Wonder if anyone here happen to know the ip range of google's gcm server (for android push notification)?
I need the information so that our network team can open the firewall port for our UAT environment for incoming UAT test.
I tried to lookup from developer.android.com/google/gcm/ but no luck.
Our network team refused to open all ip range from asn 15169 which is a rather huge list.
I think there is an existing question IP address for Google Cloud Messaging server and the person found out that those are not published by Google. I also tried to look for it once but couldn't find. I might be wrong but I am pretty sure they don't publish that. Maybe instead of using corporate wifi, you can use direct 3G or 4G data plan.
In a comment on why GCM is not giving push notification in android device? question someone has mentioned that He opened the ports 5258,29,30 and then he was able to receive the regId from GCM server behind firewall.
Also I think the answer by #Eran on Which port and protocol does Google Cloud Messaging (GCM) use? will be of help. It says:
The device accesses the GCM servers on ports 5228-5230. If your organization has a firewall that restricts the traffic to or from the Internet, you'll need to configure it to allow connectivity with GCM. The ports to open are: 5228, 5229, and 5230. GCM typically only uses 5228, but it sometimes uses 5229 and 5230. GCM doesn't provide specific IPs. It changes IPs frequently. We recommend against using ACLs but if you must use them, take a broad approach such as the method suggested in this support link.
This is relevant if your device is connected to the internet via WiFi.
Hope this helps a bit.
Update:
As per Mark Whitaker answer to a similar question here, he mentions that:
Newer versions of Android also fall back to port 443 if ports 5228-5230 are blocked by a firewall.
Although there doesn't seem to be an official list still.
To add to what Shobhit Puri already said, I've also tried to find the answer to this question to be able to poke the appropriate holes in my firewall and am extremely disappointed with Google after concluding that the IP address used for Google Cloud Messaging is not obtained using a DNS request, or are obtained using DNS requests that subvert the Always On VPN functionality in Android.
By using the Always On VPN function in later versions of Android, I made sure that all traffic went through one of my servers. This also allowed me to use that server as a DNS Resolver and by activating query logging and rebooting the phone I was able to get a list of all of the DNS requests that it makes. Then, with some scripting magic I checked all of them, but none of them resolved to the IP address(es) that show up in my firewall logs with outbound port 5228 drops.
This leads me to conclude that the IP addresses used for GCM are obtained using a method other than DNS, such as Google Play Store web traffic.
Edit (Solution?): After running a script through all of my firewall logs going back as far as I have them and pulling out all of the dstport 5228 entries, I've been able to compile a list of IP addresses that GCM has tried to connect to. I can't say that this is a complete list, it will likely change based on geographic location, but notice the pattern...
74.125.28.188
74.125.129.188
74.125.20.188
173.194.79.188
74.125.142.188
74.125.192.188
74.125.140.188
74.125.139.188
74.125.137.188
74.125.134.188
74.125.130.188
173.194.68.188
173.194.76.188
I've created a group for all of those IP addresses and have configured my firewall to use that for my GCM whitelist. I have also setup a report to check for any dstport 5228 drops to let me know if I ever need to revisit this.
Related
My app has to receive push-notifications and right now am getting SERVICE_NOT_AVAILABLE after GoogleCloudMessaging.register() call.
My client has a strict firewall in his office and he doesn't have access to Google Play Services. I need to provide him a list of all URL's that Google Play services needs access to, so he can add it to white list.
So far there's only one url in my list: googleapis.com
I didn't find any information on this subject, so I will appreciate any help.
Looking at the documentation for GCM, it seems this is your answer:
Note: If your organization has a firewall that restricts the traffic to or from the Internet, you need to configure it to allow connectivity with GCM in order for your Android devices to receive messages. The ports to open are: 5228, 5229, and 5230. GCM typically only uses 5228, but it sometimes uses 5229 and 5230. GCM doesn't provide specific IPs, so you should allow your firewall to accept outgoing connections to all IP addresses contained in the IP blocks listed in Google's ASN of 15169.
Update with FCM
Official doc for firewall handling
Doing the interception of the requests of google services API, we can see the used hostname is : 1e100.net
And is described on google support : In October 2009, we started using a single domain name to identify our servers across all Google products, rather than use different product domains such as youtube.com, blogger.com, and google.com.
We have an app that uses FCM (ex GCM) for push messaging and notification on Android devices.
We have an use case where the app won't have open access to Google Play Services as it will be deployed on a corporate network - well it is a "everything closed except fixed servers with fixed IP addresses and ports" firewall. Direct connection to these services will not be allowed, but we can provide our own http/s or socks proxy to access whatever we want.
To my latest knowledge and searches on SO, even if you specify a proxy on android, the proxy will only be used if your app is set up to use it (no problem), but Google Play Services and Firebase will just ignore the proxy setting.
Has this changed? Can Firebase/FCM/Google play services run through the proxy specified in Android? And if so, from which android version?
