Firewall Requirements

The Groupcall Emerge application consists of two components: the Emerge client and the Emerge server.

Emerge has three areas of requirement for network connectivity, with an optional fourth area if Microsoft Azure Service Bus is used. These connections can be via direct, routed, or proxied network connections. This is subject to certain requirements and can vary between the server side and the client/device.

Table of Contents

Emerge Components

The table below shows the areas for which network connectivity is required for each of the 2 Emerge components.

Server

Client (the device)

Application installation and updates

Application installation

Application health reporting, management and licensing

Application reporting and licensing

Access to the MIS system

Access to Emerge Server

Microsoft Azure Service Bus

Microsoft Azure Service Bus

The Emerge Support Tool

We have made an automated tool available that:

  • Checks certain pre-requisites for new environments that will use the Emerge server components (Including ports and networking configuration),
  • Assists in diagnosing issues in existing environments that use the Emerge server
  • Click here to run the Emerge Support Tool.

Communication Overview

  • All communication in the Groupcall Emerge platform is outgoing, with the exception of the Emerge Server listen port.
  • To clarify, the Emerge server polls for updates and posts health information, the Emerge Client connects to the Emerge server. Therefore, with the exception of the Emerge server listen port, there is no requirement to permit unsolicited ingress traffic.
  • If you are planning to use Emerge via the internet (e.g. using cellular data to access live student data while on school trips) then Microsoft Azure Service Bus can be utilised to avoid presenting an external port.
  • All aspects of Groupcall Emerge communication can be made via proxy (or reverse proxy) if required, subject to the detail requirements below.

Emerge Server - Application installation and updates

The Emerge server must be able to make contact with https://www.groupcall.co.uk/ to permit HTTP GET and HTTP POST

  • *.inf – text/plain
  • *.exe – application/octet-stream
  • *.gcu – application/x-zip-compressed

Emerge Server – Health reporting, management and licensing

The Emerge server must be able to make contact with https://dashboard.groupcall.com/ to permit HTTP GET and HTTP POST.

  • Permit any request, which may be of MIME type text/xml or application/octet-stream.
  • In the event that https://dashboard.groupcall.com/ is inaccessible Emerge will attempt to access the following addresses as a fallback:
    • https://dashboard.groupcall.com/
    • https://www.groupcall.co.uk/*

Emerge Server – Access to the MIS System

This varies by MIS:

  • SIMS: line of sight to SIMS SQL and Document Server, accessed by SIMS .net assemblies on Emerge server
  • Facility CMIS: line of sight to CMIS SQL, deployed on same computer as ePortal API server.

Emerge Server – Microsoft Azure Service Bus

Groupcall Emerge uses the Europe North presence in the Microsoft Azure Service Bus platform as its connection endpoint.

The Emerge server must be able to make contact with http://emergeen.servicebus.windows.net to permit HTTP GET, HTTP POST and HTTP 1.1 Chunked Transfer Encoding.

  • Note that if you use the open-source Squid proxy then the necessary elements of HTTP 1.1 chunked transfer encoding are only supported in recent builds of version 3.2.

Server TCP Ports

Emerge server communicates to Service Bus via the following TCP destination ports:

9350/tcp   

5671/tcp   

9351/tcp   

5672/tcp   

9352/tcp   

443/tcp   

9353/tcp   

80/tcp

9354/tcp

 

Server IP Addresses

  • The Azure Service Bus is identified by the certain IP address blocks.
  • Service Bus uses a watchdog service in the US to signpost the initial connection to the Europe North IP addresses.
    • Emerge data (which is all encrypted) is sent only to the Europe North Service Bus platform, the connectivity to US is only to find the IP addresses of the Europe North

It is usually simplest to just allow the outbound TCP ports from your server for Service Bus, however if you want to specifically whitelist the potential destination IP addresses within Azure Europe North then please refer to Microsoft documentation for the full list.

  • For successful communication between the Emerge server and Microsoft Azure Service Bus, any firewall configuration must allow outbound access to the above IP/port specification and permit related responses. It is not necessary to allow unsolicited ingress from these IP addresses.
  • While we do our best to keep this information up to date, these IP ranges may change at any time without notice and are outside of Groupcall’s control.

Emerge App – Installation

  • For installation of the current release versions of Emerge it is necessary for devices to be able to access the application store* for the platform in question.

*e.g. the Apple App Store, Android Marketplace, or Google Play

Emerge Client - Application reporting and licensing

The Emerge server must be able to make contact with https://www.groupcall.co.uk/ to permit HTTP GET and HTTP POST

  • Permit any request, which is expected to be of type text/plain

Emerge Client – Access to Emerge Server

  • This doesn’t apply if you’re using Microsoft Azure Service Bus to connect.
  • Access to the Service URL for the Emerge server, via HTTP, to permit HTTP GET, HTTP POST and HTTP PUT via the Groupcall Emerge RESTful API.
  • The Service URL for the Emerge server can be customised and is identified in the Emerge Management Console, which is part of the Emerge server.
    • The Service URL is a TCP connection and so can be subjected to routing, reverse proxies, etc. providing the above methods are supported.
  • HTTP is used for all transfers as payloads are strongly encrypted within the messages using both the device and user properties.

Emerge Client – Microsoft Azure Service Bus

Groupcall Emerge uses the Europe North presence in the Microsoft Azure Service Bus platform as its connection endpoint.

The Emerge Server must be able to make contact with http://emergeen.servcebus.windows.net to permit HTTP GET, HTTP POST and HTTP 1.1 Chunked Transfer Encoding.

  • Note that if you use the open-source Squid proxy then the necessary elements of HTTP 1.1 chunked transfer encoding are only supported in recent builds of the version 3.2.

Client TCP Ports:

The Emerge server communicates to Service Bus via the following TCP destination ports:

  • 80/tcp

Client IP Addresses:

  • The Azure Service Bus is identified by the certain IP address blocks.
  • Service Bus uses a watchdog service in the US to signpost the initial connection to the Europe North IP addresses.
    • Emerge data (which is all encrypted) is sent only to the Europe North Service Bus platform, the connectivity to US is only to find the IP addresses of the Europe North platform

It is usually simplest to just allow the outbound TCP ports from your server for Service Bus, however if you want to specifically whitelist the potential destination IP addresses within Azure Europe North then please refer to Microsoft documentation for the full list.

  • For successful communication between the Emerge server and Microsoft Azure Service Bus, any firewall configuration must allow outbound access to the above IP/port specification and permit related responses. It is not necessary to allow unsolicited ingress from these IP addresses.

Additional Resources