Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Juniper Mist Firewall Ports and IP Addresses for Firewall Configuration

To ensure connectivity and proper operations of Juniper Mist™, configure your firewall to open the required firewall ports and allow traffic to/from the Juniper Mist IP addresses for your region.

How To Use This Information

  • Within this document, refer to the appropriate table for your regional cloud instance (such as Global 01, Global 02, and so on). For help identifying your cloud instance, see Juniper Mist Clouds.

  • Cloud Services—The tables identify the IP addresses and ports to allow for various cloud services, as listed.

    • Admin Portal

    • API

      Guest Wi-Fi Portal

    • Webhooks Source IP Addresses

  • Device Types—The tables identify the IP addresses and ports to allow for various Juniper devices. You can ignore any device types that you don't have in your organization.

    • Juniper Mist Access Points and Juniper Mist Edge

    • EX Series Switches

    • SRX Series Firewalls

    • SSR Series Routers

    Note:

    For terminators in the tables, use FQDN-based firewall rules. Their IP addresses will change.

  • Additional Information—Also allow the ports and IP addresses in the Additional Information section.

  • You need to provide unrestricted access to debian and mistsys repo in the environments where you create the Mist Edge VM for initial bring up. Also, ensure that the Firewall has Port-80 and Port-443 open.

Global 01

Table 1: Global 01 IP Addresses and Ports to Allow
Cloud Service or Device Type IP Addresses and Ports
Admin Portal

manage.mist.com/signin.html (TCP 443)

api-ws.mist.com (TCP 443)

api.mist.com (TCP 443)

API api.mist.com (TCP 443)
Guest Wi-Fi Portal portal.mist.com (TCP 443)
Webhooks Source IP Addresses (static IP addresses)

54.193.71.17

54.215.237.20

Juniper Mist Support support-portal.mist.com
Juniper Mist Access Points and Juniper Mist Edge

ep-terminator.mistsys.net (TCP 443)

portal.mist.com (TCP 443)

redirect.mist.com (TCP 443)

EX Series Switches

redirect.juniper.net (TCP 443)

jma-terminator.mistsys.net (TCP 443)

ztp.mist.com (TCP 443)

oc-term.mistsys.net (TCP 2200)

SRX Series Firewalls

redirect.juniper.net (TCP 443)

ztp.mist.com (TCP 443)

oc-term.mistsys.net (TCP 2200)

srx-log-terminator.mist.com (TCP 6514)

SSR Series Routers

ep-terminator.mistsys.net (TCP 443)

portal.mist.com (TCP 443)

redirect.mist.com (TCP 443)

software.128technology.com (TCP 443)

rp.cloud.threatseeker.com (TCP 443)

Global 02

Table 2: Global 02 IP Addresses and Ports to Allow
Cloud Service or Device IP Addresses and Ports
Admin Portal

manage.gc1.mist.com (TCP 443)

api-ws.gc1.mist.com (TCP 443)

api.gc1.mist.com(TCP 443)

API api.gc1.mist.com (TCP 443)
Guest Wi-Fi Portal portal.gc1.mist.com (TCP 443)
Webhooks Source IP Addresses (static IP addresses)

34.94.226.48/28

(34.94.226.48-34.94.226.63)

Juniper Mist Support support-portal.mist.com
Juniper Mist Access Points and Juniper Mist Edge

ep-terminator.mistsys.net (TCP 443)

ep-terminator.gc1.mist.com (TCP 443)

portal.gc1.mist.com (TCP 443)

redirect.mist.com (TCP 443)

EX Series Switches

redirect.juniper.net (TCP 443)

jma-terminator.gc1.mist.com (TCP 443)

ztp.gc1.mist.com (TCP 443)

oc-term.gc1.mist.com (TCP 2200)

cdn.juniper.net (TCP 443)

SRX Series Firewalls

redirect.juniper.net (TCP 443)

ztp.gc1.mist.com (TCP 443)

oc-term.gc1.mist.com (TCP 2200)

srx-log-terminator.gc1.mist.com (TCP 6514)

