Re: [Freeipa-users] IPA port 80

Rob Crittenden Thu, 01 Sep 2016 06:52:34 -0700

Sean Hogan wrote:

Thanks Peter,



So the set up is each vlan has an IPA replica within the firewall
boundary acting as its primary auth/policy server. If it goes down..
then the clients can reach back thru the firewall to our backup IPAs. So
I am trying to pinpoint the actual ports required to be open on the
firewall to allow the clients the ability to get back to the back up IPAs.

It comes down to opening ports thru the firewalls back to our IPA backup
servers. If port 80 is not required for the clients or servers to get to
IPA behind the firewall then there is no need in opening more ports than
required and getting 443 open adheres more to our security policy than
80. So if everything is redirected to 443 and 80 is not required as it
is all redirected then the docs I am using are not correct.

I am hoping Simo can weigh in on this

Peter is right about OCSP/CRL. If you don't need them, and don't want auser-friendly redirect if your users don't specify https then yeah, youcan probably do without port 80, assuming none of your clients REQUIREan OCSP response (e.g. security.OCSP.require in Firefox, false by default).

Another, rarely used path for port 80 is retrieval of the CA certificatewhen enrolling clients. Normally it is retrieved over authenticated LDAPbut if that fails, and one isn't pre-positioned, it will fall back totrying to get it over port 80 (last because this isn't exactly safe).

rob



Redhat link shows this for firewall port openings
_https://access.redhat.com/solutions/357673_
with <-> seeming to indicate bidirectional. Not sure why NTP requires
that for the clients.

*Resolution**
IdM Server <-> Clients*
*Name*
        
*Destination-port / Type*
        
*Purpose*
HTTP/HTTPS      80 / 443 TCP    WebUI and IPA CLI admin tools communication.
LDAP/LDAPS      389 / 636 TCP   directory service communication.
Kerberos        88 / 464 TCP and UDP    communication for authentication
DNS     53 TCP and UDP  nameservice, used also for autodiscovery,
autoregistration and High Availability Authentication(sssd), optional
NTP     123 UDP         network time protocol, optional
kadmind         464 / 749 TCP   used for principal generation, password changes 
etc.

*
IdM Server <-> IdM Server (i.e. Replica)*
*Name*
        
*Destination-port/Type*
        
*Purpose*
HTTP/HTTPS      80 / 443 TCP    WebUI and IPA CLI admin tools communication.
LDAP/LDAPS      389 / 636 TCP   directory service communication.
Kerberos        88 / 464 TCP and UDP    communication for authentication
DNS     53 / TCP and UDP        nameservice, used also for autodiscovery,
autoregistration and High Availability Authentication(sssd), *optional*
NTP     123 UDP         network time protocol, *optional*
kadmind         464 / 749 TCP   used only via localhost
dogtag  7389 TCP        Server and replica communication
replica conf    9443 / 9444 / 9445 TCP  Recplica configuration, only needed
during initial replica installation -- IPAv3/RHEL6 only (not required at
all in IPAv4/RHEL7)

*Note:* In RHEL 7, 389 port is used for replication instead of 7389 port.


Sean Hogan





Inactive hide details for Peter Fern ---08/31/2016 04:01:30 PM---You
need to serve CRLs and OCSP via HTTP to avoid clients failPeter Fern
---08/31/2016 04:01:30 PM---You need to serve CRLs and OCSP via HTTP to
avoid clients failing to verify the cert of the host ser

From: Peter Fern <[email protected]>
To: freeipa-users <[email protected]>
Date: 08/31/2016 04:01 PM
Subject: Re: [Freeipa-users] IPA port 80
Sent by: [email protected]

------------------------------------------------------------------------



You need to serve CRLs and OCSP via HTTP to avoid clients failing to
verify the cert of the host serving the CRL/OCSP when the cert on that
host needs to be verified at itself.

I'm not sure why you'd particularly care though - reading the Apache
configs and you should see that other than a couple of exceptions, all
HTTP traffic is redirected to HTTPS.

On 01/09/16 07:22, Sean Hogan wrote:

        Hi all,

        Been reading a lot about Port 80 for IPA and firewalls but have
        not found a concrete answer. I know the redhat docs indicate
        port 80 is required bidirectional however I need to investigate
        if it is truly needed.

        GUI only responds to 443 so not sure what else would be
        utilizing port 80. I have seen some references that dogtag
        proxies its ports to 80 and 443 but if the gui is running on 443
        does that mean dogtag is proxying via 443 only? Or is there a
        way to tell? Has anyone attempted not opening port 80 from IPA
        Server to IPA Server and clients to IPA server?
        ipa-server-3.0.0-50.el6.1.x86_64




        Sean Hogan




--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] IPA port 80

Reply via email to