You need to do a couple of things:
- Create an "address pools" for the RAP to get an internal controller IP address
- Add the wired mac address of the RAP in the RAP whitelist
- You need to create an AP-Group that has the public IP address that the RAP will use to reach the controller (Make sure that you allow UDP/4500 for that IP address on your firewall for incoming traffic coming from the internet)
You need add the public IP address in the provisioning profile (Master IP)
- If your RAP109 is up and running you should see the "instant" SSID connect to it, open your browser and type "instant.arubanetworks.com" , then go to the Maintenance tab >Convert and use the following option and type the public IP address that the controller should be reached from the remote location