FME Flow: 2026.2
Enabling FME Flow for Public Access
FME Flow is often installed on an internal network with restricted access. However, some functionality, such as webhooks and Flow Apps, may require communication with the public Internet.
Routing Web Traffic to FME Flow
For public access, FME Flow's URL paths may need to be whitelisted. Additionally, if you are using a load balancer or reverse proxy that only passes certain traffic to your servers, make sure it is set to pass these paths so FME Flow receives everything it needs.
FME Flow’s URL paths start with the following:
- /fmeserver/dist/
- /fmeserver/images/
- /fmeserver/fonts/
- /fmeserver/bundle/
- /fmeserver/app/
- /fmeserver/apps/
- /fmeserver/REST/
- /fmeserver/run/
- /fmeserver/login/
- /fmeserver/styles/
- /fmeserver/fmeauth
- /fmeserver/ssotoken
- /fmeinfo/
- /fmemcp/
- /fmeapiv4/
- /fmetoken
- /fmedatadownload/
- /fmedatastreaming/
- /fmedataupload/
- /fmekmllink/
- /fmejobsubmitter/
- /fmenotification/
- /fmesso/
- /fmeoauth
- /fmesaml/
- /api/
You can whitelist only the paths for the specific features you want publicly accessible. For example, all webhook paths start with /fmeapiv4/automations/. Likewise, if you are using the FME Flow WebSocket Server, you can whitelist only those paths.
Additional URLs for FME Flow
The following sites should also be whitelisted for access to automatic Licensing and Broadcast Messages.
- https://fme-licensing.safe.com/
- http://api.safe.com/
URL Rewriting
URL rewriting can be used as part of a reverse proxy’s rules to forward traffic to FME Flow. These rules may rely on URL pattern matching. The following example pattern passes all the URL paths listed above, ensuring FME Flow receives all relevant traffic:
(^(api|fme).*)
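The catch-all pattern is a prefix match on "api" or "fme", so it forwards more than the listed paths. The following added example (not part of the FME Flow documentation) compares it with an anchored allowlist built from the list above; the function names and sample request paths are constructed for illustration.

```python
import re

# URL path prefixes copied from the list on this page.
FME_PREFIXES = """
/fmeserver/dist/ /fmeserver/images/ /fmeserver/fonts/ /fmeserver/bundle/
/fmeserver/app/ /fmeserver/apps/ /fmeserver/REST/ /fmeserver/run/
/fmeserver/login/ /fmeserver/styles/ /fmeserver/fmeauth /fmeserver/ssotoken
/fmeinfo/ /fmemcp/ /fmeapiv4/ /fmetoken /fmedatadownload/ /fmedatastreaming/
/fmedataupload/ /fmekmllink/ /fmejobsubmitter/ /fmenotification/ /fmesso/
/fmeoauth /fmesaml/ /api/
""".split()

# Catch-all pattern from this page.
BROAD = re.compile(r"(^(api|fme).*)")

def matches_broad(path):
    # Assumption: the proxy tests the path without its leading slash,
    # because the page's pattern is anchored on "api"/"fme", not on "/".
    return BROAD.match(path.lstrip("/")) is not None

def matches_prefix_list(path, prefixes=FME_PREFIXES):
    # True only if the path starts with one of the documented prefixes.
    return any(path.startswith(p) for p in prefixes)

def compile_allowlist(prefixes=FME_PREFIXES):
    # One anchored alternation that a proxy rule could use instead.
    alts = "|".join(re.escape(p) for p in sorted(prefixes, key=len, reverse=True))
    return re.compile("^(?:" + alts + ")")

def over_matched(paths, prefixes=FME_PREFIXES):
    # Paths the catch-all forwards although no allowed prefix covers them.
    return [p for p in paths if matches_broad(p) and not matches_prefix_list(p, prefixes)]

# Constructed request paths; the unlisted ones are hypothetical.
SAMPLE_PATHS = [
    "/fmeapiv4/automations/example",
    "/fmedatadownload/example",
    "/apidocs/",
    "/fmeserver-old/",
    "/fmeserver/example-unlisted/",
    "/static/site.css",
]

if __name__ == "__main__":
    for p in over_matched(SAMPLE_PATHS):
        print("forwarded by catch-all, not in prefix list:", p)
```

Passing a shorter prefix list, such as only /fmeapiv4/automations/ for webhooks, to `over_matched` and `compile_allowlist` shows what a feature-specific rule would stop forwarding.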
Web Application Firewall (WAF) Rules
If your organization has strict OWASP rules, create a support ticket to discuss what this might mean for FME Flow.
Unencrypted FME Flow Behind a Reverse Proxy or Load Balancer with HTTPS (TLS/SSL Termination)
If your reverse proxy or load balancer is already SSL-configured and you do not require web traffic on your internal network to use HTTPS, you may choose not to configure FME Flow with SSL.
To configure an FME Flow deployment with HTTP behind a reverse proxy or load balancer with HTTPS, the FME Flow web application server must specify the redirect headers relative to the reverse proxy or load balancer, not itself. Linux installations, which are provided with an NGINX reverse proxy, already have this configuration. The same changes can be made on Windows installations by following these steps:
- On the machine hosting the FME Flow web application server, run a text editor as an administrator and open server.xml, located in <FMEFlowDir>\Utilities\tomcat\conf.
- Add a directive proxyName with the value of the external reverse proxy/load balancer address. For example:
proxyName="reverse.proxy.com"
- Update the proxyPort directive to 443:
proxyPort="443"
- Update the scheme directive to https:
scheme="https"
- Add a directive secure with a value of true:
secure="true"
- Change the address directive to the reverse proxy/load balancer IP address to prevent external requests directly to the web application server:
address="<your reverse proxy IP address>"
- If you have a fault-tolerant installation of FME Flow, repeat on any remaining web application server hosts in your deployment.
- Restart the services.
With this configuration, the load balancer decrypts SSL traffic and passes it to FME Flow unencrypted. When traffic comes from FME Flow back to the client, it is labelled as HTTPS so it will not be rejected by, for example, SAML. However, the data FME Flow actually sends back is unencrypted.
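To confirm that every web application server host received the same edits, the check below parses server.xml and reports each Connector attribute that differs from the steps above. It is an added example, not part of the FME Flow documentation; the function name, the sample XML and the 192.0.2.10 address are constructed, and it assumes the directives are attributes of the Connector element.

```python
import xml.etree.ElementTree as ET

def audit_connectors(server_xml, proxy_name, proxy_ip):
    """Return (connector port, attribute, found, expected) for each mismatch."""
    expected = {
        "proxyName": proxy_name,   # external reverse proxy/load balancer address
        "proxyPort": "443",
        "scheme": "https",
        "secure": "true",
        "address": proxy_ip,       # value the steps above call for
    }
    findings = []
    # Assumption: every <Connector> element in the file should carry the settings.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        for attr, want in expected.items():
            got = conn.get(attr)   # None when the attribute is missing
            if got != want:
                findings.append((conn.get("port"), attr, got, want))
    return findings

# Constructed sample: a connector before the steps were applied.
BEFORE_XML = """
<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" proxyPort="80" scheme="http"/>
</Service></Server>
"""

# Constructed sample: the same connector after the steps were applied.
AFTER_XML = """
<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1"
             proxyName="reverse.proxy.com" proxyPort="443"
             scheme="https" secure="true" address="192.0.2.10"/>
</Service></Server>
"""

if __name__ == "__main__":
    for port, attr, got, want in audit_connectors(
            BEFORE_XML, "reverse.proxy.com", "192.0.2.10"):
        print(f"connector {port}: {attr} is {got!r}, expected {want!r}")
```

On a fault-tolerant installation, run the same check against the server.xml of each web application server host before restarting the services.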
To configure SAML with a load balancer, see SAML Configuration.
Using a Reverse Proxy or Load Balancer with One-Way Communication
If FME Flow cannot route traffic back to the reverse proxy/load balancer, you must route traffic back to the client through an outgoing proxy for FME Flow’s data download and data streaming services to work correctly.
WebSockets
On Windows installations, WebSocket Server traffic goes through port 7078 by default.
On Linux installations, using NGINX as a reverse proxy, WebSocket Server traffic goes through port 80/443 by default. NGINX runs in front of the web application server by default.
Timeouts
Reverse proxies and load balancers often have timeouts for client and server-side inactivity, which may impact connections with FME Flow.
If using the data download service or data streaming service, longer timeouts may be necessary for time-consuming jobs. Keep in mind workspace duration when configuring timeouts.
If using FME Flow’s REST Service, there are options to extend or choose the timeout period. Base this period on your workflow’s total maximum lifetime.
If using the FMEFlowJobSubmitter transformer and Wait for Jobs to Complete is Yes, timeouts must be greater than 45 seconds for job completion polling to work.
If using Streams, keep in mind that the idle timeout setting may impact how messages are received after longer periods of inactivity.
Large File Uploads
Verify that your maximum allowed upload size is large enough to support necessary file uploads to FME Flow.