Ports to Open for AP-Controller Communication

The table below lists the ports that must be opened in the network firewall to ensure that the vSZ-D/SZ/vSZ (controller), managed APs, and RADIUS servers can communicate with each other successfully.

Table 1. Ports to open for AP-Controller Communication

| Port Number | Layer 4 Protocol | From (Sender) | To (Listener) | Configurable from Web Interface? | Purpose |
|---|---|---|---|---|---|
| 21 | TCP | AP | Control plane of SZ100, SZ300, SCG200, vSZ | No | ZD/Solo APs can download SZ AP firmware and convert themselves to SZ APs. |
| 22 | TCP | AP, vSZ-D | vSZ control plane | No | SSH tunnel |
| 49 | TCP | TACACS+ server | vSZ control plane | Yes | TACACS+ based authentication of controller administrators |
| 91 (AP firmware version 2.0 to 3.1.x) and 443 (AP firmware version 3.2 and later) | TCP | AP | vSZ control plane | No | AP firmware upgrade. APs need port 91 to download the Guest Logo and to update the signature package for the ARC feature. Note: Starting in release 3.2, the controller uses an HTTPS connection and an encrypted path for the firmware download. The port used for AP firmware downloads has also been changed from port 91 to 443 to distinguish between the two methods. To ensure that all APs can be upgraded successfully to the new firmware, open both ports 443 and 91 in the network firewall. |
| 9997 | TCP | Client device | SZ control plane | No | Internal Subscriber Portal in HTTP protocol |
| 443 | TCP | AP, vSZ-D | vSZ control plane | No | Access to the vSZ/SZ control plane over secure HTTPS |
| 6868 | TCP | vSZ-D | vSZ | No | Internal communication port |
| 8443 (Note: The Public API port has changed from 7443 to 8443.) | TCP | Any | vSZ management plane | No | Access to the controller web interface via HTTPS |
| 23232 | TCP | AP | Controller (data plane) | No | GRE tunnel |
| 23233 | UDP and TCP | AP | Data plane | Yes | GRE tunnel (required only when tunnel mode is GRE over UDP). Note: On the vSZ-D, this port is used for both data and control in both UDP and TCP. |
| 12222/12223 | UDP | AP | vSZ control plane | No | LWAPP discovery. Note: If your AP is within the same subnet as the controller, disable nat-ip-translation to establish a connection between the AP and the controller so that the AP firmware upgrade progresses. If your AP is behind a NAT server and the NAT server does not support PASV-mode FTP, enable nat-ip-translation. If the NAT server supports PASV-mode FTP, disable nat-ip-translation for the AP firmware upgrade to progress. |
| 1812/1813 | UDP | AP | RADIUS server(s) | Yes | AAA authentication and accounting |
| 8022 | No (SSH) | Any | Management interface | Yes | When the management ACL is enabled, you must use port 8022 (instead of the default port 22) to log on to the CLI or to use SSH. |
| 8090 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse to an HTTP website |
| 8099 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse to an HTTPS website |
| 8100 | TCP | Any | vSZ control plane | No | Allows unauthorized UEs to browse using a proxy UE |
| 8111 | TCP | Any | vSZ control plane | No | Allows authorized UEs to browse using a proxy UE |
| 9080 | HTTP | Any | vSZ control plane | No | Northbound Portal Interface for hotspots |
| 9443 | HTTPS | Any | vSZ control plane | No | Northbound Portal Interface for hotspots |
| 9998 | TCP | Any | vSZ control plane | No | Hotspot WISPr subscriber portal login/logout over HTTPS |
| 3333 | TCP | Controller | License server | No | Local license server |
| 3799 | UDP | External AAA server (FreeRADIUS) | SZ-RAC (vSZ control plane) | No | Supports Disconnect Message and CoA (Change of Authorization), which allows dynamic changes to a user session, such as disconnecting users and changing the authorizations applicable to a user session. |
| 443 | HTTPS | Controller | License server | No | Cloud license server |
| 9996 | TCP | Client | Controller interface | No | Hotspot 2.0 portal for onboarding and remediation |
| 9999 | TCP | Client | Controller interface | No | Hotspot 2.0 trust CA verification |
| 7000 | TCP/UDP | SZ | SZ | No | Cassandra (database) cluster communication and data replication |
| 7800 | TCP/UDP | SZ | SZ | No | Cluster node communication for cluster operations |

Note: The destination interfaces are meant for three-interface deployments. In a single-interface deployment, all the destination ports must be forwarded to the combined management/control interface IP address.

Note: Communication between APs is not possible across NAT servers.
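The AP-to-controller rows above carry conditions (port 91 for AP firmware 2.0 to 3.1.x, 443 for 3.2 and later, both during an upgrade; 23233 only for GRE over UDP). The following added example, which is not Ruckus code, encodes those conditions and audits a firewall allow-list against them; the `Rule` type, the firmware version strings, and the sample allow-list are constructed for illustration.

```python
"""Audit a firewall allow-list against the AP-to-controller ports in Table 1 (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Rule:
    proto: str  # "tcp" or "udp"
    port: int


def ap_to_controller_ports(ap_firmware: str, tunnel_mode: str = "gre",
                           upgrading: bool = False) -> set[Rule]:
    """Ports the firewall must allow from APs toward the controller, per Table 1.

    ap_firmware is a dotted version string such as "3.1.2" (constructed).
    tunnel_mode is "gre" or "gre-over-udp"; upgrading=True models a fleet that
    mixes pre-3.2 and 3.2+ APs, for which the table says to open both 91 and 443.
    """
    major, minor = (int(x) for x in ap_firmware.split(".")[:2])
    required = {
        Rule("tcp", 21),     # ZD/Solo AP firmware download and conversion
        Rule("tcp", 22),     # SSH tunnel
        Rule("tcp", 443),    # HTTPS to the control plane; firmware path for 3.2+
        Rule("tcp", 23232),  # GRE tunnel to the data plane
        Rule("udp", 12222),  # LWAPP discovery
        Rule("udp", 12223),
    }
    if (major, minor) < (3, 2) or upgrading:
        required.add(Rule("tcp", 91))  # pre-3.2 firmware, Guest Logo, ARC signatures
    if tunnel_mode == "gre-over-udp":
        required |= {Rule("udp", 23233), Rule("tcp", 23233)}
    return required


def missing_rules(allowed: set[Rule], required: set[Rule]) -> list[Rule]:
    """Return required rules absent from the allow-list, sorted for reporting."""
    return sorted(required - allowed)


# Constructed allow-list: a firewall that omits port 91 and the UDP side of 23233.
SAMPLE_ALLOWED = {Rule("tcp", 21), Rule("tcp", 22), Rule("tcp", 443), Rule("tcp", 23232),
                  Rule("tcp", 23233), Rule("udp", 12222), Rule("udp", 12223)}

if __name__ == "__main__":
    needed = ap_to_controller_ports("3.1.2", tunnel_mode="gre-over-udp")
    for rule in missing_rules(SAMPLE_ALLOWED, needed):
        print(f"missing firewall rule: {rule.proto}/{rule.port}")
```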