Architecture Question/Help
Hi All,

First time posting here. We have recently deployed a Zone Director 1100 and several zf7363 APs in our main office. So far the response has been great and everything is working smoothly. Eventually we would like to deploy APs in our branch offices as well and hopefully still use the Zone Director in our main office as the controller.

The challenge I am facing is that the ZD and APs all are totally isolated from our corporate LAN/WAN. They sit behind their own firewall and only provide internet access to our users. All of the APs to be deployed at the branch offices would be arranged in a like topology. When we spec'd the system we did not take this isolation into account unfortunately. Without the remote APs being able to communicate to the Zone Director over the corporate WAN I'm not exactly sure of the best path forward.

Would the recommended approach/design be to put the Zone Director and APs into a DMZ and then talking back and forth over the public internet? I'm not sure what sort of in/out traffic the zone director uses to communicate to the APs and what ports are in use.

I'm hoping there is a more simple approach that will allow the APs to operate autonomously but still be managed centrally. I've read a bit about the Flex Master platform which sounds like it might suit our needs but could be way overkill since we are only going to have about 25-30 APs total throughout our company.

Any advice or input is appreciated.
Bradford Mitchell
Posted 4 years ago

Keith - Pack Leader

Hi Bradford,

You could potentially do a VPN tunnel through your corporate WAN. Unless you are in turn tunneling all of the AP traffic back to the controller (which is fairly rare), the traffic through the WAN would be minimal. Watch for MTU issues.

Here's a KB article (that is a little rough..) detailing port requirements for various deployments. https://support.ruckuswireless.com/an...
Bradford Mitchell

Thanks Keith.

Per our security policy wireless has to remain completely isolated from the corporate WAN unfortunately. I could do site to site VPN tunnels from the Wireless network FWs but was hoping to avoid this layer of complexity.

I'm sort of curious how FlexMaster could fit into this since in the product description I've read

"Now, Ruckus Wi-Fi systems can be securely controlled, monitored, and upgraded from anywhere in the world, over the Internet or a private IP network — with FlexMaster. It's a complete management platform for building and managing Enterprise and Carrier-Grade Wi-Fi Service Infrastructures."

I'm guessing the FlexMaster box would have to sit in a DMZ to manage wireless networks over the internet, but what about the APs?

Sorry if I'm not being clear. I can knock up a diagram if that would help.

Keith - Pack Leader

FlexMaster does have its own tunneling capability, which is what's being referred to above. And it can support the following:

Which is I think close to what you are looking for. You can download it from our website, and it comes with a 10 client license (ZD is one client) for evaluation purposes. Hint - after installation drop iptables and make sure :80 and :443 are open.
Eizens Putnins

Hi,
I want to make a comment that ZD requires as many licenses from FlexMaster as APs it can manage (ZD license size), even if there is just one AP. So ZD1106 uses 6 FlexMaster licenses, not 1, and, for example, ZD1112 needs 12 licenses.
So you can connect only ZD1106 to FlexMaster with the evaluation license.
Also there is not much sense in managing ZD by FlexMaster in your case, as it is on your site and there are many more management features in ZD (and you need access to it anyway).
It is possible to install ZD in a DMZ, open the proper ports, and install APs on remote sites behind a firewall, making address translation for the necessary ports, without VPN.
It will work (if delays on the WAN are less than 50-100 msec), but it is not what you usually want to do. VPN is safer, but it adds delays, so the requirements for the WAN become even higher. If delays are too big, clients can time out authentication and fail to connect.
Unfortunately, you can't expect to have centralized management and no communication between sites; it is an unrealistic wish.
Some other vendors (Aruba, for example) which mainly use only tunneled connections for APs support an architecture where the AP itself creates an IPsec tunnel to the controller over the Internet, which is really handy for remote branches. But it's not required really often, or Ruckus would have implemented it too.
Hope it helps,
Eizens