Opening Firewall Ports for Device Communication

Classic Central can be accessed from the HPE GreenLake portal using the following URL Uniform Resource Locator. URL is a global address used for locating web resources on the Internet.:

https://common.cloud.hpe.com/

The URL redirects to https://auth.hpe.com/ to present the HPE GreenLake login page.

For more information about accessing the HPE GreenLake portal and adding the WebUI, see Creating a Classic Central Account.

Most of the communication between devices on the remote site and Classic Central server in the cloud is carried out through HTTPS Hypertext Transfer Protocol Secure. HTTPS is a variant of the HTTP that adds a layer of security on the data in transit through a secure socket layer or transport layer security protocol connection. (TCP Transmission Control Protocol. TCP is a communication protocol that defines the standards for establishing and maintaining network connection for applications to exchange data. 443). To allow devices to communicate over a network firewall Firewall is a network security system used for preventing unauthorized access to or from a private network., ensure that the following domain names and ports are open.

This section includes the following topics:

Domain Names for Streaming Telemetry
Domain Names for Device Communication with Classic Central
Domain Names for AOS-CX Device Communication with Classic Central
Domain Names for Device Communication with HPE Aruba Networking Activate
Cloud Guest Server Domains for Guest Access Service
Domain Names for OpenFlow
Domain Names for RCS
Other Domain Names

Domain Names for Streaming Telemetry

Domain names to be allow listed for streaming telemetry.

Table 1: Domain Names for Streaming Telemetry
Region	Domain Name	Protocol
US-1	app1.hybrid.central.arubanetworks.com	HTTPS TCP port 443
US-2	hc-prod2.central.arubanetworks.com	HTTPS TCP port 443
US West 4	uswest4-hc.central.arubanetworks.com	HTTPS TCP port 443
US West 5	uswest5-hc.central.arubanetworks.com	HTTPS TCP port 443
EU-1	central-eu-hc.central.arubanetworks.com	HTTPS TCP port 443
EU-2	eucentral2-hc.central.arubanetworks.com	HTTPS TCP port 443
EU-3	eucentral3-hc.central.arubanetworks.com	HTTPS TCP port 443
CA Certificate Authority or Certification Authority. Entity in a public key infrastructure system that issues certificates to clients. A certificate signing request received by the CA is converted into a certificate when the CA adds a signature generated with a private key. See digital certificate. Central	ca-hc.central.arubanetworks.com	HTTPS TCP port 443
CN Common Name. CN is the primary name used to identify a certificate. North	china-prod-hc.central.arubanetworks.com.cn	HTTPS TCP port 443
CN-2	china2-hc.central.arubanetworks.com.cn	HTTPS TCP port 443
AP South	apac-hc.central.arubanetworks.com	HTTPS TCP port 443
AP Northeast	apaceast-hc.central.arubanetworks.com	HTTPS TCP port 443
AP-SouthEast	apacsouth-hc.central.arubanetworks.com	HTTPS TCP port 443
UAE North	uaenorth1.central.arubanetworks.com	HTTPS TCP port 443

Domain Names for Device Communication with Classic Central

The Classic Central URLs mentioned the following table, and the HPE GreenLake portal URL mentioned in the beginning of this chapter are for region-wise administrator (or management) access to the Classic Central UI.
The URLs in the following table are not applicable to AOS-CX switches.

