NetCloud Manager: Configure Your Firewall to Allow Other Cradlepoints on the Network to Access NCM
Products Supported: Series 3. See Identify Cradlepoint Products to identify your router.
NCOS Version: 6.0* - for information on upgrading NCOS Versions, see Firmware Policy FAQ.
*Instructions specific to pre v6.0 firmware versions are noted, where applicable.
In some cases your Cradlepoint router may reside on a private network. This can require different approaches for connecting your router to NCM, depending on your network firewall and the level of NCM service you require. In order for the Cradlepoint to have full access to NCM, the Cradlepoint must be able to do the following:
- Resolve time via an NTP server,
- Resolve host name via a DNS server, and
- Have access to the FQDNs of the ECM servers.
You must either allow NTP traffic through your firewall to the Cradlepoint, or configure the Cradlepoint to use an NTP server on your network. The same applies to DNS.
The Cradlepoint router must be able to resolve and/or access the following:

| Host / Service | Port | Direction | Purpose | Required |
|---|---|---|---|---|
| stream.cradlepointecm.com | TCP 8001 | Outbound | The fully-qualified domain name for NCM. | Yes |
| DNS | UDP 53 | Outbound | Provides name resolution for the NCM stream protocol and CDN-hosted updates. DNS must be configured for NTP to function. | Yes |
| NTP | UDP 123 | Outbound | Provides time synchronization between NCM, your firewall, and the Cradlepoint router. | Yes |
| firmware.cradlepointecm.com | TCP 443 | Outbound | Allows firmware updates from NCM to your Cradlepoint router. | No |
| modem-firmware.cradlepointecm.com | TCP 443 | Outbound | Allows modem firmware updates from NCM to your Cradlepoint router. | No |
| ips.cradlepointecm.com (1) | TCP 443 | Outbound | Allows IPS signature updates from NCM to your Cradlepoint router. | No |
| wanperf.cradlepointecm.com | 9001 | Outbound | Provides a throughput test via NCM's netperf servers (note: limit of 100 tests per router). | No |
| NCM Remote Connect (2) | 30000-32767 | Outbound | Provides remote access directly to the Cradlepoint router's UI or CLI. | No |
| d3qxst45pf6gg2.cloudfront.net (3) | TCP 443 | Outbound | Allows the Cradlepoint to download Remote Connect and SDK Apps. | Yes |

(1) For firmware versions earlier than v6.0, use ips.cradlepoint.com on port 80.
(2) For firmware versions v6.0 and newer.
(3) Required only if using Remote Connect or SDK Apps.
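The following script is an added example (not Cradlepoint tooling) that turns the table above into a quick prerequisite check: run from a host behind the same firewall as the router, it resolves each endpoint, attempts a TCP connection to the listed port, sends a minimal NTP client request to the NTP server, and reports FAIL only for services the table marks as required. The NTP_SERVER value and the iptables-free probing approach (bash /dev/tcp and /dev/udp, dig, timeout) are assumptions; the Remote Connect port range is a dynamic range rather than one service, so it is not probed.

```shell
#!/bin/sh
# Added example, not Cradlepoint tooling. Run it from a host behind the same
# firewall as the router to see whether each endpoint in the table above
# resolves and accepts connections, and whether the NTP server answers.
# Needs: dig, timeout, and bash (for /dev/tcp and /dev/udp).

# Assumption: NTP_SERVER is the NTP server the router is configured to use.
NTP_SERVER="${NTP_SERVER:-ntp.example.invalid}"   # placeholder, set your own

# host  proto  port  required   (from the table; the Remote Connect range is
# a dynamic port range rather than one service, so it is not probed here)
ENDPOINTS='
stream.cradlepointecm.com tcp 8001 Yes
d3qxst45pf6gg2.cloudfront.net tcp 443 Yes
firmware.cradlepointecm.com tcp 443 No
modem-firmware.cradlepointecm.com tcp 443 No
ips.cradlepointecm.com tcp 443 No
wanperf.cradlepointecm.com tcp 9001 No
'

# resolve_a HOST -> A records one per line; empty output means DNS failed
resolve_a() {
  dig +short +time=3 +tries=1 "$1" A 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# tcp_open ADDR PORT -> exit 0 if a TCP handshake completes within 5 s
tcp_open() {
  timeout 5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# ntp_reachable HOST -> exit 0 if HOST answers a minimal NTP client request
ntp_reachable() {
  timeout 5 bash -c '
    exec 3<>/dev/udp/'"$1"'/123 || exit 1
    # 48-byte request: first byte 0x23 = leap 0, version 4, mode 3 (client)
    printf "\043%47s" "" | tr " " "\000" >&3
    [ "$(head -c 48 <&3 | wc -c)" -eq 48 ]
  ' 2>/dev/null
}

# verdict REQUIRED RESOLVED OPEN -> OK, FAIL (a required service is broken)
# or WARN (an optional service such as firmware updates is blocked)
verdict() {
  if [ "$2" = 1 ] && [ "$3" = 1 ]; then echo OK
  elif [ "$1" = Yes ]; then echo FAIL
  else echo WARN
  fi
}

# check_all -> one report line per service; returns 1 if anything required fails
check_all() {
  status=0
  if ntp_reachable "$NTP_SERVER"; then echo "OK   ntp $NTP_SERVER udp/123"
  else echo "FAIL ntp $NTP_SERVER udp/123 (the router will not join NCM without time)"; status=1
  fi
  while read -r host proto port req; do
    [ -n "$host" ] || continue
    resolved=0; open=0
    ips=$(resolve_a "$host")
    [ -n "$ips" ] && resolved=1
    for ip in $ips; do tcp_open "$ip" "$port" && { open=1; break; }; done
    v=$(verdict "$req" "$resolved" "$open")
    echo "$v $host $proto/$port resolved=$resolved reachable=$open required=$req"
    [ "$v" = FAIL ] && status=1
  done <<EOF
$ENDPOINTS
EOF
  return $status
}

# Guarded so that sourcing the file for tests does not touch the network.
if [ "${NCM_CHECK:-}" = 1 ]; then check_all; fi
```

Run it as `NCM_CHECK=1 NTP_SERVER=<your NTP server> sh ncm-check.sh`; a non-zero exit means a required service (stream, NTP, or the CDN host) is blocked or unresolvable, which is exactly the condition under which the router will not register with NCM. A resolved=1 reachable=0 line points at the firewall; resolved=0 points at DNS.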
Configuration Difficulty: Intermediate
The following methods are recommended, in order, for connecting to NCM:
1. Connect to NCM Using FQDNs
This connection method is recommended when your firewall is not on a Cradlepoint router.
Configure your firewall rules* to allow access to the following fully-qualified domain names and ports:
- cradlepointecm.com on port 8001
- An NTP server
- firmware.cradlepoint.com on port 443
- modem-firmware.cradlepoint.com on port 443
- ports 30000 through 32767
- port 9100
Once these settings are configured on your firewall, your router can connect to NCM.
* DNS-based rules require a firewall capable of inserting DNS A records into rules. Firewalls that cannot use DNS-based rules must resolve the supplied fully-qualified domain name and use the IP address(es) returned by the DNS lookup in IP-based firewall rules. On such firewalls this configuration must be repeated whenever the Cradlepoint's NCOS or modem firmware is updated, IDS signature updates are made, or SDK applications are installed or updated.
2. Connect to NCM Using a Web Proxy Server
Connecting to NCM using a proxy server is recommended when your firewall is on a Cradlepoint router. Configure your Cradlepoint router to use a proxy server for NCM connections using the instructions in NCOS: Content Filtering - Upstream Web Proxy.
3. Connect to NCM Using IP Addresses
If your firewall is on a Cradlepoint router, and you do not have access to a proxy server to connect to NCM, you can connect to the NCM services listed below using their IP addresses. Using IP addresses to connect to NCM provides only limited access to NCM services, via stream.cradlepoint.com, and is the least recommended option for connecting.
- 18.104.22.168 (stream.cradlepoint.com)
- 22.214.171.124 (stream.cradlepoint.com)
- 126.96.36.199 (stream.cradlepoint.com)
- 188.8.131.52 (stream.cradlepoint.com)
- 184.108.40.206 (stream.cradlepoint.com)
- 220.127.116.11 (Speed Test - East Coast; v6.0 and newer firmware versions)
- 18.104.22.168 (Speed Test - East Coast; v6.0 and newer firmware versions)
- 22.214.171.124 (Speed Test - West Coast; v6.0 and newer firmware versions)
- 126.96.36.199 (Speed Test - West Coast; v6.0 and newer firmware versions)
- 188.8.131.52 (reserved for future use)
- 184.108.40.206 (reserved for future use)
- 220.127.116.11 (reserved for future use)
Create filter policies for your Cradlepoint router to allow it to connect to the above IP addresses. See Zone Firewall for more information on creating and using filter policies.
4. Allowing NCM/Updates through a Firewall without Using FQDN
When a Cradlepoint is installed in an environment where a firewall is in place between it and the Internet, ports must be opened to allow NCM connectivity and updates to occur. This can be done using FQDN rules, but some firewalls do not update their DNS frequently enough, and others might not resolve the correct IP address. Update services operate in a load-balanced environment, which can cause the destination IP address resolved by the Cradlepoint to differ from the address resolved by the firewall. To deal with this, IP addresses can be statically defined on the Cradlepoint.
- To create the Cradlepoint configuration, IP addresses are needed for the following FQDNs. A utility such as dig or nslookup can be used; nslookup is used in this write-up.
- Access the Cradlepoint's configuration locally, remotely, or through NetCloud Manager.
From the Navigation bar:
- Select Networking > DNS Servers and scroll down to the "Known Hosts Configuration"
- Select "Add Host" and enter the first FQDN
- Select "IPv4"
- Enter the IP address returned by the DNS query.
- Click Save
- Repeat this for the remaining FQDNs
You should now have a list of the FQDNs associated with an IP address. This will cause the Cradlepoint to direct traffic destined for those FQDNs to use only the specified IP address.
- On the corporate firewall, allow those IP addresses outbound on port 443.
The Cradlepoint router receives its WAN connection from a private network, yet it needs to be able to communicate with NCM. The following topology shows an example of this.
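The script below is an added example (not Cradlepoint tooling) that automates the resolve-and-pin procedure just described, and also serves the footnote in method 1 about firewalls that cannot use DNS-based rules. It resolves each update FQDN, prints the values to enter under Networking > DNS Servers > Known Hosts Configuration (FQDN, IPv4, address) and a matching outbound allow rule for the corporate firewall, and compares the current DNS answer with a previously pinned address set so a scheduled job can flag when the load-balanced answer has rotated and the pins need updating. The host list (the TCP 443 update hosts from the table), the iptables rule syntax and the `pinned/<host>.txt` file layout are assumptions; adapt them to your firewall.

```shell
#!/bin/sh
# Added example, not Cradlepoint tooling. Resolves the update FQDNs, prints the
# Known Hosts entries to enter on the router (FQDN, IPv4, address) and matching
# outbound allow rules for the corporate firewall, and flags drift between a
# previously pinned address set and the current DNS answer.
# Needs dig. The iptables syntax is an assumption; adapt it to your firewall.

# Assumption: the hosts to pin are the TCP 443 update hosts from the table above.
PIN_HOSTS="firmware.cradlepointecm.com modem-firmware.cradlepointecm.com ips.cradlepointecm.com"
PIN_PORT=443

# resolve_a HOST -> A records one per line; empty output means DNS failed
resolve_a() {
  dig +short +time=3 +tries=1 "$1" A 2>/dev/null | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# known_host_lines HOST (addresses on stdin) -> "HOST IPv4 ADDR" per address:
# the three values entered for each Known Hosts row on the router
known_host_lines() {
  while read -r ip; do
    if [ -n "$ip" ]; then printf '%s IPv4 %s\n' "$1" "$ip"; fi
  done
}

# firewall_rules PORT (addresses on stdin) -> one outbound allow rule per address
firewall_rules() {
  while read -r ip; do
    if [ -n "$ip" ]; then
      printf 'iptables -A FORWARD -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$ip" "$1"
    fi
  done
}

# drift OLD NEW -> OLD and NEW are whitespace-separated address lists. Prints
# +addr for addresses DNS now returns that are not pinned, and -addr for pinned
# addresses DNS no longer returns. Returns 1 when anything changed, so a cron
# job can alert you to re-pin (load-balanced answers rotate over time).
drift() {
  old=" $(printf '%s' "$1" | tr '\n' ' ') "
  new=" $(printf '%s' "$2" | tr '\n' ' ') "
  changed=0
  for ip in $new; do
    case "$old" in *" $ip "*) ;; *) printf '+%s\n' "$ip"; changed=1 ;; esac
  done
  for ip in $old; do
    case "$new" in *" $ip "*) ;; *) printf '%s%s\n' - "$ip"; changed=1 ;; esac
  done
  return $changed
}

# Guarded so that sourcing the file for tests does not touch the network.
if [ "${PIN_NCM_HOSTS:-}" = 1 ]; then
  for host in $PIN_HOSTS; do
    ips=$(resolve_a "$host")
    if [ -z "$ips" ]; then echo "# $host: no A record, check DNS" >&2; continue; fi
    printf '%s\n' "$ips" | known_host_lines "$host"
    printf '%s\n' "$ips" | firewall_rules "$PIN_PORT"
    # Assumed layout: the last pinned set for each host saved in pinned/<host>.txt
    if [ -r "pinned/$host.txt" ]; then
      drift "$(cat "pinned/$host.txt")" "$ips" || echo "# $host: addresses changed, re-pin" >&2
    fi
  done
fi
```

Run `PIN_NCM_HOSTS=1 sh pin-ncm-hosts.sh` from a host that uses the same DNS resolver as the Cradlepoint, so that the addresses you pin are the ones the router would otherwise have resolved. Because the Known Hosts entries force the router to a fixed address, a drift report means the router will keep using an address that may no longer serve updates: re-run the script and update both the router entries and the firewall rules together.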
If the Cradlepoint is not able to resolve time via NTP, then the Cradlepoint will not connect to NCM. Be sure the Cradlepoint is able to access its configured NTP server.
Domain Name Resolution
If the Cradlepoint is not able to resolve the FQDNs described in the previous steps, it will not connect to NCM. Be sure the Cradlepoint can resolve the specified FQDNs; if it cannot, be sure the firewall is configured to allow the Cradlepoint to reach these FQDNs, and/or point the Cradlepoint to a different DNS server.