How to let the EWC be able to view and access the b@AP in the remote site for future configurations?

Currently we have remote deployments of AP3825i for our remote offices. One of our requirements is to let the EWC configure the b@AP in the remote sites in the future, so that we can see the availability of the APs. As of now we are able to access the EWC remotely through port forwarding, but on the controller side it couldn't detect the remote AP. Please see the attached diagram for reference.

Is there anything we need to do in the controller for us to be able to access the remote APs? We need to do this because we have remote offices that are too far away for routine visits.

Carlo Alviar

Posted 2 years ago

Vellachery, Sumeesh, Employee

Carlo,

Could you please open the ports referred to in the KB article below and check if it helps.

https://gtacknowledge.extremenetworks.com/articles/Q_A/What-are-the-tcp-udp-ports-used-between-Ident...
Pala, Zdenek, Employee

In general the AP must be able to reach the EWC. You need to "tell" the AP where the EWC is, either through DNS, through DHCP or statically.

Once the AP reaches the EWC, the tunnel is established and you can reconfigure and monitor the AP from the controller.

For your deployment you can consider use of the secure tunnel, i.e. the communication between AP and EWC is encrypted by IPsec.
Pala, Zdenek, Employee

For troubleshooting you can SSH to the AP and check the log /tmp/log/ap.log. You should see there the attempts to connect, authentication...
Gareth Mitchell, Extreme Escalation Support Engineer

Carlo,

The controller needs to have a public IP itself; please take a look at this article: https://gtacknowledge.extremenetworks.com/articles/Q_A/Access-points-in-a-NAT-configuration

-Gareth
Joseph Burnsworth

I do many of these. The way that I deploy this scenario: in the same NAT policy as you have for the remote management, also allow UDP 500 and UDP 4500. Set the AP to encrypt all traffic between AP and controller. Set the authip manually unless you have an outside "A" record for Controller.example.com, and set the MTU to 1400.

cset authipaddr 1 <controller public ip>

cset staticMTU 1400

cset

csave

Reboot the AP and it will associate, pull its firmware and settings, then broadcast. It will act like it is local as far as connected clients, stats, channel reports, everything.

If you run into any issues with this, please let us know and we will help with what you need :)
Joseph Burnsworth

Sure, I can help with anything you need. So have you set the Controller Public IP statically in the AP or are you running a DNS "A" record for it?
Joseph Burnsworth

Also, what firewall and version of code are you running at HQ?
Carlo Alviar

We have already placed the public IP in the APs.

We are currently using two firewalls in the Head Office:
a WatchGuard with Layer 7 classification, and pfSense.

We would give you more details later.
Joseph Burnsworth

Do you have your NAT policies and ACLs in place to let the APs tunnel through the firewalls?
Carlo Alviar

Hi Joseph,

I need to enable the "allow all traffic between AP and controller" setting first. That's the part of the steps I haven't done in the remote AP. If I configure the APs to allow the said traffic and change the UDP setting of the firewall, would I then be able to see the remote APs in the controller?
Ronald Dvorak, Embassador

What isn't clear to me in the diagram is the Mgmt IP: which port is that on the controller?
APs are not able to connect to the Admin/Mgmt port; that port is only for accessing the controller GUI.

If you use ESA0 to register the APs, could you check whether "AP registration" on the interface is enabled (i.e. the checkmark is set)?

-Ron
Carlo Alviar

Hi Ron,

So we need to NAT the IP of esa0 to the public IP to be able to gain access to the remote APs? I already checked the interfaces, and "AP Registration" is checked.
Joseph Burnsworth

Yes, you will need a NAT for ESA0 to the public IP on your firewall allowing UDP 500 and UDP 4500.

Please be sure to change the setting on the AP to encrypt all traffic between AP and controller.
Carlo Alviar

Hi Joseph,

Is there a CLI command we could use to enable "encrypt all traffic between AP and controller"? We are going to change the settings of the APs remotely without using the controller.
Joseph Burnsworth

Yes,

The commands are

cset secureTunnel enable        (secureTunnel is case sensitive)

capply

csave
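The checklist the thread assembles (controller on a public IP, NAT of ESA0 on UDP 500/4500, authipaddr pointing at that public IP, staticMTU 1400, the case-sensitive secureTunnel setting, AP registration on ESA0) as an added checker script; this is not Extreme Networks code or any poster's own, and it only parses the cset lines quoted above. The NAT rule format, the 203.0.113.10 controller address and the 10.0.0.5 ESA0 address are constructed for the example.

```python
import ipaddress
import re
IPSEC_UDP_PORTS = {500, 4500}  # IKE and NAT-T, the two UDP ports the thread says to forward
MAX_TUNNEL_MTU = 1400          # MTU value recommended in the thread for the IPsec tunnel
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CSET_RE = re.compile(r"^\s*cset\s+(\S+)\s+(.+?)\s*$")

def parse_ap_script(text):
    """Collect 'cset <key> <value>' lines; keys stay verbatim, the AP is case sensitive."""
    cfg = {"authipaddr": {}}
    for line in text.splitlines():
        m = CSET_RE.match(line)
        if not m:                        # capply / csave / blank lines carry no setting
            continue
        key, value = m.group(1), m.group(2)
        if key == "authipaddr":          # form: cset authipaddr <index> <ip>
            idx, addr = value.split()
            cfg["authipaddr"][int(idx)] = addr
        else:
            cfg[key] = value
    return cfg

def check_deployment(ap_script, controller_public_ip, esa0_ip, nat_rules,
                     ap_registration_on_esa0=True):
    """Return what still blocks AP registration; [] means every check in the thread passed."""
    cfg = parse_ap_script(ap_script)
    findings = []
    if any(ipaddress.ip_address(controller_public_ip) in n for n in RFC1918):
        findings.append("controller address is RFC 1918 private, not a public IP")
    if controller_public_ip not in cfg["authipaddr"].values():
        findings.append("no authipaddr entry points the AP at the controller public IP")
    if cfg.get("secureTunnel") != "enable":
        findings.append("secureTunnel is not enabled")
    for key in cfg:
        if key != "secureTunnel" and key.lower() == "securetunnel":
            findings.append(f"'{key}' is miscased; the AP expects 'secureTunnel'")
    mtu = cfg.get("staticMTU", "")
    if not mtu.isdigit() or int(mtu) > MAX_TUNNEL_MTU:
        findings.append(f"staticMTU missing or above {MAX_TUNNEL_MTU}")
    forwarded = {r["dport"] for r in nat_rules if r["proto"] == "udp"    # constructed rule format
                 and r["public_ip"] == controller_public_ip and r["target"] == esa0_ip}
    for port in sorted(IPSEC_UDP_PORTS - forwarded):
        findings.append(f"no NAT rule forwards UDP {port} to ESA0 ({esa0_ip})")
    if not ap_registration_on_esa0:
        findings.append("AP registration is not enabled on ESA0")
    return findings
# Constructed sample: the thread's AP commands with documentation-range (RFC 5737) addresses
SAMPLE_SCRIPT = "cset authipaddr 1 203.0.113.10\ncset staticMTU 1400\ncset secureTunnel enable\ncapply\ncsave\n"
SAMPLE_RULES = [{"proto": "udp", "public_ip": "203.0.113.10", "dport": p, "target": "10.0.0.5"}
                for p in (500, 4500)]
```

Running `check_deployment(SAMPLE_SCRIPT, "203.0.113.10", "10.0.0.5", SAMPLE_RULES)` returns an empty list; feeding it a script with `securetunnel` in lower case or a rule set missing UDP 4500 names exactly the item the thread says would keep the AP from registering.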
Ronald Dvorak, Embassador

Please also add the default route again; you wrote that you removed it...

https://community.extremenetworks.com/extreme/topics/how-to-let-the-ewc-be-able-to-view-and-access-t...