Table 2: Domain Names for Device Communication with Classic Central
Region	Classic Central URL	URL for Device Connectivity	Protocol	FQDNs for Overlay Route Orchestrator (ORO) and Overlay Tunnel Orchestrator (OTO) Services
US-1	app.central.arubanetworks.com	app1.central.arubanetworks.com	HTTPS TCP port 443	app1-h2.central.arubanetworks.com
US-2	app-prod2.central.arubanetworks.com	device-prod2.central.arubanetworks.com	HTTPS TCP port 443	device-prod2-h2.central.arubanetworks.com
US West 4	app-uswest4.central.arubanetworks.com	device-uswest4.central.arubanetworks.com	HTTPS TCP port 443	device-uswest4-h2.central.arubanetworks.com
US West 5	app-uswest5.central.arubanetworks.com	device-uswest5.central.arubanetworks.com	HTTPS TCP port 443	device-uswest5-h2.central.arubanetworks.com
EU-1	app2-eu.central.arubanetworks.com	device-eu.central.arubanetworks.com	HTTPS TCP port 443	device-eu-h2.central.arubanetworks.com
EU-2	app-eucentral2.central.arubanetworks.com	device-eucentral2.central.arubanetworks.com	HTTPS TCP port 443	device-eucentral2-h2.central.arubanetworks.com
EU-3	eucentral3.central.arubanetworks.com	device-eucentral3.central.arubanetworks.com	HTTPS TCP port 443	device-eucentral3-h2.central.arubanetworks.com
CA Central	app-ca.central.arubanetworks.com	device-ca.central.arubanetworks.com	HTTPS TCP port 443	device-ca-h2.central.arubanetworks.com
CN North	app.central.arubanetworks.com.cn	device.central.arubanetworks.com.cn	HTTPS TCP port 443	device-h2.central.arubanetworks.com.cn
CN-2	app-china2.central.arubanetworks.com.cn	device-china2.central.arubanetworks.com.cn	HTTPS TCP port 443	device-china2-h2.central.arubanetworks.com.cn
AP South	app2-ap.central.arubanetworks.com	app1-ap.central.arubanetworks.com	HTTPS TCP port 443	app1-ap-h2.central.arubanetworks.com
AP Northeast	app-apaceast.central.arubanetworks.com	device-apaceast.central.arubanetworks.com	HTTPS TCP port 443	device-apaceast-h2.central.arubanetworks.com
AP SouthEast	app-apacsouth.central.arubanetworks.com	device-apacsouth.central.arubanetworks.com	HTTPS TCP port 443	device-apacsouth-h2.central.arubanetworks.com
UAE North	app-uaenorth1.central.arubanetworks.com	device-uaenorth1.central.arubanetworks.com	HTTPS TCP port 443	device-uaenorth1-h2.central.arubanetworks.com

Domain Names for AOS-CX Device Communication with Classic Central

The Classic Central URLs mentioned the following table are applicable to AOS-CX switches only.

Table 3: Domain Names for AOS-CX Device Communication with Classic Central
Region	Classic Central URL	URL for Device Connectivity	Protocol
US-1	app.central.arubanetworks.com	device-prod-d2.central.arubanetworks.com	HTTPS TCP port 443
US-2	app-prod2.central.arubanetworks.com	device-central-prod2-d2.central.arubanetworks.com	HTTPS TCP port 443
US West 4	app-uswest4.central.arubanetworks.com	device-uswest4-d2.central.arubanetworks.com	HTTPS TCP port 443
US West 5	app-uswest5.central.arubanetworks.com	device-uswest5-d2.central.arubanetworks.com	HTTPS TCP port 443
EU-1	app2-eu.central.arubanetworks.com	device-eu-d2.central.arubanetworks.com	HTTPS TCP port 443
EU-2	app-eucentral2.central.arubanetworks.com	device-eucentral2-d2.central.arubanetworks.com	HTTPS TCP port 443
EU-3	app-eucentral3.central.arubanetworks.com	device-eucentral3-d2.central.arubanetworks.com	HTTPS TCP port 443
CA Central	app-ca.central.arubanetworks.com	device-ca.central.arubanetworks.com	HTTPS TCP port 443
CN North	app.central.arubanetworks.com.cn	device-china-prod-d2.central.arubanetworks.com.cn	HTTPS TCP port 443
CN-2	app-china2.central.arubanetworks.com.cn	device-china2-d2.central.arubanetworks.com.cn	HTTPS TCP port 443
AP South	app2-ap.central.arubanetworks.com	device-apac-d2.central.arubanetworks.com	HTTPS TCP port 443
AP Northeast	app-apaceast.central.arubanetworks.com	device-apaceast.central.arubanetworks.com	HTTPS TCP port 443
AP-SouthEast	app-apacsouth.central.arubanetworks.com	device-apacsouth.central.arubanetworks.com	HTTPS TCP port 443
UAE North	app-uaenorth1.central.arubanetworks.com	device-uaenorth1-d2.central.arubanetworks.com	HTTPS TCP port 443

Domain Names for Device Communication with HPE Aruba Networking Activate

Table 4: Domain Names for Device Communication with HPE Aruba Networking Activate
Domain Name	Protocol
device.arubanetworks.com	HTTPS TCP port 443
devices-v2.arubanetworks.com	HTTPS TCP port 443
est.arubanetworks.com *	HTTPS TCP port 443

* Required for HPE Aruba Networking 2530 switches to provision certificate using the EST server in activate.

The device.arubanetworks.com URL is not applicable for AOS-CX switches.

