Hello all again.

I am trying to make sense of the documentation on firewall rules for in
IPA/AD Trust relationship.

The official RHEL 7 Windows Integration Guide states in section - 5.2.6
Firewalls And Ports, that:

*"For a trust relationship, the Active Directory server and IdM server must
have almost all of the required system ports open that are required for an
IdM server installation, with the exception of the LDAP ports."*
So the following ports should be open (on the side of the IPA) :
80, 443, 88, 464, 53 - TCP
88, 464, 53, 123 - UDP

And also :

*"The IdM backend LDAP server must not be reachable by the Active Directory
domain controller. The associated ports — 389 and 636 — on the IdM server
host must be shut down for the Active Directory domain controller."*


After searching the mail archives i found the next post:


*"LDAP over UDP is required for trusts as
connectionless LDAP (CLDAP) is part of discovery protocol that AD
machines expect to work.

Blocking TCP/389 and TCP/636 between AD DCs and IPA servers should not

But the HowTo documentation (on trust) in FreeIPA site states the following:

*"Previously we recommended that you should make sure that IPA LDAP
server is not reachable by AD DC by closing down TCP ports 389 and 636
for AD DC. Our current tests lead to the assumption that this is not
necessary anymore."*


Also after the ipa-adtrust-install script completes it outputs the
following message:

*Setup complete*

*You must make sure these network ports are open: *

*TCP Ports: *

** 138: netbios-dgm *

** 139: netbios-ssn *

** 445: microsoft-ds *

*UDP Ports: *

** 138: netbios-dgm *

** 139: netbios-ssn
* 389: (C)LDAP
* 445: microsoft-ds *

Those ports need to be opened between the AD and IPA server?

Finally i would like to understand if all the ports that should to be
opened on the side of the IPA server, also should be opened at the AD
on the both directions (Incoming, outgoing)?

I can see that the firewall configuration for AD not yet documented in
the HowTo guide.


Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to