Network and Firewall Configuration

ENPS Mobile consists of two parts - the Mobile Gateway and the Web Service Host - that should be installed on a single server. All devices connecting to ENPS Mobile will need direct access to both components.

In a standard installation where ENPS Mobile will be used outside the newsroom and without VPN access, the ENPS Mobile Server should be placed in a DMZ.

If a VPN solution will be required for access to ENPS Mobile, the ENPS Mobile server can be placed inside your protected network. The server can also be placed inside your protected network if it will only be accessed from within the newsroom and studio (e.g., a dedicated server for use with the Tablet Story Viewer).

Suggested Network Deployment for ENPS Mobile with External Access:

Please note the following:

  • ENPS Mobile can be configured to work over port 80 (HTTP) or port 443 (HTTPS). However, it is strongly recommended to only use port 443 (HTTPS) for maximum security, even if the Mobile servers are entirely within your network and not exposed to the Internet. The native iOS & Android Apps will only work using HTTPS.

  • When placing the Mobile server in a DMZ, only port 443 should be allowed inbound from the public Internet (unless you are choosing not to use HTTPS).

  • When using HTTPS, a signed SSL certificate from a trusted CA is required. Self-signed certificates cannot be used. This is discussed in detail during the installation process in the SSL Certificates topic.

  • Traffic must be allowed between the ENPS Mobile Server in the DMZ and the ENPS servers inside the protected network as follows:

From the DMZ to the protected network:

  • 10505 (TCP). Used for user login and all search requests (for search requests only if using IS or WSS). Needs to be open to all ENPS servers in the enterprise.

  • 10506 (TCP). All non-search client data requests. Needs to be open to all ENPS servers in the enterprise.

  • 10510 (TCP). Private channel to the News Object Manager(s) (NOM(s)) for real-time updates of all non-wire content. Needs to be open to all ENPS servers in the enterprise.

  • 8080 (TCP). Used for search requests when using Solr.

From the protected network to the DMZ (all ports TCP except 10512, which is UDP):

  • 10512 (UDP). Real-time updates of incoming wire content. Needs to be open from all ENPS servers in the enterprise.

  • 80 (TCP). Allows automatic updating of the Web Service Host whenever a change is made to the ENPS global tables. Needs to be open only from the Central Server.

  • For sites using UDP broadcasts, the IP address of your Mobile server(s) should be added to the [Reflectors] section of the NWP.INI file on all of your ENPS servers and the News Wire Profiler (NWP) restarted.

  • For sites using Multicast, complete the step above and also ensure the following settings are in place:

    • MulticastAlsoBroadcast=1 in the Global Configuration Table

    • Broadcast=0 in the [NWP] section of NWP.INI

    • Broadcast=1 in the [TCPIP] section of NWP.INI

  • If your Mobile server is in a subnet that is already receiving UDP traffic from your ENPS servers, none of the above changes to the NWP.INI or Global Configuration table are necessary. No configuration changes are needed for the NOM whether you are using UDP broadcasts or Multicast.

  • In order to avoid interference with real-time updates in Mobile, no ENPS desktop clients should be run on the Mobile server.

  • Multiple instances of the ENPS Mobile server can be deployed throughout the enterprise, both inside and outside the protected network, as needed.

  • No additional components are required on the ENPS server to support ENPS Mobile.
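
The port list above can be checked automatically against a firewall rule set. The following Python is an added example, not part of ENPS or its documentation: it flags rules that are broader than the flows this page lists and reports listed flows that no rule covers. The zone names, the rule tuple layout and the sample rules are assumptions constructed for illustration.

```python
# Added example: flow matrix transcribed from the port list on this page.
# Zone names and the rule tuple layout are assumptions, not ENPS settings.
REQUIRED = {
    ("internet", "dmz", "tcp", 443),
    ("dmz", "inside", "tcp", 10505),
    ("dmz", "inside", "tcp", 10506),
    ("dmz", "inside", "tcp", 10510),
    ("inside", "dmz", "udp", 10512),
    ("inside", "dmz", "tcp", 80),
}
SOLR = ("dmz", "inside", "tcp", 8080)  # only needed when search uses Solr


def audit(rules, solr=False):
    """rules: iterable of (src_zone, dst_zone, proto, port_lo, port_hi, src_host).
    Returns (findings, missing): over-broad rules, and listed flows not covered."""
    allowed = REQUIRED | ({SOLR} if solr else set())
    findings, covered = [], set()
    for src, dst, proto, lo, hi, host in rules:
        wanted = {p for (s, d, pr, p) in allowed if (s, d, pr) == (src, dst, proto)}
        hit = {p for p in wanted if lo <= p <= hi}
        extra = (hi - lo + 1) - len(hit)
        if extra:
            findings.append(f"{src}->{dst} {proto}/{lo}-{hi}: {extra} port(s) outside the matrix")
        # Port 80 toward the DMZ is only for the Central Server's table updates.
        if (src, dst, proto) == ("inside", "dmz", "tcp") and 80 in hit and host == "any":
            findings.append("inside->dmz tcp/80: source must be the Central Server only")
        covered |= {(src, dst, proto, p) for p in hit}
    return findings, sorted(allowed - covered)


# Constructed sample rule set (not from a real firewall export).
SAMPLE_RULES = [
    ("internet", "dmz", "tcp", 443, 443, "any"),
    ("internet", "dmz", "tcp", 80, 80, "any"),        # plain HTTP exposed
    ("dmz", "inside", "tcp", 10505, 10510, "any"),    # range wider than needed
    ("inside", "dmz", "udp", 10512, 10512, "any"),
    ("inside", "dmz", "tcp", 80, 80, "any"),          # not limited to Central Server
]

if __name__ == "__main__":
    findings, missing = audit(SAMPLE_RULES, solr=True)
    for line in findings:
        print("FINDING:", line)
    for flow in missing:
        print("MISSING:", flow)
```

Sites that do not use HTTPS, or that receive UDP traffic through an existing subnet, would need to adjust the matrix accordingly.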