Hello all again. I am trying to make sense of the documentation on firewall rules for an IPA/AD trust relationship.

The official RHEL 7 Windows Integration Guide states in section 5.2.6, Firewalls And Ports, that: *"For a trust relationship, the Active Directory server and IdM server must have almost all of the required system ports open that are required for an IdM server installation, with the exception of the LDAP ports."*

So the following ports should be open (on the side of the IPA): TCP 80, 443, 88, 464, 53; UDP 88, 464, 53, 123.

And also: *"The IdM backend LDAP server must not be reachable by the Active Directory domain controller. The associated ports — 389 and 636 — on the IdM server host must be shut down for the Active Directory domain controller."*
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Windows_Integration_Guide/index.html#trust-requirements

After searching the mail archives I found the next post:
https://www.redhat.com/archives/freeipa-users/2014-August/msg00032.html
*"LDAP over UDP is required for trusts as connectionless LDAP (CLDAP) is part of discovery protocol that AD machines expect to work. Blocking TCP/389 and TCP/636 between AD DCs and IPA servers should not hurt."*

But the HowTo documentation (on trust) on the FreeIPA site states the following: *"Previously we recommended that you should make sure that IPA LDAP server is not reachable by AD DC by closing down TCP ports 389 and 636 for AD DC. Our current tests lead to the assumption that this is not necessary anymore."*
http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Firewall_configuration

Also, after the ipa-adtrust-install script completes, it outputs the following message:

    Setup complete
    You must make sure these network ports are open:
      TCP Ports:
        * 138: netbios-dgm
        * 139: netbios-ssn
        * 445: microsoft-ds
      UDP Ports:
        * 138: netbios-dgm
        * 139: netbios-ssn
        * 389: (C)LDAP
        * 445: microsoft-ds

Do those ports need to be opened between the AD and IPA server?

Finally, I would like to understand whether all the ports that should be opened on the side of the IPA server should also be opened on the AD side, in both directions (incoming, outgoing)? I can see that the firewall configuration for AD is not yet documented in the HowTo guide.

Thanks, Genadi.
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
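The post above quotes three sources that agree on most ports but differ on TCP 389/636. The following script is an added example, not code from the original message or from the FreeIPA project: it encodes the port expectations exactly as the quoted RHEL 7 guide and the ipa-adtrust-install summary state them (TCP LDAP/LDAPS closed to the AD DC, UDP/389 CLDAP open) and probes the TCP ports of an IPA server from the host it runs on, flagging any mismatch. The host name `ipa.example.test` is a placeholder, and the "closed" expectation for TCP 389/636 follows the RHEL guide; the FreeIPA HowTo quoted in the post says that closing them may no longer be necessary, so treat a WARN on those two ports as something to decide, not as an error.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the FreeIPA project).
# Usage, run from the AD side or any client that should mimic the AD DC:
#   ./check-ipa-trust-ports.sh ipa.example.test     # placeholder host name
# Needs bash and GNU timeout for the TCP probe; the expectation table and
# verdict logic are plain POSIX sh so they can be sourced and reused.

# Ports that, per the RHEL 7 Windows Integration Guide and the
# ipa-adtrust-install summary quoted in the thread, must be reachable.
IPA_TCP_REQUIRED="80 443 88 464 53 138 139 445"
IPA_UDP_REQUIRED="88 464 53 123 138 139 389 445"
# Ports the RHEL guide says the AD DC must NOT reach (LDAP/LDAPS over TCP).
IPA_TCP_BLOCKED="389 636"

# expected_state PROTO PORT
# Prints "open", "closed" or "unlisted" for the given protocol/port pair,
# according to the quoted documents (blocked list wins over required list).
expected_state() {
  proto=$1; port=$2
  case "$proto" in
    tcp) required=$IPA_TCP_REQUIRED; blocked=$IPA_TCP_BLOCKED ;;
    udp) required=$IPA_UDP_REQUIRED; blocked="" ;;
    *)   echo unlisted; return 0 ;;
  esac
  for p in $blocked;  do [ "$p" = "$port" ] && { echo closed; return 0; }; done
  for p in $required; do [ "$p" = "$port" ] && { echo open;   return 0; }; done
  echo unlisted
}

# tcp_probe HOST PORT -> exit 0 if a TCP connect completes within 3 seconds.
# Uses bash's /dev/tcp pseudo-device so no extra tools are needed.
tcp_probe() {
  timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# verdict EXPECTED ACTUAL -> "ok" when reality matches the documents,
# "WARN" otherwise (e.g. TCP/389 reachable although the guide says to close it,
# or TCP/88 unreachable although Kerberos needs it).
verdict() {
  case "$1:$2" in
    open:open|closed:closed) echo ok ;;
    *) echo WARN ;;
  esac
}

# report HOST: probe every TCP port above and print one line per port.
# UDP is not probed: a silent UDP service cannot be told apart from a
# filtered port with a plain connect, so only the expectation is printed.
report() {
  host=$1
  for port in $IPA_TCP_REQUIRED $IPA_TCP_BLOCKED; do
    if tcp_probe "$host" "$port"; then actual=open; else actual=closed; fi
    exp=$(expected_state tcp "$port")
    printf '%-4s %-5s expected=%-8s actual=%-8s %s\n' \
      tcp "$port" "$exp" "$actual" "$(verdict "$exp" "$actual")"
  done
  for port in $IPA_UDP_REQUIRED; do
    printf '%-4s %-5s expected=%-8s actual=%-8s %s\n' \
      udp "$port" "$(expected_state udp "$port")" unknown "(not probed)"
  done
}

# Only probe when a host is given, so the file can be sourced for its functions.
if [ $# -ge 1 ]; then
  report "$1"
fi
```

Running it from the AD domain controller (or a host on the same network segment) checks the IPA-side firewall as seen from AD; the post's remaining question, which of these ports the AD side must open towards IPA, is not answered by this script and still needs the AD firewall documentation the post asks for.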
