For cnMaestro and CBRS to work what domains/IP and TCP ports does an AP need open to the internet?
I am seeing in DNS.
sas.cbrs.cambiumnetworks.com
device-software.cloud.cambiumnetworks.com
cloud.cambiumnetworks.com
I am opening these on TCP/443. Anything else?
I am a little confused by what you're asking.
Is your AP already connected to cnMaestro? Is it via the cloud or On Premises version?
If your AP is in cnMaestro, then you can start by following the CBRS Guide here.
If it's not yet in there, then maybe start with the cnMaestro Documentation...
Yes, its connected on cloud. In firewall we do not allow 'everything' through. We specify what ports and destinations the AP is allowed to connect too through firewall. I can specify in firewall a DNS entry and it will resolve the IPs dynamically into list even as they change. I was specifying just these two entries and allowing on TCP/443.
device-software.cloud.cambiumnetworks.com
cloud.cambiumnetworks.com
All devices worked fine. Lots of APs and SMs for months now. I do now have a CBRS AP that will lose connection to SAS after about a week. Does not seem to lose connection to cnMaestro Cloud though. Rebooting that AP resolves it. I found this entry in DNS cache.
sas.cbrs.cambiumnetworks.com
I just added it to my list and then the CBRS AP reconnected to SAS immediately without reboot. I will need to wait a week or so to see if that fixes it. Anything else I need allow in firewall?
Those are the only exceptions you should need to allow proper operation of cnMaestro cloud and the CBRS Services.
I am also seeing us-e1-s8-p2nspwgjvm.cloud.cambiumnetworks.com cname record.
I found that my firewall was using its brand name DNS for FQDN lookups. I switched to using 8.8.8.8 and 1.1.1.1 and the sas.cbrs.cambiumnetworks.com FQDN changed to match the IP address that was getting denied.
I think the issue was that the firewall default DNS is on the east coast. We are in the west. The 1.1.1.1 and 8.8.8.8 servers are closer and have the DNS entries for our local servers.