The SUNMI firewall DNS whitelist is the single most common cause of day-one deployment delays. If you are the network or IT lead rolling out SUNMI devices across a US enterprise fleet, this list saves a week of back-and-forth with the firewall team. A SUNMI all-in-one device talks to Google for Play Services and attestation, to SUNMI for ROM OTA and the Partner Portal heartbeat, and to Android Enterprise endpoints for certification. Miss one of those on the egress firewall and the device looks “online” but the POS app cannot push, update, or check in.
Short answer (firewall change ticket): allow outbound HTTPS (TCP 443) to *.sunmi.com, *.google.com, *.googleapis.com, *.gstatic.com, android.googleapis.com; allow outbound TCP 5228-5230 to mtalk.google.com for Firebase push; allow outbound TCP 80 for OCSP/CRL. Full domain list and copy-paste ticket text below.
This guide is the reference list your network team can hand off to a firewall change ticket. Rosper is the authorized SUNMI distributor for the US and Canada; we set up enterprise fleets every week and have debugged every permutation of corporate firewall MITM, DNS blackhole, and port-block that kills SUNMI deployments. Use this list as the baseline, and skip the usual week of back-and-forth with the network team.
Why the SUNMI firewall DNS whitelist matters
A SUNMI device in a US enterprise deployment maintains four categories of outbound traffic:
- SUNMI platform. ROM OTA, Partner Portal heartbeat, App Store install, RemoteManager logs, Remote Assistance.
- Google Mobile Services. Play Store, Play Services attestation, Google Sign-In, Firebase Cloud Messaging, Android certification.
- Android Enterprise. Dedicated-device (kiosk) enrollment, policy sync, certificate chain validation.
- Merchant-specific POS stack. Your POS vendor’s cloud endpoints, which are independent of the SUNMI firewall DNS whitelist and tracked separately.
If the enterprise firewall blocks any domain in categories 1-3, the device stops being manageable. The merchant sees a POS that “looks normal” until the kiosk policy or ROM update fails silently in the background.
The SUNMI firewall DNS whitelist (US baseline)
SUNMI platform domains
| Domain | Purpose |
|---|---|
| *.sunmi.com | SUNMI main domain umbrella |
| partner.sunmi.com | Partner Portal MDM console |
| appstore.sunmi.com | SUNMI App Store APK push |
| os.sunmi.com | SUNMI OS ROM OTA delivery |
| ota.sunmi.com | ROM OTA package download |
| p.sunmi.com | Device push channel |
| reg.sunmi.com | Device registration/binding |
| log.sunmi.com | RemoteManager log upload |
Google Mobile Services domains
| Domain | Purpose |
|---|---|
| *.google.com | Google root umbrella |
| *.googleapis.com | Google Play Services APIs |
| *.gstatic.com | Google static assets |
| play.googleapis.com | Play Store app download |
| android.clients.google.com | Android / Play client endpoint |
| clients1.google.com through clients6.google.com | Google client APIs |
| mtalk.google.com | Firebase Cloud Messaging persistent channel (TCP 5228) |
| *.firebaseio.com | Firebase Realtime Database |
| *.googleusercontent.com | Google user content |
Android Enterprise / device certification
| Domain | Purpose |
|---|---|
| android.googleapis.com | Android Management API |
| enterprise.google.com | Android Enterprise enrollment |
| www.google-analytics.com | Play integrity attestation telemetry |
Port requirements
- TCP 443 (HTTPS) outbound to every domain above.
- TCP 5228, 5229, 5230 outbound to mtalk.google.com for Firebase Cloud Messaging.
- TCP 80 (HTTP) outbound for OCSP and CRL certificate revocation checks. Some HTTPS TLS handshakes fail silently if OCSP is blocked.
Port 5228 is the most commonly missed requirement. A US enterprise firewall that only opens 443 will appear to work for the POS app (which uses HTTPS on 443) but silently drops every Firebase push notification. Menu updates, price pushes, and real-time order events do not arrive.
What happens if the SUNMI firewall DNS whitelist is incomplete
- Partner Portal push delayed. Kiosk policy and APK Auto Install sit in the queue and never apply. The ops team sees “pending” status for hours or days.
- ROM OTA stuck. The device attempts to download the ROM, the download stalls, and the “Automatic Upgrade at Night” window lapses without applying.
- Play Store stops responding. Apps fail to install or update. Play Protect certification may roll back to “uncertified.”
- Firebase push stops. Every cloud-push feature fails silently. The POS app appears fine until the merchant complains that orders from the online channel do not appear on the register.
- Remote Assistance cannot connect. Support engineers cannot take over the device for troubleshooting.
None of these present as obvious firewall errors on the device itself. Diagnosis usually starts from the ops side (“push not working”) and walks back to the network team.
Change-ticket language for the enterprise firewall team
Copy-paste-ready firewall change request:
Please allow outbound HTTPS (TCP 443) to the following domains from the store-floor POS VLAN. Also allow outbound TCP 5228-5230 to mtalk.google.com for Firebase push, and outbound TCP 80 for OCSP certificate checks.
SUNMI: *.sunmi.com, partner.sunmi.com, appstore.sunmi.com, os.sunmi.com, ota.sunmi.com, p.sunmi.com, reg.sunmi.com, log.sunmi.com
Google: *.google.com, *.googleapis.com, *.gstatic.com, play.googleapis.com, android.clients.google.com, mtalk.google.com, *.firebaseio.com, *.googleusercontent.com, clients1-6.google.com
Android Enterprise: android.googleapis.com, enterprise.google.com, www.google-analytics.com
No inbound ports required. No source-NAT considerations. DNS can resolve via the enterprise DNS or Google 8.8.8.8.
That language has closed hundreds of firewall tickets on the first pass for Rosper customers deploying SUNMI fleets in the US.
HTTPS MITM and enterprise DNS caveats
If the enterprise network uses an HTTPS MITM proxy (for example, Zscaler, Netskope, or a Palo Alto firewall with SSL decryption), add the SUNMI and Google Play domains to the MITM bypass list. Play Store and Google attestation do not accept a substituted TLS certificate; they reject it and the device looks uncertified.
If the enterprise runs an internal DNS resolver, make sure it returns the real IP for the SUNMI and Google domains and is not intercepting with a walled-garden response. Several large US retailers run default “block new domains” DNS policies that silently break device binding until the domains are explicitly allowed.
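A pilot-store connectivity check that exercises the whitelist and ports above and separates the two failure modes this guide describes (a DNS blackhole or walled-garden resolver versus a port block). This is an added example, not SUNMI or Rosper tooling; wildcard entries cannot be probed directly, so only the concrete hostnames and the mtalk.google.com FCM ports are tested, and a private-range DNS answer is flagged as a walled garden.

```python
import ipaddress
import socket

# Baseline list from this guide; wildcards stay in the ticket but cannot be
# probed directly, and the "clients1-6" shorthand is expanded.
WHITELIST_443 = [
    "*.sunmi.com", "partner.sunmi.com", "appstore.sunmi.com", "os.sunmi.com",
    "ota.sunmi.com", "p.sunmi.com", "reg.sunmi.com", "log.sunmi.com",
    "*.google.com", "*.googleapis.com", "*.gstatic.com", "play.googleapis.com",
    "android.clients.google.com", "clients1-6.google.com", "*.firebaseio.com",
    "*.googleusercontent.com", "android.googleapis.com", "enterprise.google.com",
    "www.google-analytics.com",
]
FCM_PORTS = (5228, 5229, 5230)  # mtalk.google.com, the most commonly missed rule

def expand_targets():
    """Turn the ticket list into concrete (host, port) probes."""
    targets = []
    for entry in WHITELIST_443:
        if entry.startswith("*."):
            continue  # wildcard: the concrete hosts in the list cover it
        if entry == "clients1-6.google.com":
            targets += [(f"clients{i}.google.com", 443) for i in range(1, 7)]
        else:
            targets.append((entry, 443))
    targets += [("mtalk.google.com", p) for p in FCM_PORTS]
    return targets

def classify_answer(ips):
    """Flag a resolver that hands back a private 'walled garden' address."""
    if not ips:
        return "dns-fail"
    if any(ipaddress.ip_address(ip).is_private for ip in ips):
        return "walled-garden"
    return "resolved"

def probe(host, port, timeout=3.0):
    """Separate DNS failures from port blocks so the ticket names the right fix."""
    try:
        answers = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns-fail"
    verdict = classify_answer(sorted({a[4][0] for a in answers}))
    if verdict != "resolved":
        return verdict
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "ok"
    except OSError:
        return "port-blocked"
```

Run it from the store-floor POS VLAN with `for h, p in expand_targets(): print(h, p, probe(h, p))`; a "dns-fail" or "walled-garden" result goes to the DNS team, a "port-blocked" result to the firewall team.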
How Rosper helps US enterprise IT teams
Rosper supports US and Canadian SUNMI deployments from Maryland and Los Angeles. For enterprise fleet rollouts, we:
- Hand off this whitelist plus carrier-specific notes (Verizon/AT&T/Comcast/Bell/Rogers) to your network team before shipment.
- Walk through a pilot-store connectivity test before you stage the rollout.
- Coordinate the Partner Portal MDM onboarding so device binding and policy push are live before the devices reach the store.
Most US orders arrive in 2-7 business days with the SUNMI Care 3-year warranty. Contact our sales team or request a fleet quote at rospertech.com.
FAQ
Is the SUNMI firewall DNS whitelist the same for every SUNMI device?
The core domains are the same across T-series, P-series, K-series, and V-series devices. Payment-specific domains may be added for PCI-certified devices; the acquirer will supply that list. The baseline SUNMI firewall DNS whitelist in this guide covers all non-payment traffic.
Does Rosper maintain a live version of the SUNMI firewall DNS whitelist?
Yes. Rosper keeps a current whitelist referenced from this post. When SUNMI adds or retires domains, the whitelist is updated and customers on our enterprise support plan get a change notification.
Does the whitelist differ between US and Canada?
No. SUNMI devices in the US and Canada both use the global SUNMI and Google endpoints. CGNAT on some Canadian ISPs can affect port 5228 Firebase push reliability, but the domain list is identical.
What if port 5228 is blocked by the enterprise firewall?
Firebase Cloud Messaging requires port 5228 outbound to mtalk.google.com. If that port is blocked, push notifications fail on every Android device in the fleet, not just SUNMI. Request the port in the same firewall change ticket.
Does the whitelist cover the POS application’s own cloud endpoints?
No. The SUNMI firewall DNS whitelist covers device management, updates, and Google services. Your POS vendor provides the separate list of endpoints for their SaaS backend.
