Firewall Ports to Open for RUCKUS Cloud
The following table lists the ports that must be opened in the network firewall to ensure that managed APs, switches, guest users, DNS servers, and so on can communicate successfully with RUCKUS Cloud.
To allow RUCKUS Cloud to function properly, configure your firewall according to the following guidelines. These URLs must always be available.
Outbound HTTPS (TCP 443) from APs and switches to:
- https://ap-registrar.ruckuswireless.com
- https://sw-registrar.ruckuswireless.com
- https://ocsp.comodoca.com
- https://ocsp.entrust.net
- https://ruckus.cloud
- https://eu.ruckus.cloud
- https://asia.ruckus.cloud
- https://device.ruckus.cloud
- https://device.eu.ruckus.cloud
- https://device.asia.ruckus.cloud
- https://storage.googleapis.com
Outbound SSH (TCP 22) from APs and switches to:
- device.ruckus.cloud
- device.eu.ruckus.cloud
- device.asia.ruckus.cloud
Make sure that you have a DNS server configured for your network infrastructure devices. DNS is required for the access points to resolve the RUCKUS Cloud controller names and perform the upgrade successfully.
Note: APs and switches require the following DNS entries to be reachable to establish secure connectivity to RUCKUS Cloud. Ensure that the following DNS entries are whitelisted in your firewall:
- AP registrar FQDN: ap-registrar.ruckuswireless.com
- CA FQDN: ocsp.comodoca.com
From (Sender) | To (Listener) | Port | Purpose | Symptoms When Blocked |
---|---|---|---|---|
Admin | Any | TCP:443 | Login and access tenant account for managing tenant APs or switches | RUCKUS Cloud portal is inaccessible. |
AP/Switch | RUCKUS Cloud | TCP:22 | SSH tunnel between the AP or switch and RUCKUS Cloud for management and control traffic | The AP or switch is unable to connect to RUCKUS Cloud, DIR (newer models have CTL) LED is off. Tenant account shows that AP or switch is disconnected. |
AP/Switch | RUCKUS Cloud | TCP:443 | Discovery of vSZ | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
AP/Switch | RUCKUS AP Registrar | TCP:443 | Query vSZ associated with registered AP | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
AP/Switch | RUCKUS NTP Server (ntp.ruckuswireless.com) | UDP:123 | Synchronization of the AP or switch clock with the NTP server | |
AP/Switch | DNS server (provided by local DHCP) | TCP/UDP:53 | Query to resolve RUCKUS AP/switch Registrar's FQDN | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS Cloud. |
Guest | RUCKUS Cloud (Guest Portal) | TCP:443 | Guest authentication | Guest portal is unreachable |
Guest | RUCKUS Cloud (Guest Portal) | TCP:8090 | Enabling guest access to a tenant network | Guest authentication does not work and guest is unable to connect to the network |
Guest | RUCKUS Cloud (Guest Portal) | TCP:8099 | Enabling guest access to a tenant network | Guest authentication does not work and guest is unable to connect to the network |
UDP 1812-1813: Proxy-mode networks depend on your own RADIUS server. It usually listens on the standard RADIUS ports 1812/1813, but you can change the port. You must allow the above-listed ranges to reach the customer RADIUS server on the port that matches your proxy-mode configuration.
Protocols and ports | Firewall Flow | Purpose |
---|---|---|
UDP 1812/1813 (RADIUS) | Cloud allowed IP ranges to customer RADIUS Server | RADIUS AAA traffic proxied by the Cloud controller. |
UDP User Defined (RADIUS) | Cloud allowed IP ranges to customer RADIUS Server | RADIUS AAA traffic proxied by the Cloud controller on a user defined port. |
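
The AP/switch outbound requirements above can be checked against an egress policy before a device is deployed. The following is an added example, not RUCKUS code: the rule format (`ACTION PROTO PORT[-PORT] HOST_GLOB`, first match wins, default deny) and the sample policy are constructed assumptions, and the DNS, guest and RADIUS flows are left out because their endpoints are site-specific.

```python
from fnmatch import fnmatch

# Required AP/switch egress flows, copied from the lists and table on this page.
HTTPS_HOSTS = [
    "ap-registrar.ruckuswireless.com", "sw-registrar.ruckuswireless.com",
    "ocsp.comodoca.com", "ocsp.entrust.net", "ruckus.cloud", "eu.ruckus.cloud",
    "asia.ruckus.cloud", "device.ruckus.cloud", "device.eu.ruckus.cloud",
    "device.asia.ruckus.cloud", "storage.googleapis.com",
]
SSH_HOSTS = ["device.ruckus.cloud", "device.eu.ruckus.cloud", "device.asia.ruckus.cloud"]
REQUIRED = ([("tcp", 443, h) for h in HTTPS_HOSTS]
            + [("tcp", 22, h) for h in SSH_HOSTS]
            + [("udp", 123, "ntp.ruckuswireless.com")])

def parse_rule(line):
    """Parse 'ACTION PROTO PORT[-PORT] HOST_GLOB' (hypothetical rule format)."""
    action, proto, ports, host = line.split()
    lo, _, hi = ports.partition("-")
    return action, proto, int(lo), int(hi or lo), host.lower()

def decide(rules, proto, port, host):
    """First matching rule wins; a flow that matches no rule is denied."""
    for action, r_proto, lo, hi, glob in rules:
        if r_proto in (proto, "any") and lo <= port <= hi and fnmatch(host, glob):
            return action
    return "deny"

def missing_flows(policy_text):
    """Return the required (proto, port, host) flows the policy does not allow."""
    rules = [parse_rule(l) for l in policy_text.splitlines()
             if l.strip() and not l.lstrip().startswith("#")]
    return [f for f in REQUIRED if decide(rules, *f) != "allow"]

# Constructed sample policy: only the ruckus.cloud names were allowed.
SAMPLE_POLICY = """
# constructed example rules, not from a real device
allow tcp 443 *.ruckus.cloud
allow tcp 443 ruckus.cloud
allow tcp 22 device.ruckus.cloud
deny  tcp 22 *
allow udp 123 *
"""

if __name__ == "__main__":
    for proto, port, host in missing_flows(SAMPLE_POLICY):
        print(f"BLOCKED {proto}/{port} -> {host}")
```

With the sample policy, the registrar, OCSP and storage.googleapis.com endpoints and the EU and Asia SSH tunnels are reported as blocked. These match the symptoms in the table: a factory-reset AP or switch cannot register, and devices in those regions show as disconnected.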