For the switches to establish connection with the Activate server, when a proxy server is configured on the network, the URLs in this table must be added to the list of allowed URLs on the proxy server.

Cloud Guest Server Domains for Guest Access Service

Table 5: Domain Names for Cloud Guest Server Access
Region	Domain Name	Protocol
US-1	naw2.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
US-1	naw2-elb.cloudguest.central.arubanetworks.com	TCP port 443
US-2	nae1.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
US-2	nae1-elb.cloudguest.central.arubanetworks.com	TCP port 443
US West 4	uswest4.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
US West 4	uswest4-elb.cloudguest.central.arubanetworks.com	TCP port 443
US West 5	naw2.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
US West 5	naw2-elb.cloudguest.central.arubanetworks.com	TCP port 443
EU-1	euw1.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
EU-1	euw1-elb.cloudguest.central.arubanetworks.com	TCP port 443
EU-2	euw2.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
EU-2	euw2-elb.cloudguest.central.arubanetworks.com	TCP port 443
EU-3	euw3.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
EU-3	euw3-elb.cloudguest.central.arubanetworks.com	TCP port 443
CA Central	ca.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
CA Central	ca-elb.cloudguest.central.arubanetworks.com	TCP port 443
CN North	cloudguest.central.arubanetworks.com.cn	TCP port 2083 TCP port 443
CN North	cloudguest-elb.central.arubanetworks.com.cn	TCP port 443
CN-2	naw2.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
CN-2	naw2-elb.cloudguest-elb.central.arubanetworks.com	TCP port 443
AP South	ap1.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
AP South	ap1-elb.cloudguest.central.arubanetworks.com	TCP port 443
AP NorthEast	apaceast.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
AP NorthEast	apaceast-elb.cloudguest.central.arubanetworks.com	TCP port 443
AP SouthEast	apacsouth.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
AP SouthEast	apacsouth-elb.cloudguest.central.arubanetworks.com	TCP port 443
UAE North	asw1.cloudguest.central.arubanetworks.com	TCP port 2083 TCP port 443
UAE North	asw1-elb.cloudguest.central.arubanetworks.com	TCP port 443

Domain Names for OpenFlow

Table 6: Domain Names for OpenFlow
Region	Domain Name
US-1	https://app2-ofc.central.arubanetworks.com
US-2	https://ofc-prod2.central.arubanetworks.com
US West	https://ofc-uswest4.central.arubanetworks.com
US West 5	https://ofc-uswest5.central.arubanetworks.com
EU-1	https://app2-eu-ofc.central.arubanetworks.com
EU-2	https://ofc-eucentral2.central.arubanetworks.com
EU-3	https://ofc-eucentral3.central.arubanetworks.com
CA Central	https://ofc-ca.central.arubanetworks.com
CN North	https://ofc.central.arubanetworks.com.cn
CN-2	https://ofc-china2.central.arubanetworks.com.cn
AP South	https://app2-ap-ofc.central.arubanetworks.com
APNorthEast	https://ofc-apaceast.central.arubanetworks.com
AP SouthEast	https://ofc-apacsouth.central.arubanetworks.com
UAE North	https://ofc-uaenorth1.central.arubanetworks.com

Domain Names for RCS

Table 7: Domain Names and URLs for RCS
Region	Domain Name	Protocol
US-1	rcs-ng-prod.central.arubanetworks.com	SSH Secure Shell. SSH is a network protocol that provides secure access to a remote device. port 443
US-1	rcs-ng-xp-prod.central.arubanetworks.com
US-2	rcs-ng-central-prod2.central.arubanetworks.com	SSH port 443
US-2	rcs-ng-xp-central-prod2.central.arubanetworks.com	SSH port 443
US West	rcs-ng-uswest4.central.arubanetworks.com	SSH port 443
US West	rcs-ng-xp-uswest4.central.arubanetworks.com	SSH port 443
US West 5	rcs-ng-uswest5.central.arubanetworks.com	SSH port 443
EU-1	rcs-ng-eu.central.arubanetworks.com	SSH port 443
EU-1	rcs-ng-xp-eu.central.arubanetworks.com	SSH port 443
EU-2	rcs-ng-eucentral2.central.arubanetworks.com	SSH port 443
EU-2	rcs-ng-xp-eucentral2.central.arubanetworks.com	SSH port 443
EU-3	rcs-ng-eucentral3.central.arubanetworks.com	SSH port 443
EU-3	rcs-ng-xp-eucentral3.central.arubanetworks.com	SSH port 443
CA Central	rcs-ng-starman.central.arubanetworks.com	SSH port 443
CA Central	rcs-ng-xp-starman.central.arubanetworks.com	SSH port 443
CN North	rcs-ng-china-prod.central.arubanetworks.com.cn	SSH port 443
CN-2	rcs-ng-china2.central.arubanetworks.com.cn	SSH port 443
AP South	rcs-ng-apac.central.arubanetworks.com	SSH port 443
AP South	rcs-ng-xp-apac.central.arubanetworks.com	SSH port 443
AP NorthEast	rcs-ng-apaceast.central.arubanetworks.com	SSH port 443
AP NorthEast	rcs-ng-xp-apaceast.central.arubanetworks.com	SSH port 443
AP SouthEast	rcs-ng-apacsouth.central.arubanetworks.com	SSH port 443
AP SouthEast	rcs-ng-xp-apacsouth.central.arubanetworks.com	SSH port 443
UAE North	rcs-ng-uaenorth1.central.arubanetworks.com	SSH port 443

