Firewall Ports to Open for RUCKUS Cloud
The following table lists the ports that must be opened in the network firewall to ensure that managed APs, switches, guest users, DNS servers, and so on can communicate successfully with RUCKUS Cloud.
- For RUCKUS Cloud to function properly, configure your firewall according to the following guidelines. These URLs must always be available:
- Firewall Configuration: Verify that your firewall allows outbound connectivity to the following IP ranges and ports. You must allow network traffic initiated from your RUCKUS APs and switches to these network ranges, protocols, and ports.
All Usable IP Ranges |
---|
34.66.162.64 - 34.66.162.95 |
34.89.230.64 - 34.89.230.95 |
34.92.234.64 - 34.92.234.95 |
34.66.194.64 - 34.66.194.95 |

Protocol and Ports | Firewall Flow | Purpose |
---|---|---|
TCP 443 (HTTPS) | AP/Switch to Cloud | AP discovery and connection to cloud |
TCP 22 (SSH) | AP/Switch initiated to Cloud | Bi-directional persistent connection to cloud for configuration change and firmware update |
UDP 123 (NTP) | AP/Switch to Cloud | Network time protocol |
TCP 8090, 8099 | AP/Switch to Cloud | Guest/WiSPr/Open WLAN. Allow clients to connect to internet |
TCP 8100, 8111 | AP/Switch to Cloud | Allow clients to browse using proxy user endpoint |

- Verify that your APs are DHCP configured: If your APs have a statically assigned IP address, it is important to move them to DHCP. While an AP may work with a static IP in most cases, there have been instances where an AP's recovery may involve a reset. During the reset, the APs may revert to DHCP, and if there is no DHCP service present, the AP will not operate properly.
Note: APs and switches require the following DNS entries to be reachable to establish secure connectivity to RUCKUS Cloud. Ensure that the following DNS entries are whitelisted in your firewall:
- AP registrar FQDN ap-registrar.ruckuswireless.com
- CA FQDN ocsp.comodoca.com
From (Sender) | To (Listener) | Port | Purpose | Symptoms When Blocked |
---|---|---|---|---|
Admin | Any | TCP:443 | Login and access tenant account for managing tenant APs or switches | RUCKUS Cloud portal is inaccessible. |
AP/Switch | RUCKUS Cloud (vSZ) | TCP:22 | SSH tunnel between the AP or switch and RUCKUS Cloud for management and control traffic | The AP or switch is unable to connect to RUCKUS Cloud, DIR (newer models have CTL) LED is off. Tenant account shows that AP or switch is disconnected. |
AP/Switch | RUCKUS Cloud (vSZ) | TCP:443 | Discovery of vSZ | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
AP/Switch | RUCKUS AP Registrar | TCP:443 | Query vSZ associated with registered AP | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
AP/Switch | RUCKUS NTP Server (ntp.ruckuswireless.com) | UDP:123 | Synchronization of the AP or switch clock with the NTP server | |
AP/Switch | DNS server (provided by local DHCP) | TCP/UDP:53 | Query to resolve RUCKUS AP/switch Registrar's FQDN | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
Guest | RUCKUS Cloud (Guest Portal) | TCP:443 | Guest authentication | Guest portal is unreachable |
Guest | RUCKUS Cloud (Guest Portal) | TCP:8090 | Enabling guest access to a tenant network | Guest authentication does not work and guest is unable to connect to the network |
Guest | RUCKUS Cloud (Guest Portal) | TCP:8099 | Enabling guest access to a tenant network | Guest authentication does not work and guest is unable to connect to the network |
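
One way to audit an egress allow-list against the IP ranges and AP/switch-initiated ports listed above. This is an added example, not RUCKUS code; the one-line rule format and the sample policy are constructed for illustration. Rule ordering and deny rules are not modelled, and a range counts as covered only when a single allow rule contains the whole block.

```python
import ipaddress

# Destination ranges and AP/switch-initiated ports, copied from the tables on this page.
RANGES = [("34.66.162.64", "34.66.162.95"), ("34.89.230.64", "34.89.230.95"),
          ("34.92.234.64", "34.92.234.95"), ("34.66.194.64", "34.66.194.95")]
FLOWS = [("tcp", 443), ("tcp", 22), ("udp", 123),
         ("tcp", 8090), ("tcp", 8099), ("tcp", 8100), ("tcp", 8111)]

def required_networks():
    """Collapse each first-last range from the table into CIDR blocks."""
    nets = []
    for first, last in RANGES:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets

def parse_rule(line):
    """Hypothetical rule format: '<action> <proto> <cidr> <port>[-<port>]'."""
    action, proto, cidr, ports = line.split()
    lo, _, hi = ports.partition("-")
    return action, proto, ipaddress.ip_network(cidr), int(lo), int(hi or lo)

def missing_flows(rule_lines):
    """Return (network, proto, port) tuples that no single allow rule covers."""
    rules = [parse_rule(ln) for ln in rule_lines
             if ln.strip() and not ln.startswith("#")]
    gaps = []
    for net in required_networks():
        for proto, port in FLOWS:
            covered = any(action == "allow" and p == proto
                          and lo <= port <= hi and net.subnet_of(dst)
                          for action, p, dst, lo, hi in rules)
            if not covered:
                gaps.append((str(net), proto, port))
    return gaps

# Constructed sample egress policy (not from the page).
SAMPLE = """\
allow tcp 34.66.162.64/27 443
allow tcp 34.66.162.64/27 22
allow udp 34.66.162.64/27 123
allow tcp 34.66.162.64/27 8090-8111
allow tcp 34.89.230.0/24 22-443
allow tcp 34.92.234.64/28 443
""".splitlines()

if __name__ == "__main__":
    for net, proto, port in missing_flows(SAMPLE):
        print(f"NOT ALLOWED {proto}/{port} -> {net}")
```

Against the sample policy, the audit flags the second range for missing UDP 123 and the guest ports, the third range because a /28 rule covers only half of the listed block, and the fourth range entirely.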