Showing results for 
Search instead for 
Did you mean: 

ZoneDirector behind a firewall - AP upgrade broken

Contributor II

Is there updated guidance for firewall ports to open, for ZoneDirector 10.5.1?

I did an upgrade to, and all of my APs (R600s, H510s, R650s) failed to upgrade.

I reverted to, turned on Secured AP Image Upgrade, and re-attempted the upgrade. Now all the APs updated, but the APs at remote sites kept rebooting with config sync errors: "Configuration update request failed".

I notice in the release notes for, the new feature:-

Replace FTP with HTTPS
As a security enhancement, File Transfer Protocol (FTP) is replaced with Hypertext Transfer Protocol Secure (HTTPS).

Do I need to let port 443 traffic through my firewall for the configuration upgrade to succeed?
(I have a reverse proxy on port 443 of the firewall currently, so this would be a significant infrastructure change).


Since I have websites on port 443, and don't want to give these up, I figured out which URL needed to be forwarded to the ZoneDirector (/firmwares/avpport), and documented the firewall setup (pfSense) here: .

View solution in original post


New Contributor III

There's a workaround: you can enable "Legacy AP Image Upgrade" to perform the upgrade via FTP and not with HTTPS (cfr.

If you use HTTPS: TCP 11443 must be open between the AP and the ZoneDirector ( 

Contributor II

Yes, I had TCP 11443 whitelisted and this got the APs upgraded.

But the config sync seems to use some other mechanism.


Except for 11443, you need to enable HTTPs default port 443 for AP configuration after upgrading to ZD10.5.1.

As I said, it's really inconvenient to have the firewall send all 443 traffic to the ZoneDirector. My intranet currently lives there.

This is a major change from previous releases.

Unless this is part of a plan to make ZoneDirector unattractive & force owners towards SmartZone/Cloud, then I hope Ruckus reconsider for the next release.