On 05/23/2012 05:40 PM, Jan-Frode Myklebust wrote:
> We have quite strict firewalls, so I need to specify the IPA network
> ports accurately. So, we have now opened:
>
> 80/tcp, 88/tcp, 389/tcp, 443/tcp, 464/tcp, 636/tcp
> 88/udp, 464/udp
>
> in to our first IPA server. Now I'm in the process of configuring the
> first replica. Are there any other ports that need to be opened between
> the ipa master and replica?
>
> We don't serve NTP or DNS from IPA, so I guess these shouldn't be
> relevant, but I think we want dogtag replicated, so there are maybe some
> ports for that that need opening?
>
> Or, to put it another way, which of these ports:
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/Preparing_for_an_IPA_Installation.html#prereq-ports
>
> need to be opened between ipa servers, which for all clients, which for
> replicas and which for administrative clients?
>
> HTTP/HTTPS -- open for all
> LDAP/LDAPS -- open for all
> Kerberos -- open for all
> OCSP responder -- open for all if we use certs
>
> dogtag 9443 (agents) -- ?
> dogtag 9444 (users, SSL) -- ?
> dogtag 9445 (administrators) -- ?
> dogtag 9446 (users, client authentication) -- ?
> dogtag 9701 (Tomcat) -- ?
> dogtag 7389 (internal LDAP database) -- ?
>
Dogtag ports are now proxied via HTTP: https://fedorahosted.org/freeipa/ticket/1334

I guess we need a doc bug to correct the documentation. Opened: https://bugzilla.redhat.com/show_bug.cgi?id=824666

A replica can check its connectivity to the master it is created from using the ipa-replica-conncheck utility on the replica. It seems that this is not documented. Opened: https://bugzilla.redhat.com/show_bug.cgi?id=824667

> -jf
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
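For readers who want to sanity-check the firewall before running the real tool, the following is an added example and not part of the thread or of FreeIPA's own ipa-replica-conncheck. It probes the TCP ports the thread lists as required between a replica and its master (the dogtag ports are left out, since the reply above says they are proxied over HTTP). The hostname is a placeholder assumption, and the UDP ports (88, 464) are listed but not probed: a UDP "connect" cannot distinguish an open port from one a firewall silently drops, so they need ipa-replica-conncheck or an actual Kerberos request to verify.

```shell
#!/usr/bin/env bash
# Added example: minimal TCP reachability probe for the IPA master/replica
# ports named in the thread. Not FreeIPA code; prefer ipa-replica-conncheck
# on a real replica, which also exercises the services, not just the sockets.

# Ports the thread lists as needed between replica and master
# (dogtag 94xx/9701/7389 are proxied via HTTP per the reply, so omitted).
IPA_TCP_PORTS="80 88 389 443 464 636"
IPA_UDP_PORTS="88 464"   # listed for completeness; not probed below

# probe_tcp_port HOST PORT [TIMEOUT_SECS]
# Returns 0 if a TCP handshake to HOST:PORT completes, non-zero otherwise.
# Uses bash's /dev/tcp pseudo-device in a child shell; a timeout is applied
# where coreutils `timeout` exists so a DROP rule (no RST) does not hang.
probe_tcp_port() {
    local host=$1 port=$2 tmo=${3:-3}
    if command -v timeout >/dev/null 2>&1; then
        timeout "$tmo" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# closed_ports HOST [PORT...]
# Prints the space-separated list of ports from the argument list (default:
# IPA_TCP_PORTS) that did NOT accept a TCP connection. Empty output means
# every probed port is reachable.
closed_ports() {
    local host=$1 out="" p
    shift
    local ports=${*:-$IPA_TCP_PORTS}
    for p in $ports; do
        probe_tcp_port "$host" "$p" || out="$out $p"
    done
    printf '%s\n' "${out# }"
}

# check_ipa_tcp HOST
# Human-readable report; exit status 0 only if all TCP ports are open.
check_ipa_tcp() {
    local host=$1 closed p
    closed=$(closed_ports "$host")
    for p in $IPA_TCP_PORTS; do
        case " $closed " in
            *" $p "*) echo "$p/tcp  closed/filtered" ;;
            *)        echo "$p/tcp  open" ;;
        esac
    done
    echo "udp ports not probed: $IPA_UDP_PORTS (verify with ipa-replica-conncheck)"
    [ -z "$closed" ]
}

# Usage (hostname is an assumed placeholder):
#   check_ipa_tcp ipa-master.example.test
```

A successful handshake only shows that the firewall passes the port; it says nothing about whether the service behind it accepts the replica's Kerberos principal or LDAP bind, which is why the reply's pointer to ipa-replica-conncheck is the authoritative check.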