Enabling FME Flow for Public Access

Richard Mosley
Richard Mosley
  • Updated


FME Flow (formerly FME Server) is often installed on an internal network with restricted access, however, some functionality such as Webhooks or Flow Apps may require communication with the public internet.  There are many tools to secure a server for public access, including Reverse Proxies, Application Gateways, Firewall Rules, Networking Rules, and Load Balancers. Safe Software does not provide a recommended configuration for this setup and you will need to discuss with your IT team what solution is going to work best for your organization.  This article documents the information you’ll likely need to proceed with your chosen solution. 

HTTPS Configuration

FME Flow can be configured with HTTPS by installing a certificate on each Web Application. Alternatively, you may want to use a Reverse Proxy or Load Balancer to resolve HTTPS traffic and leave FME Flow Web Application without a certificate. In this case, the FME Flow Web Application must be configured to specify the redirect headers relative to the proxy, not itself. You can do that by following the steps below:
1. On the FME Flow Web Application machine Run a text editor as an administrator and open server.xml, located in

2. Update the proxyPort directive to 443:

3. Update the scheme directive to https: 

4. Repeat on any remaining FME Flow Web Applications if you have them.

5. Restart the services


Webhooks use standard HTTP/HTTPS ports typically this is 80/443.  To make use of this functionality outside your internal network, you must grant access to the webhook/service URL. For example:

Service URL: https://myflow.com/<service>/ where the service is fmejobsubmitter, datadownload, or datastreaming. This URL can be found from the Run Workspace > Actions > Create Webhook
Note: FME Mobile (formerly FME Data Express) also makes use of service URLs to run jobs

Webhook URL: https://myflow.com/fmerest/v3/automations/workflows/<UUID>/<UUID>/message. This URL can be found from Automations > Webhook Trigger


WebSockets are routed through HTTP/HTTPS before being redirected to the  WS/WSS protocol so both protocols need to be opened to the public internet. By default, both WSS and WS traffic will go through port 7078 on FME Flow. 
The WebSocket server is part of the FME Flow Core process, so in the case of installations where the FME Flow Core and FME Flow Web Application Server Service are on different machines, public WebSocket traffic will have to be routed to the core machine.  

Routing Traffic to FME Flow

For public access the following URL path patterns should be whitelisted: 


Additional Resources

Load balancing concepts for FME Flow in the cloud 
Configuring for HTTPS
FME Flow Security
F5 load balancer health checks
Using a Reverse Proxy with FME Flow
Using IIS and ARR as a reverse proxy
NGINX as a reverse proxy


Was this article helpful?



Please sign in to leave a comment.