
Adroit Air in secured networks

Adroit Air delivers selected alarms and process data to mobile devices via the internet. This raises concerns around exposing servers and sensitive data to the internet. While the architecture was designed to minimize exposure, there are additional measures that can provide even more peace of mind.

Your firewall is the first line of defense. Since Adroit Air communicates with a known collection of endpoints, it is easy enough to whitelist these destinations on your firewall (see the attached Required URLs.pdf). For an added layer of security, the Adroit Air datasource can be set up on a standalone SmartUI Server running in a DMZ. This SmartUI Server can access Agent Servers on your SCADA network by opening specific TCP ports on the internal firewall. The perimeter firewall still only whitelists the predefined URLs. We have also allowed use of a specified authenticated proxy for outbound communications.

While Adroit Air does store basic account information on the cloud, all SCADA data is delivered directly onto Google’s push notification fabric, destined only for app instances that have been explicitly granted access by our 2-step verification onboarding procedure.

Lastly, it is easy to manage user access to push notifications from the Air datasource configuration window. Access can be removed when a user no longer requires, or is no longer permitted to view certain data.
This can also be automated by using the domain crosscheck feature. For this feature to function correctly, all users must use their corporate domain email address when registering their Adroit Air account on the app. Then, while the domain crosschecking feature is enabled, the Adroit Air datasource will only communicate with Adroit Air users whose email addresses are active on the domain where the Air datasource is running. In this way, if a user’s employment is terminated (and their corporate email suspended as part of an HR process) they will automatically stop receiving notifications from the Air datasource.


To add further, here is a comprehensive list of the ports and addresses that need to be open for Air to communicate with Firebase/Firestore via FCM.

FCM ports and your firewall

If your organization has a firewall to restrict traffic to or from the Internet, you need to configure it to allow mobile devices to connect with FCM in order for devices on your network to receive messages. FCM typically uses port 5228, but it sometimes uses 443, 5229, and 5230.

For devices connecting on your network, FCM doesn’t provide specific IPs because our IP range changes too frequently and your firewall rules could get out of date, impacting your users’ experience. Ideally, allowlist ports 5228-5230 & 443 with no IP restrictions. However, if you must have an IP restriction, you should allowlist all of the IP addresses listed in goog.json. This large list is updated regularly, and you are recommended to update your rules on a monthly basis. Problems caused by firewall IP restrictions are often intermittent and difficult to diagnose.

We do offer a set of domain names that can be allowlisted instead of IP addresses. Those hostnames are listed below. If we start using additional hostnames, we will update the list here. Using domain names for your firewall rule may or may not be functional in your firewall device.

TCP ports to open:

  • 5228
  • 5229
  • 5230
  • 443

Hostnames to open:
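
The port list above is easy to get wrong in practice: because FCM "typically" uses 5228, a policy often allows only 443 and 5228 and then fails intermittently when a device falls back to 5229 or 5230. The following is an added example, not Adroit's or Firebase's code, that checks a simple outbound allowlist for exactly that gap. The rule format it parses is a constructed, hypothetical one (first match wins, default deny), standing in for whatever export your firewall produces; the required port set is the one given in this thread.

```python
"""Check a simple outbound firewall allowlist for the TCP ports FCM needs.

Added example (not Adroit's or Firebase's code). The rule format below is a
constructed, hypothetical one: each line is
    <allow|deny> <tcp|udp|any> <port|low-high|any>
evaluated top to bottom, first match wins, default deny.
"""
from dataclasses import dataclass

# Ports named in the thread: FCM typically uses 5228, sometimes 443, 5229, 5230.
REQUIRED_FCM_PORTS = (5228, 5229, 5230, 443)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    low: int             # inclusive port range start (0 = any)
    high: int            # inclusive port range end (65535 = any)

    def matches(self, proto: str, port: int) -> bool:
        return self.proto in ("any", proto) and self.low <= port <= self.high


def parse_rules(text: str) -> list[Rule]:
    """Parse the constructed rule format; blank lines and '#' comments are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if (len(parts) != 3 or parts[0] not in ("allow", "deny")
                or parts[1] not in ("tcp", "udp", "any")):
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        action, proto, ports = parts
        if ports == "any":
            low, high = 0, 65535
        elif "-" in ports:
            low, high = (int(p) for p in ports.split("-", 1))
        else:
            low = high = int(ports)
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"line {lineno}: bad port range {ports!r}")
        rules.append(Rule(action, proto, low, high))
    return rules


def is_allowed(rules: list[Rule], proto: str, port: int) -> bool:
    """First matching rule decides; nothing matching means deny."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.action == "allow"
    return False


def missing_fcm_ports(rules: list[Rule]) -> list[int]:
    """Return the required FCM TCP ports this policy would block, in port order."""
    return sorted(p for p in REQUIRED_FCM_PORTS if not is_allowed(rules, "tcp", p))


# Constructed sample policy showing the common mistake: only the "typical" port
# is open, so clients that fall back to 5229/5230 fail intermittently.
NARROW_POLICY = """
allow tcp 443      # general HTTPS
allow tcp 5228     # FCM primary port only
deny any any
"""

# Constructed policy matching the thread's advice: 5228-5230 and 443 allowed.
RECOMMENDED_POLICY = """
allow tcp 443
allow tcp 5228-5230
deny any any
"""

if __name__ == "__main__":
    for name, policy in (("narrow", NARROW_POLICY), ("recommended", RECOMMENDED_POLICY)):
        blocked = missing_fcm_ports(parse_rules(policy))
        print(f"{name}: {'ok' if not blocked else 'blocked FCM ports ' + str(blocked)}")
```

Run it as a script to see the narrow policy reported as blocking 5229 and 5230 while the recommended one passes; to use it against a real device, replace the constructed policy strings with a translation of your own firewall's rule export into the same three-field form.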

Hello Guys,

Is there a fresh list of what should be allowed on the network side to have Air working properly?
I will request it from our IT department, and I would like to confirm how it is today.

Regards,

Hi Roldan,

The information in the preceding posts still applies.
Basically, for the datasource to publish messages it needs to be able to communicate with the APIs listed in the Required URLs PDF.

The second portion is about receiving incoming push notifications in the app on devices that are connected to your company network. This is generally already allowed but in very strict cases the rules as stated are still valid. For additional information please see this link: https://firebase.google.com/docs/cloud-messaging/concept-options#messaging-ports-and-your-firewall
