Common questions

Answers for UniFi admins & integrators.

Security, compatibility, and pricing — everything you need to know before putting UniFiShield in front of your controller or UDM Pro.

Do I have to give admin user access to guest WiFi providers?

No. That is one of the main problems UniFiShield solves. Guest WiFi platforms, hotspot vendors, and other third parties connect through the proxy using scoped credentials — they never receive your UniFi admin username, password, or full API access.

Can I restrict UniFi API key scope so third parties don't get all-site access?

Yes. UniFiShield exposes only the endpoints you approve — such as MAC authorisation or device lookup — and blocks everything else. Third parties cannot browse your full controller, reconfigure VLANs, or access sites you have not explicitly allowed.

Does UniFiShield work with UniFi Fabrics?

Yes. UniFiShield is designed to work in modern UniFi deployments, including Fabric-based environments where sites and controllers are managed across a wider UniFi ecosystem.

Does it work with all versions of UniFi, including UDM Pro Dream Machines?

Yes. UniFiShield supports classic self-hosted UniFi Controllers and UniFi OS devices including UDM, UDM Pro, UDM SE, and Dream Machine variants. One plan covers whichever platform hosts your site.

Is built-in IP failover included?

Yes. If your controller's reachable IP address changes — for example after a WAN failover or infrastructure move — UniFiShield's built-in IP failover keeps integrations connected without manual reconfiguration on the third-party side.

Is there a full live dashboard and health monitor?

Yes. The UniFiShield portal includes a live dashboard and health monitor so you can see proxy status, endpoint activity, and integration health at a glance — without logging into your controller.

What is UniFiShield, in plain terms?

UniFiShield is a secure proxy that sits between your UniFi Controller or UDM Pro and external systems. It forwards only approved API requests and keeps your real admin interface and credentials off the public internet.

Do I need port forwarding on my firewall?

No. UniFiShield outbound-connects or uses a controlled cloud path so third parties never need direct inbound access to your LAN. You can keep port forwarding disabled and your network perimeter closed.

How does the secure proxy actually work?

Third-party systems send API requests to UniFiShield instead of your controller. UniFiShield validates the request, checks it against your allowed endpoints, and forwards only what is permitted — sanitising paths and blocking admin-level operations.

Can I use it with a classic self-hosted UniFi Controller?

Yes. Whether your site runs on a Linux or Windows controller, a Cloud Key, or a UDM Pro, UniFiShield works the same way: one protected site, one monthly subscription.

Which endpoints can I expose to third parties?

Common examples include guest authorisation (MAC auth), client lookup, and device status calls required by captive portal or hotspot platforms. You choose what is allowed per integration; everything else returns blocked.

Is my UniFi admin password ever shared with vendors?

Never. UniFiShield holds the controller credentials on your side. External providers authenticate to UniFiShield only and cannot retrieve or reuse your admin password.

How much does UniFiShield cost?

£10 per month per UniFi site. No tiered plans — add a site, add £10/month. See our pricing page for what's included.

Can I protect multiple UniFi sites?

Yes. Each site is billed separately at £10/month. MSPs and multi-venue operators can manage several sites from the UniFiShield portal, each with its own scoped access rules.

What happens if my controller IP address changes?

UniFiShield's IP failover detects the change and updates routing automatically. Your third-party integrations continue to work through the same UniFiShield endpoint without you re-entering IPs in every external system.

Do guest WiFi platforms need VPN access to my network?

No. They connect to UniFiShield over HTTPS. UniFiShield handles communication with your controller — eliminating the need for site-to-site VPNs or punching holes in your firewall for each vendor.

Can MSPs use UniFiShield for multiple customer controllers?

Yes. Each customer site can be onboarded as a separate shielded endpoint with its own access policy. Partners get central visibility without sharing one admin login across every customer network.

Does UniFiShield support MAC authentication for guest portals?

Yes. MAC authorisation is one of the most common proxied operations — allowing captive portal and guest WiFi platforms to authenticate devices without full controller API access.

Is there an audit log of API calls through the proxy?

Yes. Endpoint activity is logged so you can review what third parties requested, when, and whether calls succeeded. This supports troubleshooting and security reviews.

How do I get started?

Fill in the contact form below or email info@unifishield.com. We'll walk you through connecting your first site — typically a short setup with no changes to your existing UniFi hardware.

Request a Demo

Ready to protect your controller?

Tell us about your setup and we'll show you how UniFiShield can secure third-party access to your UniFi Controller or UDM Pro.

  • No port forwarding — keep your network perimeter closed
  • Granular endpoints — expose only what each integration needs
  • Classic & UniFi OS — works with controllers and UDM Pro

Request Received!

Thanks for reaching out. We'll be in touch shortly to discuss how UniFiShield can secure your UniFi environment.