Introduction
FME Flow is often installed on an internal network with restricted access; however, some functionality, such as Webhooks or Flow Apps, may require communication with the public Internet.
There are many tools to secure a server for public access, including Reverse Proxy Servers, Application Gateways, Firewall Rules, Networking Rules, and Load Balancers. Safe Software does not provide a recommended configuration for this setup, and you will need to discuss with your IT team which solution will work best for your organization. This article documents the information you’ll need to proceed with your chosen solution.
HTTPS Configuration
The web application ports 80/443 must use HTTP/HTTPS. FME Flow can be configured with HTTPS by installing a certificate on each Web Application. To configure FME Flow with SSL, please read Configuring FME Flow for HTTPS.
Please ensure your certificate matches FME Flow’s DNS name.
HTTPS Configuration with a Reverse Proxy or Load Balancer
If you are using a reverse proxy or a load balancer to configure FME Flow for public access, you can choose between several different configuration options.
- Only FME Flow has SSL (TLS/SSL passthrough)
- Only your reverse proxy or load balancer has SSL (TLS/SSL termination)
- Both FME Flow and your reverse proxy/load balancer have SSL (End-to-end TLS/SSL, TLS/SSL bridging)
TLS/SSL Termination
If your reverse proxy or load balancer is already SSL-configured, you may choose to use TLS/SSL termination and not configure FME Flow with SSL. This will mean that traffic is decrypted at the load balancer/reverse proxy, then passed to Flow without encryption. For TLS/SSL termination, the reverse proxy can be on the same machine as FME Flow (as with using NGINX), or on a separate server.
To correctly configure for TLS/SSL termination, the FME Flow Web Application must specify the redirect headers relative to the reverse proxy or load balancer, not itself. This is already done on Linux installations because we ship NGINX with FME Flow on Linux. The same changes can be made on Windows installations by following the steps below:
1. On the FME Flow Web Application machine, run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf
2. Update the proxyPort directive to 443:
proxyPort="443"
3. Update the scheme directive to https:
scheme="https"
4. Repeat on any remaining FME Flow Web Applications if you have them.
5. Restart the services.
With this configuration, the load balancer decrypts SSL traffic and passes it to FME Flow unencrypted. Traffic returning from FME Flow reaches the client as HTTPS, so it won’t be rejected by, for example, SAML. However, the data Flow itself sends back to the load balancer is unencrypted.
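To confirm the edits from steps 2 and 3 landed on every web application machine, a small audit of server.xml can be run. This is an added example, not Safe Software code: the XML fragments are constructed, and the function name audit_connectors and the choice to skip AJP connectors are assumptions.

```python
import xml.etree.ElementTree as ET

# Values from steps 2 and 3 of the procedure above.
REQUIRED = {"proxyPort": "443", "scheme": "https"}

# Constructed server.xml fragments (not FME Flow's shipped file): a connector
# that still advertises itself, and one set for TLS termination at the proxy.
BEFORE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" proxyPort="80" scheme="http"/>
  </Service>
</Server>"""
AFTER = BEFORE.replace('proxyPort="80" scheme="http"',
                       'proxyPort="443" scheme="https"')


def audit_connectors(xml_text):
    """Return (connector port, attribute, found, expected) for each mismatch."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        # Assumption: AJP connectors are not the HTTP listener behind the proxy.
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        for attr, expected in REQUIRED.items():
            found = conn.get(attr)  # None when the attribute is missing
            if found != expected:
                findings.append((conn.get("port"), attr, found, expected))
    return findings


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_connectors(text) or "OK")
```

An empty result means every HTTP connector in the file carries both values; each tuple otherwise names the connector and the attribute that still needs changing.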
Follow this guide to configure SAML with a load balancer.
End-To-End TLS/SSL or TLS/SSL Bridging
If you require traffic to be encrypted on your internal network, end-to-end TLS/SSL or TLS/SSL bridging may need to be implemented. To set this up, you will need to configure FME Flow for HTTPS, then configure the load balancer/reverse proxy to point to Flow.
If you are using a non-CA cert like a self-signed certificate, you may have to import one or more certs (such as your reverse proxy/load balancer certificate or Flow’s certificate) into the FME Flow trust store. See Configuring FME Flow for HTTPS for instructions.
If this is necessary, but has not yet been successfully completed, you may experience PKIX Path Issues.
Webhooks
Webhooks use standard HTTP/HTTPS ports, typically 80/443. To use this functionality outside your internal network, you must grant access to the service URL (used to run jobs directly) or the webhook URL from an automation trigger:
Service URL: https://myflow.com/<service>/ where the service is fmejobsubmitter, fmedatadownload, or fmedatastreaming. This URL can be found under Run Workspace > Actions > Create Webhook.
Automation Webhook URL - REST API V3: https://myflow.com/fmerest/v3/automations/workflows/<UUID>/<UUID>/message. This URL can be found in Automations > Webhook Trigger.
As of FME Flow 2025.1, the V3 REST API has been deprecated. The current API will remain accessible, but no new features or general bug fixes will be implemented. Starting with FME Flow 2026.1, the V3 API will be removed. We encourage all users to prepare their systems for this change.
The V4 REST API offers enhanced security and usability, including new and reorganized endpoints, as well as the removal of certain endpoints. For information on migrating from V3 to V4, please see the FME Flow REST API V4 documentation and click on the heading Migrating from REST API V4.
Automation Webhook URL - REST API V4: https://myflow.com/fmeapiv4/automations/<UUID>/<UUID>/message. This URL can be found in Automations > Webhook Trigger.
WebSockets
WebSockets initiate traffic on HTTP/HTTPS before being redirected to the WS/WSS protocol, so both protocols need to be opened to the public internet. WSS and WS traffic will go through port 7078 on FME Flow by default.
For more information on FME Flow port configuration, reference the FME Flow Ports documentation.
The WebSocket server is part of the FME Flow Core process, so in the case of installations where the FME Flow Core and FME Flow Web Application Server Service are on different machines, public WebSocket traffic will have to be routed to the core machine.
Routing Traffic to FME Flow
For public access the following URL path patterns should be whitelisted:
- /fmeserver/dist/
- /fmeserver/images/
- /fmeserver/fonts/
- /fmeserver/bundle/
- /fmeserver/app/
- /fmeserver/apps/
- /fmeserver/REST/
- /fmeserver/run/
- /fmeserver/login/
- /fmeserver/styles/
- /fmerest/v3/
- /fmeapiv4/
- /fmetoken
- /fmedatadownload/
- /fmedatastreaming/
- /fmedataupload/
- /fmekmllink/
- /fmejobsubmitter/
- /fmenotification/
- /fmesso/
- /fmesaml/
- /api/
Additionally, if you are using a load balancer or reverse proxy that only passes certain traffic to your servers, make sure it is set to pass these paths so Flow receives everything it needs.
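The list above can be turned into a reference check for testing proxy or gateway rules: decide on the decoded, normalized path and match whole segments, so only requests that really fall under a listed pattern are passed. This is an added example, not Safe Software code: the function names, the sample request targets, and the normalization policy (decode once, resolve dot segments, accept a pattern with or without its trailing slash) are assumptions.

```python
import posixpath
from urllib.parse import unquote

# URL path patterns listed in this article.
ALLOWED = [
    "/fmeserver/dist/", "/fmeserver/images/", "/fmeserver/fonts/",
    "/fmeserver/bundle/", "/fmeserver/app/", "/fmeserver/apps/",
    "/fmeserver/REST/", "/fmeserver/run/", "/fmeserver/login/",
    "/fmeserver/styles/", "/fmerest/v3/", "/fmeapiv4/", "/fmetoken",
    "/fmedatadownload/", "/fmedatastreaming/", "/fmedataupload/",
    "/fmekmllink/", "/fmejobsubmitter/", "/fmenotification/",
    "/fmesso/", "/fmesaml/", "/api/",
]


def is_public_path(request_target):
    """Hypothetical helper: True if the target falls under a listed pattern."""
    path = unquote(request_target.partition("?")[0])  # drop query, decode once
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return False
    # Resolve "." and ".." so the decision is made on the path the backend sees.
    norm = posixpath.normpath(path)
    for pattern in ALLOWED:
        base = pattern.rstrip("/")
        # Compare whole segments: /fmetokens must not match /fmetoken.
        if norm == base or norm.startswith(base + "/"):
            return True
    return False


# Constructed request targets and the decision expected for each.
SAMPLES = {
    "/fmeserver/login/": True,
    "/fmetoken": True,
    "/fmejobsubmitter/Repo/demo.fmw?opt=1": True,
    "/fmeapiv4/automations/ID1/ID2/message": True,
    "/fmetokens": False,                    # different segment, not listed
    "/fmeserver/": False,                   # parent of listed paths only
    "/fmeserver/app/../other/": False,      # resolves outside the list
    "/fmeserver/app/%2e%2e/other/": False,  # same path, percent-encoded
}


def mismatches():
    """Return the sample targets whose decision differs from the expectation."""
    return [t for t, want in SAMPLES.items() if is_public_path(t) != want]
```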
Using a Reverse Proxy or Load Balancer with One-Way Communication
If FME Flow cannot route traffic back to the reverse proxy/load balancer, you will need to route traffic back to the client through an outgoing proxy for FME Flow’s data download and data streaming services to work correctly.
FME Flow Service URLs
If you are using a reverse proxy or load balancer, FME Flow’s service URLs need to be changed to the reverse proxy/load balancer’s DNS name because clients will be unable to connect directly to the web application server.
To change all service host names from the FME Flow Web UI, open the Services page under Admin > System Configuration > Network & Email, then select "Change All Hosts." You may also need to add your port number (example: 8443).
Troubleshooting
FME Flow Troubleshooting: Proxies
FME Flow Troubleshooting: SAML
SAML Authentication Failure
PKIX Path Issues when Configuring HTTPS/SSL for FME Flow
FME Flow on Azure: Unable to run jobs when using internal or private Azure Load Balancer
Failed to submit job via FME Flow Proxy when Core cannot communicate with Load Balancer
Additional Resources
FME Flow Best Practices Guide for IT Ops and Flow Admins
Configuring FME Flow for HTTPS
FME Flow Security
FME Flow Ports
Use a Reverse Proxy with FME Flow
Set Up the Load Balancer and Configure with FME Flow
SAML Configuration - FME Flow