Hi folks, happy I found this list. Great information!

We're a University using CCA for our wireless network. I just deployed CCA 
3.6.4 this past August so I'm still learning. Our CCA CAM/CAS is 3.6.4.1, 
in-band, virtual gateway mode.

I made the mistake of configuring our CAS with a public IP address not 
considering the ramifications. When my wireless clients return home, I can 
see lots of hits against port 8906/udp to our CAS on our campus firewall. 
They don't make it of course. I now realize I should have used a private 
address so this wouldn't happen.

However, after reading through this list, I now understand that the 
udp/8906 packets are L3 discoveries from the Agent. I don't need L3 as we 
run Virtual Gateway mode and our wireless clients are all local to the 
CAS. Under Device Management I do NOT have either the "Enable L3 Support" 
or "Enable L2 strict mode for Clean Access Agent" checked but I did 
specify my CAS as the Discovery Host.

So, can this be fixed without changing my CAS IP address (which I really 
don't want to do mid term)? Should I remove the Discovery Host altogether? 
Should I change the Discovery host to a local host with a private address 
(one that won't resolve in DNS from home)? If I change this, what will 
happen to existing Agent users? Will they be prompted to download 
(upgrade) the agent again?

If I can't fix this for existing users, I'd like to at least make it right 
for new users of the system. Any help would be appreciated.

Thanks,

-Mike