Problem: many users put the Omada software controller behind a reverse proxy. The reverse proxy listens on port 443, accepts https requests on behalf of the controller, then forwards them to the controller, on whatever port the controller listens on. The controller may not be directly accessible in these configurations. Often, users specify a custom domain name to be used to access the controller.

When a user tries to upgrade device firmware through the software controller web interface, the device will make an https request to download the firmware. It appears that this request goes to whatever port is set in HTTPS Port for Controller Management, and is sent to the inform IP address, with the Host: header set to <ip address>:<port>, e.g. Host: 192.168.1.2:8043.

With the reverse proxy configuration described above, this request does not reach the controller. This can be for several reasons. First, the reverse proxy is typically listening on port 443, not 8403, and the controller port 8043 is not exposed. Second, the reverse proxy expects the custom domain name, not the ip address, to be set in the Host: header.

Solution: the software controller already has a setting for the controller hostname and ip used for password resets and RADIUS portal. The controller should instruct the device to make the https request to that hostname/ip instead, with the Host: header set appropriately. Finally, another setting should be added (Controller External Port) that specifies which port the device should send the https request to.