Firewall Ports to Open for RUCKUS Cloud

The following table lists the ports that must be opened in the network firewall to ensure that managed APs, switches, guest users, DNS servers, and so on can communicate successfully with RUCKUS Cloud.

Note: APs and switches require the following DNS entries to be reachable to establish secure connectivity to RUCKUS Cloud. Ensure that the following DNS entries are whitelisted in your firewall:
  1. AP registrar FQDN ap-registrar.ruckuswireless.com
  2. CA FQDN ocsp.comodoca.com
Table 1. Ports Required for RUCKUS Cloud Communication

| From (Sender) | To (Listener) | Port | Purpose | Symptoms When Blocked |
|---|---|---|---|---|
| Admin | Any | TCP:443 | Login and access tenant account for managing tenant APs or switches | RUCKUS Cloud portal is inaccessible. |
| AP/Switch | RUCKUS Cloud | TCP:22 | SSH tunnel between the AP or switch and RUCKUS Cloud for management and control traffic | The AP or switch is unable to connect to RUCKUS Cloud; the DIR (newer models have CTL) LED is off. Tenant account shows that AP or switch is disconnected. |
| AP/Switch | RUCKUS Cloud | TCP:443 | Discovery of vSZ | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
| AP/Switch | RUCKUS AP Registrar | TCP:443 | Query vSZ associated with registered AP | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
| AP/Switch | RUCKUS NTP Server (ntp.ruckuswireless.com) | UDP:123 | Synchronization of the AP or switch clock with the NTP server | |
| AP/Switch | DNS server (provided by local DHCP) | TCP/UDP:53 | Query to resolve RUCKUS AP/switch Registrar's FQDN | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
| Guest | RUCKUS Cloud (Guest Portal) | TCP:443 | Guest authentication | Guest portal is unreachable. |
| Guest | RUCKUS Cloud (Guest Portal) | TCP:8090 | Enabling guest access to a tenant network | Guest authentication does not work and guest is unable to connect to the network. |
| Guest | RUCKUS Cloud (Guest Portal) | TCP:8099 | Enabling guest access to a tenant network | Guest authentication does not work and guest is unable to connect to the network. |

UDP 1812-1813: Proxy-mode networks depend on your own RADIUS server. The port is usually the RADIUS standard port 1812/1813, but you can change it. You must allow the above-listed ranges to reach the customer RADIUS server on the port that matches your proxy-mode configuration.

| Protocols and ports | Firewall Flow | Purpose |
|---|---|---|
| UDP 1812/1813 (RADIUS) | Cloud allowed IP ranges to customer RADIUS Server | RADIUS AAA traffic proxied by the Cloud controller. |
| UDP User Defined (RADIUS) | Cloud allowed IP ranges to customer RADIUS Server | RADIUS AAA traffic proxied by the Cloud controller on a user defined port. |
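
The following is an added example, not part of the RUCKUS documentation: a Python check that compares a firewall rule set against the flows in the tables above and reports required flows that would be dropped, as well as allow rules that open more ports than those flows need. The zone labels, the first-match and default-deny rule semantics, and the sample rule set are assumptions made for the example.

```python
from dataclasses import dataclass
# Flows from this page's tables as (sender, listener, proto, port); zone labels are this example's own.
REQUIRED = [
    ("admin", "any", "tcp", 443), ("ap-switch", "ntp", "udp", 123),
    ("ap-switch", "ruckus-cloud", "tcp", 22), ("ap-switch", "ruckus-cloud", "tcp", 443),
    ("ap-switch", "ap-registrar", "tcp", 443), ("ap-switch", "dns", "tcp", 53),
    ("ap-switch", "dns", "udp", 53), ("guest", "guest-portal", "tcp", 443),
    ("guest", "guest-portal", "tcp", 8090), ("guest", "guest-portal", "tcp", 8099),
    ("ruckus-cloud", "radius", "udp", 1812), ("ruckus-cloud", "radius", "udp", 1813),
]

@dataclass
class Rule:
    action: str  # "allow" or "deny"
    src: str     # zone label or "any"
    dst: str     # zone label or "any"
    proto: str   # "tcp", "udp" or "any"
    lo: int      # first port in the range
    hi: int      # last port in the range

    def matches(self, src, dst, proto, port):
        return (self.src in ("any", src) and self.dst in ("any", dst)
                and self.proto in ("any", proto) and self.lo <= port <= self.hi)

def verdict(rules, flow):
    # Assumed semantics: the first matching rule wins, no match means deny.
    return next((r.action for r in rules if r.matches(*flow)), "deny")

def blocked_flows(rules):
    return [f for f in REQUIRED if verdict(rules, f) != "allow"]

def excess_ports(rules):
    # (rule, count) for allow rules whose range is wider than the required ports it covers.
    out = []
    for r in rules:
        needed = {f[3] for f in REQUIRED if r.matches(*f)}
        if r.action == "allow" and r.hi - r.lo + 1 > len(needed):
            out.append((r, r.hi - r.lo + 1 - len(needed)))
    return out

SAMPLE_RULES = [  # constructed rule set, for illustration only
    Rule("allow", "admin", "any", "tcp", 443, 443),
    Rule("allow", "ap-switch", "ruckus-cloud", "tcp", 443, 443),
    Rule("allow", "ap-switch", "ap-registrar", "tcp", 443, 443),
    Rule("allow", "ap-switch", "dns", "udp", 53, 53),
    Rule("allow", "ap-switch", "ntp", "udp", 123, 123),
    Rule("allow", "guest", "guest-portal", "tcp", 443, 8099),
    Rule("allow", "ruckus-cloud", "radius", "udp", 1812, 1813),
]
```

Run against the sample, `blocked_flows` reports the missing TCP:22 tunnel and DNS over TCP, and `excess_ports` flags the guest rule that opens the whole 443-8099 range instead of the three listed ports.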