Firewall settings for minimal mycloud access

To use the WiseMo myCloud service behind a firewall, you can usually get away with the typical “web-only” firewall settings used in many places. However, if you want to configure your firewall specifically for use with the WiseMo myCloud service, please proceed as follows:

Quick summary (typical case):

Port         Allow IP list            Alternative
80 and 443   mycloudall.wisemo.com
80 and 443   skinsall.wisemo.com      or reject unknown
80 and 443   updatesall.wisemo.eu     or reject unknown
80 and 443   csall.wisemo.net         or reject unknown
1970         csall.wisemo.net         or reject unknown
8580         skinsall.wisemo.net      or reject unknown

Details:

  1. If you block or limit access to any ports likely to be used by WiseMo products (ports 80, 443, 1970 and 8580 are the defaults), please set your firewalls to explicitly reject outgoing packets instead of silently dropping them. This allows WiseMo products (and other programs inside your network) to more quickly deal with the policy restriction, either by reporting the error to the user or using appropriate fallback behavior. Silently dropping packets is a good tactic against known bad actors and port scans from the outside, but is less useful for traffic coming from inside your network anyway.
  2. If you are using an HTTPS inspection system that requires web browsers inside your network to trust a special CA certificate for the inspection system, please be sure to deploy that CA certificate to the system CA trust stores on your internal machines, including the ones running WiseMo Host programs. For example, to deploy to Windows machines, use the “Machine” part of group policy, not the user part. Similarly, import it into the “Local Computer” certificate store under “Trusted Root Certification Authorities” on standalone Windows machines. Deploying the trust only to per-user settings does not help system-wide services that operate independently of user login, such as WiseMo Hosts.
  3. To do basic login to mycloud, allow access to port 80 (HTTP) and 443 (HTTPS) (port 80 can be changed to port 1970 in program settings) to at least the IP addresses published in DNS as mycloudall.wisemo.com. New IPs will be added to this list at least 30 days before being actively used. The actual URLs use the name mycloud.wisemo.com, which changes IPs quite frequently due to load balancing and cluster management.
  4. To actually make connections via mycloud, you also need to permit port 80 (HTTP) or 1970 (RC), and in the future port 443 (HTTPS), to the connection servers that may be used: either the entire pool of public connection servers published in DNS as csall.wisemo.net (new IPs are added to this list at least 7 days before being actively used), or arrange with WiseMo to set up your own dedicated connection servers on IP addresses of your own. The actual URL used will typically contain raw IP addresses or random DNS names.
  5. To download graphical skins for remote controlling mobile and embedded devices, allow your Desktop Guest computers to access port 80 (HTTP), 443 (HTTPS), 1970 (RC) or port 8580 (legacy) to the IP addresses published in DNS as skinsall.wisemo.com. New IPs will be added to this list at least 30 days before being actively used. The actual URLs use the name skins.wisemo.com, which changes IPs quite frequently due to load balancing and cluster management. If you choose to open a port other than port 80, you need to specify that port in the Guest program settings.
  6. To allow direct connections between your Guest and Host computers, please open port 80 (HTTP) or 1970 (RC), and in the future port 443, between whatever locations you use for those. If the Guest and Host are already on the same side of your firewall, nothing needs to be opened for this.
  7. If you are using Android Hosts, either allow those to talk to the Google Cloud Messaging servers or configure them not to use that service (this uses more battery and bandwidth, as they will then have to poll our mycloud servers instead of relying on Google Cloud Messaging).
  8. If you are using Apple iOS Hosts, allow those to talk to the Apple Notification Servers, because current Apple policies prevent us from offering alternate methods.
  9. If you use a module that supports automatic updates (very few currently do), it uses port 80 or 443 to the IP addresses published in DNS as updatesall.wisemo.eu. New IPs will be added to this list at least 30 days before being actively used. The actual URLs use the name updates.wisemo.eu, which changes IPs quite frequently due to load balancing and cluster management. Not opening this should have no consequences other than having to find out about software updates manually.
  10. If you purchase perpetual licenses and connect directly without going through our mycloud service, you only need to allow the direct connections (#6 above) and the optional skin downloads (#5 above).
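The following script is an added example, not part of the WiseMo documentation, showing how the allow lists above can be turned into an egress rule set that follows item 1 (explicit reject, not silent drop, on the WiseMo ports). It resolves the DNS-published names at run time; the IP addresses in SAMPLE_DNS are constructed placeholders used only for the offline run, and the nftables syntax is an assumption about your firewall.

```python
import socket
from typing import Callable, Dict, List

# Egress policy from the summary table: the DNS names that publish each
# allow list, and the destination ports that list is used on.
ALLOW_LISTS: Dict[str, List[int]] = {
    "mycloudall.wisemo.com": [80, 443],
    "csall.wisemo.net": [80, 443, 1970],
    "skinsall.wisemo.com": [80, 443],
    "skinsall.wisemo.net": [8580],
    "updatesall.wisemo.eu": [80, 443],
}
# Default WiseMo ports. Traffic on these to any other address is rejected
# (TCP reset) rather than dropped, so clients fail fast (item 1 above).
WISEMO_PORTS = [80, 443, 1970, 8580]

# Constructed sample answers standing in for a live DNS lookup (assumption:
# documentation-range addresses, not WiseMo's real ones).
SAMPLE_DNS = {
    "mycloudall.wisemo.com": ["192.0.2.10", "192.0.2.11"],
    "csall.wisemo.net": ["198.51.100.20", "198.51.100.21"],
    "skinsall.wisemo.com": ["203.0.113.30"],
    "skinsall.wisemo.net": ["203.0.113.30"],
    "updatesall.wisemo.eu": ["203.0.113.40"],
}

def resolve_live(name: str) -> List[str]:
    """Return every IPv4 address currently published for a DNS name."""
    return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})

def build_nft_rules(resolver: Callable[[str], List[str]] = resolve_live) -> List[str]:
    """Emit nftables rules: one accept per allow list, then an explicit
    reject for the remaining WiseMo ports, to be placed ahead of any
    default drop. Names that resolve to nothing produce no accept rule."""
    rules = []
    for name, ports in ALLOW_LISTS.items():
        addrs = resolver(name)
        if not addrs:
            continue
        port_set = ", ".join(str(p) for p in ports)
        addr_set = ", ".join(addrs)
        rules.append(f'tcp dport {{ {port_set} }} ip daddr {{ {addr_set} }} accept comment "{name}"')
    all_ports = ", ".join(str(p) for p in WISEMO_PORTS)
    rules.append(f'tcp dport {{ {all_ports} }} reject with tcp reset comment "wisemo: reject, not drop"')
    return rules

if __name__ == "__main__":
    for rule in build_nft_rules(lambda n: SAMPLE_DNS.get(n, [])):
        print(rule)
```

Re-run the generator regularly, since the page states that new addresses appear in the lists 7 to 30 days before use.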