How to update packages with (yum/up2date/satellite-sync/rhn_register) on a server registered to RHN through a firewall

Updated 2015-03-05T23:38:09+00:00

Issue

  • How do I configure my system so that up2date, yum, or satellite-sync can access RHN channels through a firewall or proxy?
  • What URLs and ports do I need to configure in my proxy server to access RHN?
  • Network error when registering a server with rhn_register or rhnreg_ks.
  • Having issues with my subscription certificate on a machine behind a firewall.
  • When trying to update packages with yum, the following error is seen:

    There was an error communicating with RHN.
    RHN channel support will be disabled.
    Error communicating with server. The message was:
    Unable to connect to the host and port specified
    

Environment

  • Red Hat Enterprise Linux
  • Red Hat Network
  • Red Hat Satellite 5.x
  • Internet access filtered by proxy or firewall

Resolution

  • For up2date, yum, rhn_register, and satellite-sync to work correctly, the firewall must allow connections to:

    • rhn.redhat.com on port 80 (http)
    • rhn.redhat.com on port 443 (https)
    • xmlrpc.rhn.redhat.com on port 80 (http)
    • xmlrpc.rhn.redhat.com on port 443 (https)
    • content-xmlrpc.rhn.redhat.com on port 80 (http)
    • content-xmlrpc.rhn.redhat.com on port 443 (https)
    • content-web.rhn.redhat.com on port 80 (http)
    • content-web.rhn.redhat.com on port 443 (https)
    • cdn.redhat.com on port 80 (http)
    • cdn.redhat.com on port 443 (https)
  • Red Hat Satellite 5.x needs additional access to the hosts below (Satellite 6.x requirements are documented separately):

    • satellite.rhn.redhat.com on port 443 (https)
    • satellite.rhn.redhat.com on port 80 (http)
    • content-satellite.rhn.redhat.com on port 80 (http)
    • content-satellite.rhn.redhat.com on port 443 (https)

Note: The IP addresses of these servers are not permanent, so use the domain names in firewall rules instead. This is partly because content is distributed through a content delivery service operated by Akamai. For this reason, the firewall must also allow the following hostname and port for proper yum operation:

    • *.akamaiedge.net on port 443 (https)
  • If the network cannot be opened to the above hostnames and ports, and RHN Classic is being used, location-aware updates can be disabled as a workaround. This will not work with RHSM, which requires a different set of hostnames through the firewall.
  • If FTP is used as opposed to HTTP, then outbound port 20 (FTP) will need to be opened. To determine whether FTP is used, check the output of grep -i ftp:// /etc/yum.repos.d/*.
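
To confirm the firewall change from a client, the following added example (not part of the original article or of Red Hat's tooling) probes every host and port in the list above and reports repo files that reference ftp://. It assumes bash and the coreutils timeout command on the client; the function names and the PROBE override are hypothetical.

```bash
#!/bin/bash
# Hosts and ports copied from the Resolution list. *.akamaiedge.net is a
# wildcard and cannot be probed by name, so it is not included here.
RHN_HOSTS="rhn.redhat.com xmlrpc.rhn.redhat.com content-xmlrpc.rhn.redhat.com \
content-web.rhn.redhat.com cdn.redhat.com"
SAT5_HOSTS="satellite.rhn.redhat.com content-satellite.rhn.redhat.com"
PORTS="80 443"

# Print one "host port" pair per line; pass "satellite" to add Satellite 5.x hosts.
required_endpoints() {
    hosts=$RHN_HOSTS
    if [ "${1:-}" = "satellite" ]; then hosts="$hosts $SAT5_HOSTS"; fi
    for h in $hosts; do
        for p in $PORTS; do echo "$h $p"; done
    done
}

# Default probe: direct TCP connect with a 5 second timeout (bash /dev/tcp).
# Host and port are passed as arguments, never pasted into the command string.
tcp_probe() {
    timeout 5 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" </dev/null 2>/dev/null
}

# Probe every endpoint, print OK/BLOCKED per pair, return 1 if any is blocked.
# Set PROBE to another function name to test through a site proxy instead.
check_all() {
    rc=0
    while read -r host port; do
        if "${PROBE:-tcp_probe}" "$host" "$port"; then
            echo "OK      $host:$port"
        else
            echo "BLOCKED $host:$port"; rc=1
        fi
    done <<EOF
$(required_endpoints "${1:-}")
EOF
    return $rc
}

# List repo files (default /etc/yum.repos.d) that reference ftp://,
# the same test as the grep command in the article.
repos_using_ftp() {
    grep -il 'ftp://' "${1:-/etc/yum.repos.d}"/* 2>/dev/null
}

# Run the check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then check_all "${2:-}"; fi
```

Run it as `bash script.sh --run` on an RHN client, or `bash script.sh --run satellite` on a Satellite 5.x server; a BLOCKED line names the rule still missing from the firewall.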

Root Cause

  • A Red Hat Enterprise Linux server or Satellite must be able to connect back to RHN channels to download software updates.
  • If a firewall prohibits unlimited outbound connections, it is necessary to re-configure the firewall or use a proxy which allows access to the appropriate hosts and ports.