
ZoneDirector 10.5.1.0.124 behind a firewall - AP upgrade broken

ms264556
Contributor II

Is there updated guidance for firewall ports to open, for ZoneDirector 10.5.1?

I did an upgrade to 10.5.1.0.124, and all of my APs (R600s, H510s, R650s) failed to upgrade.

I reverted to 10.5.0.0.212, turned on Secured AP Image Upgrade, and re-attempted the upgrade. Now all the APs updated, but the APs at remote sites kept rebooting with config sync errors: "Configuration update request failed".

I notice in the release notes for 10.5.1.0.124, the new feature:-

Replace FTP with HTTPS
As a security enhancement, File Transfer Protocol (FTP) is replaced with Hypertext Transfer Protocol Secure (HTTPS).

Do I need to let port 443 traffic through my firewall for the configuration upgrade to succeed?
(I have a reverse proxy on port 443 of the firewall currently, so this would be a significant infrastructure change).

1 ACCEPTED SOLUTION

Since I have websites on port 443, and don't want to give these up, I figured out which URL needed to be forwarded to the ZoneDirector (/firmwares/avpport), and documented the firewall setup (pfSense) here: https://ms264556.net/pages/ZD1200OpenPfsensePorts .

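The path-based forwarding described in the accepted solution, sketched as an added example (not taken from the original post or the linked page). It assumes HAProxy, which is available as a pfSense package, terminates TLS on port 443; the addresses, backend names, certificate path, source-address restriction and prefix match are all assumptions.

```haproxy
# Added example; all addresses, names and the certificate path are placeholders.
frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem

    # Path taken from the post above; matching it as a prefix is an assumption.
    acl zd_ap_path   path_beg /firmwares/avpport
    # Constructed values: public addresses of the remote sites hosting the APs.
    acl from_ap_site src 203.0.113.0/24 198.51.100.17

    # The ZoneDirector path is refused for any source that is not a known AP site.
    http-request deny if zd_ap_path !from_ap_site
    # Only that one path, from known sites, is forwarded to the ZoneDirector.
    use_backend zonedirector if zd_ap_path from_ap_site

    # Everything else on 443 keeps going to the existing websites.
    default_backend intranet

backend zonedirector
    mode http
    # Assumes the ZoneDirector presents a self-signed certificate.
    # Use "verify required ca-file <path>" instead if you hold its CA.
    server zd1200 192.0.2.10:443 ssl verify none

backend intranet
    mode http
    server web1 192.0.2.20:8080
```

With this layout the ZoneDirector's web interface is never exposed on port 443; only the one path is reachable, and only from the listed sites.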

5 REPLIES 5

pieter_schepens
New Contributor III

There's a workaround: you can enable "Legacy AP Image Upgrade" to perform the upgrade via FTP and not with HTTPS (cfr. https://docs.commscope.com/bundle/zd-10.5.1-userguide/page/GUID-68CEB800-AFC8-4944-838F-9696921BD6FF...).

If you use HTTPS: TCP 11443 must be open between the AP and the ZoneDirector (https://docs.commscope.com/bundle/zd-10.5.1-userguide/page/GUID-0CF2BF2B-7D54-4C73-B492-99A5423D3E14...). 

ms264556
Contributor II

Yes, I had TCP 11443 whitelisted and this got the APs upgraded.

But the config sync seems to use some other mechanism.

@anthony_rielly 

Except for 11443, you need to enable HTTPS default port 443 for AP configuration after upgrading to ZD10.5.1.

As I said, it's really inconvenient to have the firewall send all 443 traffic to the ZoneDirector. My intranet currently lives there.

This is a major change from previous releases.

Unless this is part of a plan to make ZoneDirector unattractive & force owners towards SmartZone/Cloud, then I hope Ruckus reconsider for the next release.