Ports Required for Aerohive AP to communicate with HiveManager behind a Firewall device.

  • Updated 11 months ago
Unable to push changes/updates to Aerohive APs which are currently behind a Firewall device.
Kindly advise the inbound/outbound ports required to be opened on the Firewall for the Aerohive APs to communicate with HiveManager/HiveManager Online.

AtomGate Aerohive


Posted 11 months ago


Hans

Hello AtomGate

This should be:
- UDP 12222 (CAPWAP)
- TCP 443
- TCP 2083 (RadSecProxy)

Andrew Garcia, Official Rep

The requirements are slightly different for HiveManager Classic/HMOL or HiveManager NG.

For HiveManager Classic:
- Either TCP 80 or UDP 12222
- TCP 443
- TCP 22

TCP 2083 is only necessary if you use ID Manager.

Andrew Garcia, Official Rep

I assume you are using HiveManager Online. TCP 22 needs to be open to your particular HMOL server. You can see the server name in your web browser navigation bar when logged in. Keep in mind that your HMOL server can and will change when you decide to upgrade to a new version.

AtomGate Aerohive

Thanks Andrew - using Hive Manager NG - the cloud version.
Would SSH be required? As I currently cannot update/push changes to the devices and they are showing red.

Andrew Garcia, Official Rep

Please be more succinct with your requests in the future. HiveManager NG and HiveManager Online are different management products, with different requirements.

The documentation about firewall requirements for operation with HiveManager NG can be found here. Opening TCP 22 outbound from the APs is not required for basic operation with HiveManager NG, but is needed if you wish to use the SSH troubleshooting feature.

When you say the APs are showing red, I assume you mean the hexagon in the status column is red. That means the APs are not CAPWAP connected, and that is why you cannot push a job.

Ensure your APs are getting an IP address that works for the VLAN they are in. Ensure that your APs can resolve DNS. Ensure that the APs can reach the internet on TCP 443 and either UDP 12222 or TCP 80.

AtomGate Aerohive

Thanks Andrew.

Currently we have the devices behind a Proxy Server and we are able to establish CAPWAP connection as the status on HiveManager NG is showing green (connected) - however when we attempt to push a config change (Delta or Full) - it fails.

Do you think there is a specific rule that needs to be created on the Proxy Server to allow the config changes to be pushed from HiveManager NG to the APs?

Andrew Garcia, Official Rep

We have some known issues when sending CAPWAP and AP management traffic through certain proxy servers like ZScaler at the moment. It would be ideal if you could exempt the management traffic from APs from your proxy server policy, allowing UDP 12222 and TCP 443 from APs to go directly to the internet.
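
The port requirements given in the replies above can be checked against an egress policy before touching the firewall. The following is an added example, not part of the thread and not Aerohive code: it audits a list of outbound rules for the AP subnet, handling the "either TCP 80 or UDP 12222" alternative and flagging allowed ports the chosen product does not need. The rule format, the sample rules and all function names are assumptions made for illustration.

```python
# Added example: port lists come from the thread; rule format and sample rules are constructed.
REQUIREMENTS = {
    "classic": {  # HiveManager Classic / HMOL
        "required": [{("tcp", 443)}, {("tcp", 22)}, {("tcp", 80), ("udp", 12222)}],
        "optional": {("tcp", 2083): "ID Manager"},
    },
    "ng": {  # HiveManager NG
        "required": [{("tcp", 443)}, {("tcp", 80), ("udp", 12222)}],
        "optional": {("tcp", 22): "SSH troubleshooting"},
    },
}


def parse_rules(text):
    """Parse 'allow|deny proto port' lines into (action, proto, port) tuples."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].lower().split()
        if fields:
            rules.append((fields[0], fields[1], int(fields[2])))
    return rules


def allowed(rules, proto, port):
    """First matching rule wins; no match means default deny."""
    for action, r_proto, r_port in rules:
        if (r_proto, r_port) == (proto, port):
            return action == "allow"
    return False


def audit(rules, product, features=()):
    """Return (missing, unneeded) for outbound AP traffic to HiveManager."""
    spec = REQUIREMENTS[product]
    groups = list(spec["required"])
    groups += [{p} for p, feat in spec["optional"].items() if feat in features]
    # A group is satisfied when any one of its alternatives is allowed.
    missing = [sorted(g) for g in groups if not any(allowed(rules, *p) for p in g)]
    needed = set().union(*groups)
    unneeded = sorted({(pr, po) for a, pr, po in rules if a == "allow"
                       and allowed(rules, pr, po) and (pr, po) not in needed})
    return missing, unneeded


SAMPLE_RULES = """
allow tcp 443
allow tcp 2083   # left over from an earlier policy
deny  udp 12222
"""
```

Each entry in `missing` is a group of alternatives of which at least one must be opened; `unneeded` lists allowed ports that can be closed for the selected product and features.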