Ports to Open for AP-Controller Communication

The table below lists the ports that must be opened in the network firewall to ensure that the vSZ-D/SZ/vSZ (controller), managed APs, and RADIUS servers can communicate with each other successfully.

Table 1. Ports to open for AP-Controller Communication
| Port Number | Layer 4 Protocol | From (Sender) | To (Listener) Interface | Configurable from Web Interface? | Purpose |
|---|---|---|---|---|---|
| 21 | TCP | AP | Control plane of SZ100, SZ300, SCG200, vSZ | No | ZD/Solo APs can download SZ AP firmware and convert themselves to SZ APs. |
| 22 | TCP | AP, vSZ-D | vSZ control plane | No | SSH tunnel |
| 49 | TCP | TACACS+ server | vSZ control plane | Yes | TACACS+ based authentication of controller administrators |
| 67, 68 | UDP | DHCP server | SZ Control, Cluster, Management | No | DHCP protocol |
| 69 | UDP | ZD AP | SZ Control | No | ZD migration |
| 91 (AP firmware 2.0 to 3.1.x) and 443 (AP firmware 3.2 and later) | TCP | AP | vSZ control plane | No | AP firmware upgrade. APs also need port 91 to download the Guest Logo and to update the signature package for the ARC feature (see the note on ports 91 and 443 below). |
| 123 | UDP | ZD AP | SZ Cluster | No | ZD migration |
| 161 | UDP | SNMP client | SZ Management | No | SNMP |
| 546, 547 | UDP | DHCPv6 server | SZ Control, Cluster, Management | No | DHCPv6 protocol |
| 7500 | UDP | SZ | SZ Cluster | No | SZ clustering operation |
| 9997 | TCP | Client device | SZ control plane | No | Internal subscriber portal over HTTP |
| 443 | TCP | AP, vSZ-D | vSZ control plane | No | Access to the vSZ/SZ control plane over secure HTTPS |
| 4443 | TCP | JITC CAC | SZ Control | No | JITC CAC authentication |
| 6868 | TCP | vSZ-D | vSZ | No | Internal communication port |
| 8443 (Note: the Public API port has changed from 7443 to 8443.) | TCP | Any | vSZ management plane | No | Access to the controller web interface via HTTPS |
| 23232 | TCP | AP | Controller (data plane) | No | GRE tunnel |
| 23233 | UDP and TCP | AP | Data plane | Yes | GRE tunnel (required only when tunnel mode is GRE over UDP). Note: On the vSZ-D, this port is used for both data and control in both UDP and TCP. |
| 12222/12223 | UDP | AP | vSZ control plane | No | LWAPP discovery (see the note on nat-ip-translation below) |
| 1812/1813 | UDP | AP | RADIUS server(s) | Yes | AAA authentication and accounting |
| 8022 | SSH | Any | Management interface | Yes | When the management ACL is enabled, you must use port 8022 (instead of the default port 22) to log on to the CLI or to use SSH. |
| 8090 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse to an HTTP website |
| 8099 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse to an HTTPS website |
| 8100 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse using a proxy UE |
| 8111 | TCP | Any | vSZ control plane | No | Allows authorized UEs to browse using a proxy UE |
| 9080 | HTTP | Any | vSZ control plane | No | Northbound Portal Interface for hotspots |
| 9443 | HTTPS | Any | vSZ control plane | No | Northbound Portal Interface for hotspots |
| 9998 | TCP | Any | vSZ control plane | No | Hotspot WISPr subscriber portal login/logout over HTTPS |
| 3333 | TCP | Controller | License server | No | Local license server |
| 3799 | UDP | External AAA server (FreeRADIUS) | SZ-RAC (vSZ control plane) | No | Supports Disconnect Message and CoA (Change of Authorization), which allow dynamic changes to a user session, such as disconnecting users and changing the authorizations that apply to a session. |
| 443 | HTTPS | Controller | License server | No | Cloud license server |
| 9996 | TCP | Client | Controller interface | No | Hotspot 2.0 portal for onboarding and remediation |
| 9999 | TCP | Client | Controller interface | No | Hotspot 2.0 trust CA verification |
| 6379, 6380 | TCP | SZ | SZ Cluster | No | Internal communication among SZ nodes |
| 7000 | TCP/UDP | SZ | SZ | No | Cassandra (database) cluster communication and data replication |
| 7800 | TCP/UDP | SZ | SZ | No | Cluster node communication for cluster operations |
| 7800-7805, 7810-7812 | TCP | SZ | SZ Cluster | No | A protocol stack using TCP on the JGroups library for node-to-node communication |
| 9300-9311 | TCP | SZ | SZ Cluster | No | Internal communication between nodes within the cluster (Elasticsearch database) |
| 11211 | TCP | SZ | SZ Cluster | No | Internal communication among SZ nodes |
| 65534, 65535 | TCP | SZ CS | DP Management | No | DP debug |

Note (ports 91 and 443): Starting in release 3.2, the controller uses an HTTPS connection and an encrypted path for the firmware download. The port used for AP firmware downloads has also been changed from port 91 to 443 to distinguish between the two methods. To ensure that all APs can be upgraded successfully to the new firmware, open both ports 443 and 91 in the network firewall.

Note (ports 12222/12223): If your AP is within the same subnet as the controller, disable nat-ip-translation to establish a connection between the AP and the controller so that the AP firmware upgrade progresses. If your AP is behind a NAT server and the NAT server does not support PASV-mode FTP, enable nat-ip-translation. If the NAT server supports PASV-mode FTP, disable nat-ip-translation for the AP firmware upgrade to progress.
Note: The destination interfaces are meant for three-interface deployments. In a single-interface deployment, all the destination ports must be forwarded to the combined management/control interface IP address.
Note: Communication between APs is not possible across NAT servers.
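As an added example (not Ruckus code or configuration), the script below turns a subset of the rows in the table into a per-sender allow-list and applies the deployment note above: in a three-interface deployment each plane has its own address, while in a single-interface deployment the control, management and cluster planes all resolve to the combined management/control address. All IP addresses, the chosen row subset, the `mode` strings and the assumption that data-plane (vSZ-D) rows keep their own address are constructed for this example.

```python
"""Build per-sender firewall allow rules from the SmartZone port table above.

Added example, not Ruckus code. Addresses, the row subset and the single-
interface collapse for data-plane rows are assumptions made for illustration.
"""
from typing import Dict, List, NamedTuple


class Rule(NamedTuple):
    proto: str   # "tcp" or "udp"
    port: int
    src: str     # sender as named in the table ("AP", "Any", "SZ")
    plane: str   # listening interface: control, management, cluster, data


# Constructed subset of the table: AP-facing, admin-facing and cluster rows.
TABLE: List[Rule] = [
    Rule("tcp", 22, "AP", "control"), Rule("tcp", 91, "AP", "control"),
    Rule("tcp", 443, "AP", "control"), Rule("udp", 12222, "AP", "control"),
    Rule("udp", 12223, "AP", "control"), Rule("tcp", 23232, "AP", "data"),
    Rule("udp", 23233, "AP", "data"), Rule("tcp", 8443, "Any", "management"),
    Rule("tcp", 8022, "Any", "management"), Rule("udp", 7500, "SZ", "cluster"),
]

# Constructed placeholder addresses (RFC 5737) for a three-interface deployment.
THREE_IFACE: Dict[str, str] = {
    "control": "192.0.2.10", "management": "192.0.2.20",
    "cluster": "192.0.2.30", "data": "192.0.2.40",
}


def plane_addresses(mode: str, addrs: Dict[str, str]) -> Dict[str, str]:
    """Map each plane to a destination IP. In single-interface mode the
    control, management and cluster planes collapse onto the combined
    management/control address; data-plane rows are assumed to stay on vSZ-D."""
    if mode == "three-interface":
        return dict(addrs)
    if mode == "single-interface":
        combined = addrs["management"]
        return {"control": combined, "management": combined,
                "cluster": combined, "data": addrs["data"]}
    raise ValueError(f"unknown deployment mode: {mode}")


def firmware_port(ap_version: str) -> int:
    """Firmware-download port for an AP build: 91 before 3.2, 443 from 3.2 on."""
    parts = ap_version.split(".")
    major, minor = int(parts[0]), int(parts[1]) if len(parts) > 1 else 0
    return 443 if (major, minor) >= (3, 2) else 91


def allow_rules(mode: str, addrs: Dict[str, str], sender: str) -> List[str]:
    """iptables-style ACCEPT lines for rows whose sender column equals `sender`."""
    dst = plane_addresses(mode, addrs)
    return [f"-p {r.proto} -d {dst[r.plane]} --dport {r.port} -j ACCEPT"
            for r in TABLE if r.src == sender]
```

Because the rules are generated per sender, the output for `"AP"` never includes a management-plane destination in three-interface mode, which is the separation the table is designed to give you.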