2.4. Additional Requirements
- Full Access
  Client systems need full network access to the RHN Satellite solution's services and ports.
- Firewall Rules
  RHN strongly recommends firewalling the RHN Satellite solution from the Internet. However, various TCP ports must be opened on the Satellite, depending on your implementation of RHN Satellite. Some UDP ports will also be required for DHCP and TFTP services to function correctly.
  Table 2.4. Ports to open on the Satellite

  | Port | Protocol | Direction | Reason |
  |------|----------|-----------|--------|
  | 67 | TCP/UDP | Inbound | Open this port to configure the Satellite system as a DHCP server for systems requesting IP addresses. |
  | 69 | TCP/UDP | Inbound | Open this port to configure Satellite as a PXE server and allow installation and re-installation of PXE-boot enabled systems. |
  | 80 | TCP | Outbound | Satellite uses this port to reach Red Hat Network. |
  | 80 | TCP | Inbound | Web UI and client requests come in via http. |
  | 443 | TCP | Inbound | Web UI and client requests come in via https. |
  | 443 | TCP | Outbound | Red Hat Network Satellite uses this port to reach Red Hat Network (unless running in a disconnected mode for Satellite). |
  | 4545 | TCP | Inbound and Outbound | Red Hat Network Satellite Monitoring makes connections to rhnmd running on client systems, if Monitoring is enabled and probes are configured for registered systems. |
  | 5222 | TCP | Inbound | If you plan to push actions to client systems. |
  | 5269 | TCP | Inbound and Outbound | If you push actions to or via a Red Hat Network Proxy Server. |

  RHN's list of hosts is as follows: rhn.redhat.com, xmlrpc.rhn.redhat.com, satellite.rhn.redhat.com, content-xmlrpc.rhn.redhat.com, content-web.rhn.redhat.com, and content-satellite.rhn.redhat.com
- DMZ Proxy Solution
  Unless the Satellite server is in disconnected mode, it needs to initiate outbound connections on ports 80 and 443 to the Red Hat Network (RHN) Hosted service (satellite.rhn.redhat.com). To ensure correct functioning of the satellite system, do not restrict access to these hosts and ports. If required, an http or https proxy can be used, by issuing the satellite-sync --http-proxy command.

  The Satellite server needs to allow inbound connections on ports 80 and 443 from client systems and any RHN Proxy servers connected to the Satellite, as well as any system that needs to access the Satellite Web UI. Web UI and client requests come in via either http or https.

  The RHN monitoring functionality requires outbound connections to individual monitoring-enabled client systems on port 4545. RHN Satellite monitoring makes connections to rhnmd running on client systems if monitoring is enabled and probes are configured for registered systems.

  The RHN push functionality requires both outbound and inbound connections on port 5269 to and from each registered RHN Proxy server with RHN push functionality enabled. This is used for two-way communications between the jabberd service on Satellite and Proxy, respectively. In addition, it needs to allow inbound connections on port 5222 from client systems directly registered to the Satellite. This is used for one-way (client to server) communications between the osad service on client systems and the jabberd service on the Satellite.
- Synchronized System Times
  There is great time sensitivity when connecting to a Web server running SSL (Secure Sockets Layer); it is imperative that the time settings on the clients and server be reasonably close together so the SSL certificate does not expire before or during use. For this reason, Red Hat requires the Satellite and all client systems to use Network Time Protocol (NTP). This also applies to the separate database machine in RHN Satellite with Stand-Alone Database, which must also be set to the same time zone as the Satellite.
- Setting System Language and Locale
  You should properly set the UTF-8 encoding for your language and locale on your RHN Satellite system via the
  LANG setting in the file must be in the following format:
  TERRITORY are entered as two-letter codes. For example, if your language is English and your locale is the United States, you set your
- Fully Qualified Domain Name (FQDN)
  The system upon which the RHN Satellite will be installed must resolve its own FQDN properly. If this is not the case, cookies will not work properly on the website.

  Note: It is important that the hostname of a Satellite contains no uppercase letters. A hostname that includes uppercase letters can cause jabberd to fail.

  If, at any point, you need to change your Satellite hostname, refer to Section 8.7, “Changing the Satellite Hostname”.
- Functioning Domain Name Service (DNS)
  For the RHN Satellite's domain name to be resolved by its clients, it and they must all be linked to a working DNS server in the customer environment.
- An Entitlement Certificate
  The customer will receive, via email from the sales representative, a signed Entitlement Certificate explaining the services provided by Red Hat through RHN Satellite. This certificate will be required during the installation process.

  If you do not have an Entitlement Certificate at installation time, contact Red Hat Global Support Services at:
- A Red Hat Network Account
  Customers who connect to the central Red Hat Network Servers to receive incremental updates must have an external account with Red Hat Network. This account should be set up at the time of purchase with the sales representative.
  Warning: Do not subscribe your RHN Satellite to any of the following child channels available on RHN Hosted:
  - Red Hat Developer Suite
  - Red Hat Application Server
  - Red Hat Extras

  Subscribing to these channels and updating your Satellite may install newer, incompatible versions of critical software components, causing the Satellite to fail.
- Backups of Login Information
  It is imperative that customers keep track of all primary login information. For RHN Satellite, this includes usernames and passwords for the Organization Administrator account on rhn.redhat.com, the primary administrator account on the Satellite itself, SSL certificate generation, and database connection (which also requires a SID, or net service name). Red Hat strongly recommends this information be copied onto two separate floppy disks, printed out on paper, and stored in a fireproof safe.
- The entire RHN Satellite solution should be protected by a firewall if the Satellite accesses or is accessed via the Internet. An Internet connection is not required for RHN Satellites running in completely disconnected environments. This feature instead uses Channel Content ISOs that can be downloaded to a separate system to synchronize the Satellite with the central Red Hat Network Servers. All other RHN Satellites should be synchronized directly over the Internet.
  Note: If you are running a disconnected Satellite that is not registered to RHN Hosted, the installation program will note and return a list of any missing additional packages needed beyond @base to be installed, then the installation program will exit. This allows you to install those packages. You may want to use the installation ISO image or DVD media to create a repository for those additional packages, and then rerun the Satellite installer.
- All unnecessary ports should be firewalled off. Client systems connect to RHN Satellite over ports 80, 443, and 4545 (if Monitoring is enabled). In addition, if you plan to enable the pushing of actions from the Satellite to client systems, as described in Section 8.11, “Enabling Push to Clients”, you must allow inbound connections on port 5222. Finally, if the Satellite will also push to an RHN Proxy Server, you must also allow inbound connections on port 5269.
- No system components should be directly, publicly available. No user other than the system administrators should have shell access to these machines.
- All unnecessary services should be disabled using ntsysv or
httpd service should be enabled.
- If the Satellite serves Monitoring-entitled systems and you wish to acknowledge via email the alert notifications you receive, you must configure sendmail to properly handle incoming mail as described in Section 4.5, “Sendmail Configuration”.
- The RHN Satellite Installation Guide — This guide, which you are now reading, provides the essential steps necessary to get an RHN Satellite up and running.
- The RHN Client Configuration Guide — This guide explains how to configure the systems to be served by an RHN Proxy Server or RHN Satellite. (This will also likely require referencing The RHN Reference Guide, which contains steps for registering and updating systems.)
- The RHN Channel Management Guide — This guide identifies in great detail the recommended methods for building custom packages, creating custom channels, and managing private Errata.
- The RHN Reference Guide — This guide describes how to create RHN accounts, register and update systems, and use the RHN website to its utmost potential. This guide will probably come in handy throughout the installation and configuration process.
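
The port requirements in Table 2.4 and the recommendation to firewall off all unnecessary ports can be combined into a ruleset that opens only what the enabled features need. The script below is an added example, not part of the Installation Guide: the feature names, the `CLIENT_NET` variable, its sample subnet, and the choice to leave the OUTPUT chain open are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Installation Guide): print an iptables-restore
# ruleset whose INPUT chain opens only the Table 2.4 ports that the enabled
# Satellite features need. Feature names and CLIENT_NET are assumptions.

CLIENT_NET="${CLIENT_NET:-192.0.2.0/24}"   # constructed sample client subnet

# allow PROTO PORT [any]: one ACCEPT rule, limited to CLIENT_NET unless "any"
allow() {
    src="-s $CLIENT_NET "
    [ "${3:-}" = any ] && src=""
    printf '%s\n' "-A INPUT ${src}-p $1 -m $1 --dport $2 -j ACCEPT"
}

# satellite_rules [FEATURE...]: monitoring, push, proxy-push, dhcp, pxe
satellite_rules() {
    # Reject unknown features before printing anything, so a typo never
    # yields a partial ruleset.
    for f in "$@"; do
        case "$f" in
            monitoring|push|proxy-push|dhcp|pxe) ;;
            *) echo "unknown feature: $f" >&2; return 1 ;;
        esac
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    allow tcp 80                  # Web UI and client requests via http
    allow tcp 443                 # Web UI and client requests via https
    for f in "$@"; do
        case "$f" in
            monitoring) allow tcp 4545 ;;   # rhnmd probes
            push)       allow tcp 5222 ;;   # osad on clients to jabberd
            proxy-push) allow tcp 5269 ;;   # jabberd between Satellite and Proxy
            # DHCP requests come from hosts that have no address yet, so
            # these rules cannot be limited to CLIENT_NET.
            dhcp)       allow tcp 67 any; allow udp 67 any ;;
            pxe)        allow tcp 69; allow udp 69 ;;   # TFTP for PXE boot
        esac
    done
    printf '%s\n' 'COMMIT'
}
```

Review the output of, for example, `satellite_rules monitoring push` before loading it with `iptables-restore`; any port not listed for an enabled feature falls through to the INPUT chain's DROP policy.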