Introduction
FME Flow (formerly FME Server) is often installed on an internal network with restricted access. However, some functionality, such as Webhooks or Flow Apps, may require communication with the public internet. There are many tools to secure a server for public access, including Reverse Proxies, Application Gateways, Firewall Rules, Networking Rules, and Load Balancers. Safe Software does not provide a recommended configuration for this setup, and you will need to discuss with your IT team which solution will work best for your organization. This article documents the information you'll likely need to proceed with your chosen solution.
HTTPS Configuration
FME Flow can be configured with HTTPS by installing a certificate on each Web Application. Alternatively, you may want to use a Reverse Proxy or Load Balancer to terminate HTTPS traffic and leave the FME Flow Web Application without a certificate. In this case, the FME Flow Web Application must be configured to specify the redirect headers relative to the proxy, not itself. You can do that by following the steps below:
1. On the FME Flow Web Application machine, run a text editor as an administrator and open server.xml, located in:
<FMEFlowDir>\Utilities\tomcat\conf
2. Update the proxyPort directive to 443:
proxyPort="443"
3. Update the scheme directive to https:
scheme="https"
4. Repeat on any remaining FME Flow Web Applications if you have them.
5. Restart the services.
Webhooks
Webhooks use the standard HTTP/HTTPS ports, typically 80/443. To make use of this functionality outside your internal network, you must grant access to the webhook/service URL. For example:
Service URL: https://myflow.com/<service>/ where the service is fmejobsubmitter, datadownload, or datastreaming. This URL can be found from Run Workspace > Actions > Create Webhook.
Note: FME Mobile (formerly FME Data Express) also makes use of service URLs to run jobs.
Webhook URL: https://myflow.com/fmerest/v3/automations/workflows/<UUID>/<UUID>/message. This URL can be found from Automations > Webhook Trigger
WebSockets
WebSockets are routed through HTTP/HTTPS before being redirected to the WS/WSS protocol, so both protocols need to be opened to the public internet. By default, both WSS and WS traffic will go through port 7078 on FME Flow. The WebSocket server is part of the FME Flow Core process, so in installations where the FME Flow Core and the FME Flow Web Application Server Service are on different machines, public WebSocket traffic will have to be routed to the core machine.
Routing Traffic to FME Flow
For public access, the following URL path patterns should be whitelisted:
/fmeserver/dist/
/fmeserver/images/
/fmeserver/fonts/
/fmeserver/bundle/
/fmeserver/app/
/fmeserver/apps/
/fmeserver/REST/
/fmeserver/run/
/fmeserver/login/
/fmeserver/styles/
/fmerest/v3/
/fmeapiv4/
/fmetoken
/fmedatadownload/
/fmedatastreaming/
/fmedataupload/
/fmekmllink/
/fmejobsubmitter/
/fmenotification/
/fmesso/
/fmesaml/
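The following is an added example, not Safe Software's code or a supported configuration: a default-deny check of a request target against the path list above, as a proxy or gateway rule would need to apply it. The rejection rules for ambiguous paths and the segment-boundary match for /fmetoken are assumptions, and the sample request targets are constructed.

```python
import posixpath
from urllib.parse import unquote

# Prefixes copied from the list above; everything else is denied.
ALLOWED_PREFIXES = (
    "/fmeserver/dist/", "/fmeserver/images/", "/fmeserver/fonts/",
    "/fmeserver/bundle/", "/fmeserver/app/", "/fmeserver/apps/",
    "/fmeserver/REST/", "/fmeserver/run/", "/fmeserver/login/",
    "/fmeserver/styles/", "/fmerest/v3/", "/fmeapiv4/", "/fmetoken",
    "/fmedatadownload/", "/fmedatastreaming/", "/fmedataupload/",
    "/fmekmllink/", "/fmejobsubmitter/", "/fmenotification/",
    "/fmesso/", "/fmesaml/",
)

# Assumption: tokens that a proxy and the backend could parse differently
# (double encoding, backslashes, path parameters, empty segments, NUL).
AMBIGUOUS = ("%", "\\", ";", "//", "\x00")


def canonical_path(request_target):
    """Return the decoded, dot-segment-free path, or None if it is ambiguous."""
    path = request_target.split("?", 1)[0].split("#", 1)[0]
    decoded = unquote(path)  # decode once; a leftover "%" means double encoding
    if not decoded.startswith("/") or any(t in decoded for t in AMBIGUOUS):
        return None
    canonical = posixpath.normpath(decoded)  # resolves "." and ".." segments
    if decoded.endswith("/") and canonical != "/":
        canonical += "/"  # normpath strips the trailing slash; restore it
    return canonical


def is_allowed(request_target):
    """True only when the canonical path falls under an allowlisted prefix."""
    path = canonical_path(request_target)
    if path is None:
        return False
    for prefix in ALLOWED_PREFIXES:
        if prefix.endswith("/"):
            if path.startswith(prefix):
                return True
        elif path == prefix or path.startswith(prefix + "/"):
            return True  # segment-boundary match, so /fmetokens is not /fmetoken
    return False


if __name__ == "__main__":
    # Constructed sample request targets.
    for target in ("/fmerest/v3/healthcheck", "/fmeserver/dist/../admin/",
                   "/fmeserver/dist/%2e%2e/admin/", "/fmetokens", "/fmeserver/"):
        print(f"{target!r:40} -> {'allow' if is_allowed(target) else 'deny'}")
```

Matching on the raw request string instead of the canonical path is what lets an encoded or dot-segment path slip past a prefix rule, so compare the result against how your chosen proxy normalizes paths before forwarding.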
Additional Resources
Load balancing concepts for FME Flow in the cloud
Configuring for HTTPS
FME Flow Security
F5 load balancer health checks
Using a Reverse Proxy with FME Flow
Using IIS and ARR as a reverse proxy
NGINX as a reverse proxy