Juniper Mist Firewall Ports and IP Addresses for Firewall Configuration

SUMMARY: To ensure connectivity and proper operation of Juniper Mist™, configure your firewall to open the required ports and allow traffic to and from the Juniper Mist IP addresses for your region.

Note:

Juniper Mist ports and IP addresses vary by region. To find out which Juniper Mist region applies to your scenario, see Juniper Mist Cloud Instances.

Mist Cloud IP Addresses and Ports

Table 1: Mist Cloud IP Addresses and Ports
Service Type Global 01 Global 02 Global 03 Global 04 EMEA 01 EMEA 02 APAC 01
Admin Portal

  • Global 01: manage.mist.com/signin.html (TCP 443), api-ws.mist.com (TCP 443), api.mist.com (TCP 443)
  • Global 02: manage.gc1.mist.com (TCP 443), api-ws.gc1.mist.com (TCP 443), api.gc1.mist.com (TCP 443)
  • Global 03: manage.ac2.mist.com (TCP 443), api-ws.ac2.mist.com (TCP 443), api.ac2.mist.com (TCP 443)
  • Global 04: manage.gc2.mist.com (TCP 443), api-ws.gc2.mist.com (TCP 443), api.gc2.mist.com (TCP 443)
  • EMEA 01: manage.eu.mist.com (TCP 443), api-ws.eu.mist.com (TCP 443)
  • EMEA 02: manage.gc3.mist.com, api-ws.gc3.mist.com, api.gc3.mist.com (TCP 443)
  • APAC 01: manage.ac5.mist.com (TCP 443), api-ws.ac5.mist.com (TCP 443), api.ac5.mist.com (TCP 443)

API

  • Global 01: api.mist.com (TCP 443)
  • Global 02: api.gc1.mist.com (TCP 443)
  • Global 03: api.ac2.mist.com (TCP 443)
  • Global 04: api.gc2.mist.com (TCP 443)
  • EMEA 01: api.eu.mist.com (TCP 443)
  • EMEA 02: api.gc3.mist.com (TCP 443)
  • APAC 01: api.ac5.mist.com (TCP 443)

Guest Wi-Fi Portal

  • Global 01: portal.mist.com (TCP 443)
  • Global 02: portal.gc1.mist.com (TCP 443)
  • Global 03: portal.ac2.mist.com (TCP 443)
  • Global 04: portal.gc2.mist.com (TCP 443)
  • EMEA 01: portal.eu.mist.com (TCP 443)
  • EMEA 02: portal.gc3.mist.com (TCP 443)
  • APAC 01: portal.ac5.mist.com (TCP 443)

Webhooks Source IP Addresses (static IP addresses)

54.193.71.17

54.215.237.20

34.94.226.48/28

(34.94.226.48-34.94.226.63)

34.231.34.177

54.235.187.11

18.233.33.230

34.152.4.85

35.203.21.42

34.152.7.156

3.122.172.223

3.121.19.146

3.120.167.1

35.234.156.66

54.206.226.168

13.238.77.6

54.79.134.226

Juniper Mist Support

  • Global 01, Global 02, Global 03, Global 04, EMEA 01, EMEA 02, APAC 01: support-portal.mist.com
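A webhook receiver can enforce the static source addresses from the Webhooks row of Table 1 at the application layer as well as at the firewall. The following is an added example, not Juniper code; the function names are hypothetical, and the three allowlist entries are copied from the first entries of that row, so substitute the entries for your own region.

```python
import ipaddress

# First entries of the "Webhooks Source IP Addresses" row in Table 1.
# Keep only the entries that belong to your Juniper Mist region.
MIST_WEBHOOK_SOURCES = ["54.193.71.17", "54.215.237.20", "34.94.226.48/28"]


def build_allowlist(entries):
    """Parse single addresses (treated as /32) and CIDR blocks."""
    return [ipaddress.ip_network(e.strip(), strict=True) for e in entries]


def normalise_peer(peer):
    """Parse the peer address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d),
    which dual-stack listeners report for IPv4 clients."""
    addr = ipaddress.ip_address(peer.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_mist_webhook_source(peer, allowlist):
    """True only if the peer falls inside an allowlisted network.

    Pass the TCP peer address of the connection. A forwarded-for header is
    client-controlled unless it was set by a proxy you operate.
    Malformed input is rejected instead of raising.
    """
    try:
        addr = normalise_peer(peer)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in allowlist)


if __name__ == "__main__":
    allow = build_allowlist(MIST_WEBHOOK_SOURCES)
    # Constructed sample peers: inside the /28, just outside it, mapped, garbage.
    for peer in ["34.94.226.63", "34.94.226.64", "::ffff:54.193.71.17", "not-an-ip"]:
        print(peer, is_mist_webhook_source(peer, allow))
```

The /28 check confirms the range given in the table: 34.94.226.48 through 34.94.226.63 are accepted and 34.94.226.64 is not.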

Device-to-Cloud Addresses and Ports

Note:

IP addresses for the terminators will change. Use FQDN-based firewall rules.

Table 2: Device-to-Cloud IP Addresses and Ports
Device Type Global 01 Global 02 Global 03 Global 04 EMEA 01 EMEA 02 APAC 01

Juniper Mist Access Points and Juniper Mist Edge

  • Global 01: ep-terminator.mistsys.net (TCP 443), portal.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • Global 02: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc1.mist.com (TCP 443), portal.gc1.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • Global 03: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac2.mist.com (TCP 443), portal.ac2.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • Global 04: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc2.mist.com (TCP 443), portal.gc2.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EMEA 01: ep-terminator.mistsys.net (TCP 443), ep-terminator.eu.mist.com (TCP 443), portal.eu.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • EMEA 02: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc3.mist.com (TCP 443), portal.gc3.mist.com (TCP 443), redirect.mist.com (TCP 443)
  • APAC 01: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac5.mist.com (TCP 443), portal.ac5.mist.com (TCP 443), redirect.mist.com (TCP 443)

EX Series Switches

  • Global 01: redirect.juniper.net (TCP 443), jma-terminator.mistsys.net (TCP 443), ztp.mist.com (TCP 443), oc-term.mistsys.net (TCP 2200)
  • Global 02: redirect.juniper.net (TCP 443), jma-terminator.gc1.mistsys.net, ztp.gc1.mist.com (TCP 443), oc-term.gc1.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • Global 03: redirect.juniper.net (TCP 443), jma-terminator.ac2.mistsys.net, ztp.ac2.mist.com (TCP 443), oc-term.ac2.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • Global 04: redirect.juniper.net (TCP 443), jma-terminator.gc2.mistsys.net, ztp.gc2.mist.com (TCP 443), oc-term.gc2.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • EMEA 01: redirect.juniper.net (TCP 443), jma-terminator.eu.mistsys.net, ztp.eu.mist.com (TCP 443), oc-term.eu.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • EMEA 02: redirect.juniper.net (TCP 443), ztp.gc3.mist.com (TCP 443), oc-term.gc3.mist.com (TCP 2200), cdn.juniper.net (TCP 443)
  • APAC 01: redirect.juniper.net (TCP 443), jma-terminator.ac5.mistsys.net, ztp.ac5.mist.com (TCP 443), oc-term.ac5.mist.com (TCP 2200), cdn.juniper.net (TCP 443)

SRX Series Firewalls

  • Global 01: redirect.juniper.net (TCP 443), ztp.mist.com (TCP 443), oc-term.mistsys.net (TCP 2200), srx-log-terminator.mist.com (TCP 6514)
  • Global 02: redirect.juniper.net (TCP 443), ztp.gc1.mist.com (TCP 443), oc-term.gc1.mist.com (TCP 2200), srx-log-terminator.gc1.mist.com (TCP 6514)
  • Global 03: redirect.juniper.net (TCP 443), ztp.ac2.mist.com (TCP 443), oc-term.ac2.mist.com (TCP 2200), srx-log-terminator.ac2.mist.com (TCP 6514)
  • Global 04: redirect.juniper.net (TCP 443), ztp.gc2.mist.com (TCP 443), oc-term.gc2.mist.com (TCP 2200), srx-log-terminator.gc2.mist.com (TCP 6514)
  • EMEA 01: redirect.juniper.net (TCP 443), ztp.eu.mist.com (TCP 443), oc-term.eu.mist.com (TCP 2200), srx-log-terminator.eu.mist.com (TCP 6514)
  • EMEA 02: redirect.juniper.net (TCP 443), ztp.gc3.mist.com (TCP 443), oc-term.gc3.mist.com (TCP 2200), srx-log-terminator.gc3.mist.com (TCP 6514)
  • APAC 01: redirect.juniper.net (TCP 443), ztp.ac5.mist.com (TCP 443), oc-term.ac5.mist.com (TCP 2200), srx-log-terminator.ac5.mist.com (TCP 6514)

SSR Series Routers

  • Global 01: ep-terminator.mistsys.net (TCP 443), portal.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)
  • Global 02: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc1.mist.com (TCP 443), portal.gc1.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)
  • Global 03: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac2.mist.com (TCP 443), portal.ac2.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)
  • Global 04: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc2.mist.com (TCP 443), portal.gc2.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)
  • EMEA 01: ep-terminator.mistsys.net (TCP 443), ep-terminator.eu.mist.com (TCP 443), portal.eu.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)
  • EMEA 02: ep-terminator.mistsys.net (TCP 443), ep-terminator.gc3.mist.com (TCP 443), portal.gc3.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)
  • APAC 01: ep-terminator.mistsys.net (TCP 443), ep-terminator.ac5.mist.com (TCP 443), portal.ac5.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443)

Additional Information for Access Points

  • APs require TCP port 443 to connect to the Juniper Mist cloud. Optionally, you can tunnel this traffic by using Layer 2 Tunneling Protocol (L2TP).
  • The Domain Name System (DNS) requires UDP port 53 to look up the cloud hostnames. However, the DNS server does not need to be a public DNS server.
  • The Dynamic Host Configuration Protocol (DHCP) initially requires UDP ports 67 and 68. After initial device onboarding, you can configure a static IP address on the device if you prefer.
  • The Network Time Protocol (NTP) may require UDP port 123 in some environments. The AP will by default attempt to receive the time from pool.ntp.org. The AP can also receive time through DHCP option 42.
  • We also recommend opening UDP port 443 and TCP port 80.

  • The IP addresses change periodically, and the cloud hostnames may resolve to something like this: ep-terminator-production-839577302.us-west-1.elb.amazonaws.com.

  • Proxy settings are supported. The AP uses the proxy setting if one is available; if not, the AP still tries to connect.
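To confirm that a firewall change actually opened the AP path, the check below parses entries in the "host (TCP port)" form used in the tables and separates a DNS failure (UDP 53) from a blocked TCP port. It is an added example, not Juniper tooling; the function names and the injectable `resolve`/`connect` parameters are hypothetical, and the sample cells are copied from the tables above.

```python
import re
import socket

# Cells copied from Table 2 (Access Points row, first entries) and Table 1;
# replace them with the hostnames listed for your own region.
CELLS = [
    "ep-terminator.mistsys.net (TCP 443)",
    "portal.mist.com (TCP 443)",
    "redirect.mist.com (TCP 443)",
    "manage.mist.com/signin.html (TCP 443)",
]

# Hostname, optional URL path, then "(TCP <port>)" with optional spacing.
CELL_RE = re.compile(r"^\s*([A-Za-z0-9.-]+)(?:/\S*)?\s*\(TCP\s*(\d+)\)\s*$")


def parse_cell(cell):
    """Turn 'host[/path] (TCP port)' into (host, port); reject cells with no port."""
    m = CELL_RE.match(cell)
    if m is None:
        raise ValueError(f"no hostname/port in {cell!r}")
    return m.group(1).lower(), int(m.group(2))


def probe(endpoints, resolve=socket.getaddrinfo,
          connect=socket.create_connection, timeout=5.0):
    """Classify each (host, port) as 'ok', 'dns-failed' or 'tcp-blocked'.

    resolve/connect are injectable (hypothetical parameters of this example)
    so the logic can be exercised without network access.
    """
    results = {}
    for host, port in endpoints:
        try:
            resolve(host, port, type=socket.SOCK_STREAM)
        except OSError:  # socket.gaierror is an OSError: DNS (UDP 53) problem
            results[(host, port)] = "dns-failed"
            continue
        try:
            connect((host, port), timeout=timeout).close()
            results[(host, port)] = "ok"
        except OSError:  # refused, reset or timed out: TCP path is not open
            results[(host, port)] = "tcp-blocked"
    return results


if __name__ == "__main__":
    for (host, port), status in probe([parse_cell(c) for c in CELLS]).items():
        print(f"{host}:{port} {status}")
```

Run it from a host on the same VLAN and behind the same firewall policy as the APs. Because it resolves names at run time, it keeps working when the terminator IP addresses change.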

Additional Hosts to Allow

  • portal.mist.com for Wi-Fi captive portal
  • manage.mist.com/signin.html for Admin UI access
  • api.mist.com for Admin API access
  • api-ws.mist.com for Admin websocket API access
  • support-portal.mist.com for Admin Support Portal access

Additional Information for Wired/WAN Assurance

This is the terminator needed for Wired/WAN Assurance: radsec.nac.mist.com (TCP 2083).

Note:

IP addresses for the terminators will change. Use FQDN-based firewall rules.