Thanks Peter,

So the setup is each VLAN has an IPA replica within the firewall boundary
acting as its primary auth/policy server. If it goes down, then the
clients can reach back through the firewall to our backup IPAs. So I am
trying to pinpoint the actual ports required to be open on the firewall to
allow the clients the ability to get back to the backup IPAs.

It comes down to opening ports through the firewalls back to our IPA backup
servers. If port 80 is not required for the clients or servers to get to
IPA behind the firewall, then there is no need to open more ports than
required, and getting 443 open adheres more to our security policy than 80.
So if everything is redirected to 443 and 80 is not required, as it is all
redirected, then the docs I am using are not correct.

I am hoping Simo can weigh in on this.


The Red Hat link shows this for firewall port openings:
https://access.redhat.com/solutions/357673
with <-> seeming to indicate bidirectional. Not sure why NTP requires that
for the clients.

Resolution

IdM Server <-> Clients

  Name         Destination-port / Type   Purpose
  HTTP/HTTPS   80 / 443 TCP              WebUI and IPA CLI admin tools communication.
  LDAP/LDAPS   389 / 636 TCP             directory service communication.
  Kerberos     88 / 464 TCP and UDP      communication for authentication
  DNS          53 TCP and UDP            nameservice, used also for autodiscovery,
                                         autoregistration and High Availability
                                         Authentication (sssd), optional
  NTP          123 UDP                   network time protocol, optional
  kadmind      464 / 749 TCP             used for principal generation, password
                                         changes etc.


IdM Server <-> IdM Server (i.e. Replica)

  Name          Destination-port / Type   Purpose
  HTTP/HTTPS    80 / 443 TCP              WebUI and IPA CLI admin tools communication.
  LDAP/LDAPS    389 / 636 TCP             directory service communication.
  Kerberos      88 / 464 TCP and UDP      communication for authentication
  DNS           53 TCP and UDP            nameservice, used also for autodiscovery,
                                          autoregistration and High Availability
                                          Authentication (sssd), optional
  NTP           123 UDP                   network time protocol, optional
  kadmind       464 / 749 TCP             used only via localhost
  dogtag        7389 TCP                  Server and replica communication
  replica conf  9443 / 9444 / 9445 TCP    Replica configuration, only needed during
                                          initial replica installation -- IPAv3/RHEL6
                                          only (not required at all in IPAv4/RHEL7)




Note: In RHEL 7, 389 port is used for replication instead of 7389 port.


Sean Hogan
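The following is an added example, not code from this thread, from the FreeIPA project or from the Red Hat article. It turns the IdM Server <-> Clients port matrix above into stateful firewall rules for the path from a client VLAN to the backup IPA servers, and adds the two checks a practitioner would run before deciding whether port 80 can stay closed: which URLs the certificate actually points clients at for CRL and OCSP (the point Peter raises in the message quoted below), and a per-port TCP reachability probe from the client side. The network 192.0.2.0/24 and the address 203.0.113.10 are constructed placeholders, and ipa_client_ports, ipa_forward_rules, cert_fetch_urls, tcp_open and check_backup_ipa are names chosen here, not IPA tools.

```shell
#!/bin/bash
# Added example: firewall openings for IPA clients reaching backup IPA servers.
# Not from the thread, FreeIPA or the Red Hat KB article. Sample addresses
# (192.0.2.0/24, 203.0.113.10) are constructed documentation addresses.

# Port matrix for IdM Server <-> Clients as listed in the thread.
# Output format: <proto> <port> <purpose>  (purpose text abbreviated).
ipa_client_ports() {
    cat <<'EOF'
tcp 80 HTTP (CRL/OCSP fetch, otherwise redirected to HTTPS)
tcp 443 HTTPS (WebUI, IPA CLI)
tcp 389 LDAP
tcp 636 LDAPS
tcp 88 Kerberos
udp 88 Kerberos
tcp 464 Kerberos password change
udp 464 Kerberos password change
tcp 53 DNS, optional
udp 53 DNS, optional
udp 123 NTP, optional
tcp 749 kadmind
EOF
}

# Emit one ACCEPT rule per (proto, port) from client_net to backup_ip.
# Replies ride on the conntrack rule, so the "<->" in the article does not
# require openings towards the clients: every flow is client-initiated.
# ipa_forward_rules <client_net> <backup_ip> [yes|no]  (include optional ports)
ipa_forward_rules() {
    client_net=$1; backup_ip=$2; include_optional=${3:-yes}
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    ipa_client_ports | while read -r proto port purpose; do
        case $purpose in
            *optional*) [ "$include_optional" = yes ] || continue ;;
        esac
        printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -j ACCEPT  # %s\n' \
            "$client_net" "$backup_ip" "$proto" "$port" "$purpose"
    done
}

# Print the CRL distribution point and OCSP URI embedded in a PEM certificate
# (e.g. the IPA HTTP server cert), which is what decides whether clients need
# port 80: if both are http:// URLs, closing 80 breaks revocation checking.
cert_fetch_urls() {
    openssl x509 -in "$1" -noout -text | grep 'URI:' | sed 's/^ *//'
}

# TCP reachability from the client side using bash's /dev/tcp, so it needs
# neither nc nor nmap. Returns 0 when the port accepts a connection.
tcp_open() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Probe every TCP port of the matrix against one backup server; UDP ports
# cannot be verified this way and are skipped. Returns 1 if any port fails.
check_backup_ipa() {
    host=$1
    ipa_client_ports | {
        rc=0
        while read -r proto port purpose; do
            [ "$proto" = tcp ] || continue
            if tcp_open "$host" "$port"; then
                printf 'ok    %s/tcp  %s\n' "$port" "$purpose"
            else
                printf 'FAIL  %s/tcp  %s\n' "$port" "$purpose"
                rc=1
            fi
        done
        exit $rc
    }
}

# Demo with the constructed addresses; substitute the client VLAN and the
# backup IPA address, then run check_backup_ipa <backup_ip> from a client.
ipa_forward_rules 192.0.2.0/24 203.0.113.10
```

Run cert_fetch_urls against /etc/ipa/ca.crt or the server's HTTP certificate before removing the port 80 rule; the scheme of the URIs it prints is the answer to the question in the thread for that deployment. The third argument of ipa_forward_rules drops DNS and NTP when the clients already get those from inside the VLAN.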







From:   Peter Fern <free...@0xc0dedbad.com>
To:     freeipa-users <freeipa-users@redhat.com>
Date:   08/31/2016 04:01 PM
Subject:        Re: [Freeipa-users] IPA port 80
Sent by:        freeipa-users-boun...@redhat.com



You need to serve CRLs and OCSP via HTTP to avoid clients failing to verify
the cert of the host serving the CRL/OCSP when the cert on that host needs
to be verified at itself.

I'm not sure why you'd particularly care though - reading the Apache
configs and you should see that other than a couple of exceptions, all HTTP
traffic is redirected to HTTPS.

On 01/09/16 07:22, Sean Hogan wrote:


      Hi all,

      Been reading a lot about port 80 for IPA and firewalls but have not
      found a concrete answer. I know the Red Hat docs indicate port 80 is
      required bidirectional; however, I need to investigate if it is truly
      needed.

      The GUI only responds to 443, so not sure what else would be utilizing
      port 80. I have seen some references that dogtag proxies its ports to
      80 and 443, but if the GUI is running on 443 does that mean dogtag is
      proxying via 443 only? Or is there a way to tell? Has anyone
      attempted not opening port 80 from IPA server to IPA server and
      clients to IPA server?
      ipa-server-3.0.0-50.el6.1.x86_64




      Sean Hogan

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project