Juniper Mist Firewall Ports and IP Addresses for Firewall Configuration
To ensure connectivity and proper operations of Juniper Mist™, configure your firewall to open the required firewall ports and allow traffic to/from the Juniper Mist IP addresses for your region.
How To Use This Information
- Within this document, refer to the appropriate table for your regional cloud instance (such as Global 01, Global 02, and so on). For help identifying your cloud instance, see Juniper Mist Clouds.
- Cloud Services—The tables identify the IP addresses and ports to allow for various cloud services, as listed:
  - Admin Portal
  - API
  - Guest Wi-Fi Portal
  - Webhooks Source IP Addresses
- Device Types—The tables identify the IP addresses and ports to allow for various Juniper devices. You can ignore any device types that you don't have in your organization.
  - Juniper Mist Access Points and Juniper Mist Edge
  - EX Series Switches
  - SRX Series Firewalls
  - SSR Series Routers
  Note: For terminators in the tables, use FQDN-based firewall rules. Their IP addresses will change.
- Additional Information—Also allow the ports and IP addresses in the Additional Hosts to Allow section.
- In environments where you create the Mist Edge VM, provide unrestricted access to the Debian and mistsys repositories for initial bring-up. Also ensure that the firewall has ports 80 and 443 open.
- You must allow outbound DNS access to 8.8.8.8 and 1.1.1.1. These addresses are hard-coded into SSR Series routers. The router must make DNS requests to one of these addresses.
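One way to check an exported rule set against a table row and the FQDN note above, as an added example that is not Juniper's code: it parses the Global 01 EX Series Switches entries from this page and reports required hosts that have no FQDN rule, together with IP-literal rules on the same port that look like pinned substitutes. The rule tuple format, `SAMPLE_RULES`, and all function names are assumptions, and 203.0.113.10 is a documentation-range placeholder.

```python
import ipaddress
import re

# Entries from this page's Global 01 table, EX Series Switches row.
EX_GLOBAL_01 = (
    "redirect.juniper.net (TCP 443) jma-terminator.mistsys.net (TCP 443) "
    "ztp.mist.com (TCP 443) oc-term.mistsys.net (TCP 2200)"
)

# Constructed sample of exported allow rules: (destination, protocol, port).
# The rule format is an assumption; 203.0.113.10 is a documentation-range address.
SAMPLE_RULES = [
    ("redirect.juniper.net", "tcp", 443),
    ("jma-terminator.mistsys.net", "tcp", 443),
    ("ztp.mist.com", "tcp", 443),
    ("203.0.113.10", "tcp", 2200),
]

# host, optional URL path, then "(TCP 443)"; tolerates "host(TCP 443)" and "(TCP443)".
ENTRY = re.compile(r"([A-Za-z0-9.-]+)(?:/\S*)?\s*\((TCP|UDP)\s*(\d+)\)")


def parse_cell(cell):
    """Parse a table cell into a set of (host, protocol, port) requirements."""
    return {(h.lower(), p, int(n)) for h, p, n in ENTRY.findall(cell)}


def is_ip_literal(dest):
    """True when a rule destination is an IP address or CIDR block, not an FQDN."""
    try:
        ipaddress.ip_network(dest, strict=False)
        return True
    except ValueError:
        return False


def audit(required, rules):
    """Map each requirement lacking an FQDN rule to IP rules on the same proto/port."""
    fqdn_rules = {(d.lower(), p.upper(), n) for d, p, n in rules if not is_ip_literal(d)}
    ip_rules = [(d, p.upper(), n) for d, p, n in rules if is_ip_literal(d)]
    report = {}
    for host, proto, port in sorted(required - fqdn_rules):
        # An IP rule on the same protocol and port is likely a pinned copy of this
        # host and will stop matching when the terminator's address changes.
        report[(host, proto, port)] = [d for d, p, n in ip_rules if (p, n) == (proto, port)]
    return report


if __name__ == "__main__":
    for req, pinned in audit(parse_cell(EX_GLOBAL_01), SAMPLE_RULES).items():
        print("missing FQDN rule:", req, "| IP-pinned candidates:", pinned or "none")
```

An empty report means every entry in the row has a matching FQDN rule; a non-empty candidate list points at the IP rule to replace.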
Global 01
| Cloud Service or Device Type | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.mist.com/signin.html (TCP 443), api-ws.mist.com (TCP 443), api.mist.com (TCP 443) |
| API | api.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 54.193.71.17, 54.215.237.20 |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), portal.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.mistsys.net (TCP 443), ztp.mist.com (TCP 443), oc-term.mistsys.net (TCP 2200). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.mist.com (TCP 443), oc-term.mistsys.net (TCP 2200), srx-log-terminator.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), portal.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
Global 02
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.gc1.mist.com (TCP 443), api-ws.gc1.mist.com (TCP 443), api.gc1.mist.com (TCP 443) |
| API | api.gc1.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.gc1.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 34.94.226.48/28 (34.94.226.48 - 34.94.226.63) |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc1.mist.com (TCP 443), portal.gc1.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.gc1.mist.com (TCP 443), ztp.gc1.mist.com (TCP 443), oc-term.gc1.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.gc1.mist.com (TCP 443), oc-term.gc1.mist.com (TCP 2200), srx-log-terminator.gc1.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc1.mist.com (TCP 443), portal.gc1.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
Global 03
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.ac2.mist.com (TCP 443), api-ws.ac2.mist.com (TCP 443), api.ac2.mist.com (TCP 443) |
| API | api.ac2.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.ac2.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 34.231.34.177, 54.235.187.11, 18.233.33.230 |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.ac2.mist.com (TCP 443), portal.ac2.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.ac2.mist.com (TCP 443), ztp.ac2.mist.com (TCP 443), oc-term.ac2.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.ac2.mist.com (TCP 443), oc-term.ac2.mist.com (TCP 2200), srx-log-terminator.ac2.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.ac2.mist.com (TCP 443), portal.ac2.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
Global 04
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.gc2.mist.com (TCP 443), api-ws.gc2.mist.com (TCP 443), api.gc2.mist.com (TCP 443) |
| API | api.gc2.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.gc2.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 34.152.4.85, 35.203.21.42, 34.152.7.156 |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc2.mist.com (TCP 443), portal.gc2.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.gc2.mist.com (TCP 443), ztp.gc2.mist.com (TCP 443), oc-term.gc2.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.gc2.mist.com (TCP 443), oc-term.gc2.mist.com (TCP 2200), srx-log-terminator.gc2.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc2.mist.com (TCP 443), portal.gc2.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
Global 05
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.gc4.mist.com (TCP 443), api-ws.gc4.mist.com (TCP 443), api.gc4.mist.com (TCP 443) |
| API | api.gc4.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.gc4.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 35.192.224.0/29 (35.192.224.0 - 35.192.224.7) |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc4.mist.com (TCP 443), portal.gc4.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.gc4.mist.com (TCP 443), ztp.gc4.mist.com (TCP 443), oc-term.gc4.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.gc4.mist.com (TCP 443), oc-term.gc4.mist.com (TCP 2200), srx-log-terminator.gc4.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc4.mist.com (TCP 443), portal.gc4.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
EMEA 01
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.eu.mist.com (TCP 443), api-ws.eu.mist.com (TCP 443) |
| API | api.eu.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.eu.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 3.122.172.223, 3.121.19.146, 3.120.167.1 |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.eu.mist.com (TCP 443), portal.eu.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.eu.mist.com (TCP 443), ztp.eu.mist.com (TCP 443), oc-term.eu.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.eu.mist.com (TCP 443), oc-term.eu.mist.com (TCP 2200), srx-log-terminator.eu.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.eu.mist.com (TCP 443), portal.eu.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
EMEA 02
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.gc3.mist.com (TCP 443), api-ws.gc3.mist.com (TCP 443) |
| API | api.gc3.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.gc3.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 35.234.156.66 |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc3.mist.com (TCP 443), portal.gc3.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.gc3.mist.com (TCP 443), ztp.gc3.mist.com (TCP 443), oc-term.gc3.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.gc3.mist.com (TCP 443), oc-term.gc3.mist.com (TCP 2200), srx-log-terminator.gc3.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc3.mist.com (TCP 443), portal.gc3.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
EMEA 03
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.ac6.mist.com (TCP 443), api-ws.ac6.mist.com (TCP 443) |
| API | api.ac6.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.ac6.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 51.112.15.151, 51.112.76.109, 51.112.86.222 |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.ac6.mist.com (TCP 443), portal.ac6.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.ac6.mist.com (TCP 443), ztp.ac6.mist.com (TCP 443), oc-term.ac6.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.ac6.mist.com (TCP 443), oc-term.ac6.mist.com (TCP 2200), srx-log-terminator.ac6.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.ac6.mist.com (TCP 443), portal.ac6.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
EMEA 04
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.gc6.mist.com (TCP 443), api-ws.gc6.mist.com (TCP 443) |
| API | api.gc6.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.gc6.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 34.166.152.112/29 (34.166.152.112 - 34.166.152.119) |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc6.mist.com (TCP 443), portal.gc6.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.gc6.mist.com (TCP 443), ztp.gc6.mist.com (TCP 443), oc-term.gc6.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.gc6.mist.com (TCP 443), oc-term.gc6.mist.com (TCP 2200), srx-log-terminator.gc6.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc6.mist.com (TCP 443), portal.gc6.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
APAC 01
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.ac5.mist.com (TCP 443), api-ws.ac5.mist.com (TCP 443), api.ac5.mist.com (TCP 443) |
| API | api.ac5.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.ac5.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 54.206.226.168, 13.238.77.6, 54.79.134.226 |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.ac5.mist.com (TCP 443), portal.ac5.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.ac5.mist.com (TCP 443), ztp.ac5.mist.com (TCP 443), oc-term.ac5.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.ac5.mist.com (TCP 443), oc-term.ac5.mist.com (TCP 2200), srx-log-terminator.ac5.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.ac5.mist.com (TCP 443), portal.ac5.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
APAC 02
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.gc5.mist.com (TCP 443), api-ws.gc5.mist.com (TCP 443), api.gc5.mist.com (TCP 443) |
| API | api.gc5.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.gc5.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 34.47.180.168/29 (34.47.180.168 - 34.47.180.175) |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc5.mist.com (TCP 443), portal.gc5.mist.com (TCP 443), redirect.mist.com (TCP 443) |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.gc5.mist.com (TCP 443), ztp.gc5.mist.com (TCP 443), oc-term.gc5.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.gc5.mist.com (TCP 443), oc-term.gc5.mist.com (TCP 2200), srx-log-terminator.gc5.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc5.mist.com (TCP 443), portal.gc5.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
APAC 03
| Cloud Service or Device | IP Addresses and Ports |
|---|---|
| Admin Portal | manage.gc7.mist.com (TCP 443), api-ws.gc7.mist.com (TCP 443), api.gc7.mist.com (TCP 443) |
| API | api.gc7.mist.com (TCP 443) |
| Guest Wi-Fi Portal | portal.gc7.mist.com (TCP 443) |
| Webhooks Source IP Addresses (static IP addresses) | 34.104.128.8/29 (34.104.128.8 - 34.104.128.15) |
| Juniper Mist Support | support-portal.mist.com |
| Juniper Mist Access Points and Juniper Mist Edge | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc7.mist.com (TCP 443), portal.gc7.mist.com (TCP 443), redirect.mist.com (TCP 443). Note: For Mist Edges to function effectively on the APAC 03 cloud instance, a new version of the tunnel termination service is required. This version will be released at a later date. If you want to use Mist Edge with the tunnel service in this region, contact your account team for guidance. |
| EX Series Switches | redirect.juniper.net (TCP 443), jma-terminator.gc7.mist.com (TCP 443), ztp.gc7.mist.com (TCP 443), oc-term.gc7.mist.com (TCP 2200), cdn.juniper.net (TCP 443). Note: If you are using the Juniper CloudX architecture for your EX and QFX switches, also disable SSL decryption on the firewall. |
| SRX Series Firewalls | redirect.juniper.net (TCP 443), ztp.gc7.mist.com (TCP 443), oc-term.gc7.mist.com (TCP 2200), srx-log-terminator.gc7.mist.com (TCP 6514) |
| SSR Series Routers | ep-terminator.mistsys.net (TCP 443), ep-terminator.gc7.mist.com (TCP 443), portal.gc7.mist.com (TCP 443), redirect.mist.com (TCP 443), software.128technology.com (TCP 443), rp.cloud.threatseeker.com (TCP 443) |
Additional Hosts to Allow
- portal.mist.com for Wi-Fi captive portal
- manage.mist.com/signin.html for Admin UI access
- api.mist.com for Admin API access
- api-ws.mist.com for Admin WebSocket API access
- support-portal.mist.com for Admin Support Portal access
Additional Information for Access Points
- APs require TCP port 443 to connect to the Juniper Mist cloud. Optionally, you can tunnel this traffic by using Layer 2 Tunneling Protocol (L2TP).
- We also recommend opening UDP port 443 and TCP port 80. Port 443 is the primary communication channel for APs talking to the cloud (onboarding, telemetry, configuration). Port 80 is recommended as a backup.
- The Domain Name System (DNS) requires UDP port 53 to look up the cloud hostnames. However, DNS does not need a public DNS server.
- The Dynamic Host Configuration Protocol (DHCP) initially requires UDP ports 67 and 68. After initial device onboarding, you can configure a static IP address on the device if you prefer.
- The Network Time Protocol (NTP) may require UDP port 123 in some environments. By default, the AP attempts to receive the time from pool.ntp.org. The AP can also receive time through DHCP option 42.
- The IP addresses change periodically, and the cloud hostnames may resolve to something like this: ep-terminator-production-839577302.us-west-1.elb.amazonaws.com.
- Proxy settings are supported. The AP uses the proxy setting if one is available; if not, the AP still tries to connect.
Ports for Access Assurance (NAC), Wired Assurance, and WAN Assurance
We recommend that you use FQDN-based firewall rules because the IP addresses for the terminators are subject to change.
For Wired and WAN Assurance, allow outbound connections to:
- radsec.nac.mist.com (TCP 2083)
For Access Assurance in the European Union (EU), allow outbound connections to:
- radsec-eu.nac.mist.com (TCP 2083)