I have a balance 580 with 5 ISP WANs. Behind the balance we have a number of servers, including an on-premises Exchange server. When I first installed the balance, everything went smoothly and the device works perfectly for our setup. I also have 3 Pepwave APs being remotely managed by the balance 580.
Last week, we decided to discontinue one of our ISP WANs. In preparation, I reconfigured our web DNS records to use a different, existing public IP (also connected to the balance 580). In doing so, this gave me 5 days of almost total downtime where users could not access our Exchange webmail service through a secure connection (same for Outlook Anywhere and ActiveSync). The only way we could access webmail was through unsecured http:// and some misconfiguration of our Exchange server.
For 5 days, I couldn’t figure out what was causing the issue. Then I noticed when navigating to our webmail through https:// that our SSL certificate was giving a strange error. It was looking for the common name set on our cert but was instead receiving a request from captive-portal.peplink.com. I’ve never used the captive portal in our balance 580 so it wasn’t configured. I configured and unconfigured it to be sure, but still nothing. Finally after trying for all that time, I decided to disable all AP related features on the balance 580 1-by-1. After disabling the AP Management feature, the issue was resolved. I notice on the help section for that feature that it states:
The WLAN Controller for managing Pepwave APs can be enabled by this option. When this option is enabled, the WLAN Controller will wait for management connections originating from APs over the LAN on TCP and UDP port 11753. It will also wait for captive portal connections on TCP port 443. An extended DHCP option “CAPWAP Access Controller addresses” (field 138) will be added to the DHCP server. A local DNS record “wlancontroller” will be added to the local DNS proxy.
I’m very confused as to why this wasn’t causing us a problem before now and why it has only surfaced since changing our primary public IP address. Does anyone know if there is any way round this? If I can configure the captive portal to listen on a non-standard SSL port like 445? Until I can do something like that, I won’t have the ability to remote manage our APs.
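
The symptom described above (a certificate for captive-portal.peplink.com answering where the webmail certificate was expected) can be checked per WAN IP before a DNS change. The following is an added example, not part of the original post and not Peplink code; the host name mail.example.com, the function names and the sample certificates are assumptions, and it assumes the webmail certificate chains to a CA in the system trust store.

```python
import socket
import ssl

def cert_names(cert):
    """DNS names from a getpeercert() dict: SAN entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return sans or cns

def name_matches(pattern, host):
    """Exact match, or a single left-most wildcard label (*.example.com)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def classify(cert, expected_host):
    """Say whether the certificate seen on a WAN IP belongs to expected_host."""
    names = cert_names(cert)
    if any(name_matches(n, expected_host) for n in names):
        return "ok"
    return "unexpected listener: " + (", ".join(names) or "no names in certificate")

def probe(wan_ip, expected_host, port=443, timeout=5):
    """Connect to one WAN IP with SNI set to expected_host and classify the result."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; classify() compares names
    try:
        with socket.create_connection((wan_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=expected_host) as tls:
                return classify(tls.getpeercert(), expected_host)
    except ssl.SSLCertVerificationError as exc:
        return "untrusted chain: " + exc.verify_message
    except OSError as exc:
        return "connect failed: " + str(exc)

# Constructed sample certificates in getpeercert() format (not captured data).
EXCHANGE = {"subject": ((("commonName", "mail.example.com"),),),
            "subjectAltName": (("DNS", "mail.example.com"),
                               ("DNS", "autodiscover.example.com"))}
PORTAL = {"subject": ((("commonName", "captive-portal.peplink.com"),),)}

if __name__ == "__main__":
    for label, cert in (("WAN with port forward", EXCHANGE),
                        ("WAN answered by router", PORTAL)):
        print(label, "->", classify(cert, "mail.example.com"))
```

Calling `probe()` from outside the network against each public IP that has a DNS record shows which addresses reach the mail server and which are answered by another listener on port 443.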