[Freeipa-users] ipa ports

Martin Kosek mkosek at redhat.com
Thu May 24 08:50:23 UTC 2012


On Wed, 2012-05-23 at 19:27 -0400, Dmitri Pal wrote:
> On 05/23/2012 05:40 PM, Jan-Frode Myklebust wrote:
> > We have quite strict firewalls, so I need to specify the IPA network
> > ports accurately. So, we have now opening for:
> >
> > 	80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
> > 	88/udp, 464/udp
> >
> > in to our first IPA server. Now I'm in the process of configuring the
> > first replica. Are there any other ports that need to be opened between
> > the IPA master and replica?
> >
> > We don't serve NTP or DNS from IPA, so I guess these shouldn't be
> > relevant, but I think we want dogtag replicated, so there are maybe some
> > ports for that that need opening?
> >
> > Or, to put it another way, which of these ports:
> >
> > 	http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html#prereq-ports
> >
> > need to be opened between IPA servers, which for all clients, which for
> > the replica and which for administrative clients?
> >
> > 	HTTP/HTTPS	-- open for all
> > 	LDAP/LDAPS	-- open for all
> > 	Kerberos	-- open for all
> > 	OCSP responder  -- open for all if we use certs
> >
> > 	dogtag 9443 (agents)	-- ?
> > 	dogtag 9444 (users, SSL)	-- ?
> > 	dogtag 9445 (administrators)	-- ?
> > 	dogtag 9446 (users, client authentication)	-- ?
> > 	dogtag 9701 (Tomcat)	-- ?
> > 	dogtag 7389 (internal LDAP database) -- ?
> >
> >
> 
> Dogtag ports are now proxied via HTTP

Exactly. So in your case, between replicas, you would need to open ports
you specified:

> > 	80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
> > 	88/udp, 464/udp

+ the proxy port: 7389/tcp

I suppose you don't need to open 7389/tcp for all clients unless you
want them to be able to run LDAP search against dogtag backend LDAP
database.

Martin
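As an added example (not code from this thread or from the FreeIPA project), the script below encodes the port matrix as Martin states it: the eight client-facing ports every peer needs, plus 7389/tcp only between IPA servers. It parses the "port/proto" notation used in the thread, builds the list a given peer role needs, and probes the TCP ports so an administrator can confirm a firewall change before running the replica install. The role names "client" and "replica", the injectable `probe` callable, and the hostname `ipa-master.example.test` are assumptions made for this example; UDP entries are listed but not probed, since a UDP probe cannot tell a filtered port from an open one.

```python
"""Port-matrix audit for an IPA master/replica, based on the list in this thread."""
import socket
from dataclasses import dataclass

# Ports the thread lists as needed by every client (and therefore by replicas too).
CLIENT_PORTS = ("80/tcp", "88/tcp", "389/tcp", "443/tcp",
                "464/tcp", "636/tcp", "88/udp", "464/udp")
# Additional port needed only between IPA servers (dogtag's internal LDAP database).
REPLICA_ONLY_PORTS = ("7389/tcp",)


@dataclass(frozen=True)
class PortSpec:
    port: int
    proto: str  # "tcp" or "udp"

    def __str__(self):
        return f"{self.port}/{self.proto}"


def parse_spec(spec: str) -> PortSpec:
    """Parse 'PORT/PROTO' as written in the thread into a PortSpec."""
    port_text, sep, proto = spec.strip().partition("/")
    if not sep or proto not in ("tcp", "udp") or not port_text.isdigit():
        raise ValueError(f"bad port spec: {spec!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {spec!r}")
    return PortSpec(port, proto)


def required_ports(role: str) -> list:
    """Ports a peer needs by role: 'client' or 'replica' (role names are assumed here)."""
    if role == "client":
        specs = CLIENT_PORTS
    elif role == "replica":
        specs = CLIENT_PORTS + REPLICA_ONLY_PORTS
    else:
        raise ValueError(f"unknown role: {role!r}")
    return [parse_spec(s) for s in specs]


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(host: str, role: str, probe=tcp_reachable) -> dict:
    """Probe every TCP port the role needs. UDP entries map to None because a
    UDP probe cannot distinguish 'filtered' from 'open'."""
    results = {}
    for spec in required_ports(role):
        results[str(spec)] = probe(host, spec.port) if spec.proto == "tcp" else None
    return results


def blocked_ports(results: dict) -> list:
    """TCP ports that the audit found unreachable, in the order they were probed."""
    return [spec for spec, ok in results.items() if ok is False]


if __name__ == "__main__":
    import sys
    # Placeholder target host and default role; pass real values on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "ipa-master.example.test"
    role = sys.argv[2] if len(sys.argv) > 2 else "replica"
    report = audit(target, role)
    for spec, ok in report.items():
        state = {True: "open", False: "BLOCKED", None: "udp (not probed)"}[ok]
        print(f"{spec:>10}  {state}")
    sys.exit(1 if blocked_ports(report) else 0)
```

Run it from the replica host against the master (`python3 audit.py ipa-master.example.test replica`) and from an ordinary client with the `client` role; a non-zero exit means at least one required TCP port is still filtered. Because `audit` takes the probe as a parameter, the port logic can also be exercised without any network, which is how the decision "7389/tcp for replicas only" is best kept under review when the firewall rules change.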
