Established Member
Posts: 1,358
Registered: ‎10-26-2013
Kudos: 293
Solutions: 59

List of ALL outbound ports needed by a Cloud Key?

Hello!

 

I have my CK behind a firewall that filters outbound as well as inbound. I have found that opening the following outbound ports allows the https://unifi.ubnt.com site to see the controller, with all but 3478 and 8080 blocked inbound, and those only allowed from my clients' IP addresses.

 

Outbound:
53 udp
8543 tcp


When the CK starts after being unplugged, it hits port 80 a lot to Amazon and Georgia Tech for Debian, so I allowed it.

 

Outbound:

80 tcp


Clicking on Launch Site fails at "Establishing Communications" until I allow STUN.

 

Outbound:
3478 udp


So, with just the 53/udp, 80/tcp, 3478/udp, and 8543/tcp allowed outbound, I can see it on https://unifi.ubnt.com and connect to the sites. It shows outbound attempts to 11143/tcp, 4343/udp, and 62901/udp, but seems to function with them still blocked. Mostly to 11143/tcp to 54.153.84.228 on Amazon.


It would be nice to get a complete list from UBNT of outbound ports needed by a CK for complete functionality.

 

Gregg

Member
Posts: 209
Registered: ‎07-05-2014
Kudos: 332
Solutions: 3

Re: List of ALL outbound ports needed by a Cloud Key?

I second this. I'm having trouble getting the Cloud Key to be seen remotely cause I have a restricted outbound firewall. I tried the ports listed above and it still isn't seen. Only when I open all outbound traffic does it appear.

 

Please post this list!  Thank you.

Ubiquiti Employee
Posts: 299
Registered: ‎01-18-2011
Kudos: 105
Solutions: 21

Re: List of ALL outbound ports needed by a Cloud Key?

[ Edited ]

@greggmh123:

 

Port 53 is for DNS; depending on your network environment, it may not be necessary to open this on the firewall.

 

Ports 80/tcp, 3478/udp, 8543/tcp and 11143/tcp are needed for UniFi Cloud access (you won't need them if you disable Cloud Access).

When an administrator accesses this controller via unifi.ubnt.com, there will be some outbound UDP traffic while remote access is ongoing (via WebRTC), and the port numbers are dynamic.

 

Other than that, the UniFi CloudKey system checks for and installs security updates from the upstream Debian source daily.

That needs 80/tcp, too.

 

BTW, inbound 3478 and 8080 are needed only if you have devices managed by this Controller/CloudKey, and they are outside of your firewall.

If you don't plan to manage devices outside of your firewall, you may not need them.

 

I hope I didn't miss something, I will come back to add them if I do.

 

Thanks.

-KM

 

 

 

New Member
Posts: 26
Registered: ‎01-09-2016
Kudos: 2
Solutions: 3

Re: List of ALL outbound ports needed by a Cloud Key?

Thanks - I'm going to install mine over the weekend and this helps a lot.  

Member
Posts: 209
Registered: ‎07-05-2014
Kudos: 332
Solutions: 3

Re: List of ALL outbound ports needed by a Cloud Key?

Thanks @UBNT-KM. Adding port 53 seemed to do the trick.

New Member
Posts: 1
Registered: ‎04-05-2016
Kudos: 2

Re: List of ALL outbound ports needed by a Cloud Key?

This seems like a lot of unnecessary ports. Why can't this just operate over 443? I punch a bunch of firewall ports just for this????

New Member
Posts: 1
Registered: ‎11-21-2014
Kudos: 2

Re: List of ALL outbound ports needed by a Cloud Key?

What ports are required to launch the dashboard for a site via unifi.ubnt.com?  I'm trying to administer a remote site managed by a cloud key and I'm getting "Cannot connect to controller due to unknown error. Please try again later."

 

-Brandon

New Member
Posts: 3
Registered: ‎05-10-2017

Re: List of ALL outbound ports needed by a Cloud Key?

I'm going to resurrect this dead thread because I'm having the same issue and every time I contact support, I am pointed to this post.

 

I have port forwarding turned on for this massive list of ports but am still getting the same error as the person above me.

 

Looking through the forums it seems that this problem is still affecting many users.

 

Does anyone have a solution? I'm not an expert networking guru by any means but I understand what I need to do if given clear enough direction. I can access the Cloud Key via the iOS app when off of the LAN but when trying to open the Cloud Key via Cloud Controller I get the unknown reason error. 

 

I'm running Untangle as my home firewall and have a Cloud Key. My browser logs are below and start where I see the first error/fail.

 

{
"level": "error",
"messages": [
"39715.8850ms",
"Sat, 20 May 2017 07:53:26 GMT",
"WEBRTC_ICE_CONNECTION_STATE_ERROR",
"failed"
]
},
{
"level": "info",
"messages": [
"64714.4550ms",
"Sat, 20 May 2017 07:53:51 GMT",
"WEBRTC_ICE_CANDIDATE",
null
]
},
{
"level": "info",
"messages": [
"64714.6600ms",
"Sat, 20 May 2017 07:53:51 GMT",
"WEBRTC_ICE_GATHERING_STATE",
"complete"
]
},
{
"level": "info",
"messages": [
"65715.9950ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_ICE_CANDIDATES_GATHERED"
]
},
{
"level": "info",
"messages": [
"65726.8750ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_SDP_SENDING",
"v=0\r\no=- 6103265956117963874 2 IN IP4 127.0.0.1\r\ns=-\r\nt=0 0\r\na=msid-semantic: WMS\r\nm=application 60294 DTLS/SCTP 5000\r\nc=IN IP4 24.214.108.92\r\nb=AS:30\r\na=candidate:2187211828 1 udp 2113937151 192.168.2.128 60294 typ host generation 0 network-cost 50\r\na=candidate:842163049 1 udp 1677729535 24.214.108.92 60294 typ srflx raddr 192.168.2.128 rport 60294 generation 0 network-cost 50\r\na=ice-ufrag:c3+q\r\na=ice-pwd:eq9vf+eleNzKRoH8dNoJV2VG\r\na=fingerprint:sha-256 0E:99:40:7C:FC:F3:28:BF:17:C7:D0:3C:2B:0E:40:8A:79:72:9F:CD:27:A8:6C:40:02:72:ED:77:F2:C3:2D:DE\r\na=setup:active\r\na=mid:data\r\na=sctpmap:5000 webrtc-datachannel 1024\r\n"
]
},
{
"level": "info",
"messages": [
"65974.3400ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_SDP_SENT",
{
"rc": 0
}
]
},
{
"level": "info",
"messages": [
"65975.2150ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_DATA_CHANNELS_OPEN",
[
"api",
"update_default"
]
]
},
{
"level": "info",
"messages": [
"65975.9050ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_DATA_CHANNEL_OPENING",
"api"
]
},
{
"level": "info",
"messages": [
"65977.1050ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_DATA_CHANNEL_OPENING",
"update_default"
]
},
{
"level": "info",
"messages": [
"65997.0200ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_DATA_CHANNEL_READY",
"api"
]
},
{
"level": "info",
"messages": [
"65998.6500ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_DATA_CHANNEL_READY",
"update_default"
]
},
{
"level": "info",
"messages": [
"66000.2250ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_INITIALIZED"
]
},
{
"level": "error",
"messages": [
"66001.4800ms",
"Sat, 20 May 2017 07:53:52 GMT",
"WEBRTC_CONNECTION_ERROR",
"failed"
]
},
{
"level": "info",
"messages": [
"66714.9200ms",
"Sat, 20 May 2017 07:53:53 GMT",
"WEBRTC_ICE_CONNECTION_STATE",
"connected"
]
},
{
"level": "info",
"messages": [
"245422.3350ms",
"Sat, 20 May 2017 07:56:51 GMT",
"WEBRTC_WS_CLOSED"
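
Added example, not part of the post above and not Ubiquiti's code: a small Node.js parser for the `a=candidate` lines in the WEBRTC_SDP_SENDING entry of that log, summarising what the ICE candidates imply for an egress filter. The two candidate lines are copied from the log; the function names and the trimmed SDP wrapper are assumptions made for this illustration.

```javascript
// Added example (not from the thread): read ICE candidates out of an SDP blob.
// The two a=candidate lines are copied from the posted log; the rest is trimmed.
const SAMPLE_SDP = [
  "v=0",
  "m=application 60294 DTLS/SCTP 5000",
  "c=IN IP4 24.214.108.92",
  "a=candidate:2187211828 1 udp 2113937151 192.168.2.128 60294 typ host generation 0 network-cost 50",
  "a=candidate:842163049 1 udp 1677729535 24.214.108.92 60294 typ srflx raddr 192.168.2.128 rport 60294 generation 0 network-cost 50",
  "a=setup:active",
].join("\r\n");

// candidate-attribute grammar (RFC 8839): foundation component transport
// priority address port "typ" type, followed by optional key/value extensions.
function parseCandidates(sdp) {
  const out = [];
  for (const line of sdp.split(/\r?\n/)) {
    if (!line.startsWith("a=candidate:")) continue;
    const f = line.slice("a=candidate:".length).trim().split(/\s+/);
    if (f.length < 8 || f[6] !== "typ") continue; // malformed line, skip it
    const c = {
      foundation: f[0], component: Number(f[1]), transport: f[2].toLowerCase(),
      priority: Number(f[3]), address: f[4], port: Number(f[5]), type: f[7], ext: {},
    };
    for (let i = 8; i + 1 < f.length; i += 2) c.ext[f[i]] = f[i + 1];
    out.push(c);
  }
  return out;
}

// Summarise what a firewall has to pass for these candidates to be usable.
function firewallSummary(cands) {
  const types = [...new Set(cands.map((c) => c.type))].sort();
  const udpPorts = [...new Set(cands.filter((c) => c.transport === "udp").map((c) => c.port))];
  return {
    types,
    udpPorts,
    hasRelay: types.includes("relay"), // false: this SDP offers no relayed path
    hasTcp: cands.some((c) => c.transport === "tcp"), // false: UDP only
    ianaDynamic: udpPorts.every((p) => p >= 49152), // IANA dynamic range 49152-65535
  };
}

console.log(firewallSummary(parseCandidates(SAMPLE_SDP)));
```

For this log the summary shows only `host` and `srflx` candidates on a single dynamic UDP port, with no relay or TCP candidate, which matches the employee's statement earlier in the thread that remote access uses outbound UDP on dynamic ports.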

New Member
Posts: 3
Registered: ‎05-10-2017

Re: List of ALL outbound ports needed by a Cloud Key?

Also, here are my port forward rules and the error message. Any help is greatly appreciated. I'm going on three weeks of free time rebuilding my network with Untangle and new equipment and this is driving me mad. I need to move on to learning and implementing something other than a plug-n-play device that takes this much configuration.

 

[Attachments: VagueControllerError.PNG, Port forward rules.png]

New Member
Posts: 3
Registered: ‎05-16-2017
Kudos: 1

Re: List of ALL outbound ports needed by a Cloud Key?

I was having the same issue even after adding the suggested ports. I decided to add TCP 443 as well and then it suddenly started working. Maybe communications are now using HTTPS and this list hasn't been updated?

New Member
Posts: 3
Registered: ‎05-10-2017

Re: List of ALL outbound ports needed by a Cloud Key?

Thank you, thank you, thank you!

 

I turned off all port forwarding and bypass ports previously mentioned in this forum post and only bypass 443 now and everything works perfectly!

 

I'll definitely update Ubiquiti support with this information. Currently they are passing out bad info.

New Member
Posts: 3
Registered: ‎06-02-2016

Re: List of ALL outbound ports needed by a Cloud Key?

Hi, I'm new to this site and have read through the thread. I have installed a new system in a primary school run by the local authority. They control the router on site and all the firewalls between there and the central data centre. I need to tell them which ports I need access to in order for CK to work. Again, as above, I can see my site at unifi.ubnt.com but when I try to connect it comes up with the unknown error message. So from what I can see above, all I need to do is get the local authority to open up port 443 inbound?

 

Thanks


Raz

New Member
Posts: 3
Registered: ‎05-16-2017
Kudos: 1

Re: List of ALL outbound ports needed by a Cloud Key?

[ Edited ]

Hi Razt,

 

So for my working setup, (with cloud access enabled) the firewall is configured to allow the IP address of my CK to access the following ports OUTBOUND:

 

Port 53 UDP (DNS)

Port 80 TCP (HTTP)

Port 3478 UDP

Port 8543 TCP

Port 11143 TCP

Port 443 TCP (HTTPS)

 

Before I added port 443, I wasn't able to enable cloud access in the controller (unknown error) and I could see the CK in the ubnt web console, but it appeared offline/couldn't launch. When I added 443, it started working.

 

Hope that helps.

New Member
Posts: 3
Registered: ‎06-02-2016

Re: List of ALL outbound ports needed by a Cloud Key?

Hi Armshousegroup,

 

Thanks for the reply, it's a little different in my case in that I can see the CK and it is showing as online, however it fails to launch. I'm pretty sure that 443 is open outbound, but I'm guessing that an inbound port does need to be open too?

 

Thanks
Raz

New Member
Posts: 3
Registered: ‎05-16-2017
Kudos: 1

Re: List of ALL outbound ports needed by a Cloud Key?

I'm not sure Razt, those are the only ones I opened specifically.

If you've been doing a bit of experimenting and changing of settings, you can try giving your browser cache a clear to get rid of any old session data, cookies etc. (Sorry if that's obvious or you've tried already).
New Member
Posts: 3
Registered: ‎06-02-2016

Re: List of ALL outbound ports needed by a Cloud Key?

Hey no worries, thanks for the tips tho!
