Firewall Ports to Open for RUCKUS One

To allow RUCKUS One to properly function, configure your firewall according to the following guidelines. These URLs must always be available.

Make sure that you have a DNS server configured for your network infrastructure devices. DNS is required for the access points to resolve the RUCKUS One controller names and perform the upgrade successfully.

Note: APs and switches require the following DNS entries to be reachable to establish secure connectivity to RUCKUS One. Ensure that the following DNS entries are whitelisted in your firewall:
  • ap-registrar.ruckuswireless.com (this is the AP registrar FQDN)
  • sw-registrar.ruckuswireless.com (this is the SWITCH registrar FQDN)
  • ocsp.comodoca.com (this is the CA FQDN)
  • ocsp.ocsp.entrust.net (this is the CA FQDN)
  • ocsp.godaddy.com (this is the CA FQDN)

The following table lists the ports that must be opened in the network firewall to ensure that managed APs, switches, guest users, DNS servers, and so on, can communicate successfully with RUCKUS One.

Table 1. Ports Required for RUCKUS One Communication
From (Sender) To (Listener) Port Purpose Symptoms When Blocked
Admin Any TCP:443 Login and access tenant account for managing tenant APs or switches RUCKUS One portal is inaccessible.
AP/Switch RUCKUS One TCP:22

SSH tunnel between the AP and RUCKUS One when the AP is running on standalone or SmartZone firmware.

After the RUCKUS One AP image is upgraded, the AP uses HTTP/HTTPS for management and control traffic

The AP or switch is unable to connect to RUCKUS One. On the AP, the DIR (newer models are labeled CTL) LED is off.

Tenant account shows that AP or switch is disconnected.

AP/Switch RUCKUS One TCP:443

Handles all traffic between AP or switch and RUCKUS One

The AP or switch will be unable to connect to RUCKUS One.
AP/Switch RUCKUS AP Registrar TCP:443

Handles all traffic between AP or switch and RUCKUS One

The AP or switch will be unable to connect to RUCKUS One.
AP/Switch RUCKUS NTP Server (ntp.ruckuswireless.com) UDP:123 Synchronization of the AP or switch clock with the NTP server The network device clock will be inaccurate.
AP/Switch DNS server (provided by local DHCP) TCP/UDP:53 Query to resolve RUCKUS AP/switch Registrar's FQDN This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP switch will be unable to connect to RUCKUS One.
Guest RUCKUS One (Guest Portal) TCP:443 Guest authentication Guest portal is unreachable.
Guest RUCKUS One (Guest Portal) TCP:8090 Enabling guest access to a tenant network Guest authentication does not work and the guest is unable to connect to the network.
Guest RUCKUS One (Guest Portal) TCP:8099 Enabling guest access to a tenant network Guest authentication does not work and the guest is unable to connect to the network.
RUCKUS One/AP Location Server TCP:8883 (default) After authentication, the Location Server exchanges location messages with the Sender, which may be either RUCKUS One or the AP. RUCKUS One or the AP will be unable to connect to the Location Server and obtain location information.
AP RUCKUS NATS Server with MQTT enabled TCP:443 For secure messaging, the AP communicates with the NATS Server with MQTT enabled in RUCKUS One. Securely handles communication between the AP and the RUCKUS One NATS Server with MQTT enabled.
UDP 1812-1813: Proxy mode networks depend the customer-supplied RADIUS server. It is usually the RADIUS standard port 1812/1813 but you can change the port. You must allow the above-listed port ranges to reach the customer RADIUS server and port to match your proxy-mode configuration.
Table 2. Protocols and Ports Required for RADIUS Server Communication
Protocols and ports Firewall Flow Purpose
UDP 1812/1813 (RADIUS) Cloud-allowed IP ranges to customer RADIUS Server RADIUS AAA traffic proxied by the Cloud controller.
UDP User-Defined (RADIUS) Cloud-allowed IP ranges to customer RADIUS Server RADIUS AAA traffic proxied by the Cloud controller on a user-defined port.