diff --git a/inventory/group_vars/proxies b/inventory/group_vars/proxies
index 53a291b4d6..3122f29b8d 100644
--- a/inventory/group_vars/proxies
+++ b/inventory/group_vars/proxies
@@ -63,6 +63,8 @@ custom_rules: [
 
     # Allow resultsdb talk to the inbound fedmsg relay.
     '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.124.207 -j ACCEPT',
+    # Allow openqa01 to talk to the inbound fedmsg relay.
+    '-A INPUT -p tcp -m tcp --dport 9941 -s 10.5.131.71 -j ACCEPT',
  ]
 
 fas_client_groups: sysadmin-noc,fi-apprentice
diff --git a/roles/fedmsg/base/tasks/main.yml b/roles/fedmsg/base/tasks/main.yml
index c4bbe6391d..16d751df01 100644
--- a/roles/fedmsg/base/tasks/main.yml
+++ b/roles/fedmsg/base/tasks/main.yml
@@ -119,7 +119,7 @@
   - relay.py
   - logging.py
   - base.py
-  when: "'persistent-cloud' not in group_names"
+  when: "'persistent-cloud' not in group_names and 'qa-isolated' not in group_names"
   tags:
   - config
   - fedmsgdconfig
@@ -152,7 +152,7 @@
   - restart fedmsg-irc
   - restart fedmsg-relay
 
-- name: setup basic /etc/fedmsg.d/ contents for cloud hosts
+- name: setup basic /etc/fedmsg.d/ contents for firewalled/external hosts
   template: >
     src="{{ item }}.j2"
     dest="/etc/fedmsg.d/{{ item }}"
@@ -165,7 +165,7 @@
   - relay.py
   - logging.py
   - base.py
-  when: "'persistent-cloud' in group_names"
+  when: "'persistent-cloud' in group_names or 'qa-isolated' in group_names"
   tags:
   - config
   - fedmsgdconfig
diff --git a/roles/fedmsg/base/templates/relay.py.j2 b/roles/fedmsg/base/templates/relay.py.j2
index 79733297bd..82cd0f957c 100644
--- a/roles/fedmsg/base/templates/relay.py.j2
+++ b/roles/fedmsg/base/templates/relay.py.j2
@@ -24,7 +24,7 @@ config = dict(
     # It is also used by the mediawiki php plugin which, due to the oddities of
     # php, can't maintain a single passive-bind endpoint of it's own.
     relay_inbound=[
-        {% if 'persistent-cloud' in group_names or 'jenkins-master' in group_names %}
+        {% if 'persistent-cloud' in group_names or 'jenkins-master' in group_names  or 'qa-isolated' in group_names %}
 
         # Stuff from the cloud has to go through our external proxy first..
         #"tcp://hub.fedoraproject.org:9941",