • Emerge Server communicates to Service Bus via the following TCP destination ports:
    • 80/tcp

Client IP Addresses

  • The Azure Service Bus is identified by certain IP address blocks.
  • Service Bus uses a 'watchdog' service in the US to signpost the initial connection to the Europe North/West IP addresses.
    • Emerge data (which is all encrypted) is sent only to the Europe North/West Service Bus platform; the connectivity to the US is only to find the IP addresses of the Europe North platform.

It is usually simplest to just allow the outbound TCP ports from your server for Service Bus, however if you want to specifically whitelist the potential destination IP addresses within Azure Europe North and Azure Europe West then please refer to Microsoft documentation for the full list.

  • For successful communication between Emerge Server and Microsoft Azure Service Bus, any firewall configuration must allow outbound access to the above IP/port specification and permit related responses. It is not necessary to allow unsolicited ingress from these IP addresses.

Additional references

The following links may be helpful in configuring and troubleshooting Service Bus integration issues as well as providing further information to that which is provided above should you wish to understand more.

Please note, the above links are to third party websites and so may change without warning.

Next Steps...

If you need any further assistance or get into any difficulty, please contact Groupcall Support. If the issue affects Groupcall Partner products you should refer to the support arrangements for that specific Groupcall Partner.
