Celona Access Points, Edge, and Orchestrator must communicate over the existing enterprise LAN/WAN infrastructure to enable zero-touch provisioning and cloud-based management of the Private Wireless network. For seamless Day 0 & Day N operations of the Celona Private Wireless network, enterprise firewalls must be configured to allow specific discovery, management, provisioning, and troubleshooting functions.
Please refer to the following tables for detailed firewall configurations to allow communication between Celona AP, Edge, and Orchestrator (software version 2206 & above).
Outbound Edge to Orchestrator
URL | Port | Protocol | Purpose |
443 | TCP | Global CSO - Central Authentication and Authorization, Customer and User Management, Inventory Management, Discovery | |
cso-1.celona.io | 443 | TCP | Regional CSO - (Dammam) - Configuration & Reporting, Network Management |
443 | TCP | Discovery |
Outbound Edge to the Internet
URL | Port | Protocol | Purpose |
443 | TCP | Troubleshooting | |
sas.goog | 443 | TCP | Google SAS communication |
443 | TCP | Federated Wireless SAS communication | |
123 | UDP | If no internal NTP server is configured via DHCP option 42, Edge reaches out to the internet for time synchronization | |
*.ubuntu.pool.ntp.org | 123 | UDP | If no internal NTP server is configured via DHCP option 42, Edge reaches out to the internet for time synchronization |
Apple application server | 5223 | TCP | This is applicable only if the Apple devices and native Apple applications (FaceTime, iMessage) need to be supported over Private Wireless |
Outbound Edge to Enterprise Network
IP Address | Port | Protocol | Purpose |
NTP server IP Address | 123 | UDP | Edge configured with internal NTP server via DHCP option 42 |
Outbound Access Point to Edge
Port | Protocol | Purpose |
2123 | UDP | GTP Control from AP to Edge |
2152 | UDP | GTP Data from AP to Edge |
36412 | SCTP | S1 connection from AP to Edge |
38412 | SCTP | For 5G only: S1/NG connection from AP to Edge |
36003 | TCP | AP Configuration via TR-069 |
36037 | TCP | Metrics data from AP to Edge |
36363 | TCP | Log data from AP to Edge |
6001 | UDP | Troubleshooting data from AP to Edge |
6002 | TCP | AP to Edge telemetry |
Not Applicable | ICMP | Basic network troubleshooting from AP to Edge & vice versa |
36004 | TCP | For 5G only: 5G AP Configuration via NETCONF |
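As an added example (not Celona code), the following Python script audits a firewall allow-list against the Access Point to Edge table above: it reports required flows that no rule permits and rules that open more ports than the table lists. The rule syntax ("allow <proto> <port or lo-hi>") and the sample rule set are constructed for illustration; the ICMP row has no port and is not modelled.

```python
# (protocol, port) pairs copied from the "Outbound Access Point to Edge" table.
LTE_FLOWS = {("udp", 2123), ("udp", 2152), ("sctp", 36412), ("tcp", 36003),
             ("tcp", 36037), ("tcp", 36363), ("udp", 6001), ("tcp", 6002)}
FIVE_G_ONLY = {("sctp", 38412), ("tcp", 36004)}  # rows marked "For 5G only"


def parse_rule(line):
    """Return (proto, lo, hi) for one 'allow <proto> <port|lo-hi>' line (constructed syntax)."""
    action, proto, ports = line.split()
    if action != "allow":
        raise ValueError(f"unsupported action: {action}")
    lo, _, hi = ports.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range: {ports}")
    return proto.lower(), lo, hi


def audit(rule_lines, five_g=False):
    """Return (required flows no rule permits, rules wider than the table needs)."""
    required = LTE_FLOWS | (FIVE_G_ONLY if five_g else set())
    rules = [parse_rule(l) for l in rule_lines if l.strip() and not l.startswith("#")]
    missing = sorted(f for f in required
                     if not any(p == f[0] and lo <= f[1] <= hi for p, lo, hi in rules))
    too_wide = []
    for proto, lo, hi in rules:
        # Ports in this rule's range that the table actually requires.
        needed = sum(1 for p, port in required if p == proto and lo <= port <= hi)
        extra = (hi - lo + 1) - needed  # ports opened beyond the table
        if extra:
            too_wide.append((proto, lo, hi, extra))
    return missing, too_wide


# Constructed sample rule set for a 4G/LTE-only deployment.
SAMPLE_RULES = """\
allow udp 2123
allow udp 2152
allow sctp 36412
allow tcp 36000-36100
allow udp 6001
allow tcp 8080
"""

if __name__ == "__main__":
    missing, too_wide = audit(SAMPLE_RULES.splitlines())
    print("blocked required flows:", missing)
    print("rules wider than the table:", too_wide)
```

In the sample, the broad range 36000-36100 looks like it covers the AP management ports but leaves 36363 (log data) blocked while opening 99 ports the table does not list.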
Outbound Edge to Access Point
Port | Protocol | Purpose |
7547 | TCP | Edge fallback communication to AP |
22 | TCP | AP Software upgrades and troubleshooting |
Not Applicable | ICMP | Basic network troubleshooting from AP to Edge & vice versa |
Outbound Access Point to Orchestrator
URL | Port | Protocol | Purpose |
443 | TCP | AP discovery and configuration | |
443 | TCP | Global CSO - Discovery | |
443 | TCP | AP Bootstrap | |
443 | TCP | AP NETCONF Bootstrap | |
443 | TCP | AP NETCONF Bootstrap |
Outbound Access Point to the Internet
URL/IP Address | Port | Protocol | Purpose |
* | 123 | UDP | If no internal NTP server is configured via DHCP option 42, AP reaches out to the internet for time synchronization |
Outbound Access Point to Enterprise Network
IP Address | Port | Protocol | Purpose |
NTP server IP Address | 123 | UDP | If the internal network NTP server is configured via DHCP option 42 on AP |
PTP server IP | 319 | UDP | PTP Time synchronization |
PTP server IP | 320 | UDP | PTP Time synchronization |
Outbound from a Device to the Internet for eSIM provisioning
URL/IP Address | Port | Protocol | Purpose |
443 | TCP | SMDP+ server URL that hosts eSIM profiles. Devices connect to the SMDP+ server and download the eSIM profile |
Access to NTP
Celona Edge nodes and Celona Access Points require access to NTP for initial time synchronization. Please ensure your firewall permits access from the Celona Edge and Access Points to NTP (typically, this is server port 123).
The preferred option for initial time synchronization is DHCP option 42, which allows NTP servers to be listed through DHCP. If your DHCP server is configured for DHCP option 42, the Celona devices will use that option to configure their NTP time server.
Support for Native Apple Apps (FaceTime, iMessage)
Outbound from Apple device to Application server
URL/IP Address | Port | Protocol | Purpose |
Apple Application Server IP address | 5223 | TCP | Support for native Apple applications, such as FaceTime & iMessage |
Note: Celona Access Points and Edge Clusters are not proxy-aware, so Orchestrator/Internet traffic must bypass any proxy. Proxies requiring authentication or SSL termination are not supported. However, device traffic can pass through a proxy, following enterprise network policies, as long as the device is part of an external network domain.