[Freeipa-users] Re: FreeIPA in AWS
On Tue, 20 Mar 2018, Andrew Meyer via FreeIPA-users wrote:
> I have FreeIPA set up on CentOS 7 in AWS. However, we are looking to lock down communication over our VPN tunnel. Trying to do some research to see what ports I need. I've gotten most of them: 80, 443, 88, 464, 389, 636, 123. I have it set up to allow UDP/TCP for both sides. However, in the Amazon security groups I have found that if I remove 0.0.0.0/0 from the inbound I lose communication to the remote FreeIPA servers. However, the server in AWS can talk back. This email thread might not be relevant here but I wanted to see what kind of response I'd get.
> Are there ports similar to what needs to be opened for AD?
> I found this on Amazon's website: How to Connect Your On-Premises Active Directory to AWS Using AD Connector | Amazon Web Services

All ports are described in RHEL guides for IdM, though they are split around two big guides.

Last year I tried to gather all details about our firewall requirements in a single place to provide input to RHEL documentation writers. Though they haven't yet published their updates to the official documentation, you can peruse my draft:
https://vda.li/drafts/firewall-considerations.txt

It is dense but it is the best source about IPA communication flows I know.

-- 
/ Alexander Bokovoy

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
[Freeipa-users] Re: FreeIPA in AWS
Thank you sir! I will add the additional ports and let you know if I run into any other issues!

On Tuesday, March 20, 2018 9:03 AM, Alexander Bokovoy via FreeIPA-users wrote:
> [...] you can peruse my draft: https://vda.li/drafts/firewall-considerations.txt
[Freeipa-users] Re: FreeIPA in AWS
So I made the changes to the SecurityGroup in AWS and my local FreeIPA servers can't talk up. I suspect this is something on the AWS side. :-(

On Tuesday, March 20, 2018 9:17 AM, Andrew Meyer via FreeIPA-users wrote:
> Thank you sir! I will add the additional ports and let you know if I run into any other issues!
>
> On Tuesday, March 20, 2018 9:03 AM, Alexander Bokovoy via FreeIPA-users wrote:
> > [...] you can peruse my draft: https://vda.li/drafts/firewall-considerations.txt
[Freeipa-users] Re: FreeIPA in AWS
Here is what I have configured in my FreeIPA security group in AWS. The source for each port is configured for only the networks that need to talk to the FreeIPA servers.

tcp: 53
tcp: 80
tcp: 88
tcp: 389
tcp: 443
tcp: 464
tcp: 636
udp: 53
udp: 88
udp: 123
udp: 464

*Mike Plemmons | Senior DevOps Engineer | CrossChx*
614.427.2411
mike.plemm...@crosschx.com
www.crosschx.com

On Tue, Mar 20, 2018 at 11:01 AM, Andrew Meyer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> So I made the changes to the SecurityGroup in AWS and my local FreeIPA servers can't talk up. I suspect this is something on the AWS side. :-(
>
> On Tuesday, March 20, 2018 9:17 AM, Andrew Meyer via FreeIPA-users wrote:
> > Thank you sir! I will add the additional ports and let you know if I run into any other issues!
> >
> > On Tuesday, March 20, 2018 9:03 AM, Alexander Bokovoy via FreeIPA-users wrote:
> > > [...] you can peruse my draft: https://vda.li/drafts/firewall-considerations.txt
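Added example, not from any poster in this thread: it turns the port list Mike posted into the IpPermissions structure that boto3's ec2.authorize_security_group_ingress() takes, scopes every rule to named source CIDRs rather than the 0.0.0.0/0 Andrew had to remove, and audits an existing rule set for world-open entries. The CIDRs and the security group id are constructed placeholders, and the boto3 call is shown only in a comment so the block runs offline.

```python
"""Build and audit AWS security-group ingress rules for FreeIPA servers."""

# Ports from Mike Plemmons' security group, keyed by protocol.
FREEIPA_PORTS = {
    "tcp": (53, 80, 88, 389, 443, 464, 636),
    "udp": (53, 88, 123, 464),
}


def freeipa_ingress_permissions(source_cidrs, description="FreeIPA clients"):
    """Return boto3-style IpPermissions, one per port, limited to source_cidrs."""
    if not source_cidrs:
        raise ValueError("at least one source CIDR is required")
    ranges = [{"CidrIp": c, "Description": description} for c in source_cidrs]
    perms = []
    for proto, ports in FREEIPA_PORTS.items():
        for port in ports:
            perms.append({"IpProtocol": proto, "FromPort": port,
                          "ToPort": port, "IpRanges": list(ranges)})
    return perms


def world_open_rules(ip_permissions):
    """Return (protocol, from, to) for every rule that admits 0.0.0.0/0 or ::/0."""
    hits = []
    for p in ip_permissions:
        cidrs = [r.get("CidrIp") for r in p.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in p.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            hits.append((p["IpProtocol"], p.get("FromPort"), p.get("ToPort")))
    return hits


if __name__ == "__main__":
    # Constructed sample CIDRs: the on-prem VPN range and the VPC range.
    rules = freeipa_ingress_permissions(["10.10.0.0/16", "172.31.0.0/16"])
    assert not world_open_rules(rules)
    # Constructed "before" rule of the kind that opens everything to the world.
    before = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
    print(world_open_rules(before))  # [('-1', None, None)]
    # To apply (placeholder group id):
    # boto3.client("ec2").authorize_security_group_ingress(
    #     GroupId="sg-PLACEHOLDER", IpPermissions=rules)
```

Running world_open_rules() over the output of describe_security_groups() for the IPA group is a quick way to confirm that the tightening actually took, before chasing the VPN side.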