Mist Cloud
| Service Type | Global 01 | Global 02 | Global 03 |
| --- | --- | --- | --- |
| Admin Portal | manage.mist.com/signin.html api-ws.mist.com api.mist.com (TCP 443) | manage.gc1.mist.com api-ws.gc1.mist.com api.gc1.mist.com (TCP 443) | manage.ac2.mist.com api-ws.ac2.mist.com api.ac2.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.mist.com (TCP 443) | portal.gc1.mist.com (TCP 443) | portal.ac2.mist.com (TCP 443) |
| Webhooks source IP Addresses | 54.193.71.17 54.215.237.20 | 34.94.120.8 35.236.34.24 35.236.92.224 | 34.231.34.177 54.235.187.11 18.233.33.230 |
| Service Type | Global 04 | Europe 01 |
| --- | --- | --- |
| Admin Portal | manage.gc2.mist.com (TCP 443) api-ws.gc2.mist.com (TCP 443) api.gc2.mist.com (TCP 443) | manage.eu.mist.com api-ws.eu.mist.com api.eu.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.gc2.mist.com (TCP 443) | portal.eu.mist.com (TCP 443) |
| Webhooks source IP Addresses | 34.152.4.85 35.203.21.42 34.152.7.156 | 3.122.172.223 3.121.19.146 3.120.167.1 |
Device to Mist Cloud Communication
| Service Type | Global 01 | Global 02 |
| --- | --- | --- |
| Mist AP / Mist Edge | ep-terminator.mistsys.net (TCP 443) portal.mist.com (TCP 443) redirect.mist.com (TCP 443) | ep-terminator.mistsys.net (TCP 443) ep-terminator.gc1.mist.com (TCP 443) portal.gc1.mist.com (TCP 443) redirect.mist.com (TCP 443) |
| EX Switch | redirect.juniper.net (TCP 443) ztp.mist.com (TCP 443) oc-term.mistsys.net (TCP 2200) | redirect.juniper.net (TCP 443) ztp.gc1.mist.com (TCP 443) oc-term.gc1.mist.com (TCP 2200) |
| SRX Gateway | redirect.juniper.net (TCP 443) ztp.mist.com (TCP 443) oc-term.mistsys.net (TCP 2200) srx-log-terminator.mist.com (TCP 6514) | redirect.juniper.net (TCP 443) ztp.gc1.mist.com (TCP 443) oc-term.gc1.mist.com (TCP 2200) srx-log-terminator.gc1.mist.com (TCP 6514) |
| Service Type | Global 03 | Global 04 |
| --- | --- | --- |
| Mist AP / Mist Edge | ep-terminator.mistsys.net (TCP 443) ep-terminator.ac2.mist.com (TCP 443) portal.ac2.mist.com (TCP 443) redirect.mist.com (TCP 443) | ep-terminator.mistsys.net (TCP 443) ep-terminator.gc2.mist.com (TCP 443) portal.gc2.mist.com (TCP 443) redirect.mist.com (TCP 443) |
| EX Switch | redirect.juniper.net (TCP 443) ztp.ac2.mist.com (TCP 443) oc-term.ac2.mist.com (TCP 2200) | redirect.juniper.net (TCP 443) ztp.gc2.mist.com (TCP 443) oc-term.gc2.mist.com (TCP 2200) |
| SRX Gateway | redirect.juniper.net (TCP 443) ztp.ac2.mist.com (TCP 443) oc-term.ac2.mist.com (TCP 2200) srx-log-terminator.ac2.mist.com (TCP 6514) | redirect.juniper.net (TCP 443) ztp.gc2.mist.com (TCP 443) oc-term.gc2.mist.com (TCP 2200) srx-log-terminator.gc2.mist.com (TCP 6514) |
| Service Type | Europe 01 |
| --- | --- |
| Mist AP / Mist Edge | ep-terminator.mistsys.net (TCP 443) ep-terminator.eu.mist.com (TCP 443) portal.eu.mist.com (TCP 443) redirect.mist.com (TCP 443) |
| EX Switch | redirect.juniper.net (TCP 443) ztp.eu.mist.com (TCP 443) oc-term.eu.mist.com (TCP 2200) |
| SRX Gateway | redirect.juniper.net (TCP 443) ztp.eu.mist.com (TCP 443) oc-term.eu.mist.com (TCP 2200) srx-log-terminator.eu.mist.com (TCP 6514) |
Documentation Embedded URL
If accessing some documentation pages results in an auth error, change the ‘Admin portal’ URL to include the right API or UI URL.
for Global3 instead of
which is for Global 1.
Mist APs need the following ports to be enabled on your Internet Firewall to work properly:
- 443/TCP to our cloud is required. It can optionally be tunneled in L2TP.
- DNS (53/UDP) to lookup our cloud hostname is required, but it does not need to be a public DNS server.
- DHCP (67&68/UDP) is required initially. After that you can configure a static IP if you would like.
Everything else (443/UDP to cloud, 123/UDP NTP, 80/TCP to cloud) is optional. The AP does not require them to be enabled, but it does help.
Proxy settings are supported, and the proxy setting is used if available; if it is not, the AP will still try to connect directly.
It is possible that some popular firewalls (example – Palo Alto Networks) might not be able to accept the recently increased number of records (IP) returned for the FQDN ep-terminator.mistsys.net. The AP’s DNS server may resolve different addresses than the PAN has stored, causing AP management traffic to be dropped, resulting in random AP disconnects.
Adding a line to the existing Mist rule on the PAN to “allow access to ep-terminator.mistsys.net based on HTTP(L7) address being accessed, for SSL traffic that is based on the SSL SNI” would help to mitigate this.
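The mismatch described above can be confirmed from deny logs before changing the rule. The following is an added example, not Mist or Palo Alto code: the log format, the function name and all addresses (documentation ranges) are constructed for illustration. It reports denied TCP 443 flows whose destination is an address the AP's DNS server returned for ep-terminator.mistsys.net but the firewall's cached FQDN entry lacks.

```python
import ipaddress

FQDN = "ep-terminator.mistsys.net"  # hostname from this page

# Constructed sample data (documentation ranges, not real Mist addresses).
FIREWALL_CACHED = {"192.0.2.10", "192.0.2.11"}  # firewall's stored records
AP_RESOLVED = {"192.0.2.10", "198.51.100.7", "198.51.100.8"}  # AP's DNS answer
# Constructed deny log, assumed format: "<time> <action> <src> <dst> <proto>/<port>"
DENY_LOG = """\
2024-01-01T10:00:01Z deny 10.1.1.21 198.51.100.7 tcp/443
2024-01-01T10:00:04Z deny 10.1.1.22 198.51.100.8 tcp/443
2024-01-01T10:00:09Z deny 10.1.1.21 203.0.113.50 tcp/443
2024-01-01T10:00:12Z allow 10.1.1.23 192.0.2.10 tcp/443
2024-01-01T10:00:15Z deny 10.1.1.22 198.51.100.7 tcp/22
"""

def stale_fqdn_drops(log_text, fw_cached, ap_resolved, service="tcp/443"):
    """Return {dst_ip: sorted AP sources} for denies explained by FQDN drift."""
    fw = {ipaddress.ip_address(a) for a in fw_cached}
    ap = {ipaddress.ip_address(a) for a in ap_resolved}
    drift = ap - fw  # addresses the AP may use that the firewall does not know
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines
        _, action, src, dst, svc = fields
        if action != "deny" or svc != service:
            continue
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        if dst_ip in drift:
            hits.setdefault(str(dst_ip), set()).add(src)
    return {ip: sorted(srcs) for ip, srcs in hits.items()}

if __name__ == "__main__":
    found = stale_fqdn_drops(DENY_LOG, FIREWALL_CACHED, AP_RESOLVED)
    for ip, aps in found.items():
        print(f"{FQDN}: {ip} not in firewall FQDN entry; dropped APs: {aps}")
```

Denies to addresses outside the AP's resolved set (203.0.113.50 in the sample) are left out, since FQDN drift does not explain them.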
Additional ports and hosts to enable for Wired/WAN Assurance
This is the terminator needed for Wired/WAN Assurance. Please note IP addresses for the terminators will change. Please use FQDN based firewall rules.
- 2200/TCP: oc-term.mistsys.net, oc-term.gc1.mist.com, oc-term.ac2.mist.com, oc-term.eu.mist.com
- 6514/TCP: srx-log-terminator.mist.com, srx-log-terminator.gc1.mist.com, srx-log-terminator.ac2.mist.com, srx-log-terminator.eu.mist.com
- 443/TCP: ep-terminator.mist.com, ep-terminator.gc1.mist.com, ep-terminator.ac2.mist.com, ep-terminator.eu.mist.com, redirect.juniper.net, ztp.mist.com, ztp.gc1.mist.com, ztp.ac2.mist.com, ztp.eu.mist.com
Where do the APs need to reach?
ep-terminator.mistsys.net
The terminator is hosted on AWS, and we cannot guarantee that its IP addresses won’t change. It may resolve to something like ep-terminator-production-839577302.us-west-1.elb.amazonaws.com, but these change about once every 2 months, or sometimes more frequently.
Additional hosts to allow are:
- portal.mist.com for WiFi captive portal
- manage.mist.com/signin.html for Admin UI access
- api.mist.com for Admin API access
- api-ws.mist.com for Admin websocket API access
- support-portal.mist.com for Admin Support Portal access
THIS IS AS OF 8/1/2018 AND IS SUBJECT TO CHANGE. WE RECOMMEND YOU CHECK YOUR RELEASE NOTES OR THIS PAGE FOR UPDATES.
Along with the firewall, SSL cert checkers come into play; they will be detected as a ‘man-in-the-middle’ attack.
The APs will initially need an IP address using DHCP. Once APs are connected, the cloud pushes down the AP configuration (configured through the UI or API), and the APs will then switch (upon reboot) to use static IP addresses if so configured.
IPs needed for Webhooks
Enable these source IP addresses on your firewall; they are used to send out the API stream from the Mist cloud.
For Global 01, please enable these IP addresses on your firewall:
- 54.193.71.17
- 54.215.237.20
For Global 02, please enable these IP addresses on your firewall:
- 34.94.120.8
- 35.236.34.24
- 35.236.92.224
For Global 03, please enable these IP addresses on your firewall:
- 34.231.34.177
- 54.235.187.11
- 18.233.33.230
For Global 04, please enable these IP addresses on your firewall:
- 34.152.4.85
- 35.203.21.42
- 34.152.7.156
For Europe 01, please enable these IP addresses on your firewall:
- 3.122.172.223
- 3.121.19.146
- 3.120.167.1
Please note that the source IPs for Webhooks are Static IP Addresses and will not change.
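Because the webhook sources are static, the inbound rule for a webhook listener can be audited against the lists above. This is an added example, not Mist code: the function name and the sample rule sources are constructed. It reports Mist IPs that no rule entry covers, and entries that admit addresses other than the listed ones for the chosen cloud.

```python
import ipaddress

# Webhook source IPs per cloud, copied from the lists on this page.
MIST_WEBHOOK_SOURCES = {
    "Global 01": ["54.193.71.17", "54.215.237.20"],
    "Global 02": ["34.94.120.8", "35.236.34.24", "35.236.92.224"],
    "Global 03": ["34.231.34.177", "54.235.187.11", "18.233.33.230"],
    "Global 04": ["34.152.4.85", "35.203.21.42", "34.152.7.156"],
    "Europe 01": ["3.122.172.223", "3.121.19.146", "3.120.167.1"],
}

def audit_webhook_rules(cloud, allowed_sources):
    """Compare inbound source entries (IPs or CIDRs) with the page's list.

    Returns (missing, overbroad): Mist IPs that no entry covers, and entries
    that admit addresses outside the Mist list for that cloud.
    """
    wanted = [ipaddress.ip_address(a) for a in MIST_WEBHOOK_SOURCES[cloud]]
    nets = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    missing = [str(ip) for ip in wanted if not any(ip in n for n in nets)]
    overbroad = []
    for net in nets:
        covered = sum(1 for ip in wanted if ip in net)
        # An entry is too wide if it holds more addresses than Mist IPs.
        if net.num_addresses > covered:
            overbroad.append(str(net))
    return missing, overbroad

# Constructed rule sources for a webhook listener fed by Global 02.
SAMPLE_RULE_SOURCES = ["34.94.120.8/32", "35.236.0.0/16", "203.0.113.9"]

if __name__ == "__main__":
    missing, overbroad = audit_webhook_rules("Global 02", SAMPLE_RULE_SOURCES)
    print("Mist IPs not allowed:", missing)
    print("Entries wider than needed:", overbroad)
```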