Other Domain Names

Table 8: Other Domain Names
Domain Name	Protocol	Description
sso.arubanetworks.com	TCP port 443	Allows users to access their accounts on the internal server.
internal.central.arubanetworks.com internal2.central.arubanetworks.com	TCP port 443	Allows users to access the Classic Central Internal portal.
pool.ntp.org	UDP User Datagram Protocol. UDP is a part of the TCP/IP family of protocols used for data transfer. UDP is typically used for streaming media. UDP is a stateless protocol, which means it does not acknowledge that the packets being sent have been received. port 123	Allows the device to update the internal clock and configure time zone when a factory default device comes up. By default, the HPE Aruba Networking devices contact pool.ntp.org and use NTP Network Time Protocol. NTP is a protocol for synchronizing the clocks of computers over a network. to synchronize their system clocks.
activate.arubanetworks.com	TCP port 443	Allows the device to configure provisioning rules in Activate.
stun.pqm.arubanetworks.com	UDP or TCP port 3478 and 3479	Allows the device to discover public IP over the WAN Wide Area Network. WAN is a telecommunications network or computer network that extends over a large geographical distance. uplinks configured on devices.
pqm.arubanetworks.com	ICMP Internet Control Message Protocol. ICMP is an error reporting protocol. It is used by network devices such as routers, to send error messages and operational information to the source IP address when network problems prevent delivery of IP packets. or UDP port 4500	Allows the device to check the health of WAN uplinks configured on Branch Gateways.
h30326.www3.hpe.com	TCP port 80 and TCP port 443	Allows users to access the HPE Aruba Networking AOS-CX firmware and DRT Downloadable Regulatory Table. The DRT feature allows new regulatory approvals to be distributed for APs without a software upgrade or patch. updates.
common.cloud.hpe.com/ccssvc/ccs-system-firmware-registry	TCP port 80 and TCP port 443	Allows the device to access the CloudFront server for locating all device type software images.
d20kce0f6gvxjn.cloudfront.net	TCP port 443	CloudFront generates this URL pointing to Gateway IDS/IPS rulesets. The AOS gateways with the Security license entitlement and Gateway IDS/IPS enabled accesses this URL automatically at the configured time. For more information, see Updating Ruleset for IDPS.
cloud.arubanetworks.com	TCP port 80	Allows users to open the Classic Central evaluation sign-up page.
aruba.brightcloud.com	TCP port 443	Enables devices to access the Webroot Brightcloud server for application, application categories, and website content classification.
bcap15-dualstack.brightcloud.com	TCP port 443	Allows HPE Aruba Networking devices to look up the Webroot Brightcloud server for Website categories.
api-dualstack.bcti.brightcloud.com	TCP port 443	Allows HPE Aruba Networking devices to access the IP Reputation and IP Geolocation service on the Webroot Brightcloud server.
database-dualstack.brightcloud.com	TCP port 443	Allows HPE Aruba Networking devices to download the website classification database from the Webroot Brightcloud server.
api.bcti.brightcloud.com	TCP port 443	Enables HPE Aruba Networking devices to access the Webroot Brightcloud server for application, application categories, and website content classification.

When configuring ACLs Access Control List. ACL is a common way of restricting certain types of traffic on a physical port. to allow traffic over a network firewall, use the domain names instead of the IP addresses. For more information on ACLs, see Firewall Policies and ACLs.
For Branch Gateways to set up IPsec Internet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel with the VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. concentrators, the UDP 4500 port must be open.