Firewall Ports to Open for RUCKUS One
To allow RUCKUS One to function properly, configure your firewall according to the following guidelines. The hostnames listed below must always be reachable.
- Outbound HTTPS (TCP 443), HTTP (TCP 80), and SSH (TCP 22) from APs and switches to:
  - device.ruckus.cloud
  - device.eu.ruckus.cloud
  - device.asia.ruckus.cloud
Make sure that you have a DNS server configured for your network infrastructure devices. DNS is required for the access points to resolve the RUCKUS One controller names and perform the upgrade successfully.
- ap-registrar.ruckuswireless.com (this is the AP registrar FQDN)
- sw-registrar.ruckuswireless.com (this is the SWITCH registrar FQDN)
- ocsp.comodoca.com (this is the CA FQDN)
- ocsp.ocsp.entrust.net (this is the CA FQDN)
- ocsp.godaddy.com (this is the CA FQDN)
The following table lists the ports that must be opened in the network firewall to ensure that managed APs, switches, guest users, DNS servers, and so on, can communicate successfully with RUCKUS One.
From (Sender) | To (Listener) | Port | Purpose | Symptoms When Blocked |
---|---|---|---|---|
Admin | Any | TCP:443 | Login and access tenant account for managing tenant APs or switches | RUCKUS One portal is inaccessible. |
AP/Switch | RUCKUS One | TCP:22 | SSH tunnel between the AP and RUCKUS One when the AP is running standalone or SmartZone firmware. After the RUCKUS One AP image is upgraded, the AP uses HTTP/HTTPS for management and control traffic. | The AP or switch is unable to connect to RUCKUS One. On the AP, the DIR LED (labeled CTL on newer models) is off. The tenant account shows the AP or switch as disconnected. |
AP/Switch | RUCKUS One | TCP:443 | Handles all traffic between AP or switch and RUCKUS One | The AP or switch will be unable to connect to RUCKUS One. |
AP/Switch | RUCKUS AP Registrar | TCP:443 | Handles all traffic between AP or switch and RUCKUS One | The AP or switch will be unable to connect to RUCKUS One. |
AP/Switch | RUCKUS NTP Server (ntp.ruckuswireless.com) | UDP:123 | Synchronization of the AP or switch clock with the NTP server | The network device clock will be inaccurate. |
AP/Switch | DNS server (provided by local DHCP) | TCP/UDP:53 | Query to resolve the RUCKUS AP/switch Registrar's FQDN | This port is only used when an AP or switch is first added to a tenant account. If this port is blocked, any factory-reset AP or switch will be unable to connect to RUCKUS One. |
Guest | RUCKUS One (Guest Portal) | TCP:443 | Guest authentication | Guest portal is unreachable. |
Guest | RUCKUS One (Guest Portal) | TCP:8090 | Enabling guest access to a tenant network | Guest authentication does not work and the guest is unable to connect to the network. |
Guest | RUCKUS One (Guest Portal) | TCP:8099 | Enabling guest access to a tenant network | Guest authentication does not work and the guest is unable to connect to the network. |
RUCKUS One/AP | Location Server | TCP:8883 (default) | After authentication, the Location Server exchanges location messages with the Sender, which may be either RUCKUS One or the AP. | RUCKUS One or the AP will be unable to connect to the Location Server and obtain location information. |
AP | RUCKUS NATS Server with MQTT enabled | TCP:443 | For secure messaging, the AP communicates with the NATS Server with MQTT enabled in RUCKUS One. | Securely handles communication between the AP and the RUCKUS One NATS Server with MQTT enabled. |
Protocols and ports | Firewall Flow | Purpose |
---|---|---|
UDP 1812/1813 (RADIUS) | Cloud-allowed IP ranges to customer RADIUS Server | RADIUS AAA traffic proxied by the Cloud controller. |
UDP User-Defined (RADIUS) | Cloud-allowed IP ranges to customer RADIUS Server | RADIUS AAA traffic proxied by the Cloud controller on a user-defined port. |
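As an added example, not part of the RUCKUS documentation, the following Python script walks the AP/switch outbound FQDNs and ports listed above from a host on the infrastructure VLAN: it resolves each name, attempts a TCP connect where the page states a TCP port, and checks DNS only for the UDP and port-less entries. The `resolve` and `connect` parameters are assumptions added so the check can also be run with stubs.

```python
import socket

# Outbound flows from APs/switches as listed on this page: (FQDN, protocol, port).
# A None port means the page names the host but no port, so only DNS resolution is checked.
DEVICE_HOSTS = ("device.ruckus.cloud", "device.eu.ruckus.cloud", "device.asia.ruckus.cloud")
REQUIRED_FLOWS = [(h, "tcp", p) for h in DEVICE_HOSTS for p in (443, 80, 22)] + [
    ("ap-registrar.ruckuswireless.com", "tcp", 443),
    ("sw-registrar.ruckuswireless.com", "tcp", 443),
    ("ntp.ruckuswireless.com", "udp", 123),
    ("ocsp.comodoca.com", None, None),
    ("ocsp.ocsp.entrust.net", None, None),
    ("ocsp.godaddy.com", None, None),
]


def tcp_reachable(host, port, timeout=3.0):
    """Real TCP connect probe; used unless a stub is injected via check_flows(connect=...)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_flows(flows=REQUIRED_FLOWS, resolve=socket.gethostbyname, connect=tcp_reachable):
    """Return {(host, proto, port): status}; status is 'ok', 'blocked', 'dns-fail' or 'dns-only'."""
    results = {}
    for host, proto, port in flows:
        try:
            resolve(host)  # DNS must work first (see the DNS note above)
        except OSError:
            results[(host, proto, port)] = "dns-fail"
            continue
        if proto != "tcp":
            results[(host, proto, port)] = "dns-only"  # UDP/unspecified: not probed here
        else:
            results[(host, proto, port)] = "ok" if connect(host, port) else "blocked"
    return results


def failed_flows(results):
    """Flows that would produce the 'unable to connect' symptoms in the table above."""
    return [flow for flow, status in results.items() if status in ("dns-fail", "blocked")]


if __name__ == "__main__":
    for flow, status in check_flows().items():
        print(f"{status:9} {flow[0]} {flow[1] or '-'}/{flow[2] or '-'}")
```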