Before you Begin

Note the following licensing and port requirements before you begin configuring your VIA deployment.

License Requirements

Controllers running ArubaOS 8.x require one of two available license types to support VIA users: the PEFV license or the VIA license.

The PEFV license allows a network administrator to apply firewall policies to clients using a VPN to connect to the controller. This PEFV license is purchased as a single controller-specific license that enables the functionality up to the full user capacity of the controller.

ArubaOS 8.2.0.0 and later supports a sharable VIA license. Each VIA client or 3rd party VPN client consumes a single VIA license. (VIA licenses are not consumed by site-to-site VPNs.) If a standalone controller or a controller managed by Mobility Master has a PEFV license, that device will not consume VIA licenses from a licensing pool, as a single PEFV license supports all VIA and 3rd party VPN clients, up to the full user capacity for that controller.

 

For more information on purchasing, installing and managing licenses in ArubaOS 8.x, refer to the ArubaOS Licensing Guide for your ArubaOS version.

License Requirements

Controllers running ArubaOS 6.5.x.x require the PEFV license to support VIA users. The PEFV license allows a network administrator to apply firewall policies to clients using a VPN to connect to the controller. This PEFV license is purchased as a single controller-specific license that enables the functionality up to the full user capacity of the controller.

 

For more information on purchasing, installing and managing licenses in ArubaOS 6.5.x.x, refer to the ArubaOS Licensing Guide for your ArubaOS version.

Port Access

VIA requires access to the following ports:

TCP 443: During the initialization phase, VIA uses HTTPS connections to perform trusted network and captive portal checks. It is mandatory that you enable port 443 on your network to allow VIA to perform these checks.

UDP 4500: This port is used for a VPN connection.

Custom Port/Port 8085: If you have enabled the Client-certificate based authentication feature in the VIA authentication profile, you can define the port used for profile downloads in the Web server Configuration profile. The supported range is port 1025-65535, and the default value is 8085.

The ports configured for VIA client certificate-based authentication must also be added to the controller or managed device ACL whitelist using one of the following methods:

the firewall cp command

the Configuration > Services > Firewall > ACL White List pages of the Mobility Master WebUI (with ArubaOS 8.x)

the Configuration > Advanced Services > Stateful Firewall > White List (ACL) pages of the controller WebUI (with ArubaOS 6.5.x)

If the port is not configured on the control plane firewall, all packets sent to the controller port will be dropped, and the HTTPS connection will not be established.
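The whitelist requirement above can be checked offline against a saved configuration. The following is an added example, not part of the original page or of Aruba's tooling: it audits the certificate-based profile-download port against control plane whitelist entries. The entry format matched by RULE_RE, the status names, and the SAMPLE text are assumptions constructed for this example.

```python
import re

# Assumed line format of a control plane whitelist entry (an assumption of this
# example): "<ipv4|ipv6> <permit|deny> <source> proto <n> ports <start> <end>"
RULE_RE = re.compile(
    r"^(ipv4|ipv6)\s+(permit|deny)\s+(.+?)\s+proto\s+(\d+)\s+ports\s+(\d+)\s+(\d+)$"
)
TCP = 6                                         # profile download uses HTTPS, so TCP
CUSTOM_PORT_MIN, CUSTOM_PORT_MAX = 1025, 65535  # supported range stated on the page
DEFAULT_PROFILE_PORT = 8085                     # default value stated on the page


def parse_rules(config_text):
    """Return (action, proto, start, end) for each recognised whitelist line."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m.group(2), int(m.group(4)), int(m.group(5)), int(m.group(6))))
    return rules


def audit_profile_port(config_text, port=DEFAULT_PROFILE_PORT):
    """Classify the profile-download port against the whitelist entries."""
    if not CUSTOM_PORT_MIN <= port <= CUSTOM_PORT_MAX:
        return "out-of-range"
    hits = {action for action, proto, start, end in parse_rules(config_text)
            if proto == TCP and start <= port <= end}
    if "permit" not in hits:
        return "missing"      # packets to this port would be dropped
    if "deny" in hits:
        return "conflict"     # permit and deny both cover the port: review by hand
    return "ok"


# Constructed sample whitelist, not taken from a real controller.
SAMPLE = """
firewall cp
  ipv4 permit any proto 6 ports 8085 8085
  ipv4 permit 10.1.0.0 255.255.0.0 proto 6 ports 9000 9010
  ipv4 deny any proto 6 ports 9005 9005
  ipv4 permit any proto 17 ports 8443 8443
"""

if __name__ == "__main__":
    for p in (8085, 9005, 8443, 443):
        print(p, audit_profile_port(SAMPLE, p))
```

A "missing" result corresponds to the failure described above, where the HTTPS connection for the profile download is never established.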

Table 1:  VIA Features Requiring TCP Port 443 Access

Functionality

TCP Port 443

 

Windows

MacOS

Linux

Android

iOS

Web Auth

Download VIA client software

N/A

N/A

Credential based connection-profile download

Certificate based connection-profile download

N/A

N/A

N/A

VPN Connection

 

 

Trusted network check

SSL fallback

N/A

N/A

Captive portal detect

N/A

N/A

N/A

N/A

 

Table 2: VIA Features Requiring UDP Port 4500 Access

Functionality

UDP port 4500

 

Windows

MacOS

Linux

Android

iOS

VPN Connection

 

Table 3: Features Supporting a Custom Port

Functionality

Custom Port <1025-65535>

 

Windows

MacOS

Linux

Android

iOS

Certificate based connection-profile download (default, port 8085)

N/A

N/A

N/A

N/A