Mist APs need the following ports to be enabled on your Internet Firewall to work properly:
- 443/TCP to our cloud is required. It can optionally be tunneled in L2TP.
- DNS (53/UDP) to lookup our cloud hostname is required, but it does not need to be a public DNS server.
- DHCP (67&68/UDP) is required initially. After that you can configure a static IP if you would like.
Everything else (443/UDP to cloud, 123/UDP NTP, 80/TCP to cloud) is optional. The AP does not require them to be enabled, but it does help.
Proxy settings are supported. The AP uses a proxy if one is available; if not, it will still try to connect directly.
Where do the APs need to reach?
The terminator is hosted on AWS, and we cannot guarantee that the IP addresses won’t change. It may resolve to something like this:
but these change about once every 2 months or sometimes more frequently.
Additional hosts to allow are:
- portal.mist.com for WiFi captive portal
- manage.mist.com for Admin UI access
- api.mist.com for Admin API access
- api-ws.mist.com for Admin websocket API access
- support-portal.mist.com for Admin Support Portal access
THIS IS AS OF 8/1/2018 AND IS SUBJECT TO CHANGE. WE RECOMMEND YOU CHECK YOUR RELEASE NOTES OR THIS PAGE FOR UPDATES.
Along with the firewall, SSL cert checkers come into play: they will be detected as a ‘man-in-the-middle’ attack.
The APs will initially need an IP address using DHCP. Once the APs are connected, the cloud pushes down the AP configuration (configured through the UI or API), and the APs will then switch (upon reboot) to static IP addresses if so configured.
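The following is an added example, not Mist's own code: it audits an egress policy for the AP subnet against the port list above, and also flags TLS inspection on 443/TCP and rules pinned to a cloud IP address. The rule format, its field names and the sample rules are constructed assumptions, and the policy is assumed to be first-match-wins with an implicit deny.

```python
import ipaddress

# Port requirements as listed on this page.
REQUIRED = [("tcp", 443), ("udp", 53), ("udp", 67), ("udp", 68)]
OPTIONAL = [("udp", 443), ("udp", 123), ("tcp", 80)]

def first_match(rules, proto, port):
    """First rule covering proto/port (first-match-wins); None = implicit deny."""
    return next((r for r in rules if r["proto"] == proto and port in r["ports"]), None)

def is_ip_literal(dst):
    """True when a rule destination is an IP or CIDR rather than a hostname."""
    try:
        ipaddress.ip_network(dst, strict=False)
        return True
    except ValueError:
        return False

def audit(rules):
    """Audit the AP subnet's egress rules; returns (errors, warnings)."""
    errors, warnings = [], []
    for proto, port in REQUIRED + OPTIONAL:
        rule = first_match(rules, proto, port)
        label = f"{port}/{proto.upper()}"
        if rule is None or rule["action"] != "allow":
            if (proto, port) in REQUIRED:
                errors.append(f"{label} is required but not allowed")
            else:
                warnings.append(f"{label} is optional and not allowed")
        elif (proto, port) == ("tcp", 443):
            if rule.get("tls_inspect"):
                errors.append(f"{label} is TLS-inspected: seen as man-in-the-middle")
            if is_ip_literal(rule["dst"]):
                warnings.append(f"{label} is pinned to an IP: cloud IPs change")
    return errors, warnings

# Constructed sample policy in a hypothetical export format (not a vendor format).
SAMPLE_RULES = [
    {"action": "allow", "proto": "udp", "ports": [53], "dst": "any"},
    {"action": "allow", "proto": "udp", "ports": [67, 68], "dst": "any"},
    {"action": "allow", "proto": "tcp", "ports": [443], "dst": "203.0.113.10",
     "tls_inspect": True},
    {"action": "deny", "proto": "udp", "ports": [123, 443], "dst": "any"},
]

if __name__ == "__main__":
    for level, items in zip(("ERROR", "WARN"), audit(SAMPLE_RULES)):
        for item in items:
            print(f"{level}: {item}")
```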
IPs needed for Webhooks
Enable these source IP addresses on your firewall; the Mist cloud uses them to send out the API stream.
For EU, please enable these IP addresses on your firewall:
Please note that the source IPs for Webhooks are static IP addresses and will not change.