
Wi-Fi Cloud Integration with Third-Party Controllers using CIP

Cloud Integration Point (CIP) technology enables the integration of WatchGuard Wi-Fi Cloud with third-party on-premise wireless controllers and event log management services such as:

  • Aruba Mobility Controller
  • Cisco Wireless LAN Controller (WLC)
  • HP Multi-Service Mobility (MSM) Controller
  • ArcSight Enterprise Security Management (ESM)
  • Syslog server

Integration with third-party Wi-Fi controllers, such as Aruba, Cisco, and HP, enables Wi-Fi Cloud to retrieve information on devices managed by the controller. Wi-Fi Cloud can use this information for Wireless Intrusion Prevention System (WIPS) classification and location tracking of devices.

Integration with Enterprise Security Management (ESM) servers, such as ArcSight and Syslog, enables Wi-Fi Cloud to send events and audit log messages to these servers. You can then use your own existing infrastructure to manage Wi-Fi Cloud events and log messages.

When you integrate Wi-Fi Cloud with your third-party systems, you can leverage these key security advantages of Wi-Fi Cloud while you continue to use your existing infrastructure:

  • Automatic WIPS classification of authorized devices managed by the controller
  • Additional inputs for location tracking of Wi-Fi clients
  • Ability to send events and audit log messages to a central log server for a unified view of event monitoring and log analysis for troubleshooting

How CIP Works

When you integrate Wi-Fi Cloud with on-premise systems, one key challenge is that these systems usually reside on a private network behind a firewall. You can integrate multiple on-premise systems with Wi-Fi Cloud when you use a Cloud Integration Point (CIP) device on your network.

Diagram of how CIP integrates into an existing on-premises network

You can configure an AP420 as the CIP in an on-premise network for use with Wi-Fi Cloud. When it is configured in CIP mode, the AP420 does not perform access point or WIPS sensor functions. The CIP initiates a secure OpenVPN tunnel to Wi-Fi Cloud on UDP port 3852. Your firewall must allow this outbound connection from the CIP to Wi-Fi Cloud so that the tunnel can be established. All subsequent communications occur through the tunnel.

All data transmitted between the CIP and Wi-Fi Cloud is sent over the OpenVPN tunnel and is secured with AES-256-CBC encryption. The CIP contains a firewall that only forwards traffic to the destinations and ports configured for the CIP, that is, the on-premise systems you add to it. The CIP also applies network address translation (NAT) to traffic from the tunnel to the LAN, which is why an on-premise system that restricts access by source address must whitelist the CIP's address. It is not possible to establish a connection from the LAN through the CIP to Wi-Fi Cloud.
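The forwarding behaviour described above (default deny, forward only tunnel-to-LAN flows that match a configured on-premise system, source-NAT those flows to the CIP's LAN address, never forward LAN-initiated traffic toward Wi-Fi Cloud) is easier to reason about as an explicit policy. The following is an added illustrative model written for this article; it is not the AP420's real firewall configuration, and the interface names, addresses and integrated systems are assumed for the example.

```python
"""Model of the CIP forwarding policy (illustrative, not WatchGuard code)."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

TUNNEL = "tunnel"   # assumed name for the OpenVPN interface toward Wi-Fi Cloud
LAN = "lan"         # assumed name for the interface on the on-premise network


@dataclass(frozen=True)
class Flow:
    in_if: str      # interface the first packet of the connection arrived on
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Decision:
    action: str                     # "forward" or "drop"
    out_if: Optional[str] = None
    nat_src: Optional[str] = None   # source address after NAT when forwarded
    reason: str = ""


class CipPolicy:
    """Default-deny forwarder between the tunnel and the LAN."""

    def __init__(self, cip_lan_ip: str, systems: Iterable[Tuple[str, str, int]]):
        self.cip_lan_ip = cip_lan_ip
        # (destination IP, protocol, port) of each on-premise system added to the CIP
        self.allowed: Set[Tuple[str, str, int]] = {(d, p.lower(), n) for d, p, n in systems}

    def evaluate(self, flow: Flow) -> Decision:
        if flow.in_if == LAN:
            # Nothing initiated on the LAN is ever forwarded into the tunnel.
            return Decision("drop", reason="LAN-initiated traffic is not forwarded to Wi-Fi Cloud")
        if flow.in_if != TUNNEL:
            return Decision("drop", reason="unknown ingress interface")
        if (flow.dst, flow.proto.lower(), flow.dport) not in self.allowed:
            return Decision("drop", reason="destination/port is not a configured on-premise system")
        # Tunnel-to-LAN traffic is source-NATed, so the on-premise system only ever
        # sees the CIP's LAN address; that is the address it has to whitelist.
        return Decision("forward", out_if=LAN, nat_src=self.cip_lan_ip,
                        reason="matches a configured on-premise system")


def evaluate_all(policy: CipPolicy, flows: Iterable[Flow]) -> List[Decision]:
    return [policy.evaluate(f) for f in flows]


# Constructed sample: one CIP with two integrated systems (addresses are assumed).
POLICY = CipPolicy(
    cip_lan_ip="192.168.10.5",
    systems=[
        ("192.168.10.20", "tcp", 443),   # assumed: wireless controller management API
        ("192.168.10.30", "udp", 514),   # assumed: syslog server
    ],
)

# Constructed flows; the tunnel-side source is an assumed tunnel address of Wi-Fi Cloud.
SAMPLE_FLOWS = [
    Flow(TUNNEL, "10.255.0.1", "192.168.10.20", "tcp", 443),  # cloud -> controller: forwarded + NAT
    Flow(TUNNEL, "10.255.0.1", "192.168.10.30", "udp", 514),  # cloud -> syslog: forwarded + NAT
    Flow(TUNNEL, "10.255.0.1", "192.168.10.20", "tcp", 22),   # right host, wrong port: dropped
    Flow(TUNNEL, "10.255.0.1", "192.168.10.99", "tcp", 443),  # host not configured: dropped
    Flow(LAN, "192.168.10.77", "10.255.0.1", "tcp", 443),     # LAN-initiated: dropped
]

if __name__ == "__main__":
    for flow, d in zip(SAMPLE_FLOWS, evaluate_all(POLICY, SAMPLE_FLOWS)):
        print(f"{flow.in_if:6} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {d.action:7} {d.reason}")
```

The point of the model is the combination of the three rules: the allow-list is keyed on destination and port rather than on "anything from the tunnel", the NAT step explains the static-IP requirement for whitelisting in the section that follows, and the LAN side has no rule that could ever match, so a compromised host on the LAN cannot use the CIP as a path out.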

CIP Requirements

To integrate Wi-Fi Cloud with an on-premise system:

  • You must have a WatchGuard AP420.
  • UDP port 3852 must be open on your firewall for outbound communications from the CIP to Wi-Fi Cloud.
  • Ports 443 and 3851 must be open on your firewall to enable communications with Wi-Fi Cloud for AP provisioning.
  • Ports 443 and 80 must be open on your firewall for AP device firmware updates.
  • You must have an open IP path between the CIP and your on-premise systems.
  • IP address requirements are:
      • Static IP address — You must assign the CIP a static IP address if the on-premise system requires the CIP to be whitelisted to get access to the on-premise system. We recommend you use a static IP address.
        For information on how to set a static IP address for an AP, see How to set a static IP address for an AP in WatchGuard Wi-Fi Cloud.
      • DHCP — The CIP can obtain a DHCP IP address if the on-premise system does not require the CIP to be whitelisted to get access to the on-premise system.

There are three address options when you add an on-premise system to the CIP:

  • Private IP Address — In this case, a CIP is mandatory. Wi-Fi Cloud expects a CIP if the on-premise system IP address is private.
  • Public IP Address — Use of a CIP is optional if the on-premise system uses a public IP address. Wi-Fi Cloud can then get access to the on-premise system directly. The rest of the configuration remains the same.
  • Hostname — You can add an on-premise system to Wi-Fi Cloud by hostname (for example: host.arcsight.com), with or without a CIP. However, you must check what the hostname resolves to. If it resolves to a public IP address, the configuration works without a CIP. If it resolves to a private IP address, you must assign a CIP.
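The three address options above reduce to one decision: is the address that Wi-Fi Cloud would connect to globally routable or not? The helper below, added here as an example and not part of the product or this article, makes that decision for an IP address or a hostname. The DNS lookup is injected as a callable so the caller chooses which view of DNS is consulted; a split-horizon name can resolve to a private address on the LAN and a public one elsewhere, and the view that matters is the one from the side that will make the connection. The sample hostnames and the public address used in the example are constructed.

```python
"""Decide whether an on-premise system needs a CIP (added example, not WatchGuard code)."""
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, Optional, Tuple

# "Private" in the sense this page uses it: RFC 1918 ranges plus IPv6 ULA.
# Python's ip_address(...).is_private also counts documentation ranges such as
# 203.0.113.0/24 as private, so the ranges are listed explicitly instead.
PRIVATE_NETS = [ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

Resolver = Callable[[str], Optional[str]]


def classify_target(target: str, resolver: Resolver) -> Tuple[str, str]:
    """Return (cip, note): cip is "required", "optional" or "invalid"."""
    try:
        addr = ip_address(target)
        how = f"IP address {addr}"
    except ValueError:
        # Not an IP literal, so treat it as a hostname and resolve it.
        resolved = resolver(target)
        if resolved is None:
            return "invalid", f"hostname {target} does not resolve"
        addr = ip_address(resolved)
        how = f"hostname {target} resolves to {addr}"

    if addr.is_loopback or addr.is_link_local or addr.is_multicast or addr.is_unspecified:
        return "invalid", f"{how}, which neither Wi-Fi Cloud nor a CIP can connect to"
    if any(addr in net for net in PRIVATE_NETS):
        return "required", f"{how}, a private address; Wi-Fi Cloud expects a CIP"
    if not addr.is_global:
        # Reserved or shared address space (for example 100.64.0.0/10): not reachable
        # from the Internet, so only a CIP on the same network can reach it.
        return "required", f"{how}, which is not globally routable; a CIP is needed"
    return "optional", f"{how}, a public address; Wi-Fi Cloud can connect directly"


# Constructed DNS view standing in for the resolver Wi-Fi Cloud would use.
SAMPLE_DNS: Dict[str, Optional[str]] = {
    "host.arcsight.com": "192.168.5.20",   # assumed: internal ArcSight ESM
    "siem.example.net": "93.184.216.34",   # assumed: log server on a public address
    "missing.example.net": None,           # assumed: name that does not resolve
}


def sample_resolver(name: str) -> Optional[str]:
    return SAMPLE_DNS.get(name)


if __name__ == "__main__":
    for target in ("10.1.2.3", "93.184.216.34", "host.arcsight.com",
                   "siem.example.net", "missing.example.net", "127.0.0.1"):
        cip, note = classify_target(target, sample_resolver)
        print(f"{target:22} CIP {cip:9} {note}")
```

For a real check, pass `socket.gethostbyname` as the resolver on a host whose DNS view matches the side that will connect (the CIP's view when a CIP is in use, a public resolver when you intend to skip the CIP); the constructed resolver above only exists so the example runs offline.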

Configure CIP Integration

To set up a CIP to integrate Wi-Fi Cloud and an on-premise system, you must perform these steps:

  • Open UDP port 3852 on your firewall for outbound connections so that the CIP can establish its tunnel to Wi-Fi Cloud
  • Configure a WatchGuard AP420 as a CIP
  • Configure Wi-Fi Cloud for integration with on-premise wireless controllers
  • Configure Wi-Fi Cloud for integration with Enterprise Security Management (ESM) systems

Configure a WatchGuard AP420 as a CIP

You can configure an AP420 to be a dedicated CIP device that communicates with the on-premise system and Wi-Fi Cloud.

  1. Open Manage.
  2. Select Monitoring > Managed Devices.
  3. Click the AP that you want to designate as a CIP to open the Properties window for that AP.
  4. Click to open the Properties list.
  5. At the end of the Properties list, select the CIP Mode Enabled option to display the CIP mode property.

Screen shot of the AP properties list and the CIP Mode Enabled property

  6. Close the Properties list.
  7. In the Properties window, change the CIP Mode Enabled property to Yes.

Screen shot of the CIP Mode Enabled AP property

  8. Click Save.

Configure Wi-Fi Cloud for Integration with On-Premise Wireless Controllers

To configure on-premise wireless controllers, open Manage and select Configuration > WIPS > WLAN Integration.

Screen shot of the configuration tiles on the Configuration > WIPS > WLAN Integration page

These WLAN controllers are supported:

  • Aruba Mobility Controller
  • Cisco Wireless LAN Controller (WLC)
  • HP Multi-Service Mobility (MSM) Controller

For detailed information, see WLAN Integration.

Configure Wi-Fi Cloud for Integration with Enterprise Security Management (ESM) Systems

You can integrate Enterprise Security Management (ESM) systems with Wi-Fi Cloud using a CIP. To configure ESM systems, open Manage and select Configuration > ESM Integration.

Screen shot of ESM integration tiles in Manage

These ESM systems are supported:

  • Syslog
  • ArcSight

For detailed information, see Syslog Integration and ArcSight Integration.
