Network Services Best Practices

This table provides recommendations for network service configuration to support a WatchGuard Wi-Fi Cloud deployment in an enterprise environment.

Service

Recommended

Notes

DHCP

Use the current network DHCP servers.

 

DNS

Use the current network DNS services.

 

Proxy

Configure proxy bypass rules to allow AP to cloud management traffic.

All management traffic from the access points to Wi-Fi Cloud must be configured to bypass proxies while preventing unfiltered user access to the Internet.

You can use a WatchGuard Firebox to configure policies for Wi-Fi Cloud traffic and bypass proxies. Predefined policies are available for this purpose. The Firebox configuration file includes the predefined WG-Cloud-Managed-WiFi packet filter policy that you can add to the configuration to enable traffic over the ports required for WatchGuard Wi-Fi Cloud domains.

Firewall

You must allow this traffic on your firewall:

  • Port 3851 (UDP) outbound
  • Port 3852 (UDP) outbound for APs configured in CIP mode
  • Port 80 (TCP) outbound / stateful inbound
  • Port 443 (TCP) outbound / stateful inbound

These are the required ports for WatchGuard APs to communicate with WatchGuard Wi-Fi Cloud at these domains:

*.cloudwifi.com

redirector.online.spectraguard.net

 

NAT

Use the current network NAT solution.

Consider enabling NAT on the AP for small remote sites.

Traffic Shaping and QoS

Apply traffic shaping and QoS to traffic inbound from Internet.

 

Content Filtering

Use the current network content filter solution.

Consider content filtering on the AP for small remote sites.

 

RADIUS

Use the current network RADIUS solution.