Thank you,
Nicolas
Here is the latest info from the firebase support (short answer: no)
"
Unfortunately, Firebase Cloud Messaging is currently not designed to support a Proxy and does not attempt to address all network conditions. An alternative is to whitelist FCM to not go through a proxy at all. You should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google's ASN of 15169. For more information regarding FCM ports, please refer to this documentation.
https://firebase.google.com/docs/cloud-messaging/concept-options#ports_and_your_firewall
"
If any has ideas of workarounds, please feel free to share them :)
Thanks,
Nicolas
We have built an Android app which uses Firebase for user authentication. Our (large enterprise) client is planning to deploy it behind their firewall. During initial testing, the authentication stage fails whenever we are using their network. It does work on an open network.
I am trying to find out what firewall configuration is needed to use the firebase authentication API, but I cannot find anything in the docs. I know that the firewall allows port 80 and 443 for outgoing connections. I am assuming that no specific IPs are blacklisted. Ports 5228-5230 (which would be required for FCM) are not opened yet, as we are currently not using push notifications. I am wondering if this is the issue. However, all references I can find (usually inofficial ones on stackoverflow) insist that the firebase authentification happens via https and only 443 should be needed.
Is anyone able to verify this and perhaps provide the documentation which details this?
Our server in a confined environment need to push notification out to devices installed with our apps. We tried our push client on an open environment and it worked. However when moved to our server, there are network error due to firewall blockage.
Based on google documents:
If your organization has a firewall that restricts the traffic to or
from the Internet, you need to configure it to allow connectivity with
FCM in order for your Firebase Cloud Messaging client apps to receive
messages. The ports to open are: 5228, 5229, and 5230. FCM typically
only uses 5228, but it sometimes uses 5229 and 5230. FCM doesn't
provide specific IPs, so you should allow your firewall to accept
outgoing connections to all IP addresses contained in the IP blocks
listed in Google's ASN of 15169.
However, we are actually pushing using the HTTP protocol with the following URL:
https://fcm.googleapis.com/fcm/send
Does that means the port to open is now 443 instead of 5228?
Also we will need to configure the host as well because the security team does not allow us to connect to the domain. From the paragraph above, all IP addresses is in the ASN 15169, and i had only managed to find a list here
Anyone with experience with this can give a pointer? Thank you.
Does that means the port to open is now 443 instead of 5228?
To receive messages
You should open 5228, 5229 and 5230 as per the documentation.
To send messages
FCM doesn't provide specific IPs because our IP range changes too frequently and your firewall rules could get out of date impacting your users' experience.
Ideally, you will whitelist ports 5228-5230 with no IP restrictions.
However, if you must have an IP restriction, you should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google's ASN of 15169. This is a large list and you should plan to update your rules monthly.
In addition to Darish's answer, Google does not recommend whitelisting IPs nor URLs:
For outgoing connections, FCM doesn't provide specific IPs because our
IP range changes too frequently and your firewall rules could get out
of date impacting your users' experience. Ideally, you will whitelist
ports 5228-5230 with no IP restrictions. However, if you must have an
IP restriction, you should whitelist all of the IP addresses in the
IPv4 and IPv6 blocks listed in Google's ASN of 15169. This is a large
list and you should plan to update your rules monthly. Problems caused
by firewall IP restrictions are often intermittent and difficult to
diagnose.
You can find information about Google's IP addresses here (Google help page) or here (ipinfo.io).
You can also try these commands (from first link above, translated from netstat to dig):
dig #8.8.8.8 _spf.google.com TXT
dig #8.8.8.8 _netblocks.google.com TXT
dig #8.8.8.8 _netblocks2.google.com TXT
dig #8.8.8.8 _netblocks3.google.com TXT
The first command gets you the SPF record for Google mail servers (which is all the IPs they own). That leads you to the _netblockN.google.com TXT records which give you all the IP ranges. My queries just now yielded these results:
_netblocks.google.com. 3599 IN TXT "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
_netblocks2.google.com. 3599 IN TXT "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
_netblocks3.google.com. 3599 IN TXT "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"
You could parse those TXT records and use the resulting IP ranges for your firewall rules. Google does recommend updating your rules monthly however.
I am using Parse API for pushing notifications in my Android app without problem.
The app should work without internet in my HotSpot network. So I need to open URLs, Maybe Ports or even protocols in my HotSpot network to allow the app to push its notifications.
I open these URLs without success:
*.apis.google.com
*.googleapis.com
*.parse.com
The fiddler is not showing anything useful. I guess that it may use another protocol instead of HTTP.
I want to know which URLs, IPs, protocols and or ports is used for Parse API to work and send its notifications?
If I'm not wrong, the Parse is using Google Cloud Messaging to push its notifications. But I don't know the GCM URLs either.
Any help would be appreciated
In summary, opening these IPs/domains is not going to be sufficient.
The device accesses the GCM servers on ports 5228-5230.
Note: If your organization has a firewall that restricts the traffic
to or from the Internet, you'll need to configure it to allow
connectivity with GCM. The ports to open are: 5228, 5229, and 5230.
GCM typically only uses 5228, but it sometimes uses 5229 and 5230. GCM
doesn't provide specific IPs. It changes IPs frequently. We recommend
against using ACLs but if you must use them, take a broad approach
such as the method suggested in this support link.
Here is the link to the relevant GCM documentation: https://developers.google.com/cloud-messaging/http
Latest Android versions fallback on port 443 in the absence of access to these ports.