NetCloud Manager: Access via a Private Network


Products Supported: Series 3

NCOS Version: 6.0



Summary

In some cases the Cradlepoint router may reside behind a private network, which can cause issues if NCM is needed to manage your device. This article describes the steps necessary to allow a Cradlepoint router that is on or behind a private network to communicate with NCM.

For the Cradlepoint to have full access to NCM, it must be able to resolve time via an NTP server, resolve host names via a DNS server, and reach the FQDNs of the ECM servers. You must either allow NTP traffic through your head end device to the Cradlepoint, or configure the Cradlepoint to use an NTP server on your network. The same applies to DNS.

The Cradlepoint router must be able to resolve and/or access:

  • cradlepointecm.com using TCP 8001 for NCM Access
  • time and date via an NTP server on the LAN or WAN for NTP Access
  • firmware.cradlepointecm.com using TCP 443 for Router Firmware Access
  • modem-firmware.cradlepointecm.com using TCP 443 for Modem Firmware Access
  • ips.cradlepointecm.com for IPS Signature Access
  • ports 30000 through 32767 for NCM Remote Connect

Configuration

Configuration Difficulty: Intermediate

Most of the configuration resides on the head end device that has access to the internet.
Note: If the head end device is a Cradlepoint router, you cannot input FQDNs. You will need to nslookup or ping the FQDN to find the appropriate IP address.


  • Step 1 (mandatory for NCM access): Allow NCM access through the head end device to the Cradlepoint downstream. The FQDN is cradlepointecm.com using TCP port 8001. If you cannot add FQDNs to your head end device, nslookup or ping cradlepointecm.com to find the IP address that you will need to allow.
  • Step 2 (mandatory for NCM access): Allow NTP access through the head end device to the Cradlepoint downstream, or configure the Cradlepoint to point to a local NTP server on the network.
  • Step 3 (optional, for Cradlepoint router firmware): For firmware updates, allow firmware.cradlepointecm.com using TCP port 443 through the head end device to the Cradlepoint downstream. If you cannot add FQDNs to your head end device, nslookup or ping firmware.cradlepointecm.com to find the IP address that you will need to allow.
  • Step 4 (optional, for Cradlepoint modem firmware): For Cradlepoint modem firmware updates, allow modem-firmware.cradlepointecm.com using TCP port 443 through the head end device to the Cradlepoint downstream. If you cannot add FQDNs to your head end device, nslookup or ping firmware.cradlepointecm.com to find the IP address that you will need to allow.
  • Step 5 (optional, for IPS signature updates): For IPS signature updates, allow ips.cradlepointecm.com using TCP port 80 through the head end device to the Cradlepoint downstream. If you cannot add FQDNs to your head end device, nslookup or ping ips.cradlepointecm.com to find the IP address that you will need to allow.

Below is an example configuration from a Cradlepoint router acting as the head end device.


  • Step 1: Either create a new Filter Policy or edit the existing "Default Deny All" Filter Policy.
  • Step 2: In the "Default Deny All" Filter Policy, ALLOW the specific IP addresses and/or ports for NTP, DNS, and NCM traffic. Without these rules, the Cradlepoint will not be able to access NCM.
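
Because a Cradlepoint head end takes IP addresses rather than FQDNs, allow rules built from an nslookup go stale when the DNS answers change. The following added example (not Cradlepoint's code; the function names are hypothetical) resolves the FQDNs and ports from the steps above into per-IP allow rules and compares them with the rules currently on the head end.

```python
import socket

# FQDNs and TCP ports as given in the article's steps. NTP and DNS servers are
# site-specific, and the article names no host for the Remote Connect port
# range (30000-32767), so those are left out of this check.
ENDPOINTS = [
    ("cradlepointecm.com", "tcp", 8001, "NCM access"),
    ("firmware.cradlepointecm.com", "tcp", 443, "router firmware"),
    ("modem-firmware.cradlepointecm.com", "tcp", 443, "modem firmware"),
    ("ips.cradlepointecm.com", "tcp", 80, "IPS signatures"),
]


def system_resolver(host):
    """Return the set of IPv4 addresses the local resolver gives for host."""
    infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def build_rules(resolver=system_resolver):
    """Expand each FQDN into (ip, proto, port, purpose) allow rules."""
    rules, unresolved = set(), []
    for host, proto, port, purpose in ENDPOINTS:
        try:
            ips = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            ips = set()
        if not ips:
            unresolved.append(host)  # report it: a missing rule blocks traffic
        rules.update((ip, proto, port, purpose) for ip in ips)
    return rules, unresolved


def diff_rules(configured, resolved):
    """Compare rules on the head end with freshly resolved ones."""
    return {
        "missing": sorted(resolved - configured),  # would be blocked today
        "stale": sorted(configured - resolved),    # allowed but no longer in DNS
    }


if __name__ == "__main__":
    current, failed = build_rules()
    for rule in sorted(current):
        print("ALLOW %s %s/%d  # %s" % rule)
    print("unresolved:", failed)
```

Run it from a host that uses the same DNS server as the downstream router, and review the "stale" entries before removing them from the filter policy.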

Use Cases

The Cradlepoint router receives its WAN source from a private network, yet it needs to be able to communicate with NCM. The following topology shows an example of this.


Troubleshooting

Time Resolution

If the Cradlepoint is not able to resolve time via NTP, then the Cradlepoint will not connect to NCM. Be sure the Cradlepoint is able to access its configured NTP server.

Domain Name Resolution

If the Cradlepoint is not able to resolve the FQDNs described in the previous steps, then the Cradlepoint will not connect to NCM. Be sure the Cradlepoint can resolve the specified FQDNs. If it cannot, be sure the head end device is configured to allow these FQDNs access to the Cradlepoint, and/or point the Cradlepoint to a different DNS server.



Published Date: 07/13/2017
