7 Replies Latest reply on Jun 1, 2012 2:14 PM by kennethfernandes

    APs to Controller over public Internet and required TCP/UDP ports

    dbauman New Member

      Greetings,

      Have there been any issues with having the APs connect to the Controller over a public Internet connection? The TFTP protocol seems very troublesome, as many ISPs block TFTP due to its insecure nature.

      Has anyone encountered issues with any of the other ports (like the secure TLS channels) when the APs are behind a firewall operated by a 3rd party?

      Thank you,

      Required TCP/UDP Ports

      The following TCP/UDP ports are required to be open between the BSAP and vWLAN Appliance. Please ensure any firewalls or Access Control Lists (ACL) between the BSAP and vWLAN Appliance allow the following TCP/UDP ports as applicable.

      1. UDP port 53 (DNS): AP discovery communication.
      2. TCP port 33333: Secure TLS control channel.
      3. UDP port 69 (TFTP): AP firmware.
      4. TCP port 28000: Secure TLS RFIDS channel.
      5. TCP port 80 (HTTP): Only required for captive portal and BlueProtect endpoint scanning.
      6. TCP port 443 (HTTPS): Only required for captive portal and BlueProtect endpoint scanning.
      7. UDP port 1812 (RADIUS): Only required for Internal 802.1X authentication. NOT required for External 802.1X authentication; however, it may be required between the BSAP and an external RADIUS Server.

        • Re: APs to Controller over public Internet and required TCP/UDP ports
          kennethfernandes Employee

          As long as any firewalls/Access Control Lists between the APs and vWLAN allow the appropriate ports and protocols, we haven't had any major issues. The APs can be behind NAT but the vWLAN cannot. The ability to have the vWLAN behind NAT will be available in a future release. Although the vWLAN is a hardened appliance and/or virtual appliance, it is recommended it be deployed behind a firewall, only opening the ports/protocols necessary. We haven't run into any situations where ISPs have blocked TFTP; however, we are considering other more secure methods such as SCP/SFTP. TFTP can sometimes be problematic because it uses 69 to set up and then ephemeral ports thereafter, but most firewalls automatically handle this with a fixup. As far as issues with other ports like the secure TLS channel when the APs are behind a firewall operated by a 3rd party, the appropriate ports and protocols would still need to be allowed in the 3rd party firewall.

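The port list in the question and the TFTP ephemeral-port caveat in the reply above, as an added example that is not from this thread or from the vWLAN vendor: a small Python audit that checks a firewall ACL against the required BSAP to vWLAN flows, skips the flows only needed for captive portal or internal 802.1X, and flags UDP/69 being open on a firewall without a stateful TFTP helper. The ACL syntax (`permit|deny proto port[-port]`), the feature names and the sample ACL are constructed for the example.

```python
# Required BSAP -> vWLAN flows as listed in the question: (proto, port, purpose,
# feature). An empty feature means always required; otherwise the flow is only
# needed when that feature (captive portal/BlueProtect, internal 802.1X) is used.
REQUIRED = [
    ("udp", 53, "DNS: AP discovery", ""),
    ("tcp", 33333, "Secure TLS control channel", ""),
    ("udp", 69, "TFTP: AP firmware", ""),
    ("tcp", 28000, "Secure TLS RFIDS channel", ""),
    ("tcp", 80, "HTTP: captive portal / BlueProtect", "captive_portal"),
    ("tcp", 443, "HTTPS: captive portal / BlueProtect", "captive_portal"),
    ("udp", 1812, "RADIUS: internal 802.1X", "internal_dot1x"),
]

def parse_acl(text):
    """Parse 'permit|deny proto port[-port]' lines (constructed syntax, not a
    vendor's) into (action, proto, lo, hi) tuples; first match wins."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments / blank lines
        if line:
            action, proto, ports = line.lower().split()
            lo, _, hi = ports.partition("-")
            rules.append((action, proto, int(lo), int(hi or lo)))
    return rules

def allowed(rules, proto, port):
    """First-match evaluation with an implicit deny at the end of the ACL."""
    for action, rproto, lo, hi in rules:
        if rproto in (proto, "ip") and lo <= port <= hi:
            return action == "permit"
    return False

def audit(acl_text, features=(), tftp_helper=False):
    """Return the required flows the ACL blocks, plus a note when UDP/69 is
    open on a firewall with no stateful TFTP helper: after the request on 69,
    the transfer moves to ephemeral UDP ports (the 'fixup' the reply mentions)."""
    rules = parse_acl(acl_text)
    problems = []
    for proto, port, purpose, feature in REQUIRED:
        if feature and feature not in features:
            continue   # optional flow for a feature not deployed here
        if not allowed(rules, proto, port):
            problems.append(f"blocked: {proto}/{port} ({purpose})")
    if allowed(rules, "udp", 69) and not tftp_helper:
        problems.append("udp/69 open but TFTP data uses ephemeral ports: "
                        "enable a stateful TFTP helper/fixup")
    return problems

# Constructed sample: a third-party firewall permitting only DNS and high TCP.
SAMPLE_ACL = "permit udp 53\npermit tcp 1024-65535\ndeny ip 1-65535\n"
```

Running `audit(SAMPLE_ACL)` reports only the TFTP flow as blocked, which is the situation the question describes: the TCP control channels and DNS pass, the firmware transfer does not.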
            • Re: APs to Controller over public Internet and required TCP/UDP ports
              dbauman New Member

              Thanks for the response.

              The TFTP is going to be a huge problem. Many, many ISPs block TFTP on their network for security reasons. There are several dangerous viruses which use TFTP to transfer information. It is also a very insecure protocol.

              How much is TFTP actually used for AP firmware data transfers? Does this need to happen only once, or does it require AP firmware upon every AP reboot?

              My vWLAN controller will have a public IP on it; however, my remote locations will be behind firewalls that I do not control, and I will not really have the ability to influence firewall rules. I don't see much issue with TCP based applications since the NAT tables on the AP side will be updated constantly. DNS will work without issue, and I won't be using RADIUS; I suspect that if I were, it would not have issues behind a firewall either.

              So I guess my question is now really geared towards how often the AP will need to TFTP the firmware. If only once, initially, I can probably configure the APs on the same network as the controller.