Mist Cloud
| Service Type | Global 01 | Global 02 | Global 03 |
| Admin Portal | manage.mist.com/signin.html (TCP 443) api-ws.mist.com (TCP 443) api.mist.com(TCP 443) |
manage.gc1.mist.com (TCP 443) api-ws.gc1.mist.com (TCP 443) api.gc1.mist.com(TCP 443) |
manage.ac2.mist.com (TCP 443) api-ws.ac2.mist.com (TCP 443) api.ac2.mist.com(TCP 443) |
| API | api.mist.com(TCP 443) | api.gc1.mist.com(TCP 443) | api.ac2.mist.com(TCP 443) |
| Guest Wi-Fi Portal | portal.mist.com(TCP 443) | portal.gc1.mist.com(TCP 443) | portal.ac2.mist.com(TCP 443) |
| Webhooks source IP Addresses |
54.193.71.17 54.215.237.20 |
34.94.226.48/28 (34.94.226.48-34.94.226.63) |
34.231.34.177 54.235.187.11 18.233.33.230 |
| Service Type | Global 04 | Europe 01 | APAC 01 |
| Admin Portal | manage.gc2.mist.com (TCP 443) api-ws.gc2.mist.com (TCP 443) api.gc2.mist.com (TCP 443) |
manage.eu.mist.com api-ws.eu.mist.com api.eu.mist.com(TCP 443) |
manage.ac5.mist.com (TCP 443) api-ws.ac5.mist.com (TCP 443) api.ac5.mist.com (TCP 443) |
| API | api.gc2.mist.com(TCP 443) | api.eu.mist.com(TCP 443) | api.ac5.mist.com(TCP 443) |
| Guest Wi-Fi Portal | portal.gc2.mist.com (TCP 443) |
portal.eu.mist.com (TCP 443) |
portal.ac5.mist.com (TCP 443) |
| Webhooks source IP Addresses (Static) |
34.152.4.85 35.203.21.42 34.152.7.156 |
3.122.172.223 3.121.19.146 3.120.167.1 |
Enable these source IP addresses on your firewall which are used to send out the API stream from the Mist cloud 54.206.226.168 13.238.77.6 54.79.134.226 Please note that the source IPs for Webhooks are Static IP Addresses |
Device to Mist Cloud Communication
| Service Type | Global 1 | Global 2 |
| Mist AP / Mist Edge | ep-terminator.mistsys.net (TCP 443) portal.mist.com (TCP 443) redirect.mist.com (TCP 443) |
ep-terminator.mistsys.net (TCP 443) ep-terminator.gc1.mist.com (TCP 443) portal.gc1.mist.com (TCP 443) redirect.mist.com (TCP 443) |
| EX Switch | redirect.juniper.net (TCP 443) jma-terminator.mistsys.net ztp.mist.com (TCP 443) oc-term.mistsys.net (TCP 2200) cdn.juniper.net (TCP 443) |
redirect.juniper.net (TCP 443) jma-terminator.gc1.mist.com ztp.gc1.mist.com (TCP 443) oc-term.gc1.mist.com (TCP 2200) cdn.juniper.net (TCP 443) |
| SRX Gateway | redirect.juniper.net (TCP 443) ztp.mist.com (TCP 443) oc-term.mistsys.net (TCP 2200) srx-log-terminator.mist.com (TCP 6514) |
redirect.juniper.net (TCP 443) ztp.gc1.mist.com (TCP 443) oc-term.gc1.mist.com (TCP 2200) srx-log-terminator.gc1.mist.com (TCP 6514) |
| SSR | ep-terminator.mistsys.net (TCP 443) portal.mist.com (TCP 443) redirect.mist.com (TCP 443) software.128technology.com (TCP 443) rp.cloud.threatseeker.com (TCP 443) |
ep-terminator.mistsys.net (TCP 443) ep-terminator.gc1.mist.com (TCP 443) portal.gc1.mist.com (TCP 443) redirect.mist.com (TCP 443) software.128technology.com (TCP 443) rp.cloud.threatseeker.com (TCP 443) |
| Service Type | Global 03 | Global 04 |
| Mist AP / Mist Edge | ep-terminator.mistsys.net (TCP 443) ep-terminator.ac2.mist.com (TCP 443) portal.ac2.mist.com (TCP 443) redirect.mist.com (TCP 443) |
ep-terminator.mistsys.net (TCP 443) ep-terminator.gc2.mist.com (TCP 443) portal.gc2.mist.com (TCP443) redirect.mist.com (TCP 443) |
| EX Switch | redirect.juniper.net (TCP 443) jma-terminator.ac2.mist.com ztp.ac2.mist.com (TCP 443) oc-term.ac2.mist.com (TCP 2200) cdn.juniper.net (TCP 443) |
redirect.juniper.net (TCP 443) jma-terminator.gc2.mist.com ztp.gc2.mist.com (TCP 443) oc-term.gc2.mist.com (TCP 2200) cdn.juniper.net (TCP 443) |
| SRX Gateway | redirect.juniper.net (TCP 443) ztp.ac2.mist.com (TCP 443) oc-term.ac2.mist.com (TCP 2200) srx-log-terminator.ac2.mist.com (TCP 6514) |
redirect.juniper.net (TCP 443) ztp.gc2.mist.com (TCP 443) oc-term.gc2.mist.com (TCP 2200) srx-log-terminator.gc2.mist.com (TCP 6514) |
| SSR | ep-terminator.mistsys.net (TCP 443) ep-terminator.ac2.mist.com (TCP 443) portal.ac2.mist.com (TCP 443) redirect.mist.com (TCP 443) software.128technology.com (TCP 443) rp.cloud.threatseeker.com (TCP 443) |
ep-terminator.mistsys.net (TCP 443) ep-terminator.gc2.mist.com (TCP 443) portal.gc2.mist.com (TCP443) redirect.mist.com (TCP 443) software.128technology.com (TCP 443) rp.cloud.threatseeker.com (TCP 443) |
| Service Type | Europe 01 | APAC 01 |
