Prerequisites to Deployment

The following prerequisites must be met before you can register your devices:

• Purchase and receive a supported device.
• Locate the Welcome email with a service contract number.
  

  Note

  Former Azara users do not receive or require a contract number.
• Forward the Welcome email to your network administrator.
• Identify the location and site where the device will be deployed.
• Meet the network requirements.
• Meet the additional requirements stated in the ExtremeCloud Release Notes.
  

  Note

  If your existing network is also using Extreme Networks wireless controllers, you must configure the controllers to accept only the manually approved access points (APs). This action prevents the cloud-enabled APs from connecting to the controller. Note that the AP connection is not predicted in the case of both an on-premise controller and the cloud server accepting an AP.

Network Requirements

You must meet the following network requirements:

• Make sure your company has configured one or more Dynamic Host Configuration Protocol (DHCP) servers that can issue IP addresses and a Domain Name System (DNS) server address to ExtremeCloud-managed APs, switches, and both wired and wireless users.
• HTTPS traffic must be allowed through your firewall on port 443 towards devices.extremenetworks.com. This allows ExtremeCloud-managed APs and switches to connect to ExtremeCloud to receive configuration and software updates, and to send analytics.
• Make sure that your content filter is allowing access to Amazon Web Services (AWS).
• Verify that Network Time Protocol (NTP) is allowed out through your firewall on port 123 so that the APs can submit NTP queries to pool.ntp.org to set their clocks.

• Each site must have L2 connectivity. The APs within a site operate within a single RF domain and therefore must have L2 connectivity to function properly.
• The best practice is to use a single VLAN for all the APs in a site instead of distributing the site's APs over multiple VLANs. If you decide to distribute a site's APs over multiple VLANs, then you must allow either routing or forwarding of SIAPP multicast between those VLANS.

ExtremeCloud-enabled devices need to be able to access several different application servers in order to provide their full functionality. Verify that your firewall is allowing ExtremeCloud-enabled devices behind it to access to the following domains and ports:

Firewall Requirements and Port List

Component		Ports for AP/Cloud Communication
Source	Destination / Domain Name	Protocol	Src Port	Dest Port	Service	Remark	Open Firewall
Admin Console	ezcloudx.com	TCP	Any	443	HTTPS	Access the ExtremeCloud management application.	Required
Admin Console / API integrated systems	api.ezcloudx.com	TCP	Any	443	HTTPS	Application access to the backend services managing ExtremeCloud-enabled devices.	Required
Access Point & Switches	devices.extremenetworks.com	TCP	Any	443	HTTPS	Management Tunnel between AP and ExtremeCloud (configuration, image, statistics, upgrade, traces).	Required
Access Points & Switches	NTP Server	UDP	Any	123	NTP	Clock synchronization.	Required
Access Points	radius.ezcloudx.com	UDP	Any	1812, 1813	RADIUS	The integrated captive portal solution requires a cloud RADIUS lookup for each wireless client authentication using the captive portal.	Required if using the built-in captive portal
Access Points	cp.ezcloudx.com	TCP	Any	443, 80	HTTP, HTTPS	Used by the integrated captive portal solution hosted at cp.ezcloudx.com. Access to the portal is required to ensure wireless clients can authenticate using the captive portal.	Required if using the built-in captive portal
Access Points & Switches	http://aptransient-eu-central-1.s3.eu-central-1.amazonaws.com/	TCP	Any	443	HTTPS	Used by ExtremeCloud-enabled devices that, on command, may upload tech support files to storage managed by this application.	Required
Access Points & Switches	http://extremeimages.s3.amazonaws.com/	TCP	Any	443	HTTPS	Required to successfully upgrade ExtremeCloud managed devices. The IP range for the S3 bucket is: { "ip_prefix": "52.219.72.0/22", "region": "eu-central-1", "service": "S3" }, { "ip_prefix": "52.219.44.0/22", "region": "eu-central-1", "service": "S3" } { "ip_prefix": "52.92.68.0/22", "region": "eu-central-1", "service": "S3" }, { "ip_prefix": "54.231.192.0/20", "region": "eu-central-1", "service": "S3" },	Required
Any	Access Point	TCP	Any	2002, 2003	RCAPD	Collect WireShark traces using AP Real Capture, if enabled.	Optional
WiNG APs	mgmt.devices.extremenetworks.com	TCP	Any	443	HTTPS	Management tunnel between WiNG AP and ExtremeCloud	Required - Allows outbound connections from devices to ExtremeCloud over the various ports listed. This is typically not an issue as these ports are usually open already.