SSR Series Routers

ep-terminator.mistsys.net (TCP 443)

ep-terminator.gc1.mist.com (TCP 443)

portal.gc1.mist.com (TCP 443)

redirect.mist.com (TCP 443)

software.128technology.com (TCP 443)

rp.cloud.threatseeker.com (TCP 443)

Global 03

Table 3: Global 03 IP Addresses and Ports to Allow
Cloud Service or Device IP Addresses and Ports
Admin Portal

manage.ac2.mist.com (TCP 443)

api-ws.ac2.mist.com (TCP 443)

api.ac2.mist.com(TCP 443)

API api.ac2.mist.com (TCP 443)
Guest Wi-Fi Portal portal.ac2.mist.com (TCP 443)
Webhooks Source IP Addresses (static IP addresses)

34.231.34.177

54.235.187.11

18.233.33.230

Juniper Mist Support support-portal.mist.com
Juniper Mist Access Points and Juniper Mist Edge

ep-terminator.mistsys.net (TCP 443)

ep-terminator.ac2.mist.com (TCP 443)

portal.ac2.mist.com (TCP 443)

redirect.mist.com (TCP 443)

EX Series Switches

redirect.juniper.net (TCP 443)

jma-terminator.ac2.mist.com (TCP 443)

ztp.ac2.mist.com (TCP 443)

oc-term.ac2.mist.com (TCP 2200)

cdn.juniper.net (TCP 443)

SRX Series Firewalls

redirect.juniper.net (TCP 443)

ztp.ac2.mist.com (TCP 443)

oc-term.ac2.mist.com (TCP 2200)

srx-log-terminator.ac2.mist.com (TCP 6514)

SSR Series Routers

ep-terminator.mistsys.net (TCP 443)

ep-terminator.ac2.mist.com (TCP 443)

portal.ac2.mist.com (TCP 443)

redirect.mist.com (TCP 443)

software.128technology.com (TCP 443)

rp.cloud.threatseeker.com (TCP 443)

Global 04

Table 4: Global 04 IP Addresses and Ports to Allow
Cloud Service or Device IP Addresses and Ports
Admin Portal

manage.gc2.mist.com (TCP 443)

api-ws.gc2.mist.com (TCP 443)

api.gc2.mist.com (TCP 443)

API api.gc2.mist.com (TCP 443)
Guest Wi-Fi Portal portal.gc2.mist.com (TCP 443)
Webhooks Source IP Addresses (static IP addresses)

34.152.4.85

35.203.21.42

34.152.7.156

Juniper Mist Support support-portal.mist.com
Juniper Mist Access Points and Juniper Mist Edge

ep-terminator.mistsys.net (TCP 443)

ep-terminator.gc2.mist.com (TCP 443)

portal.gc2.mist.com (TCP443)

redirect.mist.com (TCP 443)

EX Series Switches

redirect.juniper.net (TCP 443)

jma-terminator.gc2.mist.com (TCP 443)

ztp.gc2.mist.com (TCP 443)

oc-term.gc2.mist.com (TCP 2200)

cdn.juniper.net (TCP 443)

SRX Series Firewalls

redirect.juniper.net (TCP 443)

ztp.gc2.mist.com (TCP 443)

oc-term.gc2.mist.com (TCP 2200)

srx-log-terminator.gc2.mist.com (TCP 6514)

SSR Series Routers

ep-terminator.mistsys.net (TCP 443)

ep-terminator.gc2.mist.com (TCP 443)

portal.gc2.mist.com (TCP443)

redirect.mist.com (TCP 443)

software.128technology.com (TCP 443)

rp.cloud.threatseeker.com (TCP 443)

EMEA 01

Table 5: EMEA 01 IP Addresses and Ports to Allow
Cloud Service or Device IP Addresses and Ports
Admin Portal

manage.eu.mist.com (TCP 443)

api-ws.eu.mist.com (TCP 443)

