NetCloud Manager: Configure Your Firewall to Allow Cradlepoints Access to NCM on Private Network

NetCloud Manager: Configure Your Firewall to Allow Other Cradlepoints on the Network to Access NCM

Products Supported: Series 3. See Identify Cradlepoint Products to identify your router.

NCOS Version: 6.0* - for information on upgrading NCOS Versions, see Firmware Policy FAQ.

*Instructions specific to pre v6.0 firmware versions are noted, where applicable.

In some cases your Cradlepoint router may reside on a private network. This can require different approaches for connecting your router to NCM, depending on your network firewall and the level of NCM service you require. In order for the Cradlepoint to have full access to NCM, the Cradlepoint must be able to do the following:

  • Resolve time via an NTP server,
  • Resolve host name via a DNS server, and
  • Have access to the FQDNs of the ECM servers.

You must either allow NTP traffic through your firewall to the Cradlepoint, or configure the Cradlepoint to use an NTP server on your network. This is the same for DNS as well.

The Cradlepoint router must be able to resolve and/or access:

| Destination | Protocol/Port | Direction | Purpose | Required |
|---|---|---|---|---|
| stream.cradlepointecm.com | TCP 8001 | Outbound | The fully-qualified domain name for NCM. | Yes |
| DNS | UDP 53 | Outbound | Provides name resolution for NCM stream protocol and CDN hosted updates. DNS must be configured for NTP to function. | Yes |
| | UDP 123 | Outbound | Provides time synchronization between NCM, your firewall, and the Cradlepoint router. | Yes |
| firmware.cradlepointecm.com | TCP 443 | Outbound | Allows firmware updates from NCM to your Cradlepoint router. | No |
| modem-firmware.cradlepointecm.com | TCP 443 | Outbound | Allows modem firmware updates from NCM to your Cradlepoint router. | No |
| ips.cradlepointecm.com [1] | TCP 443 | Outbound | Allows IPS signature updates from NCM to your Cradlepoint router. | No |
| wanperf.cradlepointecm.com | 9001 | Outbound | Provides a throughput test via NCM’s netperf servers (Note: limit 100 tests per router). | No |
| NCM Remote Connect | 30000-32767 | Outbound | Provides remote access directly to the Cradlepoint router’s UI or CLI. | No |
| d3qxst45pf6gg2.cloudfront.net [3] | TCP 443 | Outbound | Allows the Cradlepoint to download Remote Connect and SDK Apps. | Yes |

[1] For firmware versions earlier than v6.0, use on port 80.
[2] For firmware versions v6.0 and newer.
[3] Required only if using Remote Connect or SDK Apps.


Configuration Difficulty: Intermediate

The following methods are recommended, in order, for connecting to NCM:

1. Connect to NCM Using FQDNs

This connection method is recommended when your firewall is not on a Cradlepoint router.

Configure your firewall rules* to allow access to the following fully-qualified domain names and ports:
  • on port 8001
  • An NTP server 
  • on port 443
  • on port 443
  • ports 30000 through 32767
  • port 9100

Once these settings are configured on your firewall, your router can connect to NCM.

* DNS-based rules require a firewall capable of inserting DNS A records into rules. All other firewalls that are not capable of using DNS-based rules must resolve the supplied Fully-Qualified Domain Name and use the IP address(es) discovered in the DNS lookup for all IP-based firewall rules. This configuration for firewalls not capable of DNS-based rules must be repeated whenever the Cradlepoint's NCOS or modem firmware is updated, IDS signature updates are made, or SDK applications are installed or updated. 

2. Connect to NCM Using a Web Proxy Server

Connecting to NCM using a proxy server is recommended when your firewall is on a Cradlepoint router. Configure your Cradlepoint router to use a proxy server for NCM connections using the instructions in NCOS: Content Filtering - Upstream Web Proxy.


3. Connect to NCM Using IP Addresses

If your firewall is on a Cradlepoint router, and you do not have access to a proxy server to connect to NCM, you can connect to the NCM services listed below using their IP addresses. Using IP addresses to connect to NCM provides only limited access to NCM services, via, and is the least recommended option for connecting.
  • (
  • (
  • (
  • (  
  • ( 
  • (Speed Test - East Coast; v6.0 and newer firmware versions)
  • (Speed Test - East Coast; v6.0 and newer firmware versions)
  • (Speed Test - West Coast; v6.0 and newer firmware versions)
  • (Speed Test - West Coast; v6.0 and newer firmware versions)
  • (reserved for future use)
  • (reserved for future use)
  • (reserved for future use)

Create filter policies for your Cradlepoint router to allow it to connect to the above IP addresses. See Zone Firewall for more information on creating and using filter policies.

4. Allowing NCM/Updates through a Firewall without Using FQDN

When a Cradlepoint is installed in an environment where a firewall is in place between it and the Internet, ports must be opened to allow NCM connections and updates. This can be done using FQDN rules, but some firewalls don't update their DNS frequently enough and others might not resolve the correct IP address. Update services operate in a load-balanced environment, which causes the destination IP address used by the Cradlepoint to differ from the address resolved by the firewall. To deal with this, IP addresses can be statically defined on the Cradlepoint.


  • IP addresses for the following FQDNs are needed to create the Cradlepoint configuration. A utility such as DIG or NSLOOKUP can be used; NSLOOKUP is used for this write-up.
    (Figure: NSLOOKUP Example)
  • Access to the Cradlepoint's configuration locally, remotely, or through NetCloud Manager

Configuration:

From the Navigation bar:
  1. Select Networking > DNS Servers and scroll down to the "Known Hosts Configuration" section.
     (Figure: Known Hosts)
  2. Select "Add Host" and enter the first FQDN.
  3. Select "IPv4".
  4. Enter the IP address that was output by the DNS query.
  5. Click Save.
  6. Repeat this for the remaining FQDNs.
     (Figure: Add hosts)
You should now have a list of the FQDNs associated with an IP address. This will cause the Cradlepoint to direct traffic destined for those FQDNs to use only the specified IP address.
  7. On the corporate firewall, now allow those IP addresses outbound on port 443.
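
One way to notice when the addresses pinned in Known Hosts (and in IP-based firewall rules, as described in the note under method 1) no longer match DNS. This is an added example, not Cradlepoint code; the hostnames and ports come from the table above, while `check_pins`, `resolve_ipv4` and the sample pin are illustrative names and constructed values.

```python
import socket

# Hostnames and ports taken from the table earlier in this article.
NCM_ENDPOINTS = {
    "stream.cradlepointecm.com": 8001,
    "firmware.cradlepointecm.com": 443,
    "modem-firmware.cradlepointecm.com": 443,
    "ips.cradlepointecm.com": 443,
    "d3qxst45pf6gg2.cloudfront.net": 443,
}


def resolve_ipv4(host, port, getaddrinfo=socket.getaddrinfo):
    """Return the sorted, de-duplicated IPv4 addresses DNS gives for host."""
    try:
        infos = getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # lookup failed; the caller reports this as "unresolved"
    return sorted({info[4][0] for info in infos})


def check_pins(pinned, endpoints=NCM_ENDPOINTS, getaddrinfo=socket.getaddrinfo):
    """Compare pinned host -> IP entries with live DNS answers.

    Returns {host: (status, current_ips)} where status is one of:
      "ok"          the pinned IP is still among the DNS answers
      "drift"       DNS no longer returns the pinned IP
      "unpinned"    the host has no Known Hosts entry yet
      "unresolved"  the DNS lookup failed
    """
    report = {}
    for host, port in endpoints.items():
        current = resolve_ipv4(host, port, getaddrinfo)
        if not current:
            status = "unresolved"
        elif host not in pinned:
            status = "unpinned"
        elif pinned[host] in current:
            status = "ok"
        else:
            status = "drift"
        report[host] = (status, current)
    return report


if __name__ == "__main__":
    # Constructed pin using a documentation-range address, not a real NCM IP.
    pins = {"stream.cradlepointecm.com": "192.0.2.10"}
    for host, (status, ips) in check_pins(pins).items():
        print(f"{host:40} {status:10} {', '.join(ips)}")
```

Because the update services are load balanced, a "drift" result is a prompt to re-run the lookup and then update the Known Hosts entry and the matching firewall rule together.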

Use Cases

The Cradlepoint router is receiving its WAN source from a private network, yet the Cradlepoint needs to be able to communicate with NCM. The following topologies show examples of this.

Network topology for NCM connections without using a proxy server

Network topology for NCM connections using a proxy server


Time Resolution

If the Cradlepoint is not able to resolve time via NTP, then the Cradlepoint will not connect to NCM. Be sure the Cradlepoint is able to access its configured NTP server.

Domain Name Resolution

If the Cradlepoint is not able to resolve the FQDNs described in the previous steps, then the Cradlepoint will not connect to NCM. Be sure the Cradlepoint can resolve the specified FQDNs. If it cannot, be sure the firewall is configured to allow these FQDNs access to the Cradlepoint, and/or point the Cradlepoint to a different DNS server.

Updated: 10/30/2018
