Firewall Ports to Open for RUCKUS Cloud

The following table lists the ports that must be opened in the network firewall to ensure that managed APs, switches, guest users, DNS servers, and so on can communicate successfully with RUCKUS Cloud.

  • To allow RUCKUS Cloud to function properly, configure your firewall according to the following guidelines. These URLs must always be available:
  • Firewall Configuration: Verify that your firewall allows outbound connectivity to the following IP ranges and ports. You must allow network traffic initiated from your RUCKUS APs and switches to these network ranges, protocols, and ports.
    All Usable IP Ranges
    34.66.162.64 - 34.66.162.95
    34.89.230.64 - 34.89.230.95
    34.92.234.64 - 34.92.234.95
    34.66.194.64 - 34.66.194.95
    | Protocol and Ports | Firewall Flow | Purpose |
    |---|---|---|
    | TCP 443 (HTTPS) | AP/Switch to Cloud | AP discovery and connection to cloud |
    | TCP 22 (SSH) | AP/Switch initiated to Cloud | Bi-directional persistent connection to cloud for configuration change and firmware update |
    | UDP 123 (NTP) | AP/Switch to Cloud | Network time protocol |
    | TCP 8090, 8099 | AP/Switch to Cloud | Guest/WiSPr/Open WLAN. Allow clients to connect to internet |
    | TCP 8100, 8111 | AP/Switch to Cloud | Allow clients to browse using proxy user endpoint |
  • Verify that your APs are DHCP configured: If your APs have a statically assigned IP address, it is important to move them to DHCP. While an AP may work with a static IP in most cases, there have been instances where an AP’s recovery may involve a reset. During the reset, the APs may revert to DHCP, and if there is no DHCP service present, the AP will not operate properly.
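
The firewall guideline above, as an added example (not RUCKUS code): it collapses the listed IP ranges into CIDR blocks, renders least-privilege nftables egress rules for them, and checks candidate flows against the allowlist. The source subnet `10.20.0.0/24`, the function names, and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Ranges and ports copied from the firewall guideline above.
CLOUD_RANGES = [
    ("34.66.162.64", "34.66.162.95"),
    ("34.89.230.64", "34.89.230.95"),
    ("34.92.234.64", "34.92.234.95"),
    ("34.66.194.64", "34.66.194.95"),
]
ALLOWED_PORTS = {"tcp": {22, 443, 8090, 8099, 8100, 8111}, "udp": {123}}


def cloud_networks():
    """Collapse each first-last range into the smallest set of CIDR blocks."""
    nets = []
    for first, last in CLOUD_RANGES:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def is_allowed(dst, proto, port):
    """True if an outbound AP/switch flow matches the documented allowlist."""
    addr = ipaddress.ip_address(dst)
    in_range = any(addr in net for net in cloud_networks())
    return in_range and port in ALLOWED_PORTS.get(proto.lower(), set())


def nft_rules(src_net):
    """Render nftables accept rules; src_net (the AP/switch subnet) is assumed."""
    dst = ", ".join(str(n) for n in cloud_networks())
    rules = []
    for proto, ports in sorted(ALLOWED_PORTS.items()):
        plist = ", ".join(str(p) for p in sorted(ports))
        rules.append(f"ip saddr {src_net} ip daddr {{ {dst} }} "
                     f"{proto} dport {{ {plist} }} accept")
    return rules


if __name__ == "__main__":
    for rule in nft_rules("10.20.0.0/24"):  # constructed management subnet
        print(rule)
    # Constructed flows, e.g. taken from a firewall deny log during rollout.
    for flow in [("34.66.162.70", "tcp", 22), ("34.66.162.96", "tcp", 443),
                 ("34.89.230.95", "udp", 123), ("34.92.234.64", "tcp", 23)]:
        print(flow, "allow" if is_allowed(*flow) else "deny")
```

The rules cover only the listed IP ranges; DNS (port 53) to the local resolver and the FQDNs named in the note that follows need their own entries.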

Note: APs and switches require the following DNS entries to be reachable to establish secure connectivity to RUCKUS Cloud. Ensure that the following DNS entries are whitelisted in your firewall:
  1. AP registrar FQDN ap-registrar.ruckuswireless.com
  2. CA FQDN ocsp.comodoca.com
Table 1. Ports Required for RUCKUS Cloud Communication
| From (Sender) | To (Listener) | Port | Purpose | Symptoms When Blocked |
|---|---|---|---|---|
| Admin | Any | TCP:443 | Login and access tenant account for managing tenant APs or switches | RUCKUS Cloud portal is inaccessible. |
| AP/Switch | RUCKUS Cloud (vSZ) | TCP:22 | SSH tunnel between the AP or switch and RUCKUS Cloud for management and control traffic | The AP or switch is unable to connect to RUCKUS Cloud, DIR (newer models have CTL) LED is off. Tenant account shows that AP or switch is disconnected. |
| AP/Switch | RUCKUS Cloud (vSZ) | TCP:443 | Discovery of vSZ | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
| AP/Switch | RUCKUS AP Registrar | TCP:443 | Query vSZ associated with registered AP | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
| AP/Switch | RUCKUS NTP Server (ntp.ruckuswireless.com) | UDP:123 | Synchronization of the AP or switch clock with the NTP server | |
| AP/Switch | DNS server (provided by local DHCP) | TCP/UDP:53 | Query to resolve RUCKUS AP/switch Registrar's FQDN | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
| Guest | RUCKUS Cloud (Guest Portal) | TCP:443 | Guest authentication | Guest portal is unreachable |
| Guest | RUCKUS Cloud (Guest Portal) | TCP:8090 | Enabling guest access to a tenant network | Guest authentication does not work and guest is unable to connect to the network |
| Guest | RUCKUS Cloud (Guest Portal) | TCP:8099 | Enabling guest access to a tenant network | Guest authentication does not work and guest is unable to connect to the network |