On 12.8.2016 22:03, Jake wrote:
> Hey Guys,
> Can anyone tell me if there are issues caused by blocking ICMP requests
> between ipa clients, ipa servers and ad servers?

For IPv4: In theory, if your network is in ideal state and no service ever
goes down (unrealistic), it should work. In practice, you will be observing
long timeouts from time to time because the clients will not be able to
immediately detect that a service is down and quickly fail-over to another
server.

For IPv6: The network will totally break.

> We typically filter ICMP between all systems.
>
> Also, if anyone has good documentation as to what ports are required between
> each I'd really appreciate it!
>
> From IPA Server to AD Server (trust)
> From IPA Client to IPA Server
> From IPA Client to AD Server (if any, unsure if kerberos/ldap is needed here
> or not on v4)
> From AD Client to IPA Client (ad users on windows machines accessing ipa
> client over ssh with kerberos gssapi)

For IPA servers, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/installing-ipa.html#prereq-ports

For IPA clients, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/clients-prereqs.html#prereq-ports-clients

For AD trusts, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-requirements.html#trust-req-ports

IPA & AD clients in cross-forest trust need to be able to communicate with
IPA and AD servers at least for Kerberos, but I would not bother with
filtering these specifically. Take them as clients joined to both realms.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
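The reply above explains why a blanket "drop all ICMP" policy hurts an IPA deployment: on IPv4 a client talking to a dead KDC or LDAP server never receives a destination-unreachable message and sits through the full timeout before failing over, and on IPv6 neighbor and router discovery are themselves ICMPv6, so the network stops working. The nftables ruleset below is an added example written for this thread; it is not from the reply, the FreeIPA project or the linked Red Hat guides. It shows the wholesale-drop rule commented out next to a policy that keeps only the ICMP/ICMPv6 message types a host needs. The table name, the monitoring network (192.0.2.0/24, 2001:db8::/32) and the decision to put this on an IPA server are assumptions; the service ports listed are the standard IPA server ports and should be cross-checked against the documentation linked in the reply.

```nft
# Added example for the freeipa-users thread above; not the project's own config.
# Host-side input policy for an IPA server (assumed role) that filters ICMP
# without breaking fail-over on IPv4 or neighbor discovery on IPv6.
table inet ipa_host {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # Weak setting (the "filter ICMP between all systems" approach):
        # dropping every ICMP/ICMPv6 packet. Left here commented out only
        # to show what is being replaced.
        #   meta l4proto { icmp, ipv6-icmp } drop

        # Corrected: keep the ICMPv4 error messages that let a client notice
        # quickly that a KDC/LDAP/HTTP endpoint is unreachable and move on
        # to the next server.
        icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # ICMPv6 messages an IPv6 host cannot function without: neighbor and
        # router discovery, plus packet-too-big for path MTU discovery.
        icmpv6 type {
            destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
            nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert
        } accept

        # Echo requests only from the monitoring network (placeholder ranges).
        ip saddr 192.0.2.0/24 icmp type echo-request accept
        ip6 saddr 2001:db8::/32 icmpv6 type echo-request accept

        # IPA server service ports (Kerberos, kpasswd, LDAP/LDAPS, HTTP/HTTPS).
        # Verify against the "prereq-ports" section linked in the reply; add
        # DNS and NTP if this server provides them.
        tcp dport { 88, 464, 389, 636, 80, 443 } accept
        udp dport { 88, 464 } accept
    }
}
```

Load it with `nft -f <file>` on a test host before rolling it out. Conntrack's `related` state already admits ICMP errors tied to a tracked flow, but the explicit type rules matter for neighbor discovery traffic that is not part of any tracked connection, and they make the intended policy readable to whoever audits it later.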