Opening Firewall Ports for Device Communication

Aruba Central can be accessed from the HPE GreenLake portal using the following URL:

The URL redirects to https://auth.hpe.com/ to present the HPE GreenLake login page.

For more information about accessing the HPE GreenLake portal and adding the Aruba Central app, see Creating an Aruba Central Account.

Most of the communication between devices on the remote site and the Aruba Central server in the cloud is carried out through HTTPS (TCP 443). To allow devices to communicate over a network firewall, ensure that the following domain names and ports are open.

This section includes the following topics:

Domain Names for Streaming Telemetry

The following domain names must be added to the allow list for streaming telemetry.

Table 1: Domain Names for Streaming Telemetry

| Region | Domain Name | Protocol |
| --- | --- | --- |
| US-1 | app1.hybrid.central.arubanetworks.com | HTTPS, TCP port 443 |
| US-2 | hc-prod2.central.arubanetworks.com | HTTPS, TCP port 443 |
| US West | uswest4-hc.central.arubanetworks.com | HTTPS, TCP port 443 |
| EU-1 | central-eu-hc.central.arubanetworks.com | HTTPS, TCP port 443 |
| EU-2 | eucentral2-hc.central.arubanetworks.com | HTTPS, TCP port 443 |
| EU-3 | eucentral3-hc.central.arubanetworks.com | HTTPS, TCP port 443 |
| CA Central | ca-hc.central.arubanetworks.com | HTTPS, TCP port 443 |
| AP South | apac-hc.central.arubanetworks.com | HTTPS, TCP port 443 |
| AP Northeast | apaceast-hc.central.arubanetworks.com | HTTPS, TCP port 443 |
| AP-SouthEast | apacsouth-hc.central.arubanetworks.com | HTTPS, TCP port 443 |
| UAE North | uaenorth1.central.arubanetworks.com | HTTPS, TCP port 443 |

Domain Names for Device Communication with Aruba Central

The Aruba Central URLs in the following table, and the HPE GreenLake portal URL mentioned at the beginning of this chapter, are for region-wise administrator (or management) access to the Aruba Central UI.

The URLs in the following table are not applicable to AOS-CX switches.

Table 2: Domain Names for Device Communication with Aruba Central

| Region | Aruba Central URL | URL for Device Connectivity | Protocol | FQDNs for Overlay Route Orchestrator (ORO) and Overlay Tunnel Orchestrator (OTO) Services |
| --- | --- | --- | --- | --- |
| US-1 | app.central.arubanetworks.com | app1.central.arubanetworks.com | HTTPS, TCP port 443 | app1-h2.central.arubanetworks.com |
| US-2 | app-prod2.central.arubanetworks.com | device-prod2.central.arubanetworks.com | HTTPS, TCP port 443 | device-prod2-h2.central.arubanetworks.com |
| US West | app-uswest4.central.arubanetworks.com | device-uswest4.central.arubanetworks.com | HTTPS, TCP port 443 | device-uswest4-h2.central.arubanetworks.com |
| EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS, TCP port 443 | device-eu-h2.central.arubanetworks.com |
| EU-2 | app-eucentral2.central.arubanetworks.com | device-eucentral2.central.arubanetworks.com | HTTPS, TCP port 443 | device-eucentral2-h2.central.arubanetworks.com |
| EU-3 | eucentral3.central.arubanetworks.com | device-eucentral3.central.arubanetworks.com | HTTPS, TCP port 443 | device-eucentral3-h2.central.arubanetworks.com |
| CA Central | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS, TCP port 443 | device-ca-h2.central.arubanetworks.com |
| CN North | app.central.arubanetworks.com.cn | device.central.arubanetworks.com.cn | HTTPS, TCP port 443 | device-h2.central.arubanetworks.com.cn |
| AP South | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS, TCP port 443 | app1-ap-h2.central.arubanetworks.com |
| AP Northeast | app-apaceast.central.arubanetworks.com | device-apaceast.central.arubanetworks.com | HTTPS, TCP port 443 | device-apaceast-h2.central.arubanetworks.com |
| AP SouthEast | app-apacsouth.central.arubanetworks.com | device-apacsouth.central.arubanetworks.com | HTTPS, TCP port 443 | device-apacsouth-h2.central.arubanetworks.com |
| UAE North | app-uaenorth1.central.arubanetworks.com | device-uaenorth1.central.arubanetworks.com | HTTPS, TCP port 443 | device-uaenorth1-h2.central.arubanetworks.com |

Domain Names for AOS-CX Device Communication with Aruba Central

The Aruba Central URLs in the following table are applicable to AOS-CX switches only.

Table 3: Domain Names for AOS-CX Device Communication with Aruba Central

| Region | Aruba Central URL | URL for Device Connectivity | Protocol |
| --- | --- | --- | --- |
| US-1 | app.central.arubanetworks.com | device-prod2-d2.central.arubanetworks.com | HTTPS, TCP port 443 |
| US-2 | app-prod2.central.arubanetworks.com | device-prod2.central.arubanetworks.com | HTTPS, TCP port 443 |
| US West | app-uswest4.central.arubanetworks.com | device-uswest4-d2.central.arubanetworks.com | HTTPS, TCP port 443 |
| EU-1 | app2-eu.central.arubanetworks.com | device-eu.central.arubanetworks.com | HTTPS, TCP port 443 |
| EU-2 | app-eucentral2.central.arubanetworks.com | device-eucentral2.central.arubanetworks.com | HTTPS, TCP port 443 |
| EU-3 | app-eucentral3.central.arubanetworks.com | device-eucentral3-d2.central.arubanetworks.com | HTTPS, TCP port 443 |
| CA Central | app-ca.central.arubanetworks.com | device-ca.central.arubanetworks.com | HTTPS, TCP port 443 |
| CN North | app.central.arubanetworks.com | device.central.arubanetworks.com | HTTPS, TCP port 443 |
| AP South | app2-ap.central.arubanetworks.com | app1-ap.central.arubanetworks.com | HTTPS, TCP port 443 |
| AP Northeast | app-apaceast.central.arubanetworks.com | device-apaceast.central.arubanetworks.com | HTTPS, TCP port 443 |
| AP-SouthEast | app-apacsouth.central.arubanetworks.com | device-apacsouth.central.arubanetworks.com | HTTPS, TCP port 443 |
| UAE North | app-uaenorth1.central.arubanetworks.com | device-uaenorth1-d2.central.arubanetworks.com | HTTPS, TCP port 443 |

Domain Names for Device Communication with Aruba Activate

Table 4: Domain Names for Device Communication with Aruba Activate

| Domain Name | Protocol |
| --- | --- |
| device.arubanetworks.com | HTTPS, TCP port 443 |
| devices-v2.arubanetworks.com | HTTPS, TCP port 443 |
| est.arubanetworks.com * | HTTPS, TCP port 443 |

* Required for Aruba 2530 switches to provision a certificate using the EST server in Activate.

The device.arubanetworks.com URL is not applicable for AOS-CX switches.

When a proxy server is configured on the network, the URLs in this table must be added to the list of allowed URLs on the proxy server so that the switches can establish a connection with the Activate server.

Cloud Guest Server Domains for Guest Access Service

Table 5: Domain Names for Cloud Guest Server Access

| Region | Domain Name | Protocol |
| --- | --- | --- |
| US-1 | naw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| US-1 | naw2-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| US-2 | nae1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| US-2 | nae1-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| US West | uswest4.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| US West | uswest4-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| EU-1 | euw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| EU-1 | euw1-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| EU-2 | euw2.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| EU-2 | euw2-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| EU-3 | euw3.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| EU-3 | euw3-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| CA Central | ca.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| CA Central | ca-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| AP South | ap1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| AP South | ap1-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| AP NorthEast | apaceast.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| AP NorthEast | apaceast-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| AP SouthEast | apacsouth.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| AP SouthEast | apacsouth-elb.cloudguest.central.arubanetworks.com | TCP port 443 |
| UAE North | asw1.cloudguest.central.arubanetworks.com | TCP port 2083, TCP port 443 |
| UAE North | asw1-elb.cloudguest.central.arubanetworks.com | TCP port 443 |

Domain Names for OpenFlow

Table 6: Domain Names for OpenFlow

| Region | Domain Name |
| --- | --- |
| US-1 | https://app2-ofc.central.arubanetworks.com |
| US-2 | https://ofc-prod2.central.arubanetworks.com |
| US West | https://ofc-uswest4.central.arubanetworks.com |
| EU-1 | https://app2-eu-ofc.central.arubanetworks.com |
| EU-2 | https://ofc-eucentral2.central.arubanetworks.com |
| EU-3 | https://ofc-eucentral3.central.arubanetworks.com |
| CA Central | https://ofc-ca.central.arubanetworks.com |
| CN North | https://ofc.central.arubanetworks.com.cn |
| AP South | https://app2-ap-ofc.central.arubanetworks.com |
| AP NorthEast | https://ofc-apaceast.central.arubanetworks.com |
| AP SouthEast | https://ofc-apacsouth.central.arubanetworks.com |
| UAE North | https://ofc-uaenorth1.central.arubanetworks.com |

Domain Names for RCS

Table 7: Domain Names and URLs for RCS

| Region | Domain Name | Protocol |
| --- | --- | --- |
| US-1 | rcs-ng-prod.central.arubanetworks.com | SSH port 443 |
| US-1 | rcs-ng-xp-prod.central.arubanetworks.com | SSH port 443 |
| US-2 | rcs-ng-central-prod2.central.arubanetworks.com | SSH port 443 |
| US-2 | rcs-ng-xp-central-prod2.central.arubanetworks.com | SSH port 443 |
| US West | rcs-ng-uswest4.central.arubanetworks.com | SSH port 443 |
| US West | rcs-ng-xp-uswest4.central.arubanetworks.com | SSH port 443 |
| EU-1 | rcs-ng-eu.central.arubanetworks.com | SSH port 443 |
| EU-1 | rcs-ng-xp-eu.central.arubanetworks.com | SSH port 443 |
| EU-2 | rcs-ng-eucentral2.central.arubanetworks.com | SSH port 443 |
| EU-2 | rcs-ng-xp-eucentral2.central.arubanetworks.com | SSH port 443 |
| EU-3 | rcs-ng-eucentral3.central.arubanetworks.com | SSH port 443 |
| EU-3 | rcs-ng-xp-eucentral3.central.arubanetworks.com | SSH port 443 |
| CA Central | rcs-ng-starman.central.arubanetworks.com | SSH port 443 |
| CA Central | rcs-ng-xp-starman.central.arubanetworks.com | SSH port 443 |
| CN North | rcs-ng-china-prod.central.arubanetworks.com.cn | SSH port 443 |
| AP South | rcs-ng-apac.central.arubanetworks.com | SSH port 443 |
| AP South | rcs-ng-xp-apac.central.arubanetworks.com | SSH port 443 |
| AP NorthEast | rcs-ng-apaceast.central.arubanetworks.com | SSH port 443 |
| AP NorthEast | rcs-ng-xp-apaceast.central.arubanetworks.com | SSH port 443 |
| AP SouthEast | rcs-ng-apacsouth.central.arubanetworks.com | SSH port 443 |
| AP SouthEast | rcs-ng-xp-apacsouth.central.arubanetworks.com | SSH port 443 |
| UAE North | rcs-ng-uaenorth1.central.arubanetworks.com | SSH port 443 |

Other Domain Names

Table 8: Other Domain Names

| Domain Name | Protocol | Description |
| --- | --- | --- |
| sso.arubanetworks.com | TCP port 443 | Allows users to access their accounts on the internal server. |
| internal.central.arubanetworks.com, internal2.central.arubanetworks.com | TCP port 443 | Allows users to access the Aruba Central Internal portal. |
| pool.ntp.org | UDP port 123 | Allows the device to update the internal clock and configure time zone when a factory default device comes up. By default, the Aruba devices contact pool.ntp.org and use NTP to synchronize their system clocks. |
| activate.arubanetworks.com | TCP port 443 | Allows the device to configure provisioning rules in Activate. |
| stun.pqm.arubanetworks.com | UDP or TCP port 3478 and 3479 | Allows the device to discover public IP over the WAN uplinks configured on devices. |
| pqm.arubanetworks.com | ICMP or UDP port 4500 | Allows the device to check the health of WAN uplinks configured on Branch Gateways. |
| common.cloud.hpe.com/ccssvc/ccs-system-firmware-registry | TCP port 80 and TCP port 443 | Allows the device to access the CloudFront server for locating all device type software images. |
| https://d20kce0f6gvxjn.cloudfront.net | TCP port 443 | Allows the device to access the CloudFront server while Aruba IDPS is enabled in Aruba Central gateways. NOTE: This URL can be invoked only by gateways that have IDPS security enabled. The URL cannot be enabled manually. |
| cloud.arubanetworks.com | TCP port 80 | Allows users to open the Aruba Central evaluation sign-up page. |
| aruba.brightcloud.com | TCP port 443 | Enables devices to access the Webroot Brightcloud server for application, application categories, and website content classification. |
| bcap15-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to look up the Webroot Brightcloud server for website categories. |
| api-dualstack.bcti.brightcloud.com | TCP port 443 | Allows Aruba devices to access the IP Reputation and IP Geolocation service on the Webroot Brightcloud server. |
| database-dualstack.brightcloud.com | TCP port 443 | Allows Aruba devices to download the website classification database from the Webroot Brightcloud server. |
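
The following is an added example, not part of the Aruba documentation: it checks a firewall log against a subset of the flows a US-1 site needs according to the tables above, and reports which required flows are being denied and which have not been seen at all. The key=value log format, the sample log lines and the function name `audit` are assumptions made for the illustration.

```python
import re

# Subset of the flows a US-1 site needs, taken from Tables 2, 4, 5 and 8 above
# (UDP chosen where the page allows "UDP or TCP" / "ICMP or UDP").
REQUIRED = {
    ("app1.central.arubanetworks.com", "tcp", 443),
    ("device.arubanetworks.com", "tcp", 443),
    ("naw2.cloudguest.central.arubanetworks.com", "tcp", 2083),
    ("naw2.cloudguest.central.arubanetworks.com", "tcp", 443),
    ("pool.ntp.org", "udp", 123),
    ("stun.pqm.arubanetworks.com", "udp", 3478),
    ("stun.pqm.arubanetworks.com", "udp", 3479),
    ("pqm.arubanetworks.com", "udp", 4500),
}

# Constructed sample log in a hypothetical key=value firewall format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z action=allow proto=tcp dst=app1.central.arubanetworks.com dport=443
2024-05-01T10:00:02Z action=deny proto=tcp dst=naw2.cloudguest.central.arubanetworks.com dport=2083
2024-05-01T10:00:03Z action=deny proto=udp dst=POOL.NTP.ORG. dport=123
2024-05-01T10:00:04Z action=deny proto=tcp dst=example.invalid dport=443
2024-05-01T10:00:05Z action=deny proto=udp dst=stun.pqm.arubanetworks.com dport=3478
2024-05-01T10:00:06Z action=deny proto=tcp dst=app1.central.arubanetworks.com dport=8443
malformed line without fields
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def audit(log_text, required=REQUIRED):
    """Return (blocked, unverified): required flows seen denied, and never seen."""
    seen = {}  # flow -> set of actions observed for it
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"action", "proto", "dst", "dport"} <= f.keys() or not f["dport"].isdigit():
            continue  # skip malformed lines rather than guessing
        # Normalise case and the trailing root dot so FQDN spellings compare equal.
        flow = (f["dst"].lower().rstrip("."), f["proto"].lower(), int(f["dport"]))
        if flow in required:
            seen.setdefault(flow, set()).add(f["action"].lower())
    blocked = sorted(flow for flow, actions in seen.items() if "deny" in actions)
    unverified = sorted(required - set(seen))
    return blocked, unverified

if __name__ == "__main__":
    blocked, unverified = audit(SAMPLE_LOG)
    for host, proto, port in blocked:
        print(f"BLOCKED     {host} {proto}/{port}")
    for host, proto, port in unverified:
        print(f"NO TRAFFIC  {host} {proto}/{port}")
```

Flows reported as having no traffic are not necessarily blocked; they only indicate that the log gives no evidence either way for that destination and port.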