Ports to enable on your firewall

Mist Cloud

Global 01
  • Admin Portal: manage.mist.com/signin.html, api-ws.mist.com, api.mist.com (all TCP 443)
  • Guest Wi-Fi Portal: portal.mist.com (TCP 443)
  • Webhooks source IP addresses: 54.193.71.17, 54.215.237.20

Global 02
  • Admin Portal: manage.gc1.mist.com, api-ws.gc1.mist.com, api.gc1.mist.com (all TCP 443)
  • Guest Wi-Fi Portal: portal.gc1.mist.com (TCP 443)
  • Webhooks source IP addresses: 34.94.120.8, 35.236.34.24, 35.236.92.224

Global 03
  • Admin Portal: manage.ac2.mist.com, api-ws.ac2.mist.com, api.ac2.mist.com (all TCP 443)
  • Guest Wi-Fi Portal: portal.ac2.mist.com (TCP 443)
  • Webhooks source IP addresses: 34.231.34.177, 54.235.187.11, 18.233.33.230

Global 04
  • Admin Portal: manage.gc2.mist.com, api-ws.gc2.mist.com, api.gc2.mist.com (all TCP 443)
  • Guest Wi-Fi Portal: portal.gc2.mist.com (TCP 443)
  • Webhooks source IP addresses: 34.152.4.85, 35.203.21.42, 34.152.7.156

Europe 01
  • Admin Portal: manage.eu.mist.com, api-ws.eu.mist.com, api.eu.mist.com (all TCP 443)
  • Guest Wi-Fi Portal: portal.eu.mist.com (TCP 443)
  • Webhooks source IP addresses: 3.122.172.223, 3.121.19.146, 3.120.167.1

Device to Mist Cloud Communication

Global 01
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), portal.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), ztp.mist.com (TCP 443), oc-term.mistsys.net (TCP 2200)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.mist.com (TCP 443), oc-term.mistsys.net (TCP 2200), srx-log-terminator.mist.com (TCP 6514)

Global 02
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc1.mist.com (TCP 443), portal.gc1.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), ztp.gc1.mist.com (TCP 443), oc-term.gc1.mist.com (TCP 2200)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.gc1.mist.com (TCP 443), oc-term.gc1.mist.com (TCP 2200), srx-log-terminator.gc1.mist.com (TCP 6514)

Global 03
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac2.mist.com (TCP 443), portal.ac2.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), ztp.ac2.mist.com (TCP 443), oc-term.ac2.mist.com (TCP 2200)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.ac2.mist.com (TCP 443), oc-term.ac2.mist.com (TCP 2200), srx-log-terminator.ac2.mist.com (TCP 6514)

Global 04
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc2.mist.com (TCP 443), portal.gc2.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), ztp.gc2.mist.com (TCP 443), oc-term.gc2.mist.com (TCP 2200)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.gc2.mist.com (TCP 443), oc-term.gc2.mist.com (TCP 2200), srx-log-terminator.gc2.mist.com (TCP 6514)

Europe 01
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.eu.mist.com (TCP 443), portal.eu.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), ztp.eu.mist.com (TCP 443), oc-term.eu.mist.com (TCP 2200)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.eu.mist.com (TCP 443), oc-term.eu.mist.com (TCP 2200), srx-log-terminator.eu.mist.com (TCP 6514)

Documentation Embedded URL

If a documentation page returns an authentication error when you open it, change the host in the URL to the API (or UI) host of the cloud your organization is in.

Example: for Global 03 use

https://api.ac2.mist.com/api/v1/docs/Site?_ga=2.41192420.798341990.1655364635-1045699083.1655364635#insights

instead of

https://api.mist.com/api/v1/docs/Site?_ga=2.41192420.798341990.1655364635-1045699083.1655364635#insights

which is for Global 01.

Mist APs need the following ports enabled on your Internet firewall to work properly:

  • 443/TCP to our cloud is required. It can optionally be tunneled in L2TP.
  • DNS (53/UDP) to look up our cloud hostname is required, but it does not need to be a public DNS server.
  • DHCP (67 and 68/UDP) is required initially. After that you can configure a static IP if you like.

Everything else (443/UDP to cloud, 123/UDP NTP, 80/TCP to cloud) is optional. The AP does not require them, but enabling them helps.

Proxy settings are supported: the AP uses the configured proxy when one is available, and otherwise still tries to connect directly.
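The following preflight script is an added example, not Mist's own tooling: run it from a host on the AP management VLAN (using the same DNS server the APs will use) before the hardware arrives. The endpoint list is transcribed from the "Device to Mist Cloud Communication" table above; the region keys (global01 ... europe01), device keys (ap, ex, srx) and all function names are this script's own choices. For each required host and port it checks that a TCP connection succeeds and, on TCP 443, that a TLS handshake completes with a certificate the local trust store accepts, so a certificate substituted by an inspecting device is reported as a distinct failure rather than a generic block.

```python
"""Egress preflight for a site about to host Mist APs, EX switches or SRX gateways.

Hypothetical helper script. For each required endpoint it checks that a TCP
connection succeeds and, for TCP 443, that a TLS handshake completes with a
certificate the local trust store accepts; a certificate substituted by a
TLS-inspecting firewall fails that step and is reported separately.
"""
import socket
import ssl
import sys
from typing import Callable, List, Tuple

# Region suffixes as they appear in the page's hostnames; Global 01 has none.
REGION_SUFFIX = {"global01": None, "global02": "gc1", "global03": "ac2",
                 "global04": "gc2", "europe01": "eu"}


def endpoints(region: str, device: str) -> List[Tuple[str, int]]:
    """Required (host, port) pairs, transcribed from the page's table."""
    sub = REGION_SUFFIX[region]

    def regional(name: str) -> str:
        return f"{name}.mist.com" if sub is None else f"{name}.{sub}.mist.com"

    if device == "ap":  # Mist AP and Mist Edge share a row in the table
        eps = [("ep-terminator.mistsys.net", 443)]
        if sub is not None:
            eps.append((f"ep-terminator.{sub}.mist.com", 443))
        return eps + [(regional("portal"), 443), ("redirect.mist.com", 443)]
    oc_term = "oc-term.mistsys.net" if sub is None else f"oc-term.{sub}.mist.com"
    eps = [("redirect.juniper.net", 443), (regional("ztp"), 443), (oc_term, 2200)]
    if device == "srx":
        eps.append((regional("srx-log-terminator"), 6514))
    elif device != "ex":
        raise ValueError(f"unknown device type {device!r}")
    return eps


def tcp_connect(host: str, port: int) -> socket.socket:
    return socket.create_connection((host, port), timeout=5.0)


def tls_verify(sock: socket.socket, host: str) -> str:
    """Handshake with chain and hostname verification; returns the issuer's O=."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with ctx.wrap_socket(sock, server_hostname=host) as tls:
        issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
        return issuer.get("organizationName", "?")


def check_endpoint(host: str, port: int,
                   connect: Callable[[str, int], socket.socket] = tcp_connect,
                   verify: Callable[[socket.socket, str], str] = tls_verify) -> Tuple[str, str]:
    """Returns (status, detail); status is 'ok', 'blocked' or 'tls-intercepted'."""
    try:
        sock = connect(host, port)
    except OSError as exc:
        return "blocked", f"{host}:{port} TCP connect failed ({exc})"
    try:
        if port != 443:
            return "ok", f"{host}:{port} TCP connect succeeded"
        return "ok", f"{host}:{port} TLS verified, issuer O={verify(sock, host)}"
    except ssl.SSLCertVerificationError as exc:
        return "tls-intercepted", (f"{host}:{port} certificate rejected ({exc}); "
                                   "a TLS-inspecting device may be substituting certificates")
    except (ssl.SSLError, OSError) as exc:
        return "blocked", f"{host}:{port} TLS handshake failed ({exc})"
    finally:
        sock.close()


def preflight(region: str, device: str, connect=tcp_connect, verify=tls_verify):
    """Check every endpoint for a region/device; returns [(host, port, status, detail)]."""
    return [(h, p, *check_endpoint(h, p, connect, verify))
            for h, p in endpoints(region, device)]


if __name__ == "__main__":
    region = sys.argv[1] if len(sys.argv) > 1 else "global01"
    device = sys.argv[2] if len(sys.argv) > 2 else "ap"
    results = preflight(region, device)
    for host, port, status, detail in results:
        print(f"[{status:15}] {detail}")
    sys.exit(0 if all(r[2] == "ok" for r in results) else 1)
```

Run it as `python3 preflight.py global02 srx`; a non-zero exit means at least one required flow is blocked or intercepted. The `connect` and `verify` parameters exist so the logic can be exercised without network access.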

Some popular firewalls (for example Palo Alto Networks) may not be able to accept the recently increased number of address records returned for the FQDN ep-terminator.mistsys.net. The AP's DNS server may then resolve addresses that differ from the ones the PAN has cached, so AP management traffic is dropped and APs disconnect at random.

To mitigate this, add a line to the existing Mist rule on the PAN that allows access to ep-terminator.mistsys.net based on the HTTP (L7) host being accessed and, for SSL traffic, on the SSL SNI.

Additional ports and hosts to enable for Wired/WAN Assurance

These are the terminators needed for Wired/WAN Assurance. Note that the IP addresses behind the terminators will change; use FQDN-based firewall rules.

oc-term.mistsys.net
oc-term.gc1.mist.com
oc-term.ac2.mist.com
oc-term.eu.mist.com

  • 2200/TCP

srx-log-terminator.mist.com
srx-log-terminator.gc1.mist.com
srx-log-terminator.ac2.mist.com
srx-log-terminator.eu.mist.com

  • 6514/TCP

ep-terminator.mist.com
ep-terminator.gc1.mist.com
ep-terminator.ac2.mist.com
ep-terminator.eu.mist.com
redirect.juniper.net
ztp.mist.com
ztp.gc1.mist.com
ztp.ac2.mist.com
ztp.eu.mist.com

  • 443/TCP

Where do the APs need to reach?

ep-terminator.mistsys.net

The terminator is hosted on AWS, so we cannot guarantee that its IP addresses will not change. The name may resolve to something like

ep-terminator-production-839577302.us-west-1.elb.amazonaws.com.

and these addresses change about once every two months, sometimes more often.
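Because the terminator addresses move, a firewall that caches the FQDN expansion (the Palo Alto case described earlier) or an operator who copied addresses into an IP-based object will eventually be matching a stale set. The following added example (not Mist's own tooling; the snapshot file format, the per-FQDN record limit argument and all function names are this script's own) resolves the terminator names listed on this page, compares the result with the previous run, and flags any name whose record count exceeds the limit your firewall can hold per FQDN object. Run it periodically from a host that uses the same DNS server as the APs and reconcile the firewall whenever it reports a change.

```python
"""Snapshot the addresses behind Mist terminator FQDNs and report drift.

Hypothetical helper script. Firewalls that expand an FQDN object into
addresses keep a cached view; when the name starts resolving to other
addresses, traffic matching the stale view is dropped.
"""
import json
import socket
import sys
from datetime import datetime, timezone
from pathlib import Path
from typing import Callable, Dict, List, Set

# Terminator names listed on the page.
TERMINATORS = [
    "ep-terminator.mistsys.net", "ep-terminator.gc1.mist.com",
    "ep-terminator.ac2.mist.com", "ep-terminator.gc2.mist.com",
    "ep-terminator.eu.mist.com",
    "oc-term.mistsys.net", "oc-term.gc1.mist.com", "oc-term.ac2.mist.com",
    "oc-term.gc2.mist.com", "oc-term.eu.mist.com",
    "srx-log-terminator.mist.com", "srx-log-terminator.gc1.mist.com",
    "srx-log-terminator.ac2.mist.com", "srx-log-terminator.gc2.mist.com",
    "srx-log-terminator.eu.mist.com",
]
Snapshot = Dict[str, List[str]]


def resolve_a(fqdn: str) -> Set[str]:
    """IPv4 addresses the local resolver returns, following any CNAME
    (for example the AWS ELB name shown on the page)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()  # unresolvable names show up as 'removed' in the diff
    return {info[4][0] for info in infos}


def take_snapshot(fqdns: List[str],
                  resolve: Callable[[str], Set[str]] = resolve_a) -> Snapshot:
    return {fqdn: sorted(resolve(fqdn)) for fqdn in fqdns}


def diff_snapshots(old: Snapshot, new: Snapshot) -> Dict[str, Dict[str, List[str]]]:
    """Per-FQDN added/removed addresses; an empty dict means nothing moved."""
    changes = {}
    for fqdn in sorted(set(old) | set(new)):
        before, after = set(old.get(fqdn, [])), set(new.get(fqdn, []))
        if before != after:
            changes[fqdn] = {"added": sorted(after - before),
                             "removed": sorted(before - after)}
    return changes


def over_limit(snap: Snapshot, max_records: int) -> Dict[str, int]:
    """FQDNs whose record count exceeds what the firewall can hold per FQDN
    object; max_records is the operator-supplied limit of that firewall."""
    return {f: len(a) for f, a in snap.items() if len(a) > max_records}


def load_snapshot(path: Path) -> Snapshot:
    return json.loads(path.read_text())["records"] if path.exists() else {}


def save_snapshot(path: Path, snap: Snapshot) -> None:
    payload = {"taken": datetime.now(timezone.utc).isoformat(), "records": snap}
    path.write_text(json.dumps(payload, indent=2))


if __name__ == "__main__":
    state = Path(sys.argv[1] if len(sys.argv) > 1 else "mist-dns-snapshot.json")
    # Per-FQDN limit is a placeholder; use your firewall's documented value.
    limit = int(sys.argv[2]) if len(sys.argv) > 2 else 32
    current = take_snapshot(TERMINATORS)
    changes = diff_snapshots(load_snapshot(state), current)
    for fqdn, delta in changes.items():
        print(f"{fqdn}: added {delta['added']} removed {delta['removed']}")
    for fqdn, count in over_limit(current, limit).items():
        print(f"{fqdn}: {count} records exceeds firewall limit of {limit}")
    save_snapshot(state, current)
    sys.exit(1 if changes else 0)
```

The exit status makes it easy to wire into cron or a monitoring check; the first run only records the baseline.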

Additional hosts to allow are

  • portal.mist.com for WiFi captive portal
  • manage.mist.com/signin.html for Admin UI access
  • api.mist.com for Admin API access
  • api-ws.mist.com for Admin websocket API access
  • support-portal.mist.com for Admin Support Portal access

THIS IS AS OF 8/1/2018 AND IS SUBJECT TO CHANGE. WE RECOMMEND YOU CHECK YOUR RELEASE NOTES OR THIS PAGE FOR UPDATES.

Besides the firewall, TLS inspection devices ("SSL cert checkers") in the path also matter: the AP will detect the substituted certificate as a man-in-the-middle attack, so exempt the Mist cloud hosts from inspection.

The APs initially need an IP address from DHCP. Once an AP is connected, the cloud pushes down its configuration (set through the UI or API); if a static IP is configured there, the AP switches to it on reboot.

IPs needed for Webhooks

Enable these source IP addresses on your firewall: the Mist cloud sends webhook (API stream) deliveries from them.

For Global 01, please enable these IP addresses on your firewall:

  • 54.193.71.17
  • 54.215.237.20

For Global 02, please enable these IP addresses on your firewall:

  • 34.94.120.8
  • 35.236.34.24
  • 35.236.92.224

For Global 03, please enable these IP addresses on your firewall:

  • 34.231.34.177
  • 54.235.187.11
  • 18.233.33.230

For Global 04, please enable these IP addresses on your firewall:

  • 34.152.4.85
  • 35.203.21.42
  • 34.152.7.156

For Europe 01, please enable these IP addresses on your firewall:

  • 3.122.172.223
  • 3.121.19.146
  • 3.120.167.1

Note that the webhook source IPs are static and will not change.
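The firewall rule is the first line; a receiver can enforce the same allow-list a second time so that a misconfigured rule or an internal host cannot post forged events. The example below is added here and is not Mist's own code: the address lists are transcribed from the lists above, while the region keys, the handler class, the trusted-proxy handling and all function names are this script's own assumptions. It also handles the common mistake of trusting X-Forwarded-For from any peer: the header is honoured only when the TCP peer is a reverse proxy you control, and then only its rightmost (proxy-appended) hop is used.

```python
"""Source-IP allow-list for a Mist webhook receiver, enforced in the
application as a second layer behind the firewall rule. Hypothetical code."""
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, Optional, Set

# Static webhook source addresses per cloud, transcribed from the page.
WEBHOOK_SOURCES = {
    "global01": ["54.193.71.17", "54.215.237.20"],
    "global02": ["34.94.120.8", "35.236.34.24", "35.236.92.224"],
    "global03": ["34.231.34.177", "54.235.187.11", "18.233.33.230"],
    "global04": ["34.152.4.85", "35.203.21.42", "34.152.7.156"],
    "europe01": ["3.122.172.223", "3.121.19.146", "3.120.167.1"],
}


def allowed_sources(regions: Iterable[str]) -> Set[ipaddress.IPv4Address]:
    """Union of the source addresses for the clouds your organization lives in."""
    return {ipaddress.ip_address(ip) for r in regions for ip in WEBHOOK_SOURCES[r]}


def client_ip(peer: str, xff: Optional[str], trusted_proxies: Iterable[str]):
    """The address to authorize. X-Forwarded-For is only believed when the TCP
    peer is one of our own proxies, and then only the hop that proxy appended
    (the rightmost value); anything a client put in the header earlier is
    ignored, which defeats a spoofed 'X-Forwarded-For: 54.193.71.17'."""
    peer_ip = ipaddress.ip_address(peer)
    behind_proxy = any(peer_ip in ipaddress.ip_network(net) for net in trusted_proxies)
    if behind_proxy and xff:
        hops = [h.strip() for h in xff.split(",") if h.strip()]
        if hops:
            return ipaddress.ip_address(hops[-1])
    return peer_ip


def is_allowed(peer: str, xff: Optional[str] = None,
               regions: Iterable[str] = ("global01",),
               trusted_proxies: Iterable[str] = ()) -> bool:
    try:
        return client_ip(peer, xff, trusted_proxies) in allowed_sources(regions)
    except ValueError:  # unparsable peer address or header value
        return False


class MistWebhookHandler(BaseHTTPRequestHandler):
    regions = ("global01",)
    trusted_proxies = ()  # e.g. ("10.0.0.0/8",) when behind your own load balancer

    def do_POST(self) -> None:
        if not is_allowed(self.client_address[0], self.headers.get("X-Forwarded-For"),
                          self.regions, self.trusted_proxies):
            self.send_error(403, "source not in Mist webhook allow-list")
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        # Hand `body` to your webhook processing here.
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), MistWebhookHandler).serve_forever()
```

Set `regions` to every cloud your organizations are hosted in, and leave `trusted_proxies` empty unless the receiver really sits behind a proxy you operate; with it empty, the header is ignored entirely and only the TCP peer counts.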