Ports and URLs for contentfilter AP250

  • 1
  • Question
  • Updated 1 year ago
We would like to integrate an Aerohive AP 250 into our school network. So far this has unfortunately failed, since the Aerohive can not communicate with the Hivemanager. This is because we have a content filter and a firewall in the network (TMG).

The question is now: Which ports and URLs in the content filter must we release, so that the AP can communicate with the Hivemanager?

Alternative:
Is it possible to use the Aerohive Hivemanager so that it can be managed locally on the network?

Many Thanks!

J. Fee

  • 1 Post
  • 0 Reply Likes

Posted 1 year ago

  • 1

Johnny Matthews

  • 34 Posts
  • 2 Reply Likes
I allow my AP management VLAN IP addresses full access to the IPs of HMNG. I believe it uses the CAPWAP ports in particular.

https://en.wikipedia.org/wiki/CAPWAP

Dan Ketchum

  • 3 Posts
  • 3 Reply Likes
I run a web filter report for the IP address of one or a few of the APs. That gave me the IP addresses that they go to for CAPWAP. My inline web filter usually uses domains, but since these use other ports, it flags the address. I then add these into my ignore list and I am all set. Traffic that goes through them still gets filtered. When I had to update HMOL I then had to go through the process again. In my case, I had no firewall issues, it was just the web filter.

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
The access points need:
  • CAPWAP (UDP 12222) for data transfer between the HiveManager and the access points.
  • Co-Operative Control (UDP 3001 by default) for the access points to communicate between themselves.
  • DNS (UDP/TCP 53) for access point name resolution.
  • HTTP/HTTPS (TCP 80/443) for users connecting to the access point's web GUI.
  • NTP (UDP 123) for access point time synchronization. This is required to maintain the encryption protocols.
  • SCP (TCP 22) for complete configuration updates from the HiveManager.
Hopefully that covers it.
(Edited)

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
I should also add that delta configuration updates are sent down the CAPWAP tunnel.

Crowdie, Champ

  • 972 Posts
  • 272 Reply Likes
Correction:

  • Co-Operative Control (UDP 3000, not 3001, by default) for the access points to communicate between themselves.
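As an added example (not from any of the posters), a Python script that applies the port list above the way Dan Ketchum describes reading his web-filter report: it scans firewall deny-log lines for flows from the AP management VLAN that match one of the listed services and reports only those destinations, so the rest of the filter stays as it is. The VLAN range, the log line format and the sample log are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Services the APs need, from the list posted above (UDP 3000 per the correction).
REQUIRED = {
    ("udp", 12222): "CAPWAP (AP <-> HiveManager)",
    ("udp", 3000): "Co-Operative Control (AP <-> AP)",
    ("udp", 53): "DNS", ("tcp", 53): "DNS",
    ("tcp", 80): "HTTP (AP web GUI)", ("tcp", 443): "HTTPS (AP web GUI)",
    ("udp", 123): "NTP",
    ("tcp", 22): "SCP (full configuration updates)",
}

# Assumed AP management VLAN (hypothetical; adjust to your network).
AP_VLAN = ipaddress.ip_network("10.20.30.0/24")

# Assumed log shape (constructed, not a vendor format):
#   "<timestamp> DENY <tcp|udp> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(r"DENY (tcp|udp) (\S+):\d+ -> (\S+):(\d+)")

def blocked_required_flows(lines):
    """Return {(service, dst_ip): count} for denied AP-VLAN flows matching a required service."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        proto, src, dst, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if ipaddress.ip_address(src) not in AP_VLAN:
            continue  # only flows originating from the APs are of interest
        service = REQUIRED.get((proto, dport))
        if service:  # unrelated ports stay blocked and are not reported
            hits[(service, dst)] += 1
    return hits

# Constructed sample log using documentation/TEST-NET addresses, not real hosts.
SAMPLE_LOG = [
    "2024-01-01T08:00:01 DENY udp 10.20.30.11:49152 -> 203.0.113.10:12222",
    "2024-01-01T08:00:02 DENY udp 10.20.30.11:49153 -> 203.0.113.10:12222",
    "2024-01-01T08:00:03 DENY udp 10.20.30.12:51000 -> 192.0.2.5:123",
    "2024-01-01T08:00:04 DENY udp 10.20.30.12:3000 -> 10.20.30.11:3000",
    "2024-01-01T08:00:05 DENY tcp 10.20.30.11:40000 -> 203.0.113.10:8080",
    "2024-01-01T08:00:06 DENY udp 10.99.0.7:49152 -> 203.0.113.10:12222",
]

if __name__ == "__main__":
    for (service, dst), n in sorted(blocked_required_flows(SAMPLE_LOG).items()):
        print(f"{service:38} -> {dst:15} blocked {n}x")
```

Each reported (service, destination) pair is a candidate for a narrow allow rule from the AP VLAN; the TCP 8080 flow and the non-AP source are deliberately left out of the report.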

Franco Gobbetti

  • 45 Posts
  • 0 Reply Likes
You might also have problems in setting up AP to HM communications if HTTP and HTTPS inspection is enabled in your firewall. Happened to me more than once; disabling HTTPS inspection in the firewall solved the issue.