Prerequisites to Deployment

The following prerequisites must be met before you can register your devices:

Network Requirements

You must meet the following network requirements:
  • Make sure your company has configured one or more Dynamic Host Configuration Protocol (DHCP) servers that can issue IP addresses and a Domain Name System (DNS) server address to ExtremeCloud-managed APs, switches, and both wired and wireless users.
  • HTTPS traffic must be allowed through your firewall on port 443 towards This allows ExtremeCloud-managed APs and switches to connect to ExtremeCloud to receive configuration and software updates, and to send analytics.
  • Make sure that your content filter is allowing access to Amazon Web Services (AWS).
  • Verify that Network Time Protocol (NTP) is allowed out through your firewall on port 123 so that the APs can submit NTP queries to to set their clocks.
  • Each site must have L2 connectivity. The APs within a site operate within a single RF domain and therefore must have L2 connectivity to function properly.
  • The best practice is to use a single VLAN for all the APs in a site instead of distributing the site's APs over multiple VLANs. If you decide to distribute a site's APs over multiple VLANs, then you must allow either routing or forwarding of SIAPP multicast between those VLANS.

ExtremeCloud-enabled devices need to be able to access several different application servers in order to provide their full functionality. Verify that your firewall is allowing ExtremeCloud-enabled devices behind it to access to the following domains and ports:

Click to expand in new window

Firewall Requirements and Port List

Component Ports for AP/Cloud Communication
Source Destination / Domain Name Protocol Src Port Dest Port Service Remark Open Firewall
Admin Console TCP Any 443 HTTPS Access the ExtremeCloud management application. Required
Admin Console / API integrated systems TCP Any 443 HTTPS Application access to the backend services managing ExtremeCloud-enabled devices. Required
Access Point & Switches TCP Any 443 HTTPS Management Tunnel between AP and ExtremeCloud (configuration, image, statistics, upgrade, traces). Required
Access Points & Switches NTP Server UDP Any 123 NTP Clock synchronization. Required
Access Points UDP Any 1812, 1813 RADIUS The integrated captive portal solution requires a cloud RADIUS lookup for each wireless client authentication using the captive portal. Required if using the built-in captive portal
Access Points TCP Any 443, 80 HTTP, HTTPS Used by the integrated captive portal solution hosted at Access to the portal is required to ensure wireless clients can authenticate using the captive portal. Required if using the built-in captive portal
Access Points & Switches TCP Any 443 HTTPS Used by ExtremeCloud-enabled devices that, on command, may upload tech support files to storage managed by this application. Required
Access Points & Switches TCP Any 443 HTTPS Required to successfully upgrade ExtremeCloud managed devices. The IP range for the S3 bucket is: { "ip_prefix": "", "region": "eu-central-1", "service": "S3" }, { "ip_prefix": "", "region": "eu-central-1", "service": "S3" } { "ip_prefix": "", "region": "eu-central-1", "service": "S3" }, { "ip_prefix": "", "region": "eu-central-1", "service": "S3" }, Required
Any Access Point TCP Any 2002, 2003 RCAPD Collect WireShark traces using AP Real Capture, if enabled. Optional

Management tunnel between WiNG AP and ExtremeCloud

Required - Allows outbound connections from devices to ExtremeCloud over the various ports listed. This is typically not an issue as these ports are usually open already.