Government Gateway - Firewall FAQ

ASM's gateway addresses:

It seems that customers' border (hardware) firewalls that use SSL inspection (each firewall vendor has a it's own name for this function but is usually called something like "SSL scanning", "HTTPS interception" or "deep packet inspection") can block connections to the above addresses. We think this is because the connections set up websocket callbacks.

To get around this, customers (or their IT) should ensure that their border firewall excludes the above addresses from such functions.

Q. What if a customer says they are not blocking the connection but the 'ASM Sequoia Helios Gateway' service is logging "Web socket did not receive a valid test notification within the allotted period. About to dispose the web socket and attempt to reconnect. If this warning appears consistently it should be investigated"?
A. The customers border firewall is likely blocking the connection. They should contact the people that manage their border firewall and ask them to exclude the above addresses from any SSL inspection and/or check the logs on the firewall to find out why the connection is being blocked. The information here may help them resolve the problem.

Q. Can you tell us what IP addresses are used?
A. No, we use Cloudflare to protect our services, Cloudflare can change theses IP addresses at any time (this is in part how they can protect us). Please use the fully qualified domain names and

Q. What port numbers are used?
A. Connections to these services use the standard HTTPS port (443).

Q. What is a websocket callback?
A. From : "WebSocket is a computer communications protocol, providing full-duplex communication channels over a single TCP connection." Sequoia connects to our service over the HTTPS port.

Q. How can I configure the websocket connection to use my proxy?
A. The proxy address and credentials can be configured in 'ASM.Sequoia.Gateways.Helios.exe.config'.
    Located on your sequoia server in the following directory: '...\Sequoia Server\GatewayHelios\'.
        Within the applicationSettings element.
            UseProxy must be set to true.
            The ProxyAddress should be set (e.g.
            The username and password can be configured if required. If provided, the password must be base64 encoded.

Helpful links:
How to work around a websocket being blocked on a Sophos firewall