Ports to enable on your firewall

Mist Cloud

Hostnames differ per cloud instance; all of them are reached over TCP 443.

Global 01
  • Admin Portal: manage.mist.com/signin.html (TCP 443), api-ws.mist.com (TCP 443), api.mist.com (TCP 443)
  • API: api.mist.com (TCP 443)
  • Guest Wi-Fi Portal: portal.mist.com (TCP 443)

Global 02
  • Admin Portal: manage.gc1.mist.com (TCP 443), api-ws.gc1.mist.com (TCP 443), api.gc1.mist.com (TCP 443)
  • API: api.gc1.mist.com (TCP 443)
  • Guest Wi-Fi Portal: portal.gc1.mist.com (TCP 443)

Global 03
  • Admin Portal: manage.ac2.mist.com (TCP 443), api-ws.ac2.mist.com (TCP 443), api.ac2.mist.com (TCP 443)
  • API: api.ac2.mist.com (TCP 443)
  • Guest Wi-Fi Portal: portal.ac2.mist.com (TCP 443)

Webhooks source IP addresses for Global 01, Global 02 and Global 03:
  • 54.193.71.17
  • 54.215.237.20
  • 34.94.226.48/28 (34.94.226.48-34.94.226.63)
  • 34.231.34.177
  • 54.235.187.11
  • 18.233.33.230

Global 04
  • Admin Portal: manage.gc2.mist.com (TCP 443), api-ws.gc2.mist.com (TCP 443), api.gc2.mist.com (TCP 443)
  • API: api.gc2.mist.com (TCP 443)
  • Guest Wi-Fi Portal: portal.gc2.mist.com (TCP 443)

EMEA 01
  • Admin Portal: manage.eu.mist.com (TCP 443), api-ws.eu.mist.com (TCP 443)
  • API: api.eu.mist.com (TCP 443)
  • Guest Wi-Fi Portal: portal.eu.mist.com (TCP 443)

EMEA 02
  • Admin Portal: manage.gc3.mist.com (TCP 443), api-ws.gc3.mist.com (TCP 443), api.gc3.mist.com (TCP 443)
  • API: api.gc3.mist.com (TCP 443)
  • Guest Wi-Fi Portal: portal.gc3.mist.com (TCP 443)

EMEA 03
  • Admin Portal: manage.ac6.mist.com (TCP 443), api-ws.ac6.mist.com (TCP 443)
  • API: api.ac6.mist.com (TCP 443)
  • Guest Wi-Fi Portal: portal.ac6.mist.com (TCP 443)

APAC 01
  • Admin Portal: manage.ac5.mist.com (TCP 443), api-ws.ac5.mist.com (TCP 443), api.ac5.mist.com (TCP 443)
  • API: api.ac5.mist.com (TCP 443)
  • Guest Wi-Fi Portal: portal.ac5.mist.com (TCP 443)

Webhooks source IP addresses (static) for Global 04, EMEA 01, EMEA 02, EMEA 03 and APAC 01. Enable these source IP addresses on your firewall; they are used to send out the API stream (webhooks) from the Mist cloud. Please note that the source IPs for webhooks are static IP addresses.
  • 34.152.4.85
  • 35.203.21.42
  • 34.152.7.156
  • 3.122.172.223
  • 3.121.19.146
  • 3.120.167.1
  • 51.112.15.151
  • 51.112.76.109
  • 51.112.86.222
  • 54.206.226.168
  • 13.238.77.6
  • 54.79.134.226
  • 35.234.156.66

Device to Mist Cloud Communication


Global 01
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), portal.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), jma-terminator.mistsys.net (TCP 443), ztp.mist.com (TCP 443), oc-term.mistsys.net (TCP 2200), cdn.juniper.net (TCP 443)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.mist.com (TCP 443), oc-term.mistsys.net (TCP 2200), srx-log-terminator.mist.com (TCP 6514)
  • SSR: ep-terminator.mistsys.net (TCP 443), portal.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)

Global 02
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc1.mist.com (TCP 443), portal.gc1.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), jma-terminator.gc1.mist.com (TCP 443), ztp.gc1.mist.com (TCP 443), oc-term.gc1.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.gc1.mist.com (TCP 443), oc-term.gc1.mist.com (TCP 2200), srx-log-terminator.gc1.mist.com (TCP 6514)
  • SSR: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc1.mist.com (TCP 443), portal.gc1.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)

Global 03
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac2.mist.com (TCP 443), portal.ac2.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), jma-terminator.ac2.mist.com (TCP 443), ztp.ac2.mist.com (TCP 443), oc-term.ac2.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.ac2.mist.com (TCP 443), oc-term.ac2.mist.com (TCP 2200), srx-log-terminator.ac2.mist.com (TCP 6514)
  • SSR: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac2.mist.com (TCP 443), portal.ac2.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)

Global 04
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc2.mist.com (TCP 443), portal.gc2.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), jma-terminator.gc2.mist.com (TCP 443), ztp.gc2.mist.com (TCP 443), oc-term.gc2.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.gc2.mist.com (TCP 443), oc-term.gc2.mist.com (TCP 2200), srx-log-terminator.gc2.mist.com (TCP 6514)
  • SSR: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc2.mist.com (TCP 443), portal.gc2.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)

EMEA 01
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.eu.mist.com (TCP 443), portal.eu.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), jma-terminator.eu.mist.com (TCP 443), ztp.eu.mist.com (TCP 443), oc-term.eu.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.eu.mist.com (TCP 443), oc-term.eu.mist.com (TCP 2200), srx-log-terminator.eu.mist.com (TCP 6514)
  • SSR: ep-terminator.mistsys.net (TCP 443), ep-terminator.eu.mist.com (TCP 443), portal.eu.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)

EMEA 02
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc3.mist.com (TCP 443), portal.gc3.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), ztp.gc3.mist.com (TCP 443), oc-term.gc3.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.gc3.mist.com (TCP 443), oc-term.gc3.mist.com (TCP 2200), srx-log-terminator.gc3.mist.com (TCP 6514)
  • SSR: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc3.mist.com (TCP 443), portal.gc3.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)

EMEA 03
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac6.mist.com (TCP 443), portal.ac6.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), jma-terminator.ac6.mist.com (TCP 443), ztp.ac6.mist.com (TCP 443), oc-term.ac6.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.ac6.mist.com (TCP 443), oc-term.ac6.mist.com (TCP 2200), srx-log-terminator.ac6.mist.com (TCP 6514)
  • SSR: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac6.mist.com (TCP 443), portal.ac6.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)

APAC 01
  • Mist AP / Mist Edge: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac5.mist.com (TCP 443), portal.ac5.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EX Switch: redirect.juniper.net (TCP 443), jma-terminator.ac5.mist.com (TCP 443), ztp.ac5.mist.com (TCP 443), oc-term.ac5.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • SRX Gateway: redirect.juniper.net (TCP 443), ztp.ac5.mist.com (TCP 443), oc-term.ac5.mist.com (TCP 2200), srx-log-terminator.ac5.mist.com (TCP 6514)
  • SSR: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac5.mist.com (TCP 443), portal.ac5.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)

Please note that the IP addresses behind the terminator hostnames will change. Use FQDN-based firewall rules rather than IP-based ones.

Documentation Embedded URL

If opening a documentation page results in an authentication error, change the 'Admin portal' part of the URL so that it uses the API or UI hostname of your own cloud instance.

Example:
https://api.ac2.mist.com/api/v1/docs/Site?_ga=2.41192420.798341990.1655364635-1045699083.1655364635#insights

for Global 03, instead of

https://api.mist.com/api/v1/docs/Site?_ga=2.41192420.798341990.1655364635-1045699083.1655364635#insights

which is for Global 01.


Mist APs need the following ports to be enabled on your Internet Firewall to work properly:

  • 443/TCP to our cloud is required. It can optionally be tunneled in L2TP.
  • DNS (53/UDP) to lookup our cloud hostname is required, but it does not need to be a public DNS server.
  • DHCP (67&68/UDP) is required initially. After that you can configure a static IP if you would like.
  • NTP (123/UDP) is suggested so the AP can retrieve time, which may be required in some environments. The AP will by default attempt to receive NTP from pool.ntp.org. It can also receive time via DHCP option 42.

Everything else (443/UDP to the cloud, 80/TCP to the cloud) is optional. The AP does not require these to be enabled, but it helps when they are.

Proxy settings are supported: the AP uses the proxy setting when one is available, and otherwise still attempts a direct connection.

Some popular firewalls (for example Palo Alto Networks) might not be able to accept the recently increased number of DNS records (IP addresses) returned for the FQDN ep-terminator.mistsys.net. The AP's DNS server may then resolve addresses other than the ones the PAN has stored, so AP management traffic is dropped and APs disconnect at random.

Adding a line to the existing Mist rule on the PAN to "allow access to ep-terminator.mistsys.net based on the HTTP (L7) address being accessed, for SSL traffic based on the SSL SNI" helps to mitigate this.


Where do the APs need to reach?

ep-terminator.mistsys.net

The terminator is hosted on AWS, so we cannot guarantee that its IP addresses won't change. The name may resolve to something like

ep-terminator-production-839577302.us-west-1.elb.amazonaws.com.

but the addresses behind it change about once every 2 months, and sometimes more frequently.

Additional hosts to allow are

  • portal.mist.com for WiFi captive portal
  • manage.mist.com/signin.html for Admin UI access
  • api.mist.com for Admin API access
  • api-ws.mist.com for Admin websocket API access
  • support-portal.mist.com for Admin Support Portal access

THIS IS AS OF 8/1/2023 AND IS SUBJECT TO CHANGE. WE RECOMMEND YOU CHECK YOUR RELEASE NOTES OR THIS PAGE FOR UPDATES.

Besides the firewall, SSL certificate inspection also comes into play: an inspecting device will be detected as a "man-in-the-middle" attack.

The APs will initially need an IP address from DHCP. Once the APs are connected, the cloud pushes down the AP configuration (set through the UI or API), and the APs then switch (upon reboot) to static IP addresses if so configured.

Port needed for Access Assurance

Firewall rule: allow outbound connections to radsec.nac.mist.com over TCP port 2083.
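The per-instance hostname pattern in the device-to-cloud tables above, and the DNS-drift problem described for ep-terminator.mistsys.net on a PAN, can both be checked from a site with a small script. The following is an added example, not Juniper's own tooling: it expands the egress list for one device type and instance (applying the common pattern; check the table for instance-specific differences, for example the EMEA 02 EX Switch row lists no jma-terminator entry), resolves each FQDN, tests the TCP port, and reports which addresses a firewall's cached FQDN object has gone stale on. The resolver and connector are parameters so the logic can be exercised offline with fakes.

```python
# Added example (not Juniper tooling): expand one instance's device egress list
# from the tables above, resolve names, test ports, and flag firewall DNS drift.
import socket

# Region suffix per cloud instance; Global 01 terminators live under mistsys.net.
INSTANCE = {"Global 01": "mist.com", "Global 02": "gc1.mist.com",
            "Global 03": "ac2.mist.com", "Global 04": "gc2.mist.com",
            "EMEA 01": "eu.mist.com", "EMEA 02": "gc3.mist.com",
            "EMEA 03": "ac6.mist.com", "APAC 01": "ac5.mist.com"}
GLOBAL01_NAMES = {"ep-terminator.mist.com": "ep-terminator.mistsys.net",
                  "jma-terminator.mist.com": "jma-terminator.mistsys.net",
                  "oc-term.mist.com": "oc-term.mistsys.net"}
# Device-to-cloud endpoints from the page; "{r}" is the instance suffix.
ENDPOINTS = {
    "ap": [("ep-terminator.mistsys.net", 443), ("ep-terminator.{r}", 443),
           ("portal.{r}", 443), ("redirect.mist.com", 443)],
    "ex": [("redirect.juniper.net", 443), ("jma-terminator.{r}", 443),
           ("ztp.{r}", 443), ("oc-term.{r}", 2200), ("cdn.juniper.net", 443)],
    "srx": [("redirect.juniper.net", 443), ("ztp.{r}", 443),
            ("oc-term.{r}", 2200), ("srx-log-terminator.{r}", 6514)],
    "nac": [("radsec.nac.mist.com", 2083)],
}

def egress_list(device, instance):
    """Concrete (host, port) pairs for one device type, deduplicated, in table order."""
    seen = {}
    for host, port in ENDPOINTS[device]:
        host = host.format(r=INSTANCE[instance])
        if instance == "Global 01":
            host = GLOBAL01_NAMES.get(host, host)
        seen.setdefault((host, port), None)
    return list(seen)

def resolve_a(host, resolver=socket.getaddrinfo):
    """Sorted IPv4 addresses currently behind a name (resolver is injectable)."""
    return sorted({ai[4][0] for ai in resolver(host, None, socket.AF_INET)})

def tcp_open(host, port, timeout=3.0, connect=socket.create_connection):
    """True if a TCP handshake to host:port succeeds through the firewall."""
    try:
        with connect((host, port), timeout):
            return True
    except OSError:
        return False

def firewall_drift(cached, resolved):
    """Addresses a firewall's FQDN object still holds but DNS no longer returns
    ("stale"), and ones DNS returns that the object lacks ("missing", dropped)."""
    cached, resolved = set(cached), set(resolved)
    return {"stale": sorted(cached - resolved), "missing": sorted(resolved - cached)}
```

Run from the site itself, `for h, p in egress_list("ap", "Global 01"): print(h, p, resolve_a(h), tcp_open(h, p))` shows which required endpoints the firewall lets through; feeding the firewall's cached addresses for ep-terminator.mistsys.net and the current resolve_a result into firewall_drift shows the mismatch behind the random disconnects.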