Ports to Open for AP-Controller Communication
The table below lists the ports that must be opened in the network firewall to ensure that the vSZ-D/SZ/vSZ (controller), managed APs, and RADIUS servers can communicate with each other successfully.
| Port Number | Layer 4 Protocol | From (Sender) | To (Listener) | Configurable from Web Interface? | Purpose |
|---|---|---|---|---|---|
| 21 | TCP | AP | Control plane of | No | ZD/Solo APs can download SZ AP firmware and convert themselves to SZ APs. |
| 22 | TCP | | vSZ control plane | No | SSH tunnel |
| 91 (AP firmware version 2.0 to 3.1.x) and 443 (AP firmware version 3.2 and later) | TCP | AP | vSZ control plane | No | AP firmware upgrade. APs need port 91 to download the Guest Logo and to update the signature package for the ARC feature. NOTE: Starting in release 3.2, the controller uses an HTTPS connection and an encrypted path for the firmware download. The port used for AP firmware downloads has also been changed from port 91 to 443 to distinguish between the two methods. To ensure that all APs can be upgraded successfully to the new firmware, open both ports 443 and 91 in the network firewall. |
| 161 | TCP | SNMP Client | SZ | No | Simple Network Management Protocol (SNMP) |
| 9997 | TCP | Client Device | SZ control plane | No | Internal Subscriber Portal over HTTP |
| 443 | TCP | | vSZ control plane | No | Access to the vSZ/SZ control plane over secure HTTPS |
| 8443 (NOTE: the Public API port has changed from 7443 to 8443) | TCP | Any | vSZ management plane | No | Access to the controller web interface via HTTPS |
| 12223 | UDP | AP | vSZ control plane | No | LWAPP discovery; sends image upgrade requests to ZD-APs via LWAPP (RFC 5412). |
| 8022 | No (SSH) | Any | Management interface | Yes | When the management ACL is enabled, you must use port 8022 (instead of the default port 22) to log on to the CLI or to use SSH. |
| 8090 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse to an HTTP website |
| 8099 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse to an HTTPS website |
| 8100 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse using a proxy UE |
| 8200 | TCP | | SZ | No | Captive Portal OAuth service port for HTTP |
| 8222 | TCP | | SZ | No | Captive Portal OAuth service port for HTTPS |
| 8280 | TCP | | SZ | No | Captive Portal Web Proxy service port for HTTPS |
| 9080 | HTTP | Any | vSZ control plane | No | Northbound Portal Interface for hotspots |
| 9191 | TCP | AP-MD | SZ-MD | No | Communication between AP-MD and SZ-MD |
| 9300-9400 | TCP | SZ | SZ | No | Internal communication between nodes within the cluster (ElasticSearch database) |
| 9443 | HTTPS | Any | vSZ control plane | No | Northbound Portal Interface for hotspots |
| 9998 | TCP | Any | vSZ control plane | No | Hotspot WISPr subscriber portal login/logout over HTTPS |
| 3799 | UDP | External AAA Server (FreeRADIUS) | SZ-RAC (vSZ control plane) | No | Supports Disconnect Message and CoA (Change of Authorization), which allow dynamic changes to a user session, such as disconnecting users and changing the authorizations applicable to a user session. |
| 443 | HTTPS | Controller | License server | No | Cloud license server |
| 7000 | TCP/UDP | SZ | SZ | No | Cassandra (database) cluster communication and data replication |
| 7800 | TCP/UDP | SZ | SZ | No | Cluster node communication for cluster operations |
| 7801 | TCP | SZ | SZ | No | A protocol stack using TCP on the JGroups library for node-to-node communication on SZ |
| 10514 | TCP | SZ Local Modules (apart from Logmgr) | Logmgr | No | Log clients (internal SZ modules) log into Logmgr |
| 11211 | TCP | memproxy | | | |
| 11311 | TCP | memcached | | | |
| 12311 | TCP | SZ (Domain JNI command) | SZ (ShellAgent) | No | ShellAgent is an executor that receives commands from Domain JNI. Use the following command to avoid forking a process from Domain, which would occupy a large amount of memory: `java -Xms16m -Xmx32m -cp shellagent.jar:./lib/*:config com.ruckuswireless.scg.shellagent.Server` |
| 18301 | TCP | | SZ | No | SpeedFlex tests the network performance between AP, UE, and SZ |
| 2083 (RadSec) | TCP | AAA server | SZ | No | The default destination port number for RADIUS over TLS is TCP/2083 (as per RFC 6614) |
NOTE
The destination interfaces are meant for three interface deployments. In a single interface deployment, all the destination ports must be forwarded to the combined management/control interface IP address.
NOTE
Communication between APs is not possible across NAT servers.
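The following is an added reachability check, not part of this documentation or of any Ruckus tool: it takes the AP-to-controller rows from the table above (ports 91, 443 and 12223, plus 8443 for the admin web interface), applies the single-interface rule from the first NOTE (every destination port goes to the combined management/control IP), and then attempts a TCP connect to each TCP port so a firewall change can be verified from the AP subnet before an upgrade. The controller IP addresses in the usage line are placeholders, and the UDP LWAPP port is listed but not probed because a plain connect cannot confirm it.

```python
import socket

# AP-to-controller rows taken from the table above (constructed list, not a
# complete copy of the table). UDP entries are listed but cannot be confirmed
# with a TCP connect, so the probe skips them.
AP_TO_CONTROLLER = [
    # (port, layer-4 protocol, destination plane, purpose)
    (91,    "tcp", "control",    "AP firmware (2.0-3.1.x), Guest Logo, ARC signatures"),
    (443,   "tcp", "control",    "AP firmware over HTTPS (3.2 and later)"),
    (12223, "udp", "control",    "LWAPP discovery"),
    (8443,  "tcp", "management", "Controller web interface via HTTPS"),
]


def destination_ip(plane, control_ip, mgmt_ip, single_interface):
    """Apply the deployment NOTE: with one interface, all destination ports are
    forwarded to the combined management/control IP; otherwise the management
    plane and the control plane have separate addresses."""
    if single_interface:
        return control_ip
    return mgmt_ip if plane == "management" else control_ip


def build_checks(control_ip, mgmt_ip, single_interface=False):
    """Return (l4, ip, port, purpose) tuples the AP side must be able to reach."""
    return [(l4, destination_ip(plane, control_ip, mgmt_ip, single_interface), port, purpose)
            for port, l4, plane, purpose in AP_TO_CONTROLLER]


def probe_tcp(ip, port, timeout=3.0):
    """True when a TCP handshake completes within the timeout, else False."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def run(control_ip, mgmt_ip, single_interface=False):
    """Print one line per required port; both 91 and 443 must show as open
    before a mixed-firmware AP population is upgraded."""
    for l4, ip, port, purpose in build_checks(control_ip, mgmt_ip, single_interface):
        if l4 != "tcp":
            print(f"SKIP     {ip}:{port}/udp  {purpose}")
            continue
        state = "open" if probe_tcp(ip, port) else "BLOCKED"
        print(f"{state:8} {ip}:{port}/tcp  {purpose}")


if __name__ == "__main__":
    # Placeholder controller addresses; replace with the real control/management IPs.
    run("192.0.2.10", "192.0.2.11", single_interface=False)
```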