Ports to Open for AP-Controller Communication
The table below lists the ports that must be opened in the network firewall to ensure that the vSZ-D/SZ/vSZ (controller), managed APs, and RADIUS servers can communicate with each other successfully.
|Port Number||Layer 4 Protocol||From (Sender)||To (Listener)||Configurable from Web Interface?||Purpose|
|21||TCP||AP||vSZ control plane||Yes||FTP upload of reports, statistics, and configuration backups|
||vSZ control plane||No||SSH tunnel|
|49||TCP||TACACS+ server||vSZ control plane||Yes||TACACS+ based authentication of controller administrators|
|Port 91 (AP firmware version 2.0 to 3.1.x) and 443 (AP firmware version 3.2 and later)||TCP||AP||vSZ control plane||No||AP firmware upgrade
APs need Port 91 to download the Guest Logo and to update the signature package for the ARC feature.
NOTEStarting in release 3.2, the controller uses an HTTPS connection and an encrypted path for the firmware download. The port used for AP firmware downloads has also been changed from port 91 to 443 to distinguish between the two methods. To ensure that all APs can be upgraded successfully to the new firmware, open both ports 443 and 91 in the network firewall.
|9997||TCP||Client Device||SZ control Plane||No||Internal Subscriber Portal in HTTP protocol|
||vSZ control plane||No||Access to the vSZ/SZ control plane over secure HTTPS|
|6868||TCP||vSZ-D||vSZ||No||Internal communication port|
NOTEThe Public API port has changed from 7443 to 8443.
|TCP||Any||vSZ management plane||No||Access to the controller web interface via HTTPS|
|23232||TCP||AP||controller (data plane)||No||GRE tunnel|
|23233||UDP and TCP||AP||Data plane||Yes||GRE tunnel (required only when tunnel mode is GRE over UDP)
NOTEOn the vSZ-D, this port is used for both data and control in both UDP and TCP.
|12222/12223||UDP||AP||vSZ control plane||No||LWAPP discovery
If your AP is within the same subnet as the controller, disable nat-ip-translation to establish a connection between the AP and the controller so that AP firmware upgrade progresses.
If your AP is on the side of the NAT server and if the NAT server does not support PASV-Mode FTP, enable nat-ip-translation. If the NAT server supports PASV-Mode FTP, then disable nat-ip-translation for AP firmware upgrade to progress
|1812/1813||UDP||AP||Radius servers (s)||Yes||AAA authentication and accounting|
|8022||No (SSH)||Any||Management interface||Yes||
When the management ACL is enabled, you must use port 8022 (instead of the default port 22) to log on to the CLI or to use SSH.
|8090||TCP||Any||vSZ control plane||No||Allows unauthorized UEs to browse to an HTTP website|
|8099||TCP||Any||vSZ control plane||No||Allows unauthorized UEs to browse to an HTTPS website|
|8100||TCP||Any||vSZ control plane||No||Allows unauthorized UEs to browse using a proxy UE|
|8111||TCP||Any||vSZ control plane||No||Allows authorized UEs to browse using a proxy UE|
|9080||HTTP||Any||vSZ control plane||No||Northbound Portal Interface for hotspots|
|9443||HTTPS||Any||vSZ control plane||No||Northbound Portal Interface for hotspots|
|9998||TCP||Any||vSZ control plane||No||Hotspot WISPr subscriber portal login/logout over HTTPSl|
|3333||TCP||Controller||License server||No||Local license server|
|3799||UDP||External AAA Server (free Radius)||SZ-RAC||No||Supports Disconnect Message and CoA (Change Of Authorization) which allows dynamic changes to a user session such as disconnecting users and changing authorizations applicable to a user session.|
|443||HTTPS||Controller||License server||No||Cloud license server|
|9996||TCP||Client||Controller interface||No||HotSpot 2.0 portal for onboarding and remediation|
|9999||TCP||Client||Controller interface||No||HotSpot 2.0 trust CA verification|