API api.eu.mist.com (TCP 443)
Guest Wi-Fi Portal portal.eu.mist.com (TCP 443)
Webhooks Source IP Addresses (static IP addresses)

3.122.172.223

3.121.19.146

3.120.167.1

Juniper Mist Support support-portal.mist.com
Juniper Mist Access Points and Juniper Mist Edge

ep-terminator.mistsys.net (TCP 443)

ep-terminator.eu.mist.com (TCP 443)

portal.eu.mist.com (TCP 443)

redirect.mist.com (TCP 443)

EX Series Switches

redirect.juniper.net (TCP 443)

jma-terminator.eu.mist.com (TCP 443)

ztp.eu.mist.com (TCP 443)

oc-term.eu.mist.com (TCP 2200)

cdn.juniper.net (TCP 443)

SRX Series Firewalls

redirect.juniper.net (TCP 443)

ztp.eu.mist.com (TCP 443)

oc-term.eu.mist.com (TCP 2200)

srx-log-terminator.eu.mist.com (TCP 6514)

SSR Series Routers

ep-terminator.mistsys.net (TCP 443)

ep-terminator.eu.mist.com (TCP 443)

portal.eu.mist.com (TCP 443)

redirect.mist.com (TCP 443)

software.128technology.com (TCP 443)

rp.cloud.threatseeker.com (TCP 443)

EMEA 02

Table 6: EMEA 02 IP Addresses and Ports to Allow
Cloud Service or Device IP Addresses and Ports
Admin Portal

manage.gc3.mist.com (TCP 443)

api-ws.gc3.mist.com (TCP 443)

API

api.gc3.mist.com (TCP 443)

Guest Wi-Fi Portal

portal.gc3.mist.com (TCP 443)

Webhooks Source IP Addresses (static IP addresses)

35.234.156.66

Juniper Mist Support support-portal.mist.com
Juniper Mist Access Points and Juniper Mist Edge

ep-terminator.mistsys.net (TCP 443)

ep-terminator.gc3.mist.com (TCP 443)

portal.gc3.mist.com (TCP 443)

redirect.mist.com (TCP 443)

EX Series Switches

redirect.juniper.net (TCP 443)

jma-terminator.gc3.mist.com (TCP 443)

ztp.gc3.mist.com (TCP 443)

oc-term.gc3.mist.com (TCP 2200)

cdn.juniper.net (TCP 443)

SRX Series Firewalls

redirect.juniper.net (TCP 443)

ztp.gc3.mist.com (TCP 443)

oc-term.gc3.mist.com (TCP 2200)

srx-log-terminator.gc3.mist.com (TCP 6514)

SSR Series Routers

ep-terminator.mistsys.net (TCP 443)

ep-terminator.gc3.mist.com (TCP 443)

portal.gc3.mist.com (TCP 443)

redirect.mist.com (TCP 443)

software.128technology.com (TCP 443)

rp.cloud.threatseeker.com (TCP 443)

EMEA 03

Table 7: EMEA 03 IP Addresses and Ports to Allow
Cloud Service or Device IP Addresses and Ports
Admin Portal

manage.ac6.mist.com (TCP 443)

api-ws.ac6.mist.com (TCP 443)

API

api.ac6.mist.com (TCP 443)

Guest Wi-Fi Portal

portal.ac6.mist.com (TCP 443)

Webhooks Source IP Addresses (static IP addresses)

51.112.15.151

51.112.76.109

51.112.86.222

Juniper Mist Support

support-portal.mist.com

Juniper Mist Access Points and Juniper Mist Edge

ep-terminator.mistsys.net (TCP 443)

ep-terminator.ac6.mist.com (TCP 443)

portal.ac6.mist.com (TCP 443)

redirect.mist.com (TCP 443)

EX Series Switches

redirect.juniper.net (TCP 443)

jma-terminator.ac6.mist.com (TCP 443)

ztp.ac6.mist.com (TCP 443)

oc-term.ac6.mist.com (TCP 2200)

cdn.juniper.net (TCP 443)

