Nicolas

Reputation: 61

Receiving FCM (GCM) behind proxy on Android

We have an app that uses FCM (ex GCM) for push messaging and notification on Android devices.

We have a use case where the app won't have open access to Google Play Services, as it will be deployed on a corporate network. It is an "everything closed except fixed servers with fixed IP addresses and ports" firewall. Direct connection to these services will not be allowed, but we can provide our own HTTP/S or SOCKS proxy to access whatever we want.

To my latest knowledge and searches on SO, even if you specify a proxy on Android, the proxy will only be used if your app is set up to use it (no problem), but Google Play Services and Firebase will just ignore the proxy setting.

Has this changed? Can Firebase/FCM/Google Play Services run through the proxy specified in Android? And if so, from which Android version?

Thank you, Nicolas

Upvotes: 1

Views: 2881

Answers (2)

Jay Whitsitt

Reputation: 1055

I was able to get FCM working with a few tweaks to our environment. Google could change their implementation at any point, so supporting this long-term is tricky.

  1. If your proxy uses SSL inspection and re-signs the server certificate with its own CA, you'll need to add some domains to a whitelist. These are called out on this page: https://support.google.com/work/android/answer/10513641?hl=en

  2. Any firewall would also need to allow traffic out to specific IP addresses. Google has a long list of IPs used for various things and they don't document what each range is used for well IMO. This page shows how to see the full list: https://cloud.google.com/vpc/docs/configure-private-google-access#ip-addr-defaults

    • If you need explicit IPs, you could look up the IP for a given domain and make some assumptions that the whole range it belongs to may be necessary. On a Unix machine, you can do nslookup the.domain.com.

  3. From my testing, *.googleapis.com is the important domain, but there are some direct connections to IPs in 142.250.0.0/15 for some reason. These would also need to be allowed through the firewall and bypassed by SSL inspection.

Upvotes: 0

Nicolas

Reputation: 61

Here is the latest info from Firebase support (short answer: no):

"Unfortunately, Firebase Cloud Messaging is currently not designed to support a Proxy and does not attempt to address all network conditions. An alternative is to whitelist FCM to not go through a proxy at all. You should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google's ASN of 15169. For more information regarding FCM ports, please refer to this documentation. https://firebase.google.com/docs/cloud-messaging/concept-options#ports_and_your_firewall"

If anyone has ideas for workarounds, please feel free to share them :) Thanks, Nicolas

Upvotes: 2
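
Both answers above come down to allowing Google-owned ranges through the firewall without proxying. As an added example (not code from either poster), this Python script checks firewall-denied destinations against a prefix list, so only denials that fall inside a listed range become allowlist candidates. The JSON shape, the IPv6 placeholder prefix, the log entries and the function names are constructed assumptions; only 142.250.0.0/15 comes from the answer.

```python
import ipaddress

# Constructed prefix list. The {"prefixes": [{"ipv4Prefix"|"ipv6Prefix": ...}]}
# shape is an assumption about the published range file; 142.250.0.0/15 is the
# range named in the answer above, 2001:db8::/32 is a documentation placeholder.
SAMPLE_RANGES = {"prefixes": [
    {"ipv4Prefix": "142.250.0.0/15"}, {"ipv6Prefix": "2001:db8::/32"},
]}

# Constructed (destination, port) pairs, as if taken from firewall deny logs.
DENIED_FLOWS = [
    ("142.250.10.5", 5228), ("142.251.200.1", 443), ("2001:db8::10", 5228),
    ("203.0.113.7", 443), ("not-an-ip", 443),
]


def load_prefixes(doc):
    """Return ip_network objects for every IPv4/IPv6 prefix in the document."""
    nets = []
    for entry in doc.get("prefixes", []):
        cidr = entry.get("ipv4Prefix") or entry.get("ipv6Prefix")
        if cidr:
            nets.append(ipaddress.ip_network(cidr, strict=True))
    return nets


def review_denied(flows, networks):
    """Sort denied flows into: inside a listed prefix, outside all, unparseable."""
    result = {"needed": {}, "unrelated": [], "invalid": []}
    for dst, port in flows:
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            result["invalid"].append((dst, port))
            continue
        match = next((n for n in networks
                      if n.version == addr.version and addr in n), None)
        if match is None:
            result["unrelated"].append((dst, port))
        else:
            result["needed"].setdefault(str(match), []).append((dst, port))
    return result


if __name__ == "__main__":
    report = review_denied(DENIED_FLOWS, load_prefixes(SAMPLE_RANGES))
    for prefix, hits in report["needed"].items():
        print(prefix, hits)
```

Only the "needed" bucket is a candidate for firewall and SSL-inspection bypass rules; denials in "unrelated" stay blocked.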
