[Freeipa-users] IPA port 80

Sean Hogan schogan at us.ibm.com
Wed Aug 31 23:04:22 UTC 2016


Thank you Simo,


  Is there a better source for the IPA ports required you can direct me to
other than this https://access.redhat.com/solutions/357673
which shows the below:

Resolution
IdM Server <-> Clients

 Name          Destination-port / Type   Purpose
 HTTP/HTTPS    80 / 443 TCP              WebUI and IPA CLI admin tools communication.
 LDAP/LDAPS    389 / 636 TCP             directory service communication.
 Kerberos      88 / 464 TCP and UDP      communication for authentication
 DNS           53 TCP and UDP            nameservice, used also for autodiscovery, autoregistration and
                                         High Availability Authentication (sssd), optional
 NTP           123 UDP                   network time protocol, optional
 kadmind       464 / 749 TCP             used for principal generation, password changes etc.


IdM Server <-> IdM Server (i.e. Replica)

 Name          Destination-port / Type   Purpose
 HTTP/HTTPS    80 / 443 TCP              WebUI and IPA CLI admin tools communication.
 LDAP/LDAPS    389 / 636 TCP             directory service communication.
 Kerberos      88 / 464 TCP and UDP      communication for authentication
 DNS           53 TCP and UDP            nameservice, used also for autodiscovery, autoregistration and
                                         High Availability Authentication (sssd), optional
 NTP           123 UDP                   network time protocol, optional
 kadmind       464 / 749 TCP             used only via localhost
 dogtag        7389 TCP                  Server and replica communication
 replica conf  9443 / 9444 / 9445 TCP    Replica configuration, only needed during initial replica
                                         installation -- IPAv3/RHEL6 only (not required at all in
                                         IPAv4/RHEL7)

Note: In RHEL 7, 389 port is used for replication instead of 7389 port.





I have a hard time thinking NTP is required bidirectionally as well, which I
assume is the indication with the <->, but I was also wrong thinking TCP
port 53 would not be required, which it is (found out the hard way), so I was
leaning on the docs a lot.


What would be your take on bidirectional vs uni from the above list?


We are running DNS and NTP from IPA.







Sean Hogan





From:	Simo Sorce <simo at redhat.com>
To:	Sean Hogan/Durham/IBM at IBMUS
Cc:	freeipa-users <freeipa-users at redhat.com>
Date:	08/31/2016 03:36 PM
Subject:	Re: [Freeipa-users] IPA port 80



On Wed, 2016-08-31 at 14:22 -0700, Sean Hogan wrote:
>
> Hi all,
>
>   Been reading a lot about Port 80 for IPA and firewalls but have not
> found a concrete answer.  I know the redhat docs indicate port 80 is
> required bidirectional however I need to investigate if it is truly
> needed.
>
> GUI only responds to 443 so not sure what else would be utilizing port
> 80. I have seen some references that dogtag proxies its ports to 80 and
> 443 but if the gui is running on 443 does that mean dogtag is proxying
> via 443 only?  Or is there a way to tell?   Has anyone attempted not
> opening port 80 from IPA Server to IPA Server and clients to IPA server?
> ipa-server-3.0.0-50.el6.1.x86_64

Port 80 is not required, the only thing you'll find there is a redirect
to the HTTPS port.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
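The check this thread is really after, as an added example that is not code from the thread, from Red Hat or from the FreeIPA project: from a client, probe the client-facing TCP ports in the quoted KB table against one IPA server, and confirm that port 80 answers with nothing but a redirect to HTTPS, as Simo states. The hostname argument, the /ipa/ui request path, the 2-second timeout and the sample redirect response are assumptions; UDP entries (Kerberos, DNS, NTP) cannot be verified with a plain connect and are reported as not probed.

```python
"""Probe the client-facing IdM/IPA ports from the quoted Red Hat table against
one server and check that port 80 only serves a redirect to HTTPS.

Added example, not part of the thread.  Only TCP ports are probed with a
connect(); UDP entries are listed so the report stays complete.
Run: python3 ipa_ports.py ipa.example.test   (hostname is an assumption)
"""
import socket
import sys

# Client -> server ports from the KB table quoted in the thread (name, port, protocol).
IPA_CLIENT_PORTS = [
    ("HTTP", 80, "tcp"),
    ("HTTPS", 443, "tcp"),
    ("LDAP", 389, "tcp"),
    ("LDAPS", 636, "tcp"),
    ("Kerberos", 88, "tcp"),
    ("Kerberos", 88, "udp"),
    ("kpasswd", 464, "tcp"),
    ("kpasswd", 464, "udp"),
    ("DNS", 53, "tcp"),
    ("DNS", 53, "udp"),
    ("NTP", 123, "udp"),
    ("kadmind", 749, "tcp"),
]


def tcp_reachable(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unresolvable
        return False


def https_redirect_target(response):
    """Return the Location of a 3xx response when it points at https://, else None.

    `response` is the raw bytes of an HTTP response (status line + headers).
    """
    head = response.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("latin-1").split("\r\n")
    status = lines[0].split()
    if len(status) < 2 or not status[1].startswith("3"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            value = value.strip()
            if value.lower().startswith("https://"):
                return value
    return None


def probe_port_80(host, path="/ipa/ui", timeout=2.0):
    """Send one GET to port 80 and return the HTTPS redirect target, or None
    when port 80 is closed or serves real content instead of a redirect."""
    request = ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode()
    try:
        with socket.create_connection((host, 80), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return https_redirect_target(data)


def scan(host, timeout=2.0):
    """Map each table entry to True/False (TCP reachable) or None (UDP, not probed)."""
    return {
        (name, port, proto): tcp_reachable(host, port, timeout) if proto == "tcp" else None
        for name, port, proto in IPA_CLIENT_PORTS
    }


# Constructed sample of the answer an IPA server's port 80 is expected to give.
SAMPLE_REDIRECT = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://ipa.example.test/ipa/ui\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: ipa_ports.py <ipa-server-hostname>")
        print("offline demo, sample response redirects to:", https_redirect_target(SAMPLE_REDIRECT))
        sys.exit(0)
    host = sys.argv[1]
    for (name, port, proto), ok in sorted(scan(host).items(), key=lambda kv: kv[0][1]):
        state = "not probed (udp)" if ok is None else ("open" if ok else "closed/filtered")
        print("%-9s %5d/%s  %s" % (name, port, proto, state))
    target = probe_port_80(host)
    print("port 80 ->", target or "no HTTPS redirect seen (closed, or serves content)")
```

If port 80 shows closed/filtered while 443 is open, the only thing lost is the convenience redirect for someone typing the bare hostname into a browser; the same script run from a replica (with 7389 and, on RHEL 7, 389 added to the list) answers the replica-to-replica half of the question in the same way.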


