Red Hat Summit1.6. Ports and Firewalls Requirements
For the components of Satellite architecture to communicate, ensure that the required network ports are open and free on the base operating system. You must also ensure that the required network ports are open on any network-based firewalls.
Use this information to configure any network-based firewalls. Note that some cloud solutions must be specifically configured to allow communications between machines because they isolate machines similarly to network-based firewalls. If you use an application-based firewall, ensure that the application-based firewall permits all applications that are listed in the tables and known to your firewall. If possible, disable the application checking and allow open port communication based on the protocol.
Integrated Capsule
Satellite Server has an integrated Capsule and any host that is directly connected to Satellite Server is a Client of Satellite in the context of this section. This includes the base operating system on which Capsule Server is running.
Clients of Capsule
Hosts which are clients of Capsules, other than Satellite’s integrated Capsule, do not need access to Satellite Server. For more information on Satellite Topology, see Capsule Networking in Planning for Red Hat Satellite 6.
Required ports can change based on your configuration.
A matrix table of ports is available in the Red Hat Knowledgebase solution Red Hat Satellite List of Network Ports.
The following tables indicate the destination port and the direction of network traffic:
| Port | Protocol | Service | Required For |
|---|---|---|---|
| 443 | TCP | HTTPS | Subscription Management Services (access.redhat.com) and connecting to the Red Hat CDN (cdn.redhat.com). |
Satellite Server needs access to the Red Hat CDN. For a list of IP addresses used by the Red Hat CDN (cdn.redhat.com), see the Knowledgebase article Public CIDR Lists for Red Hat on the Red Hat Customer Portal.
| Port | Protocol | Service | Required For |
|---|---|---|---|
| 443 | TCP | HTTPS | Browser-based UI access to Satellite |
| 80 | TCP | HTTP | Redirection to HTTPS for web UI access to Satellite (Optional) |
| Port | Protocol | Service | Required For |
|---|---|---|---|
| 80 | TCP | HTTP | Anaconda, yum, for obtaining Katello certificates, templates, and for downloading iPXE firmware |
| 443 | TCP | HTTPS | Subscription Management Services, yum, Telemetry Services, and for connection to the Katello Agent |
| 5646 | TCP | AMQP | The Capsule Qpid dispatch router to the Qpid dispatch router in Satellite |
| 5647 | TCP | AMQP | Katello Agent to communicate with Satellite’s Qpid dispatch router |
| 8000 | TCP | HTTP | Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware |
| 8140 | TCP | HTTPS | Puppet agent to Puppet master connections |
| 9090 | TCP | HTTPS | Sending SCAP reports to the integrated Capsule, for the discovery image during provisioning, and for communicating with Satellite Server to copy the SSH keys for Remote Execution (Rex) configuration |
| 7 | TCP and UDP | ICMP | External DHCP on a Client to Satellite network, ICMP ECHO to verify IP address is free (Optional) |
| 53 | TCP and UDP | DNS | Client DNS queries to a Satellite’s integrated Capsule DNS service (Optional) |
| 67 | UDP | DHCP | Client to Satellite’s integrated Capsule broadcasts, DHCP broadcasts for Client provisioning from a Satellite’s integrated Capsule (Optional) |
| 69 | UDP | TFTP | Clients downloading PXE boot image files from a Satellites' integrated Capsule for provisioning (Optional) |
| 5000 | TCP | HTTPS | Connection to Katello for the Docker registry (Optional) |
Any managed host that is directly connected to Satellite Server is a client in this context because it is a client of the integrated Capsule. This includes the base operating system on which a Capsule Server is running.
| Port | Protocol | Service | Required for |
|---|---|---|---|
| 443 | TCP | HTTPS | Connections to the Pulp server in the Capsule |
| 9090 | TCP | HTTPS | Connections to the proxy in the Capsule |
| 80 | TCP | HTTP | Downloading a bootdisk (Optional) |
| Port | Protocol | Service | Required For |
|---|---|---|---|
| 22 | TCP | SSH | Satellite and Capsule originated communications, for Remote Execution (Rex) and Ansible. |
| 443 | TCP | HTTPS | Satellite originated communications, for vCenter compute resource. |
| 5000 | TCP | HTTP | Satellite originated communications, for compute resources in OpenStack or for running containers. |
| 22, 16514 | TCP | SSH, SSL/TLS | Satellite originated communications, for compute resources in libvirt. |
| 389, 636 | TCP | LDAP, LDAPS | Satellite originated communications, for LDAP and secured LDAP authentication sources. |
| 5900 to 5930 | TCP | SSL/TLS | Satellite originated communications, for NoVNC console in web UI to hypervisors. |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}