Controllerless Networks

Contributor II

IAP firewall ACLs not working as expected for ARD

Has anyone setup ARD with IAPs that have firewalls on the device WLAN?


A school is wanting their IAP-based (v networks to be allowed through the WLAN firewall for Apple Remote Desktop (ARD) to control devices on a Guest WLAN.  ARD uses an Admin App running on a Wired device ( to connect to components in MacOS on a wireless client device (  Communication happens over TCP/UDP 3031, 3283, 5432, 5900, 5988, 8005, according to Apple's documentation.  It may also need SSH, Port 22.  My end goal would be to permit this traffic through the WLAN firewall to client devices and a set of static IPs (the Admin computers), but deny the rest of the internal network to those clients.


I have set the Access settings for the Guest WLAN to "Network-Based Control" and put in an "Allow all to" above the "Deny any to 10.x.x.x", but communication still seems to be failing.


On the IAP, "show datapath session | include" shows packets being denied from to, for port 5900.  I don't understand why that is happening...


Am I missing something here?  The ACLs are only applied to client-originating traffic, correct?  Will network traffic with source address from the wired side and destination address of the Guest WLAN client also be firewalled by this ACL?


If anyone has experience configuring ARD to work through Firewalls, I would be happy to hear your wisdom.  Thanks!

Search Airheads
Showing results for 
Search instead for 
Did you mean: