Thank you Simo,
Is there a better source for the IPA ports required you can direct me to other than this https://access.redhat.com/solutions/357673 which shows the below:

Resolution

IdM Server <-> Clients

Name          Destination-port    Purpose                                                       Type
HTTP/HTTPS    80 / 443            WebUI and IPA CLI admin tools communication.                  TCP
LDAP/LDAPS    389 / 636           directory service communication.                              TCP
Kerberos      88 / 464            communication for authentication                              TCP and UDP
DNS           53                  nameservice, used also for autodiscovery, autoregistration    TCP and UDP
                                  and High Availability Authentication (sssd), optional
NTP           123                 network time protocol, optional                               UDP
kadmind       464 / 749           used for principal generation, password changes etc.          TCP

IdM Server <-> IdM Server (i.e. Replica)

Name          Destination-port    Purpose                                                       Type
HTTP/HTTPS    80 / 443            WebUI and IPA CLI admin tools communication.                  TCP
LDAP/LDAPS    389 / 636           directory service communication.                              TCP
Kerberos      88 / 464            communication for authentication                              TCP and UDP
DNS           53                  nameservice, used also for autodiscovery, autoregistration    TCP and UDP
                                  and High Availability Authentication (sssd), optional
NTP           123                 network time protocol, optional                               UDP
kadmind       464 / 749           used only via localhost                                       TCP
dogtag        7389                Server and replica communication                              TCP
replica conf  9443 / 9444 / 9445  Replica configuration, only needed during initial replica     TCP
                                  installation -- IPAv3/RHEL6 only (not required at all in
                                  IPAv4/RHEL7)

Note: In RHEL 7, 389 port is used for replication instead of 7389 port.

I have a hard time thinking NTP is required bidirectional as well, which I assume is the indication with the <->, but I was also wrong thinking TCP port 53 would not be required, which it is (found out the hard way), so I was leaning on the docs a lot. What would be your take on bidirectional vs uni from the above list? We are running DNS and NTP from IPA.
Sean Hogan

From: Simo Sorce <[email protected]>
To: Sean Hogan/Durham/IBM@IBMUS
Cc: freeipa-users <[email protected]>
Date: 08/31/2016 03:36 PM
Subject: Re: [Freeipa-users] IPA port 80

On Wed, 2016-08-31 at 14:22 -0700, Sean Hogan wrote:
> Hi all,
>
> Been reading a lot about Port 80 for IPA and firewalls but have not found
> a concrete answer. I know the redhat docs indicate port 80 is required
> bidirectional however I need to investigate if it is truly needed.
>
> GUI only responds to 443 so not sure what else would be utilizing port 80.
> I have seen some references that dogtag proxies its ports to 80 and 443 but
> if the gui is running on 443 does that mean dogtag is proxying via 443
> only? Or is there a way to tell? Has anyone attempted not opening port
> 80 from IPA Server to IPA Server and clients to IPA server?
>
> ipa-server-3.0.0-50.el6.1.x86_64

Port 80 is not required, the only thing you'll find there is a redirect to
the HTTPS port.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
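As an added example (not part of this thread, and not FreeIPA project code): a small Python check an administrator can run from a client to see which of the client-facing TCP ports in the Red Hat table above are actually reachable through the firewall, rather than reasoning about them from the docs. The hostname is a placeholder, and port 80 is treated as optional because, per Simo's reply, it only serves a redirect to HTTPS. The UDP ports (53, 88, 464, 123) are deliberately left out: a UDP "connect" has no handshake and proves nothing about reachability.

```python
"""Probe the IPA client-facing TCP ports from the Red Hat solution table.

Added example for the thread above; hostnames and the optional-port policy
are assumptions, not something the thread or FreeIPA ships.
"""
import socket
from typing import Dict, Iterable, List, Tuple

# TCP ports from the "IdM Server <-> Clients" table quoted in the thread.
IPA_CLIENT_TCP_PORTS: Dict[int, str] = {
    80: "HTTP (only a redirect to 443; optional per Simo's reply)",
    443: "HTTPS: WebUI and IPA CLI admin tools",
    389: "LDAP",
    636: "LDAPS",
    88: "Kerberos (also UDP, not probed here)",
    464: "kpasswd / kadmind (also UDP, not probed here)",
    53: "DNS over TCP (also UDP, not probed here)",
    749: "kadmind",
}

# Assumption for this example: the only port we accept being closed is 80.
OPTIONAL_TCP_PORTS = (80,)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP three-way handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout), unreachable or unresolvable all count as closed.
        return False


def check_ports(host: str, ports: Iterable[int], timeout: float = 2.0) -> Dict[int, bool]:
    """Probe every port once and return {port: reachable}."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def missing_required(results: Dict[int, bool],
                     optional: Tuple[int, ...] = OPTIONAL_TCP_PORTS) -> List[int]:
    """Closed ports that are not in the optional set, sorted for stable reporting."""
    return sorted(p for p, reachable in results.items()
                  if not reachable and p not in optional)


def local_probe_demo() -> Tuple[bool, bool]:
    """Offline self-check: probe a loopback listener while it is up, then after it closes.

    Returns (open_while_listening, open_after_close); expected (True, False).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, no privileges needed
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = tcp_port_open("127.0.0.1", port, timeout=2.0)
    listener.close()
    after_close = tcp_port_open("127.0.0.1", port, timeout=2.0)
    return while_listening, after_close


def main(host: str = "ipa.example.test") -> int:  # placeholder IPA server name
    results = check_ports(host, IPA_CLIENT_TCP_PORTS)
    for port, reachable in sorted(results.items()):
        state = "open  " if reachable else "CLOSED"
        print(f"{state} {port:>4}/tcp  {IPA_CLIENT_TCP_PORTS[port]}")
    missing = missing_required(results)
    if missing:
        print("required TCP ports not reachable:", missing)
    return 1 if missing else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from a client with the real server name substituted for the placeholder; a non-zero exit means at least one required port is filtered. Because this only checks client-to-server direction, it says nothing about the server-to-client or server-to-server flows the table marks with <->; the same script run from the server towards a replica covers the replica-facing TCP ports if you swap in that table.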
