topic Re: Ports needed open for remote connection to ZD1100 in ZoneDirector

Ports needed open for remote connection to ZD1100

mark_young_6200 — Mon, 06 Jan 2014 14:52:33 GMT

Which ports need to be left open for the ZD to communicate remotely?.

Is the port needed hard coded in the Ruckus OS?

Re: Ports needed open for remote connection to ZD1100

mark_young_6200 — Tue, 07 Jan 2014 06:14:23 GMT

This is strange...if i close TCP ports above 49152 i lose remote connectivity to the ZD (that is - i am off site and connecting to ZD remotely)

When i remove the TCP blocks on ports above 49152 ...i can get back in to the ZD.

Is the port we are communicating with the ZD through configurable?

Ideally i would like the port used to be below 1024. Is this possible?

Re: Ports needed open for remote connection to ZD1100

keith_redfield — Tue, 07 Jan 2014 17:02:34 GMT

Hi Mark, this is a weak KB article, but probably will give some insight.

https://support.ruckuswireless.com/an...
(found with query "ports" - 4th result)

The ZD was not designed as a cloud service and so you'll find it a bit limited in terms of flexibility in ports/protocols.

But from your description above it sounds like you are just using SSH or web UI from the remote site? In that case, you have a well-known (< 1024) going in, but TCP uses a random high port (w established bit set) coming back - so you can't block those, but they should be outbound (and thus not much of a security concern anyway...). You can filter on whether the established bit is set however (for TCP at least..)

You don't really want well-known ports in both directions - that would be a security concern.

The best practice model would be to tunnel all AP/ZD traffic inside a VPN tunnel provided by another device.

Re: Ports needed open for remote connection to ZD1100

mark_young_6200 — Tue, 07 Jan 2014 20:15:01 GMT

Yes that is exactly it - i am remote from site and logging into web UI from far away. I blocked all outgoing ports above 10000 TCP and UDP. This service is running in a hotel - not a corporate office, so no real need to support every little obscure service. What i found was that every time i opened port range 49152 - 65535 things worked again. So i concluded the ZD was using high range ports - just not sure why it was doing that.

So what you say above makes perfect sense. Cant tunnel traffic in a VPN as we go over satellite for the WAN link - too much of a performance hit unless we get into expensive WAN accelerators on both ends of the link.