| Mist AP / Mist Edge | ep-terminator.mistsys.net (TCP 443) ep-terminator.eu.mist.com (TCP 443) portal.eu.mist.com (TCP 443) redirect.mist.com (TCP 443) |
ep-terminator.mistsys.net (TCP 443) ep-terminator.ac5.mist.com (TCP 443) portal.ac5.mist.com (TCP 443) redirect.mist.com (TCP 443) |
| EX Switch | redirect.juniper.net (TCP 443) jma-terminator.eu.mist.com ztp.eu.mist.com (TCP 443) oc-term.eu.mist.com (TCP 2200) cdn.juniper.net (TCP 443) |
redirect.juniper.net (TCP 443) jma-terminator.ac5.mist.com ztp.ac5.mist.com (TCP 443) oc-term.ac5.mist.com (TCP 2200) cdn.juniper.net (TCP 443) |
| SRX Gateway | redirect.juniper.net (TCP 443) ztp.eu.mist.com (TCP 443) oc-term.eu.mist.com (TCP 2200) srx-log-terminator.eu.mist.com (TCP 6514) |
redirect.juniper.net (TCP 443) ztp.ac5.mist.com (TCP 443) oc-term.ac5.mist.com (TCP 2200) srx-log-terminator.ac5.mist.com (TCP 6514) |
| SSR | ep-terminator.mistsys.net (TCP 443) ep-terminator.eu.mist.com (TCP 443) portal.eu.mist.com (TCP 443) redirect.mist.com (TCP 443) software.128technology.com (TCP 443) rp.cloud.threatseeker.com (TCP 443) |
ep-terminator.mistsys.net (TCP 443) ep-terminator.ac5.mist.com (TCP 443) portal.ac5.mist.com (TCP 443) redirect.mist.com (TCP 443) software.128technology.com (TCP 443) rp.cloud.threatseeker.com (TCP 443) |
Please note IP addresses for the terminators will change. Please use FQDN based firewall rules.
Documentation Embedded URL
Some documentation pages when accessed , if it results in auth error;
Request to change the ‘Admin portal’ URL to include the right api or UI URL.
for Global3 instead of
which is for Global 1.
Mist APs need the following ports to be enabled on your Internet Firewall to work properly:
- 443/TCP to our cloud is required. It can optionally be tunneled in L2TP.
- DNS (53/UDP) to lookup our cloud hostname is required, but it does not need to be a public DNS server.
- DHCP (67&68/UDP) is required initially. After that you can configure a static IP if you would like.
- NTP (123/UDP) is suggested so the AP can retrieve time, which may be required in some environments. The AP will by default attempt to receive NTP from pool.ntp.org. It can also receive time via DHCP option 42.
Everything else (443/UDP to cloud, 80/TCP to cloud) is optional. The AP does not require them to be enabled, but it does help.
Proxy settings are supported and the proxy setting is used if available, but if not the AP will still try and direct connect.
It is possible that some popular firewalls (example – Palo Alto Networks) might not be able to accept the recently increased number of records (IP) returned for the FQDN ep-terminator.mistsys.net. The AP’s DNS server may resolve different addresses than the PAN has stored, causing AP management traffic to be dropped, resulting in random AP disconnects.
Adding a line to the existing Mist rule on the PAN to “allow access to ep-terminator.mistsys.net based on HTTP(L7) address being accessed, for SSL traffic that is based on the SSL SNI” would help to mitigate this.
Where the AP’s need to reach?
ep-terminator.mistsys.net
The terminator is hosted on AWS and we cannot guarantee the IP addresses won’t change and it may resolve to something like this:
ep-terminator-production-839577302.us-west-1.elb.amazonaws.com.
but these change about once every 2 months or sometimes more frequently.
Additional hosts to allow are
- portal.mist.com for WiFi captive portal
- manage.mist.com/signin.html for Admin UI access
- api.mist.com for Admin API access
- api-ws.mist.com for Admin websocket API access
- support-portal.mist.com for Admin Support Portal access
THIS IS AS OF 8/1/2023 AND IS SUBJECT TO CHANGE. WE RECOMMEND YOU CHECK YOUR RELEASE NOTES OR THIS PAGE FOR UPDATES.
Along with Firewall, SSL cert checkers come into play and will be detected as a ‘man-in-the-middle” attack.
The AP’s will initially need an IP address using DHCP. Once APs are connected, the cloud pushes down the AP configuration (configured through UI or API) and APs will then switch (upon reboot) to use static IP addresses if so configured.
Port needed for Access Assurance
Firewall rule: Outbound connections destined to radsec.nac.mist.com over TCP Port 2083.