For Securly Classroom (formerly ChromeTools) to work properly, devices need to be able to receive push notifications from Google's Firebase Cloud Messaging (FCM), formerly Google Cloud Messaging (GCM).
The following information was taken from an article on the Google Firebase web site:
Your firewall rule should allow incoming traffic on ports: 5228, 5229, and 5230.
Therefore, your firewall rule should be set to allow these ports from any source IP (outside) to any destination IP (inside device).
For the source on the incoming connection FCM doesn't provide specific IPs because Google's IP range changes too frequently and your firewall rules could get out of date impacting your users' experience. Ideally, you will whitelist ports 5228-5230 with no IP restrictions.
However, if you absolutely must have an IP restriction, you should whitelist all of the IP addresses in the IPv4 and IPv6 blocks listed in Google's ASN of 15169 (over 500 ranges). This is a large list and you should plan to update your rules monthly. Problems caused by firewall IP restrictions are often intermittent and difficult to diagnose.
If your network implements Network Address Translation (NAT) or Stateful Packet Inspection (SPI), implement a 30 minute or larger timeout for our connections over ports 5228-5230. This enables us to provide reliable connectivity while reducing the battery consumption of your users' mobile devices.