Wi-Fi Cloud Integration with Third-Party Controllers using CIP

Cloud Integration Point (CIP) technology enables the integration of WatchGuard Wi-Fi Cloud with third-party on-premise wireless controllers and event log management services such as:

  • Aruba Mobility Controller
  • Cisco Wireless LAN Controller (WLC)
  • HP Multi-Service Mobility (MSM) Controller
  • ArcSight Enterprise Security Management (ESM)
  • Syslog server
  • SNMP

Integration with third-party Wi-Fi controllers, such as Aruba, Cisco, and HP, enables Wi-Fi Cloud to retrieve information on devices managed by the controller. Wi-Fi Cloud can use this information for Wireless Intrusion Prevention System (WIPS) classification and location tracking of devices.

Integration with Enterprise Security Management (ESM) servers, such as ArcSight and syslog servers, enables Wi-Fi Cloud to send events and audit log messages to these servers. You can then use your own existing log infrastructure to manage Wi-Fi Cloud events and log messages.

When you integrate Wi-Fi Cloud with your third-party systems, you can leverage these key security advantages of Wi-Fi Cloud while you continue to use your existing infrastructure:

  • Automatic WIPS classification of authorized devices managed by the controller
  • Additional inputs for location tracking of Wi-Fi clients
  • Ability to send events and audit log messages to a central log server for a unified view of event monitoring and log analysis for troubleshooting

Features That Use CIP

You can use a WatchGuard AP configured as a CIP with these features:

How CIP Works

When you integrate Wi-Fi Cloud with on-premise systems, one key challenge is that these systems usually reside on a private network behind a firewall. You can integrate multiple on-premise systems with Wi-Fi Cloud when you use a Cloud Integration Point (CIP) device on your network.

CIP mode is currently only supported on an AP420.

Diagram of how CIP integrates into an existing on-premises network

You can configure an AP420 as the CIP in an on-premise network for use with Wi-Fi Cloud.

When you configure an AP420 in CIP mode, the AP radios do not perform access point or WIPS sensor functions. An AP in CIP mode is dedicated to processing CIP services.

The CIP creates a secure OpenVPN tunnel to Wi-Fi Cloud on UDP port 3852. This port must be open on the firewall to allow communications from the CIP to Wi-Fi Cloud to create the OpenVPN tunnel. All subsequent communications occur through the tunnel.

All data transmitted between the CIP and Wi-Fi Cloud is sent over an OpenVPN tunnel and is secured with AES-256-CBC encryption. The CIP contains a firewall that only forwards traffic to the defined destinations and through the ports configured for the CIP. The CIP also uses network address translation (NAT) for traffic from the tunnel to the LAN. It is not possible to establish a connection from the LAN to Wi-Fi Cloud.

You can configure more than one CIP device to provide high availability for CIP services. Each feature that supports CIP enables you to configure a primary and secondary CIP device. When a primary CIP fails, all services that use this CIP as the primary will failover to the secondary CIP. Services will continue to use the secondary CIP when the primary CIP becomes available again.

CIP Requirements

To integrate Wi-Fi Cloud with an on-premise system:

  • You must have a WatchGuard AP420.
  • Port 3852 must be open on your firewall for communications from the CIP to Wi-Fi Cloud.
  • Ports 443 and 3851 must be open on your firewall to enable communications with Wi-Fi Cloud for AP provisioning.
  • Ports 443 and 80 must be open on your firewall for AP device firmware updates.
  • You must have an open IP path between the CIP and your on-premise systems.
  • IP address requirements are:
  • Static IP address — You must assign the CIP a static IP address if the on-premise system requires the CIP to be whitelisted to get access to the on-premise system. We recommend you use a static IP address.
    For information on how to set a static IP address for an AP, see How to set a static IP address for an AP in WatchGuard Wi-Fi Cloud.
  • DHCP — The CIP can obtain a DHCP IP address if the on-premise system does not require the CIP to be whitelisted to get access to the on-premise system.

There are three address options when you add an on-premise system to the CIP:

  • Private IP Address — In this case, a CIP is mandatory. Wi-Fi Cloud expects a CIP if the on-premise system IP address is private.
  • Public IP Address — Use of a CIP is optional if the on-premise system uses a public IP address. Wi-Fi Cloud can then get access to the on-premise system directly. The rest of the configuration remains the same.
  • Hostname — You can add an on-premise system to Wi-Fi Cloud by hostname (for example: host.arcsight.com). However, you must consider whether this hostname resolves to a public IP address or a private IP address. With Wi-Fi Cloud, you can add an on-premise system using a hostname without a CIP. This configuration works if the on-premise system uses a public IP address. If the on-premise system uses a private IP address, you must assign a CIP.

Configure CIP Integration

To set up a CIP to integrate Wi-Fi Cloud and an on-premise system, you must perform these steps:

  • Open port UDP 3852 on your firewall so that the CIP can communicate with Wi-Fi Cloud
  • Configure a WatchGuard AP420 in CIP mode
  • Configure Wi-Fi Cloud for integration with on-premise wireless controllers
  • Configure Wi-Fi Cloud for integration with Enterprise Security Management (ESM) systems, syslog, or SNMP trap servers.

Configure a WatchGuard AP420 in CIP mode

To configure an AP420 to be a dedicated CIP device that communicates with the on-premise system and Wi-Fi Cloud:

Configure Wi-Fi Cloud for Integration with On-Premise Wireless Controllers

These WLAN controllers are supported:

  • Aruba Mobility Controller
  • Cisco Wireless LAN Controller (WLC)
  • HP Multi-Service Mobility (MSM) Controller

For detailed information, see WLAN Integration.

Configure Wi-Fi Cloud for Integration with Enterprise Security Management (ESM) Systems

You can integrate Enterprise Security Management (ESM) systems with Wi-Fi Cloud using a CIP.

These ESM systems are supported:

  • Syslog
  • ArcSight

For detailed information, see Configure Syslog and ArcSight Integration.