Firewall Ports to Open for RUCKUS One
To allow RUCKUS One to properly function, configure your firewall according to the following guidelines. These URLs must always be available.
- Outbound HTTPS (TCP 443) from APs and switches to:
- Outbound HTTP (TCP 80) from APs and switches to:
- Outbound SSH (TCP 22) from APs and
switches to:
- device.ruckus.cloud
- device.eu.ruckus.cloud
- device.asia.ruckus.cloud
Make sure that you have a DNS server configured for your network infrastructure devices. DNS is required for the access points to resolve the RUCKUS One controller names and perform the upgrade successfully.
Note: APs and switches require the following DNS
entries to be reachable to establish secure connectivity to RUCKUS One. Ensure that the
following DNS entries are whitelisted in your firewall:
- ap-registrar.ruckuswireless.com (this is the AP registrar FQDN)
- sw-registrar.ruckuswireless.com (this is the SWITCH registrar FQDN)
- ocsp.comodoca.com (this is the CA FQDN)
- ocsp.ocsp.entrust.net (this is the CA FQDN)
- ocsp.godaddy.com (this is the CA FQDN)
The following table lists the ports that must be opened in the network firewall to ensure that managed APs, switches, guest users, DNS servers, and so on, can communicate successfully with RUCKUS One.
| From (Sender) | To (Listener) | Port | Purpose | Symptoms When Blocked |
|---|---|---|---|---|
| Admin | Any | TCP:443 | Login and access tenant account for managing tenant APs or switches | RUCKUS One portal is inaccessible. |
| AP/Switch | RUCKUS One | TCP:22 | SSH tunnel between the AP or switch and RUCKUS One for management and control traffic | The AP or switch is unable to connect to RUCKUS One. On
the AP, the DIR (newer models are labeled CTL) LED is off. Tenant account shows that AP or switch is disconnected. |
| AP /Switch | RUCKUS One | TCP:443 | Discovery of cloud-based RUCKUS One | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS One. |
| AP/Switch | RUCKUS AP Registrar | TCP:443 | Query RUCKUS One associated with registered AP | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS One. |
| AP/Switch | RUCKUS NTP Server (ntp.ruckuswireless.com) | UDP:123 | Synchronization of the AP or switch clock with the NTP server | — |
| AP/Switch | DNS server (provided by local DHCP) | TCP/UDP:53 | Query to resolve RUCKUS AP/switch Registrar's FQDN | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP switch will be unable to connect to RUCKUS One. |
| Guest | RUCKUS One(Guest Portal) | TCP:443 | Guest authentication | Guest portal is unreachable. |
| Guest | RUCKUS One(Guest Portal) | TCP:8090 | Enabling guest access to a tenant network | Guest authentication does not work and the guest is unable to connect to the network. |
| Guest | RUCKUS One(Guest Portal) | TCP:8099 | Enabling guest access to a tenant network | Guest authentication does not work and the guest is unable to connect to the network. |
UDP 1812-1813 :: Proxy mode networks depend the
customer-supplied RADIUS server. It is usually the RADIUS standard port 1812/1813 but
you can change the port. You must allow the above-listed port ranges to reach the
customer RADIUS server and port to match your proxy-mode configuration.
| Protocols and ports | Firewall Flow | Purpose |
|---|---|---|
| UDP 1812/1813 (RADIUS) | Cloud-allowed IP ranges to customer RADIUS Server | RADIUS AAA traffic proxied by the Cloud controller. |
| UDP User-Defined (RADIUS) | Cloud-allowed IP ranges to customer RADIUS Server | RADIUS AAA traffic proxied by the Cloud controller on a user-defined port. |