External Firewall Configuration. Aruba M3MK1, 7024, 7240, 620, 7280, 650, ArubaOS 6.5.3.x, 3200


Chapter 29

External Firewall Configuration

In many deployment scenarios, an external firewall is situated between Aruba devices. This chapter describes the network ports that need to be configured on the external firewall to allow proper operation of the Aruba network. You can also use this information to configure session ACLs to apply to physical ports on the controller for enhanced security. However, this chapter does not describe requirements for allowing specific types of user traffic on the network.

A controller uses both its loopback address and VLAN addresses for communications with other network elements. If the firewall uses host-specific ACLs, those ACLs must specify all IP addresses used on the controller.

Topics in this chapter include:

- Understanding Firewall Port Configuration Among Aruba Devices on page 689
- Enabling Network Access on page 690
- Ports Used for Virtual Intranet Access (VIA) on page 690
- Configuring Ports to Allow Other Traffic Types on page 692

Understanding Firewall Port Configuration Among Aruba Devices

This section describes the network ports that need to be configured on the firewall to allow proper operation of the network.

Communication Between Controllers

Configure the following ports to enable communication between any two controllers:

- IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPSec.
- IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled
- GRE (protocol 47) if tunneling guest traffic over GRE to a DMZ controller
- IKE (UDP 500)
- ESP (protocol 50)
- NAT-T (UDP 4500)

Communication Between APs and the Controller

APs use Trivial File Transfer Protocol (TFTP) during their initial boot to grab their software image and configuration from the controller. After the initial boot, the APs use FTP to retrieve their software images and configurations from the controller. In many deployment scenarios, an external firewall is situated between various Aruba devices.

Configure the following ports to enable communication between an AP and the controller:

- PAPI (UDP port 8211). If the AP uses DNS to discover the LMS controller, the AP first attempts to connect to the master controller. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)
- PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master controller.
- FTP (TCP port 21)
- TFTP (UDP port 69) for all campus APs. If there is no local image on the AP or if the image needs to be upgraded (for example, a new AP), the AP uses TFTP to retrieve the initial image. For remote APs, upgrade the image only by FTP and not TFTP.
- SYSLOG (UDP port 514)
- PAPI (UDP port 8211)
- GRE (protocol 47)
- Control Plane Security (CPSec) uses UDP port 4500

Communication Between Remote APs and the Controller

Configure the following ports to enable communication between a Remote AP (IPSec) and a controller:

- NAT-T (UDP port 4500)
- TFTP (UDP port 69)

TFTP is not needed for normal operation. If the remote AP loses its local image for any reason, it will use TFTP to download the latest image.
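As an added illustration (example code, not part of the ArubaOS guide), the following Python encodes the AP-to-controller and remote-AP-to-controller flows listed in the two sections above and reports which of them a draft external-firewall policy fails to allow. The policy format (a list of protocol/port tuples) and the sample draft policy are assumptions made for this example.

```python
# Example code (not from the ArubaOS guide): flow requirements transcribed
# from the chapter; the policy format below is an assumption for the example.
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    proto: str    # "udp", "tcp", or "ip" for a raw IP protocol (GRE, ESP)
    port: int     # L4 port, or the IP protocol number when proto == "ip"
    purpose: str

# AP -> controller flows from "Communication Between APs and the Controller"
AP_TO_CONTROLLER = (
    Flow("udp", 8211, "PAPI (control channel, also for Air Monitors)"),
    Flow("tcp", 21, "FTP image and configuration download"),
    Flow("udp", 69, "TFTP initial image (campus APs)"),
    Flow("udp", 514, "syslog"),
    Flow("ip", 47, "GRE user-traffic tunnel"),
    Flow("udp", 4500, "Control Plane Security (CPSec)"),
)

# Remote AP (IPSec) -> controller flows from the following section
REMOTE_AP_TO_CONTROLLER = (
    Flow("udp", 4500, "NAT-T / IPSec"),
    Flow("udp", 69, "TFTP image recovery only"),
)

def missing_flows(policy, required):
    """Return the required flows that no allow rule in `policy` covers.

    `policy` is a list of (proto, port) tuples the firewall already permits;
    ("udp", "any") permits every UDP port and ("ip", 47) permits GRE.
    """
    allowed, wildcard = set(), set()
    for proto, port in policy:
        if port == "any":
            wildcard.add(proto)
        else:
            allowed.add((proto, port))
    return [f for f in required
            if f.proto not in wildcard and (f.proto, f.port) not in allowed]

# Constructed draft policy that forgot GRE and CPSec (a common first pass)
SAMPLE_POLICY = [("udp", 8211), ("tcp", 21), ("udp", 69), ("udp", 514)]

if __name__ == "__main__":
    for flow in missing_flows(SAMPLE_POLICY, AP_TO_CONTROLLER):
        print(f"missing AP->controller rule: {flow.proto} {flow.port} ({flow.purpose})")
```

Run against the sample draft, the check flags GRE (protocol 47) and CPSec (UDP 4500) as missing, which would leave tunneled user traffic and the CPSec channel blocked even though PAPI and image download work.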

Enabling Network Access

This section describes the network ports that need to be configured on the firewall to manage the Aruba network.

For WebUI access between the network administrator's computer (running a Web browser) and a controller:

- HTTP (TCP ports 80 and 8888) or HTTPS (TCP ports 443 and 4343).
- SSH (TCP port 22) or TELNET (TCP port 23).

Ports Used for Virtual Intranet Access (VIA)

The following ports are used with Aruba VIA 3.2.x and later releases.

- TCP 443: During the initialization phase, VIA uses HTTPS connections to perform trusted network and captive portal checks. It is mandatory that you enable port 443 on your network to allow VIA to perform these checks.
- UDP 4500: This port is used for the IPsec connection and NAT-Traversal (NAT-T).
- Custom Port/Port 8085: If you have enabled the Client-certificate based authentication feature in the VIA authentication profile, you can define the port used for profile downloads in the Web server Configuration profile. The supported range is port 1025-65535, and the default value is 8085.

The port configured for VIA client certificate-based authentication must also be added to the ACL whitelist using the firewall cp command or the Configuration > Stateful Firewall > ACL White List page of the controller WebUI. If the port is not configured on the control plane firewall, all packets sent to the controller port will be dropped, and the HTTPS connection will not be established.


Table 154: VIA Features Requiring TCP Port 443 Access
Platform columns: Windows, Linux, Android, Mac, iOS

Functionality (TCP port 443):
- Web Auth
- Download VIA client software
- Credential based connection profile download
- Certificate based connection profile download
- Trusted network check
- SSL fallback
- Captive portal detect

Table 155: VIA Features Requiring UDP Port 4500 Access
Platform columns: Windows, Linux, Android, Mac

Functionality (UDP port 4500):
- IKE exchange
- ESP
- VPN Connection (primary approach)
- VPN Connection (failover)
- NAT (controller behind NAT)

Table 156: Features Supporting a Custom Port
Platform columns: Windows, Linux, Android, Mac, iOS

Functionality (Custom Port <1025-65535>):
- Certificate based connection profile download (default, port 8085)


Configuring Ports to Allow Other Traffic Types

This section describes the network ports that need to be configured on the firewall to allow other types of traffic in the Aruba network. You should only allow traffic as needed from these ports.

- For logging: SYSLOG (UDP port 514) between the controller and syslog servers.
- For software upgrade or retrieving system logs: TFTP (UDP port 69) or FTP (TCP ports 21 and 22) between the controller and a software distribution server.
- If the controller is a PPTP VPN server, allow PPTP (UDP port 1723) and GRE (protocol 47) to the controller.
- If the controller is an L2TP VPN server, allow NAT-T (UDP port 4500), ISAKMP (UDP port 500) and ESP (protocol 50) to the controller.
- If a third-party network management system is used, allow SNMP (UDP ports 161 and 162) between the network management system and all controllers.
- For authentication with a RADIUS server: RADIUS (typically, UDP ports 1812 and 1813, or 1645 and 1646) between the controller and the RADIUS server.
- For authentication with an LDAP server: LDAP (UDP port 389) or LDAPS (UDP port 636) between the controller and the LDAP server.
- For authentication with a TACACS+ server: TACACS (TCP port 49) between the controller and the TACACS+ server.
- For NTP clock setting: NTP (UDP port 123) between all controllers and the NTP server.
- For packet captures: UDP port 5555 from an AP to an Ethereal packet-capture station; UDP port 5000 from an AP to a Wildpackets packet-capture station.
- For telnet access: Telnet (TCP port 23) from the network administrator's computer to any AP, if "telnet enable" is present in the "ap location 0.0.0" section of the controller configuration.
- For External Services Interface (ESI): ICMP (protocol 1) and syslog (UDP port 514) between a controller and any ESI servers.
- For XML API: HTTP (TCP port 80) or HTTPS (TCP port 443) between a controller and an XML-API client.
