Knowledge Base

 
Reset Search
 

 

Article

NetCloud Manager: Configure Your Firewall to Allow Other Cradlepoints on the Network to Access NCM

« Go Back

Information

 
Content

NetCloud Manager: Configure Your  Firewall to Allow Other Cradlepoints on the Network to Access NCM

Products Supported: Series 3. See Identify Cradlepoint Products to identify your router.

NCOS Version: 6.0* - for information on upgrading NCOS Versions, see Firmware Policy FAQ.

*Instructions specific to pre v6.0 firmware versions are noted, where applicable.


Quick Links

Summary

Configuration

Use Cases

Troubleshooting

Related Articles


Summary

In some cases your Cradlepoint router may reside on a private network. This can require different approaches for connecting your router to NCM, depending on your network firewall and the level of NCM service you require. In order for the Cradlepoint to have full access to NCM, the Cradlepoint must be able to do the following:

  • Resolve time via an NTP server,
  • Resolve host name via a DNS server, and
  • Have access to the FQDN's of the ECM servers.

You must either allow NTP traffic through your firewall to the Cradlepoint, or configure the Cradlepoint to use an NTP server on your network. This is the same for DNS as well.

The Cradlepoint router must be able to resolve and/or access:

ServicePortDirectionDescriptionRequired?
stream.cradlepointecm.comTCP 8001OutboundThe fully-qualified domain name for NCM.Yes
DNSUDP 53OutboundProvides name resolution for NCM stream protocol and CDN hosted updates. DNS must be configured for NTP to function.Yes
NTPUDP 123OutboundProvides time synchronization between NCM, your firewall, and the Cradlepoint router.Yes
firmware.cradlepointecm.comTCP 443OutboundAllows firmware updates from NCM to your Cradlepoint router.No
modem-firmware.cradlepointecm.comTCP 443OutboundAllows modem firmware updates from NCM to your Cradlepoint router.No
ips.cradlepointecm.com1TCP 443OutboundAllows IPS signature updates from NCM to your Cradlepoint router.No
wanperf.cradlepointecm.com9001OutboundProvides a throughput test via NCM’s netperf servers (Note: limit 100 test per router).No
NCM Remote Connect30000-32767OutboundProvides remote access directly to the Cradlepoint router’s UI or CLI.No
For firmware versions earlier than v6.0, use ips.cradlepoint.com on port 80.
 For firmware versions v6.0 and newer.

Configuration

Configuration Difficulty: Intermediate

The following methods are recommended, in order, for connecting to NCM:
 

1. Connect to NCM Using FQDNs


This connection method is recommended when your firewall is not on a Cradlepoint router.

Configure your firewall rules* to allow access to the following fully-qualified domain names and ports:
 
  • cradlepointecm.com on port 8001
  • An NTP server 
  • firmware.cradlepoint.com on port 443
  • modem-firmware.cradlepoint.com on port 443
  • ips.cradlepoint.com 
  • ports 30000 through 32767
  • port 9100

Once these settings are configured on your firewall, your router can connect to NCM.

* DNS-based rules require a firewall capable of inserting DNS A records into rules. All other firewalls that are not capable of using DNS-based rules must resolve the supplied Fully-Qualified Domain Name and use the IP address(es) discovered in the DNS lookup for all IP-based firewall rules. This configuration for firewalls not capable of DNS-based rules must be repeated whenever the Cradlepoint's NCOS or modem firmware is updated, IDS signature updates are made, or SDK applications are installed or updated. 
 

2. Connect to NCM Using a Web Proxy Server


Connecting to NCM using a proxy server is recommended when your firewall is on a Cradlepoint router. Configure your Cradlepoint router to use a proxy server for NCM connections using the instructions in NCOS: Content Filtering - Upstream Web Proxy.

 

3. Connect to NCM Using IP Addresses


If your firewall is on a Cradlepoint router, and you do not have access to a proxy server to connect to NCM, you can connect to the NCM services listed below using their IP addresses. Using IP addresses to connect to NCM provides only limited access to NCM services, via stream.cradlepoint.com, and is the least recommended option for connecting.
 
  • 52.24.50.2 (stream.cradlepoint.com)
  • 52.25.11.64 (stream.cradlepoint.com)
  • 52.24.203.54 (stream.cradlepoint.com)
  • 52.25.11.71 (stream.cradlepoint.com)  
  • 52.35.187.6 (stream.cradlepoint.com) 
  • 54.210.67.16 (Speed Test - East Coast; v6.0 and newer firmware versions)
  • 52.23.171.8 (Speed Test - East Coast; v6.0 and newer firmware versions)
  • 52.8.196.129 (Speed Test - West Coast; v6.0 and newer firmware versions)
  • 52.8.63.60 (Speed Test - West Coast; v6.0 and newer firmware versions)
  • 34.216.65.13 (reserved for future use)
  • 35.167.197.172 (reserved for future use)
  • 54.70.62.28 (reserved for future use)


Create filter policies for your Cradlepoint router to allow it to connect to the above IP addresses. See Zone Firewall for more information on creating and using filter policies.


Use Cases

The Cradlepoint Router is receiving its WAN source from a private network, yet the Cradlepoint needs to be able to communicate with NCM. The Following topologies shows an example of this.

Network topology for NCM connections without using a proxy server

Network topology for NCM connections using a proxy server


Troubleshooting

Time Resolution

If the Cradlepoint is not able to resolve time via NTP, then the Cradlepoint will not connect to NCM. Be sure the Cradlepoint is able to access its configured NTP server.

Domain Name Resolution

If the Cradlepoint is not able to resolve the FQDNs described in the previous steps, then the Cradlepoint will not connect to NCM. Be sure the Cradlepoint can resolve the specified FQDNs, if not please be sure the firewall is configured to allow these FQDNs access to the Cradlepoint, and/or point the Cradlepoint to different DNS server.


Related Articles/Links


Published Date: 07/13/2017

This article not have what you need?  Not find what you were looking for?  Think this article can be improved?  Please let us know at suggestions@cradlepoint.com

Feedback

 

Was this article helpful?


   

Feedback

Please tell us how we can make this article more useful.

Characters Remaining: 255