SRX Series Firewalls

redirect.juniper.net (TCP 443)

ztp.ac6.mist.com (TCP 443)

oc-term.ac6.mist.com (TCP 2200)

srx-log-terminator.ac6.mist.com (TCP 6514)

SSR Series Routers

ep-terminator.mistsys.net (TCP 443)

ep-terminator.ac6.mist.com (TCP 443)

portal.ac6.mist.com (TCP 443)

redirect.mist.com (TCP 443)

software.128technology.com (TCP 443)

rp.cloud.threatseeker.com (TCP 443)

APAC 01

Table 8: APAC 01 IP Addresses and Ports to Allow
Cloud Service or Device IP Addresses and Ports
Admin Portal

manage.ac5.mist.com (TCP 443)

api-ws.ac5.mist.com (TCP 443)

api.ac5.mist.com (TCP 443)

API api.ac5.mist.com (TCP 443)
Guest Wi-Fi Portal

portal.ac5.mist.com(TCP 443)

Webhooks Source IP Addresses (static IP addresses)

54.206.226.168

13.238.77.6

54.79.134.226

Juniper Mist Support support-portal.mist.com
Juniper Mist Access Points and Juniper Mist Edge

ep-terminator.mistsys.net (TCP 443)

ep-terminator.ac5.mist.com (TCP 443)

portal.ac5.mist.com (TCP 443)

redirect.mist.com (TCP 443)

EX Series Switches

redirect.juniper.net (TCP 443)

jma-terminator.ac5.mist.com (TCP 443)

ztp.ac5.mist.com (TCP 443)

oc-term.ac5.mist.com (TCP 2200)

cdn.juniper.net (TCP 443)

SRX Series Firewalls

redirect.juniper.net (TCP 443)

ztp.ac5.mist.com (TCP 443)

oc-term.ac5.mist.com (TCP 2200)

srx-log-terminator.ac5.mist.com (TCP 6514)

SSR Series Routers

ep-terminator.mistsys.net (TCP 443)

ep-terminator.ac5.mist.com (TCP 443)

portal.ac5.mist.com (TCP 443)

redirect.mist.com (TCP 443)

software.128technology.com (TCP 443)

rp.cloud.threatseeker.com (TCP 443)

Additional Information

Additional Hosts to Allow

  • portal.mist.com for WiFi captive portal
  • manage.mist.com/signin.html for Admin UI access
  • api.mist.com for Admin API access
  • api-ws.mist.com for Admin websocket API access
  • support-portal.mist.com for Admin Support Portal access

Additional Information for Access Points

  • APs require TCP port 443 to connect to the Juniper Mist cloud. Optionally, you can tunnel this traffic by using Layer 2 Tunneling Protocol (L2TP).
  • The Domain Name System (DNS) requires UDP port 53 to look up the cloud hostnames. However, the DNS does not need a public DNS server.
  • The Dynamic Host Control Protocol (DHCP) initially requires UDP ports 67 and 68. After initial device onboarding, you can configure static IP on the device if you prefer.
  • The Network Time Protocol (NTP) may require UDP port 123 in some environments. The AP will by default attempt to receive the time from pool.ntp.org. The AP can also receive time through DHCP option 42.
  • We also recommend opening UDP port 443 and TCP port 80.

  • The IP addresses change periodically and may resolve to something like this: ep-terminator-production-839577302.us-west-1.elb.amazonaws.com.

  • Proxy settings are supported and the proxy setting is used if available, but if not the AP will still try to connect.

Additional Information for Wired and WAN Assurance

For Wired and WAN Assurance, allow radsec.nac.mist.com (TCP 2083).

For Access Assurance for customers in the European Union (EU), allow radsec-eu.nac.mist.com(TCP 2083).

Note:

IP addresses for the terminators will change. Use FQDN-based firewall rules.