On 12.8.2016 22:03, Jake wrote:
> Hey Guys, 
> Can anyone tell me if there are issues caused by blocking ICMP requests 
> between ipa clients, ipa servers and ad servers? 

For IPv4:
In theory, if your network is in ideal state and no service ever goes down
(unrealistic), it should work.

In practice, you will be observing long timeouts from time to time because the
clients will not be able to immediately detect that a service is down and
quickly fail-over to another server.


For IPv6: The network will totally break.


> We typically filter ICMP between all systems.
> 
> Also, if anyone has good documentation as to what ports are required between 
> each I'd really appreciate it! 
> 
>>From IPA Server to AD Server (trust) 
>>From IPA Client to IPA Server 
>>From IPA Client to AD Server (if any, unsure if kerberos/ldap is needed here 
>>or not on v4) 
>>From AD Client to IPA Client (ad users on windows machines accessing ipa 
>>client over ssh with kerberos gssapi) 

For IPA servers, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports

For IPA clients, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/clients-prereqs.html#prereq-ports-clients

For AD trusts, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#trust-req-ports


IPA & AD clients in cross-forest trust need to be able to communicate with IPA
and AD servers at least for Kerberos, but I would not bother with filtering
these specifically. Take them as clients joined to both realms.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to