12-30-2021 06:26 AM
Is there updated guidance for firewall ports to open, for ZoneDirector 10.5.1?
I did an upgrade to 10.5.1.0.124, and all of my APs (R600s, H510s, R650s) failed to upgrade.
I reverted to 10.5.0.0.212, turned on Secured AP Image Upgrade, and re-attempted the upgrade. Now all the APs updated, but the APs at remote sites kept rebooting with config sync errors: "Configuration update request failed".
I notice in the release notes for 10.5.1.0.124, the new feature:
Replace FTP with HTTPS
As a security enhancement, File Transfer Protocol (FTP) is replaced with Hypertext Transfer Protocol Secure (HTTPS).
Do I need to let port 443 traffic through my firewall for the configuration upgrade to succeed?
(I have a reverse proxy on port 443 of the firewall currently, so this would be a significant infrastructure change).
12-30-2021 06:48 AM
There's a workaround: you can enable "Legacy AP Image Upgrade" to perform the upgrade via FTP and not with HTTPS (cf. https://docs.commscope.com/bundle/zd-10.5.1-userguide/page/GUID-68CEB800-AFC8-4944-838F-9696921BD6FF...).
If you use HTTPS: TCP 11443 must be open between the AP and the ZoneDirector (https://docs.commscope.com/bundle/zd-10.5.1-userguide/page/GUID-0CF2BF2B-7D54-4C73-B492-99A5423D3E14...).
12-30-2021 04:02 PM
Yes, I had TCP 11443 whitelisted and this got the APs upgraded.
But the config sync seems to use some other mechanism.
01-04-2022 07:14 PM
Except for 11443, you need to enable HTTPS default port 443 for AP configuration after upgrading to ZD 10.5.1.
01-04-2022 08:52 PM
As I said, it's really inconvenient to have the firewall send all 443 traffic to the ZoneDirector. My intranet currently lives there.
This is a major change from previous releases.
Unless this is part of a plan to make ZoneDirector unattractive & force owners towards SmartZone/Cloud, then I hope Ruckus reconsider for the next release.