Re: [Freeipa-users] IPA port 80

2016-09-01 Thread Sean Hogan

Thank You for the clarification all.




Sean Hogan







From:   Rob Crittenden 
To: Sean Hogan/Durham/IBM@IBMUS, Peter Fern

Cc: freeipa-users 
Date:   09/01/2016 06:47 AM
Subject:Re: [Freeipa-users] IPA port 80



Sean Hogan wrote:
> Thanks Peter,
>
>
> So the set up is each vlan has an IPA replica within the firewall
> boundary acting as its primary auth/policy server. If it goes down..
> then the clients can reach back thru the firewall to our backup IPAs. So
> I am trying to pinpoint the actual ports required to be open on the
> firewall to allow the clients the ability to get back to the back up
IPAs.
>
> It comes down to opening ports thru the firewalls back to our IPA backup
> servers. If port 80 is not required for the clients or servers to get to
> IPA behind the firewall then there is no need in opening more ports than
> required and getting 443 open adheres more to our security policy than
> 80. So if everything is redirected to 443 and 80 is not required as it
> is all redirected then the docs I am using are not correct.
>
> I am hoping Simo can weigh in on this

Peter is right about OCSP/CRL. If you don't need them, and don't want a
user-friendly redirect if your users don't specify https then yeah, you
can probably do without port 80, assuming none of your clients REQUIRE
an OCSP response (e.g. security.OCSP.require in Firefox, false by default).

Another, rarely used path for port 80 is retrieval of the CA certificate
when enrolling clients. Normally it is retrieved over authenticated LDAP
but if that fails, and one isn't pre-positioned, it will fall back to
trying to get it over port 80 (last because this isn't exactly safe).

rob

>
>
> Redhat link shows this for firewall port openings
> _https://access.redhat.com/solutions/357673_
> with <-> seeming to indicate bidirectional. Not sure why NTP requires
> that for the clients.
>
> Resolution
>
> IdM Server <-> Clients
>
> Name          Destination-port / Type   Purpose
> HTTP/HTTPS    80 / 443 TCP              WebUI and IPA CLI admin tools communication.
> LDAP/LDAPS    389 / 636 TCP             directory service communication.
> Kerberos      88 / 464 TCP and UDP      communication for authentication
> DNS           53 TCP and UDP            nameservice, used also for autodiscovery, autoregistration
>                                         and High Availability Authentication (sssd), optional
> NTP           123 UDP                   network time protocol, optional
> kadmind       464 / 749 TCP             used for principal generation, password changes etc.
>
> IdM Server <-> IdM Server (i.e. Replica)
>
> Name          Destination-port / Type   Purpose
> HTTP/HTTPS    80 / 443 TCP              WebUI and IPA CLI admin tools communication.
> LDAP/LDAPS    389 / 636 TCP             directory service communication.
> Kerberos      88 / 464 TCP and UDP      communication for authentication
> DNS           53 TCP and UDP            nameservice, used also for autodiscovery, autoregistration
>                                         and High Availability Authentication (sssd), optional
> NTP           123 UDP                   network time protocol, optional
> kadmind       464 / 749 TCP             used only via localhost
> dogtag        7389 TCP                  Server and replica communication
> replica conf  9443 / 9444 / 9445 TCP    Replica configuration, only needed during initial replica
>                                         installation -- IPAv3/RHEL6 only (not required at all in
>                                         IPAv4/RHEL7)
>
> Note: In RHEL 7, 389 port is used for replication instead of 7389 port.
>
>
> Sean Hogan
>
>
>
>
>
>
> From: Peter Fern 
> To: freeipa-users 
> Date: 08/31/2016 04:01 PM
> Subject: Re: [Freeipa-users] IPA port 80
> Sent by: freeipa-users-boun...@redhat.com
>
> 
>
>
>
> You need to serve CRLs and OCSP via HTTP to avoid clients failing to
> verify the cert of the host serving the CRL/OCSP when the cert on that
> host needs to be verified at itself.
>
> I'm not sure why you'd particularly care though - reading the Apache
> configs and you should see that other than a couple of exceptions, all
> HTTP traffic is redirected to HTTPS.
>
> On 01/09/16 07:22, Sean Hogan wrote:
>
> Hi all,
>
> Been reading a lot about Port 

Re: [Freeipa-users] IPA port 80

2016-09-01 Thread Simo Sorce
On Thu, 2016-09-01 at 09:33 +1000, Peter Fern wrote:
> On 01/09/16 08:35, Simo Sorce wrote:
> > Port 80 is not required, the only thing you'll find there is a redirect
> > to the HTTPS port.
> 
> What about CRL/OCSP (and possibly others)?  The Apache configs
> explicitly do not redirect to HTTPS except for the /ipa path for this
> reason.

Oh right Peter, you are completely right.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] IPA port 80

2016-09-01 Thread Rob Crittenden

Sean Hogan wrote:

Thanks Peter,


So the set up is each vlan has an IPA replica within the firewall
boundary acting as its primary auth/policy server. If it goes down..
then the clients can reach back thru the firewall to our backup IPAs. So
I am trying to pinpoint the actual ports required to be open on the
firewall to allow the clients the ability to get back to the back up IPAs.

It comes down to opening ports thru the firewalls back to our IPA backup
servers. If port 80 is not required for the clients or servers to get to
IPA behind the firewall then there is no need in opening more ports than
required and getting 443 open adheres more to our security policy than
80. So if everything is redirected to 443 and 80 is not required as it
is all redirected then the docs I am using are not correct.

I am hoping Simo can weigh in on this


Peter is right about OCSP/CRL. If you don't need them, and don't want a 
user-friendly redirect if your users don't specify https then yeah, you 
can probably do without port 80, assuming none of your clients REQUIRE 
an OCSP response (e.g. security.OCSP.require in Firefox, false by default).


Another, rarely used path for port 80 is retrieval of the CA certificate 
when enrolling clients. Normally it is retrieved over authenticated LDAP 
but if that fails, and one isn't pre-positioned, it will fall back to 
trying to get it over port 80 (last because this isn't exactly safe).


rob




Redhat link shows this for firewall port openings
_https://access.redhat.com/solutions/357673_
with <-> seeming to indicate bidirectional. Not sure why NTP requires
that for the clients.

Resolution

IdM Server <-> Clients

Name          Destination-port / Type   Purpose
HTTP/HTTPS    80 / 443 TCP              WebUI and IPA CLI admin tools communication.
LDAP/LDAPS    389 / 636 TCP             directory service communication.
Kerberos      88 / 464 TCP and UDP      communication for authentication
DNS           53 TCP and UDP            nameservice, used also for autodiscovery, autoregistration
                                        and High Availability Authentication (sssd), optional
NTP           123 UDP                   network time protocol, optional
kadmind       464 / 749 TCP             used for principal generation, password changes etc.

IdM Server <-> IdM Server (i.e. Replica)

Name          Destination-port / Type   Purpose
HTTP/HTTPS    80 / 443 TCP              WebUI and IPA CLI admin tools communication.
LDAP/LDAPS    389 / 636 TCP             directory service communication.
Kerberos      88 / 464 TCP and UDP      communication for authentication
DNS           53 TCP and UDP            nameservice, used also for autodiscovery, autoregistration
                                        and High Availability Authentication (sssd), optional
NTP           123 UDP                   network time protocol, optional
kadmind       464 / 749 TCP             used only via localhost
dogtag        7389 TCP                  Server and replica communication
replica conf  9443 / 9444 / 9445 TCP    Replica configuration, only needed during initial replica
                                        installation -- IPAv3/RHEL6 only (not required at all in
                                        IPAv4/RHEL7)

Note: In RHEL 7, 389 port is used for replication instead of 7389 port.


Sean Hogan






From: Peter Fern 
To: freeipa-users 
Date: 08/31/2016 04:01 PM
Subject: Re: [Freeipa-users] IPA port 80
Sent by: freeipa-users-boun...@redhat.com





You need to serve CRLs and OCSP via HTTP to avoid clients failing to
verify the cert of the host serving the CRL/OCSP when the cert on that
host needs to be verified at itself.

I'm not sure why you'd particularly care though - reading the Apache
configs and you should see that other than a couple of exceptions, all
HTTP traffic is redirected to HTTPS.

On 01/09/16 07:22, Sean Hogan wrote:

Hi all,

Been reading a lot about Port 80 for IPA and firewalls but have
not found a concrete answer. I know the redhat docs indicate
port 80 is required bidirectional however I need to investigate
if it is truly needed.

GUI only responds to 443 so not sure what else would be
utilizing port 80. I have seen some references that dogtag
proxies its ports to 80 and 443 but if the gui is running on 443
does that mean dogtag is proxying via 443 only? Or is there a
way to tell? Has anyone attempted not opening port 80 from IPA
Server to IPA Server and clients to IPA server?
ipa-server-3.0.0-50.el6.1.x86_64




Sean Hogan




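Peter and Rob explain above that port 80 stays in use for the CRL and OCSP endpoints (plus a redirect) even though the web UI and API live on 443. Whether your clients will actually need port 80 is recorded in the certificates themselves, in the CRL Distribution Points and the OCSP entry of Authority Information Access. The following is an added example, not code from the thread or from FreeIPA: it reads those URLs from a certificate in the dict form Python's ssl module returns and lists the ports that must be open without TLS; the hostnames and paths in the sample are placeholders, not a real deployment.

```python
"""Find the plain-HTTP endpoints an IPA-issued certificate makes clients depend on.
Added example (not from the thread): the CRL Distribution Points and the OCSP entry of
Authority Information Access name the host:port every revocation-checking client must reach."""
import socket
import ssl
from urllib.parse import urlsplit


def revocation_endpoints(cert):
    """(scheme, host, port, kind) tuples for the CRL/OCSP URLs in a getpeercert() dict."""
    found = set()
    for kind, key in (("ocsp", "OCSP"), ("crl", "crlDistributionPoints")):
        for url in cert.get(key, ()):
            parts = urlsplit(url)
            if parts.scheme not in ("http", "https"):
                continue  # e.g. ldap:// distribution points are not web traffic
            port = parts.port or (443 if parts.scheme == "https" else 80)
            found.add((parts.scheme, parts.hostname, port, kind))
    return sorted(found)


def plain_http_ports(cert):
    """Ports a firewall must pass in the clear for revocation checks to succeed."""
    return sorted({p for scheme, _, p, _ in revocation_endpoints(cert) if scheme == "http"})


def fetch_cert(host, port=443):
    """Fetch the live server certificate as a getpeercert() dict (network access needed)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample in the shape getpeercert() returns; hostnames and paths are
# placeholders standing in for an IPA HTTP service certificate, not a real deployment.
SAMPLE_CERT = {
    "subject": ((("commonName", "ipa1.example.test"),),),
    "OCSP": ("http://ipa-ca.example.test/ca/ocsp",),
    "crlDistributionPoints": (
        "http://ipa-ca.example.test/ipa/crl/MasterCRL.bin",
        "ldap://ipa1.example.test/cn=MasterCRL,ou=ca,dc=example,dc=test",
    ),
}

if __name__ == "__main__":
    for scheme, host, port, kind in revocation_endpoints(SAMPLE_CERT):
        print(f"{kind:4} {scheme}://{host}:{port}")
    print("ports that must be open without TLS:", plain_http_ports(SAMPLE_CERT))
```

Run it against a real server with `plain_http_ports(fetch_cert("ipa1.example.test"))` (hypothetical hostname); an empty list means no client revocation check depends on port 80, which is the question the thread is asking.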

Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan
(the earlier rows of the quoted port table are missing from the archive)

Name          Destination-port / Type   Purpose
Kerberos      88 / 464 TCP and UDP      communication for authentication
DNS           53 TCP and UDP            nameservice, used also for autodiscovery, autoregistration
                                        and High Availability Authentication (sssd), optional
NTP           123 UDP                   network time protocol, optional
kadmind       464 / 749 TCP             used only via localhost
dogtag        7389 TCP                  Server and replica communication
replica conf  9443 / 9444 / 9445 TCP    Replica configuration, only needed during initial replica
                                        installation -- IPAv3/RHEL6 only (not required at all in
                                        IPAv4/RHEL7)

Note: In RHEL 7, 389 port is used for replication instead of 7389 port.


Sean Hogan







From:   Peter Fern 
To: freeipa-users 
Date:   08/31/2016 04:01 PM
Subject:    Re: [Freeipa-users] IPA port 80
Sent by:freeipa-users-boun...@redhat.com



You need to serve CRLs and OCSP via HTTP to avoid clients failing to verify
the cert of the host serving the CRL/OCSP when the cert on that host needs
to be verified at itself.

I'm not sure why you'd particularly care though - reading the Apache
configs and you should see that other than a couple of exceptions, all HTTP
traffic is redirected to HTTPS.

On 01/09/16 07:22, Sean Hogan wrote:


  Hi all,

  Been reading a lot about Port 80 for IPA and firewalls but have not
  found a concrete answer. I know the redhat docs indicate port 80 is
  required bidirectional however I need to investigate if it is truly
  needed.

  GUI only responds to 443 so not sure what else would be utilizing
  port 80. I have seen some references that dogtag proxies its ports to
  80 and 443 but if the gui is running on 443 does that mean dogtag is
  proxying via 443 only? Or is there a way to tell? Has anyone
  attempted not opening port 80 from IPA Server to IPA Server and
  clients to IPA server?
  ipa-server-3.0.0-50.el6.1.x86_64




  Sean Hogan











Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Peter Fern
On 01/09/16 08:35, Simo Sorce wrote:
> Port 80 is not required, the only thing you'll find there is a redirect
> to the HTTPS port.

What about CRL/OCSP (and possibly others)?  The Apache configs
explicitly do not redirect to HTTPS except for the /ipa path for this
reason.



Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Sean Hogan
(the earlier rows of the quoted port table are missing from the archive)

Name          Destination-port / Type   Purpose
kadmind       464 / 749 TCP             used only via localhost
dogtag        7389 TCP                  Server and replica communication
replica conf  9443 / 9444 / 9445 TCP    Replica configuration, only needed during initial replica
                                        installation -- IPAv3/RHEL6 only (not required at all in
                                        IPAv4/RHEL7)

Note: In RHEL 7, 389 port is used for replication instead of 7389 port.





I have a hard time thinking ntp is required bidirectional as well which I
assume is the indication with the <-> but I was also wrong thinking tcp
port 53 would not be required which it is(found out hard way) so I was
leaning on the docs a lot.


What would be your take on bidirectional vs uni from the above list?


We are running DNS and NTP from IPA.







Sean Hogan





From:   Simo Sorce 
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users 
Date:   08/31/2016 03:36 PM
Subject:    Re: [Freeipa-users] IPA port 80



On Wed, 2016-08-31 at 14:22 -0700, Sean Hogan wrote:
>
>
> Hi all,
>
>   Been reading a lot about Port 80 for IPA and firewalls but have not
found
> a concrete answer.  I know the redhat docs indicate port 80 is required
> bidirectional however I need to investigate if it is truly needed.
>
> GUI only responds to 443 so not sure what else would be utilizing port
80.
> I have seen some references that dogtag proxies its ports to 80 and 443
but
> if the gui is running on 443 does that mean dogtag is proxying via 443
> only?  Or is there a way to tell?   Has anyone attempted not opening port
> 80 from IPA Server to IPA Server and clients to IPA server?
> ipa-server-3.0.0-50.el6.1.x86_64

Port 80 is not required, the only thing you'll find there is a redirect
to the HTTPS port.

Simo.

--
Simo Sorce * Red Hat, Inc * New York




Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Peter Fern
You need to serve CRLs and OCSP via HTTP to avoid clients failing to
verify the cert of the host serving the CRL/OCSP when the cert on that
host needs to be verified at itself.

I'm not sure why you'd particularly care though - reading the Apache
configs and you should see that other than a couple of exceptions, all
HTTP traffic is redirected to HTTPS.

On 01/09/16 07:22, Sean Hogan wrote:
>
> Hi all,
>
> Been reading a lot about Port 80 for IPA and firewalls but have not
> found a concrete answer. I know the redhat docs indicate port 80 is
> required bidirectional however I need to investigate if it is truly
> needed.
>
> GUI only responds to 443 so not sure what else would be utilizing port
> 80. I have seen some references that dogtag proxies its ports to 80
> and 443 but if the gui is running on 443 does that mean dogtag is
> proxying via 443 only? Or is there a way to tell? Has anyone attempted
> not opening port 80 from IPA Server to IPA Server and clients to IPA
> server?
> ipa-server-3.0.0-50.el6.1.x86_64
>
>
>
>
> Sean Hogan
>
>
>
>
>
>


Re: [Freeipa-users] IPA port 80

2016-08-31 Thread Simo Sorce
On Wed, 2016-08-31 at 14:22 -0700, Sean Hogan wrote:
> 
> 
> Hi all,
> 
>   Been reading a lot about Port 80 for IPA and firewalls but have not found
> a concrete answer.  I know the redhat docs indicate port 80 is required
> bidirectional however I need to investigate if it is truly needed.
> 
> GUI only responds to 443 so not sure what else would be utilizing port 80.
> I have seen some references that dogtag proxies its ports to 80 and 443 but
> if the gui is running on 443 does that mean dogtag is proxying via 443
> only?  Or is there a way to tell?   Has anyone attempted not opening port
> 80 from IPA Server to IPA Server and clients to IPA server?
> ipa-server-3.0.0-50.el6.1.x86_64

Port 80 is not required, the only thing you'll find there is a redirect
to the HTTPS port.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
