Reply
Highlighted
New Member
Posts: 39
Registered: ‎12-05-2016
Kudos: 3
Solutions: 4

Upgrading not working, unless...

Hi.

 

So I've run into a upgrade problem on some unifi devices, sitting behind a NGFW(Next generation firewall) which has a https proxy that scans. amongst other things, HTTPS-traffic. All of a sudden upgrading the unifi devices is an issue.

 

I went through the Firewall logs and saw some traffic to the off site Unifi Controller on port 8080(duh), but also traffic to 52.85.253.51 on port 443. nslookups thats a IP at cloudfront.

 

I went ahead whitelisting the unificontroller wanip, that did not help on upgrading the AP's. Then I went whitelisting 52.85.253.51 and the AP's is upgrading just fine.

 

Do you guys know, if there is a FQDN i can whitelist instead? dl.ubnt.com did not help, nut it did show a single time in the logs, never to be seen again Man Happy

Emerging Member
Posts: 61
Registered: ‎01-05-2018
Kudos: 19
Solutions: 4

Re: Upgrading not working, unless...

I've had a similar issue with NTP and Lightspeed on our school network. Our Apple devices would never get NTP from time.apple.com and our UAPs wouldn't get NTP on boot. Ended up getting a list of IPs that Apple uses for NTP and having to approve IPs instead of FQDNs in the filter and then I changed my UniFi controller to just use several of the approved IPs for NTP.

 

Someone from UBNT will have to comment as to whether that update IP is static or not for this. You might also consider putting your UBNT devices into a specific VLAN, or address range and excuse those devices from SSL inspection. I've had to do that for certain devices, or even certain domains from certain devices (some Android devices will always think they have no internet connection on wifi if I don't give *.google.com a SSL scan exception from that domain. Which sucks, because I then lose the ability to see search queries from those devices).

New Member
Posts: 39
Registered: ‎12-05-2016
Kudos: 3
Solutions: 4

Re: Upgrading not working, unless...

Thanks for the input.

 

I guess I will have to write directly to UBNT support then Man Happy

Reply