MX16.x and port 443

KenLux
Here to help

We are currently running an MX84 with MX15.x and need to upgrade to MX 16.x.


The MX84's WAN port is connected to the internet. We are currently forwarding traffic on inbound port 443 to a server.


The release notes for the MX16.15 firmware state:

While Meraki appliances have traditionally relied on UDP port 7351 for cloud communication and TCP ports 80 and 443 for backup communications, with MX 16 we are beginning a transition to using TCP port 443 as the primary means for cloud connectivity. In order to ensure proper connectivity to the Meraki cloud after this upgrade, please ensure that traffic using TCP port 443 between 209.206.48.0/20 is allowed through any firewalls that may be deployed upstream of your Meraki appliances.


What does this mean for us since we need to forward port 443 to another server?


I think there are a few possibilities:

  1. The MX will interpret any traffic on port 443 as being for the MX. This would result in users not being able to reach the server from the internet. At least we would be able to roll back the firmware.
  2. The MX will follow the port forwarding rule and send all traffic inbound on port 443 to the server. In this case, I don't think that we would be able to access the MX through the Meraki cloud service. We wouldn't be able to roll back the firmware and would have to do a factory reset.
  3. The MX filters the inbound traffic on port 443 with traffic from 209.206.48.0/20 being processed by the MX and all other traffic forwarded per the forwarding rule.


While I assume that the answer is (3), I can't find any discussion of this. If the answer is (1), we could roll back the firmware, but if the answer is (2), then we will lose the ability to manage any of our Meraki devices.


A mitigation for (2) would be to add a router in front of the MX that performs the filtering that is mentioned in (3).


I did see a warning somewhere about losing access to the local status page via the WAN interface if ports 80 and 443 are being forwarded, but it didn't say anything about the cloud services.


Somebody out there has to be using this device with port 443 forwarded to a web server or other type of server. Does anyone know for sure that the MX will filter out traffic from Meraki before forwarding all other traffic according to the port-forwarding rule?

3 Replies
Brash
Kind of a big deal

The Meraki appliance will communicate with the cloud with a destination port of TCP 443.
However the source port will be dynamic (in the >50000 range).

The Meraki cloud will not send any traffic inbound towards the MX on port 443.

As verification, if you navigate to "Help" -> "Firewall Info" in the Meraki console, you'll see that the firewall rules required on port 443 are all outbound from the MX, not inbound.

Thanks. I can see the firewall requirements, but it appears that they may be the rules needed for the currently installed firmware (15.x), which shows primary communication with the Meraki cloud over outbound UDP port 7351 with TCP 443 as a backup, which is what the release notes say they are changing. So I am not sure that the firewall info page is a way to verify the firewall info for the 16.x version if it hasn't been installed yet.


That being said, it makes sense, but is there any official documentation that I can find from Meraki that I can view before updating the firmware?

RaphaelL
Kind of a big deal

Simply take a packet capture on the WAN interface; you will see that the MX is sourcing the traffic with an ephemeral port and a destination port of 443 as stated. It has nothing to do with your port forwarding rules and your firewall rules (unless you have another firewall between your MX and your WAN).
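The two replies above come down to one fact about stateful firewalls: a connection is identified by its full 5-tuple and its direction, not by the port number alone. The MX's own cloud sessions are outbound, sourced from an ephemeral port towards TCP 443 in 209.206.48.0/20; replies to them match an existing state entry and are delivered to the MX itself. A new inbound SYN to the WAN address on port 443 matches no such entry and so falls through to the port-forwarding rule. The following is an added example (not code from the thread, and not Meraki's implementation) that models that distinction with a minimal connection tracker and then replays a few constructed packets through it. The WAN address 203.0.113.10, the internal server 192.168.128.20, the Meraki cloud address 209.206.50.3, the client 198.51.100.7 and all port numbers are assumed values; the 209.206.48.0/20 range and TCP 443 come from the release notes quoted in the question.

```python
import ipaddress
from dataclasses import dataclass

# From the MX 16 release notes quoted in the question.
MERAKI_CLOUD = ipaddress.ip_network("209.206.48.0/20")
CLOUD_PORT = 443

# Assumed addresses for the example (documentation ranges, not real hosts).
MX_WAN_IP = ipaddress.ip_address("203.0.113.10")
SERVER_LAN_IP = ipaddress.ip_address("192.168.128.20")
FORWARD_PORT = 443  # the inbound port-forward rule from the question


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the WAN port, "in" = arriving on the WAN port
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn_only: bool  # True for a bare SYN (new connection attempt)


class ConnTracker:
    """Simplified stateful tracker: one entry per outbound 5-tuple.

    This models the behaviour described in the replies above; it is not the
    MX's actual code. Keys are stored as the tuple a *reply* would carry so
    that inbound packets can be matched with a single lookup.
    """

    def __init__(self):
        self.state = set()

    def handle(self, pkt: Packet) -> dict:
        src = ipaddress.ip_address(pkt.src_ip)
        dst = ipaddress.ip_address(pkt.dst_ip)

        if pkt.direction == "out":
            # Record the reverse tuple so replies are recognised later.
            self.state.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))
            is_cloud = dst in MERAKI_CLOUD and pkt.dst_port == CLOUD_PORT
            return {
                "verdict": "cloud-outbound" if is_cloud else "other-outbound",
                "delivered_to": f"{pkt.dst_ip}:{pkt.dst_port}",
                "upstream_firewall_must_allow": is_cloud,
            }

        # Inbound: an existing entry wins over any NAT rule.
        if (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port) in self.state:
            return {"verdict": "reply-to-mx", "delivered_to": f"{pkt.dst_ip}:{pkt.dst_port}"}

        # New inbound connection to the forwarded port: DNAT to the server,
        # regardless of which source address it came from.
        if pkt.syn_only and dst == MX_WAN_IP and pkt.dst_port == FORWARD_PORT:
            return {"verdict": "forwarded", "delivered_to": f"{SERVER_LAN_IP}:{FORWARD_PORT}"}

        return {"verdict": "dropped", "delivered_to": None}


def replay(packets) -> list:
    """Run a packet list through a fresh tracker and return the verdicts in order."""
    tracker = ConnTracker()
    return [tracker.handle(p) for p in packets]


# Constructed packets, in the order a WAN-side capture would show them.
SAMPLE = [
    # MX opens its cloud session: ephemeral source port, destination 443.
    Packet("out", "203.0.113.10", 51234, "209.206.50.3", 443, True),
    # Cloud answers: source port 443, destination is the MX's ephemeral port.
    Packet("in", "209.206.50.3", 443, "203.0.113.10", 51234, False),
    # Internet user reaches the published server on the WAN address, port 443.
    Packet("in", "198.51.100.7", 40000, "203.0.113.10", 443, True),
    # A fresh inbound SYN from the Meraki range would also be forwarded; the
    # cloud does not initiate such connections, which is why this is harmless.
    Packet("in", "209.206.50.3", 40001, "203.0.113.10", 443, True),
    # Unsolicited packet that matches neither state nor any rule.
    Packet("in", "198.51.100.7", 40002, "203.0.113.10", 8443, True),
]

if __name__ == "__main__":
    for pkt, result in zip(SAMPLE, replay(SAMPLE)):
        print(f"{pkt.direction:>3} {pkt.src_ip}:{pkt.src_port} -> "
              f"{pkt.dst_ip}:{pkt.dst_port}  {result['verdict']}  "
              f"-> {result['delivered_to']}")
```

Possibility (3) from the question is therefore not something the MX has to do by inspecting source addresses: the cloud session and the forwarded connections live in different state entries. The fourth sample packet is the one case worth keeping in mind; it is only safe because, as the reply above says, the cloud never opens a connection towards the MX on 443. The upstream-firewall flag on outbound packets is the condition the release notes ask for: allow TCP 443 from the MX towards 209.206.48.0/20 on anything in front of the appliance.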
