Thank you Simo,

  Is there a better source for the IPA ports required you can direct me to
other than this https://access.redhat.com/solutions/357673
which shows the below:

Resolution

IdM Server <-> Clients

  Name          Destination-port / Type     Purpose
  HTTP/HTTPS    80 / 443        TCP         WebUI and IPA CLI admin tools communication.
  LDAP/LDAPS    389 / 636       TCP         directory service communication.
  Kerberos      88 / 464        TCP and UDP communication for authentication
  DNS           53              TCP and UDP nameservice, used also for autodiscovery, autoregistration
                                            and High Availability Authentication (sssd), optional
  NTP           123             UDP         network time protocol, optional
  kadmind       464 / 749       TCP         used for principal generation, password changes etc.

IdM Server <-> IdM Server (i.e. Replica)

  Name          Destination-port / Type     Purpose
  HTTP/HTTPS    80 / 443        TCP         WebUI and IPA CLI admin tools communication.
  LDAP/LDAPS    389 / 636       TCP         directory service communication.
  Kerberos      88 / 464        TCP and UDP communication for authentication
  DNS           53              TCP and UDP nameservice, used also for autodiscovery, autoregistration
                                            and High Availability Authentication (sssd), optional
  NTP           123             UDP         network time protocol, optional
  kadmind       464 / 749       TCP         used only via localhost
  dogtag        7389            TCP         Server and replica communication
  replica conf  9443/9444/9445  TCP         Replica configuration, only needed during initial replica
                                            installation -- IPAv3/RHEL6 only (not required at all in
                                            IPAv4/RHEL7)

Note: In RHEL 7, 389 port is used for replication instead of 7389 port.





I have a hard time thinking NTP is required bidirectionally as well, which I
assume is what the <-> indicates, but I was also wrong in thinking TCP
port 53 would not be required (it is; found out the hard way), so I have been
leaning on the docs a lot.


What would be your take on bidirectional vs uni from the above list?


We are running DNS and NTP from IPA.







Sean Hogan





From:   Simo Sorce <s...@redhat.com>
To:     Sean Hogan/Durham/IBM@IBMUS
Cc:     freeipa-users <freeipa-users@redhat.com>
Date:   08/31/2016 03:36 PM
Subject:        Re: [Freeipa-users] IPA port 80



On Wed, 2016-08-31 at 14:22 -0700, Sean Hogan wrote:
>
>
> Hi all,
>
>   Been reading a lot about Port 80 for IPA and firewalls but have not found
> a concrete answer.  I know the redhat docs indicate port 80 is required
> bidirectional however I need to investigate if it is truly needed.
>
> GUI only responds to 443 so not sure what else would be utilizing port 80.
> I have seen some references that dogtag proxies its ports to 80 and 443 but
> if the gui is running on 443 does that mean dogtag is proxying via 443
> only?  Or is there a way to tell?   Has anyone attempted not opening port
> 80 from IPA Server to IPA Server and clients to IPA server?
> ipa-server-3.0.0-50.el6.1.x86_64

Port 80 is not required, the only thing you'll find there is a redirect
to the HTTPS port.

Simo.

--
Simo Sorce * Red Hat, Inc * New York



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
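An added example (editor's code, not part of this thread and not Red Hat's or FreeIPA's): a small probe a client can run against its IdM server to see which of the ports from the quoted "IdM Server <-> Clients" table actually answer. Every probe is initiated from the client towards the server's destination port, which is the direction the table's "Destination-port" column describes; it reports "closed" (RST or ICMP port-unreachable, nothing listening) separately from "filtered" (no answer at all, the usual sign of a firewall dropping the packet), since that distinction is what you need when deciding what to open. The host name is a placeholder, the DNS and NTP probe payloads are constructed here, and port labels and notes are taken from the table and from Simo's reply about port 80.

```python
"""Probe the client -> IdM server ports from the quoted Red Hat table.

Usage (from a client):  python3 ipa_ports.py ipa1.example.com
"""
import socket
import sys

# Rows of the quoted client table. Notes follow the table; the port 80 note
# follows Simo's reply in this thread (HTTP only redirects to HTTPS).
IPA_CLIENT_PORTS = [
    # (name,                port, proto, note)
    ("HTTP",                 80, "tcp", "redirect to HTTPS only"),
    ("HTTPS",               443, "tcp", "WebUI and IPA CLI"),
    ("LDAP",                389, "tcp", "directory service"),
    ("LDAPS",               636, "tcp", "directory service"),
    ("Kerberos",             88, "tcp", "authentication"),
    ("Kerberos",             88, "udp", "authentication"),
    ("Kerberos (kpasswd)",  464, "tcp", "password changes"),
    ("Kerberos (kpasswd)",  464, "udp", "password changes"),
    ("kadmind",             749, "tcp", "principal generation, password changes"),
    ("DNS",                  53, "tcp", "nameservice, optional"),
    ("DNS",                  53, "udp", "nameservice, optional"),
    ("NTP",                 123, "udp", "network time, optional"),
]

# Constructed UDP payloads so a live service has something to answer:
# a DNS query for the root NS records, and an NTP mode-3 client request.
DNS_ROOT_NS_QUERY = (b"\x12\x34" + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
                     + b"\x00" + b"\x00\x02\x00\x01")
NTP_CLIENT_REQUEST = b"\x1b" + b"\x00" * 47
UDP_PAYLOADS = {53: DNS_ROOT_NS_QUERY, 123: NTP_CLIENT_REQUEST}


def probe_tcp(host, port, timeout=2.0):
    """'open' on a completed handshake, 'closed' on RST (nothing listening),
    'filtered' on a timeout (typically a firewall dropping the SYN)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:          # no route, name resolution failure, etc.
        return "error"


def probe_udp(host, port, payload=b"\x00", timeout=2.0):
    """UDP has no handshake, so 'open' needs a reply. An ICMP port-unreachable
    surfaces as ConnectionRefusedError on a connected UDP socket -> 'closed';
    silence is 'open|filtered' (silent service, or a firewall dropping it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            s.send(payload)
            s.recv(4096)
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "open|filtered"
        except OSError:
            return "error"


def probe_all(host, ports=IPA_CLIENT_PORTS, timeout=2.0):
    """Probe every row of the table; returns (name, port, proto, state, note)."""
    results = []
    for name, port, proto, note in ports:
        if proto == "tcp":
            state = probe_tcp(host, port, timeout)
        else:
            state = probe_udp(host, port, UDP_PAYLOADS.get(port, b"\x00"), timeout)
        results.append((name, port, proto, state, note))
    return results


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} IPA_SERVER", file=sys.stderr)
        return 2
    for name, port, proto, state, note in probe_all(argv[1]):
        print(f"{name:<20}{port:>5}/{proto:<4} {state:<14} {note}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Read "filtered" rows against the table: a required row that comes back "filtered" from the client is the rule the client-side or server-side firewall is missing; "closed" means the packet arrived but nothing was listening, so it is a service question, not a firewall one. For UDP a silent "open|filtered" is only resolvable by sending a payload the service will answer, which is why the DNS and NTP rows carry real requests.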
