Emerge Components
The table below shows the areas for which network connectivity is required for each of the 2 Emerge components.
Server | Client (the device) |
---|---|
Application installation and updates | Application installation |
Application health reporting, management and licensing | Application reporting and licensing |
Access to the MIS system | Access to Emerge Server |
Microsoft Azure Service Bus | Microsoft Azure Service Bus |
The Emerge Support Tool
We have made an automated tool available that:
- Checks certain prerequisites for new environments that will use the Emerge server components (including ports and networking configuration).
- Assists in diagnosing issues in existing environments that use the Emerge server.
- Click here to run the Emerge Support Tool.
Communication Overview
- All communication in the Groupcall Emerge platform is outgoing, with the exception of the Emerge Server listen port.
- To clarify, the Emerge server polls for updates and posts health information, and the Emerge Client connects to the Emerge server. Therefore, with the exception of the Emerge server listen port, there is no requirement to permit unsolicited ingress traffic.
- If you are planning to use Emerge via the internet (e.g. using cellular data to access live student data while on school trips) then Microsoft Azure Service Bus can be utilised to avoid presenting an external port.
- All aspects of Groupcall Emerge communication can be made via proxy (or reverse proxy) if required, subject to the detailed requirements below.
Emerge Server - Application installation and updates
The Emerge server must be able to make contact with https://www.groupcall.co.uk/ to permit HTTP GET and HTTP POST:
- *.inf – text/plain
- *.exe – application/octet-stream
- *.gcu – application/x-zip-compressed
Emerge Server – Health reporting, management and licensing
The Emerge server must be able to make contact with https://dashboard.groupcall.com/ to permit HTTP GET and HTTP POST.
- Permit any request, which may be of MIME type text/xml or application/octet-stream.
- In the event that https://dashboard.groupcall.com/ is inaccessible, Emerge will attempt to access the following addresses as a fallback:
- https://dashboard.groupcall.com/
- https://www.groupcall.co.uk/*
Emerge Server – Access to the MIS System
This varies by MIS:
- SIMS: line of sight to SIMS SQL and Document Server, accessed by SIMS .net assemblies on Emerge server
- Facility CMIS: line of sight to CMIS SQL, deployed on same computer as ePortal API server.
Emerge Server – Microsoft Azure Service Bus
Groupcall Emerge uses the Europe North presence in the Microsoft Azure Service Bus platform as its connection endpoint.
The Emerge server must be able to make contact with http://emergeen.servicebus.windows.net to permit HTTP GET, HTTP POST and HTTP 1.1 Chunked Transfer Encoding.
- Note that if you use the open-source Squid proxy then the necessary elements of HTTP 1.1 chunked transfer encoding are only supported in recent builds of version 3.2.
Server TCP Ports
Emerge server communicates to Service Bus via the following TCP destination ports:
- 9350/tcp
- 9351/tcp
- 9352/tcp
- 9353/tcp
- 9354/tcp
- 5671/tcp
- 5672/tcp
- 443/tcp
- 80/tcp
Server IP Addresses
- The Azure Service Bus is identified by certain IP address blocks.
- Service Bus uses a watchdog service in the US to signpost the initial connection to the Europe North IP addresses.
- Emerge data (which is all encrypted) is sent only to the Europe North Service Bus platform; the connectivity to the US is only to find the IP addresses of the Europe North platform.
It is usually simplest to just allow the outbound TCP ports from your server for Service Bus. However, if you want to specifically whitelist the potential destination IP addresses within Azure Europe North, please refer to Microsoft documentation for the full list.
- For successful communication between the Emerge server and Microsoft Azure Service Bus, any firewall configuration must allow outbound access to the above IP/port specification and permit related responses. It is not necessary to allow unsolicited ingress from these IP addresses.
- While we do our best to keep this information up to date, these IP ranges may change at any time without notice and are outside of Groupcall’s control.
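An outbound pre-check for the server-side destinations listed above, added here as an example; it is not Groupcall's Emerge Support Tool or code from the original page. It assumes the server connects directly rather than through a proxy, and the status labels are this example's own.

```python
import errno
import socket

# Hosts and ports copied from this page's server-side requirements.
SERVICE_BUS_HOST = "emergeen.servicebus.windows.net"
SERVICE_BUS_PORTS = [9350, 9351, 9352, 9353, 9354, 5671, 5672, 443, 80]
HTTPS_HOSTS = ["www.groupcall.co.uk", "dashboard.groupcall.com"]


def required_endpoints():
    """(host, port) pairs the Emerge server must reach outbound."""
    pairs = [(host, 443) for host in HTTPS_HOSTS]
    return pairs + [(SERVICE_BUS_HOST, port) for port in SERVICE_BUS_PORTS]


def probe(host, port, timeout=3.0, connect=socket.create_connection):
    """Classify one outbound TCP attempt (labels are this example's own).

    open     - handshake completed, so egress is permitted
    refused  - a reset came back: the packet got out, or a firewall rejects
    filtered - no reply before the timeout, typical of a silent drop
    dns      - the name did not resolve from this machine
    """
    try:
        with connect((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        unreachable = (errno.ENETUNREACH, errno.EHOSTUNREACH)
        return "filtered" if exc.errno in unreachable else "error"


def check_egress(connect=socket.create_connection, timeout=3.0):
    """Probe every required endpoint and return {(host, port): status}."""
    return {(h, p): probe(h, p, timeout, connect) for h, p in required_endpoints()}


def blocked(results):
    """Endpoints whose result points at a firewall or DNS change."""
    return sorted(hp for hp, s in results.items() if s in ("filtered", "dns"))


if __name__ == "__main__":
    for (host, port), status in check_egress().items():
        print(f"{host}:{port} {status}")
```

A completed TCP handshake only shows that egress is permitted; it does not exercise HTTP 1.1 chunked transfer encoding through a proxy.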
Emerge App – Installation
- For installation of the current release versions of Emerge it is necessary for devices to be able to access the application store* for the platform in question.
*e.g. the Apple App Store, Android Marketplace, or Google Play
Emerge Client - Application reporting and licensing
The Emerge server must be able to make contact with https://www.groupcall.co.uk/ to permit HTTP GET and HTTP POST.
- Permit any request, which is expected to be of type text/plain
Emerge Client – Access to Emerge Server
- This doesn’t apply if you’re using Microsoft Azure Service Bus to connect.
- Access to the Service URL for the Emerge server, via HTTP, to permit HTTP GET, HTTP POST and HTTP PUT via the Groupcall Emerge RESTful API.
- The Service URL for the Emerge server can be customised and is identified in the Emerge Management Console, which is part of the Emerge server.
- The Service URL is a TCP connection and so can be subjected to routing, reverse proxies, etc. providing the above methods are supported.
- HTTP is used for all transfers as payloads are strongly encrypted within the messages using both the device and user properties.
Emerge Client – Microsoft Azure Service Bus
Groupcall Emerge uses the Europe North presence in the Microsoft Azure Service Bus platform as its connection endpoint.
The Emerge Server must be able to make contact with http://emergeen.servicebus.windows.net to permit HTTP GET, HTTP POST and HTTP 1.1 Chunked Transfer Encoding.
- Note that if you use the open-source Squid proxy then the necessary elements of HTTP 1.1 chunked transfer encoding are only supported in recent builds of version 3.2.
Client TCP Ports:
The Emerge server communicates to Service Bus via the following TCP destination ports:
- 80/tcp
Client IP Addresses:
- The Azure Service Bus is identified by certain IP address blocks.
- Service Bus uses a watchdog service in the US to signpost the initial connection to the Europe North IP addresses.
- Emerge data (which is all encrypted) is sent only to the Europe North Service Bus platform; the connectivity to the US is only to find the IP addresses of the Europe North platform.
It is usually simplest to just allow the outbound TCP ports from your server for Service Bus. However, if you want to specifically whitelist the potential destination IP addresses within Azure Europe North, please refer to Microsoft documentation for the full list.
- For successful communication between the Emerge server and Microsoft Azure Service Bus, any firewall configuration must allow outbound access to the above IP/port specification and permit related responses. It is not necessary to allow unsolicited ingress from these IP addresses.