Exposing Omada Controller to Internet - Security questions

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2025-04-27 04:55:14 - last edited 2025-04-28 02:29:35

Hello,

Using a VPN to connect sites to my Omada controller is not suitable in every situation. See the answer from TP-Link here: https://community.tp-link.com/en/business/forum/topic/668402

So my questions are: are there security tests or hardening recommendations from TP-Link? Especially exposing the 8043 WebUI (for device firmware updates) gives me a headache. Is there documentation about the protocols / ciphers used? Which communication with sites is plain text? Can you please tell me the URL for updates which devices call to get the firmware, for example https://fqdn:8043/fwupd/v2/29r01 ?

How do you deal with it?

Thanks!

#1
2 Accepted Solutions
Re:Exposing Omada Controller to Internet - Security questions-Solution
2025-04-27 14:13:28 - last edited 2025-04-28 02:29:35

  @Wrzlbrnft 

 

If you must use port forward based adoption on some sites, there are a few ways to make it a little more secure, but it's still not "ideal":

1) Enable 2FA on your controller accounts
2) Enable Account Security on your controller accounts to lock access to specific IPs only
3) If the remote sites are on a fixed public IP, you can allow just that on the port forwarding rules
4) You can change the HTTPS management port used for remote firmware updates (hardware controllers default to 443, software to 8043) - I change mine to 29817 so I can simply include it in the port forward as one rule, 29810 - 29817 TCP/UDP

#2
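As an added example for points 3 and 4 of the reply above (not from the thread, TP-Link or GRL): a generator for an nftables ruleset on a Linux gateway in front of the controller that forwards the 29810-29817 TCP/UDP range only from the fixed public IPs of the remote sites and drops that range from anywhere else. The gateway itself, the controller LAN address and the RFC 5737 placeholder site IPs are assumptions.

```shell
#!/bin/sh
# Added example: generate an nftables ruleset that forwards the Omada port
# range (29810-29817 TCP/UDP, with HTTPS management moved to 29817 as in the
# thread) to the controller ONLY from the fixed public IPs of the remote sites.
# Assumptions (not from the thread): a Linux/nftables gateway in front of the
# controller, the controller LAN address below, and RFC 5737 placeholder IPs.
CONTROLLER_IP="${CONTROLLER_IP:-192.168.1.10}"   # assumed controller LAN address
PORT_RANGE="29810-29817"                          # single range from the thread

# Reject anything that is not a dotted-quad IPv4 literal; an nft set of type
# ipv4_addr would refuse hostnames or CIDR typos at load time anyway.
is_ipv4() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# omada_ruleset <site-public-ip> [<site-public-ip> ...]  ->  nft ruleset on stdout
omada_ruleset() {
  [ "$#" -gt 0 ] || { echo "omada_ruleset: need at least one site IP" >&2; return 1; }
  elems=""
  for site_ip in "$@"; do
    is_ipv4 "$site_ip" || { echo "omada_ruleset: bad IPv4 '$site_ip'" >&2; return 1; }
    elems="${elems:+$elems, }$site_ip"
  done
  cat <<EOF
table ip omada {
  set remote_sites {
    type ipv4_addr
    elements = { $elems }
  }
  chain prerouting {
    type nat hook prerouting priority dstnat;
    # DNAT the adoption/management range only for the known site addresses
    ip saddr @remote_sites tcp dport $PORT_RANGE dnat to $CONTROLLER_IP
    ip saddr @remote_sites udp dport $PORT_RANGE dnat to $CONTROLLER_IP
  }
  chain forward {
    type filter hook forward priority filter;
    # Defence in depth: drop anything reaching the controller range from elsewhere
    ip daddr $CONTROLLER_IP tcp dport $PORT_RANGE ip saddr != @remote_sites drop
    ip daddr $CONTROLLER_IP udp dport $PORT_RANGE ip saddr != @remote_sites drop
  }
}
EOF
}

# Example: two sites with fixed public IPs (placeholders); pipe into `nft -f -` to apply.
omada_ruleset 203.0.113.10 198.51.100.20
```

Run `nft -c -f -` on the output first to syntax-check it without loading, then `nft -f -` on the gateway; merge the forward rules into your existing filter table if you already have one.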
Re:Exposing Omada Controller to Internet - Security questions-Solution
2025-04-28 02:34:18 - last edited 2025-04-28 02:34:35

  @Wrzlbrnft 

 

Here is an example for point 2 of GRL's suggestion:
#3