Ports to Open for AP-Controller Communication

The table below lists the ports that must be opened in the network firewall to ensure that the vSZ-D/SZ/vSZ (controller), managed APs, and RADIUS servers can communicate with each other successfully.

Table 1. Ports to open for AP-Controller Communication

| Port Number | Layer 4 Protocol | From (Sender) | To (Listener) | Configurable from Web Interface? | Purpose |
|---|---|---|---|---|---|
| 21 | TCP | AP | Control plane of SZ100, SZ300, SCG200, vSZ | No | ZD/Solo APs can download SZ AP firmware and convert themselves to SZ APs. |
| 22 | TCP | AP, vSZ-D | vSZ control plane | No | SSH tunnel |
| 49 | TCP | TACACS+ server | vSZ control plane | Yes | TACACS+ based authentication of controller administrators |
| 91 (AP firmware version 2.0 to 3.1.x) and 443 (AP firmware version 3.2 and later) | TCP | AP | vSZ control plane | No | AP firmware upgrade. APs also need port 91 to download the Guest Logo and to update the signature package for the ARC feature. Note: Starting in release 3.2, the controller uses an HTTPS connection and an encrypted path for the firmware download. The port used for AP firmware downloads has also been changed from port 91 to 443 to distinguish between the two methods. To ensure that all APs can be upgraded successfully to the new firmware, open both ports 443 and 91 in the network firewall. |
| 9997 | TCP | Client device | SZ control plane | No | Internal subscriber portal over HTTP |
| 443 | TCP | AP, vSZ-D | vSZ control plane | No | Access to the vSZ/SZ control plane over secure HTTPS |
| 6868 | TCP | vSZ-D | vSZ | No | Internal communication port |
| 8443 (Note: The Public API port has changed from 7443 to 8443.) | TCP | Any | vSZ management plane | No | Access to the controller web interface via HTTPS |
| 23232 | TCP | AP | Controller (data plane) | No | GRE tunnel |
| 23233 | UDP and TCP | AP | Data plane | Yes | GRE tunnel (required only when tunnel mode is GRE over UDP). Note: On the vSZ-D, this port is used for both data and control, in both UDP and TCP. |
| 12222/12223 | UDP | AP | vSZ control plane | No | LWAPP discovery. Note: If your AP is within the same subnet as the controller, disable nat-ip-translation to establish a connection between the AP and the controller so that the AP firmware upgrade progresses. If your AP is behind a NAT server and the NAT server does not support PASV-mode FTP, enable nat-ip-translation; if the NAT server supports PASV-mode FTP, disable nat-ip-translation for the AP firmware upgrade to progress. |
| 1812/1813 | UDP | AP | RADIUS server(s) | Yes | AAA authentication and accounting |
| 8022 | TCP (SSH) | Any | Management interface | Yes | SSH access to the CLI. When the management ACL is enabled, you must use port 8022 (instead of the default port 22) to log on to the CLI or to use SSH. |
| 8090 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse to an HTTP website |
| 8099 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse to an HTTPS website |
| 8100 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse using a proxy UE |
| 8111 | TCP | Any | vSZ control plane | No | Allows authorized UEs to browse using a proxy UE |
| 9080 | HTTP | Any | vSZ control plane | No | Northbound Portal Interface for hotspots |
| 9443 | HTTPS | Any | vSZ control plane | No | Northbound Portal Interface for hotspots |
| 9998 | TCP | Any | vSZ control plane | No | Hotspot WISPr subscriber portal login/logout over HTTPS |
| 3333 | TCP | Controller | License server | No | Local license server |
| 3799 | UDP | External AAA server (FreeRADIUS) | SZ-RAC (vSZ control plane) | No | Supports Disconnect Message and CoA (Change of Authorization), which allow dynamic changes to a user session, such as disconnecting users and changing the authorizations applicable to a user session. |
| 443 | HTTPS | Controller | License server | No | Cloud license server |
| 9996 | TCP | Client | Controller interface | No | Hotspot 2.0 portal for onboarding and remediation |
| 9999 | TCP | Client | Controller interface | No | Hotspot 2.0 trust CA verification |
| 7000 | TCP/UDP | SZ | SZ | No | Cassandra (database) cluster communication and data replication |
| 7800 | TCP/UDP | SZ | SZ | No | Cluster node communication for cluster operations |
Note: The destination interfaces listed above assume a three-interface deployment. In a single-interface deployment, all the destination ports must be forwarded to the combined management/control interface IP address.
Note: Communication between APs is not possible across NAT servers.
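As an added example (not part of the SmartZone documentation or product), the following Python script transcribes the AP-sourced rows of Table 1 and audits a firewall allow-list against them: it lists required ports that are not open, reports the superseded Public API port 7443 if a stale rule still opens it, honours the condition that 23233 is only needed for GRE over UDP, and shows which AP firmware generations can still fetch firmware given the port 91/443 note. The `allow <proto> <port>` rule syntax and the sample rule set are constructed for this example and are not the syntax of any real firewall.

```python
"""Audit a firewall allow-list against the AP-to-controller rows of Table 1.

Added example; not part of the SmartZone documentation. The rule list is
transcribed from Table 1. The allow-list syntax ("allow <proto> <port>") and
the sample rule set are constructed for the example, not a real firewall's.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    port: int
    proto: str        # "tcp" or "udp"
    listener: str     # controller plane or server that must be reachable
    purpose: str
    optional: bool = False   # True where Table 1 makes the port conditional


# Rows of Table 1 whose sender is the AP, transcribed from the page.
AP_TO_CONTROLLER = [
    PortRule(21, "tcp", "control plane", "ZD/Solo AP download of SZ AP firmware"),
    PortRule(22, "tcp", "control plane", "SSH tunnel"),
    PortRule(91, "tcp", "control plane", "Firmware upgrade (AP firmware 2.0 to 3.1.x), guest logo, ARC signatures"),
    PortRule(443, "tcp", "control plane", "Firmware upgrade (AP firmware 3.2 and later), HTTPS to control plane"),
    PortRule(12222, "udp", "control plane", "LWAPP discovery"),
    PortRule(12223, "udp", "control plane", "LWAPP discovery"),
    PortRule(23232, "tcp", "data plane", "GRE tunnel"),
    PortRule(23233, "udp", "data plane", "GRE tunnel (only when tunnel mode is GRE over UDP)", optional=True),
    PortRule(23233, "tcp", "data plane", "GRE tunnel (only when tunnel mode is GRE over UDP)", optional=True),
    PortRule(1812, "udp", "RADIUS server", "AAA authentication"),
    PortRule(1813, "udp", "RADIUS server", "AAA accounting"),
]

# Ports the page says were replaced; finding them open points to a stale rule set.
SUPERSEDED = {(7443, "tcp"): "Public API port changed from 7443 to 8443"}

# Constructed sample allow-list written for an older release: it still opens
# 7443 and only the pre-3.2 firmware port 91, and it never opens 21 or 443.
SAMPLE_ALLOW_LIST = """
# ap-to-controller rules (constructed sample)
allow tcp 22
allow tcp 91
allow tcp 7443
allow udp 12222
allow udp 12223
allow tcp 23232
allow udp 1812
allow udp 1813
deny  tcp 21
"""


def parse_allow_list(text):
    """Return the set of (port, proto) pairs that 'allow' lines permit."""
    allowed = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        action, proto, port = line.split()
        if action == "allow":
            allowed.add((int(port), proto.lower()))
    return allowed


def audit(allowed, gre_over_udp=False):
    """Compare an allow-list with Table 1.

    Returns (missing, superseded): rules whose port is not allowed, and open
    ports the page says have been replaced. Port 23233 is only demanded when
    the tunnel mode is GRE over UDP, matching the table's condition.
    """
    missing = [r for r in AP_TO_CONTROLLER
               if (gre_over_udp or not r.optional)
               and (r.port, r.proto) not in allowed]
    superseded = [(key, why) for key, why in SUPERSEDED.items() if key in allowed]
    return missing, superseded


def firmware_upgrade_paths(allowed):
    """Which AP firmware generations can still be upgraded through this firewall.

    Per the note on Table 1: pre-3.2 APs fetch firmware over port 91, 3.2 and
    later over 443, so a mixed fleet needs both open.
    """
    return {
        "AP firmware 2.0 to 3.1.x (port 91)": (91, "tcp") in allowed,
        "AP firmware 3.2 and later (port 443)": (443, "tcp") in allowed,
    }


def report(text, gre_over_udp=False):
    """Human-readable audit summary as a list of lines."""
    allowed = parse_allow_list(text)
    missing, superseded = audit(allowed, gre_over_udp)
    lines = [f"MISSING {r.proto}/{r.port} -> {r.listener}: {r.purpose}" for r in missing]
    lines += [f"SUPERSEDED {p}/{n}: {why}" for (n, p), why in superseded]
    lines += [f"{'ok' if ok else 'BLOCKED'}: {gen}"
              for gen, ok in firmware_upgrade_paths(allowed).items()]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ALLOW_LIST)))
```

Running the script on the sample rule set reports 21/tcp and 443/tcp as missing, flags the open 7443, and shows that only APs on firmware 2.0 to 3.1.x could still upgrade; pass `gre_over_udp=True` to `report` when the tunnel mode is GRE over UDP and 23233 is added to the required set.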