Red Hat Customer Portal

How to update packages with (yum/up2date/satellite-sync/rhn_register) on a server registered to RHN through a firewall

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux
  • Red Hat Network
  • Red Hat Satellite 5.x
  • Internet access filtered by proxy or firewall

Issue

  • How do I configure my system so that up2date, yum, or satellite-sync can access RHN channels through a firewall or proxy?
  • What URLs and ports do I need to configure in my proxy server to access RHN?
  • Network error when registering a server with rhn_register or rhnreg_ks.
  • Having issues with my subscription certificate on a machine behind a firewall.
  • When trying to update packages with yum, the following error is seen:

    There was an error communicating with RHN.
    RHN channel support will be disabled.
    Error communicating with server. The message was:
    Unable to connect to the host and port specified
    

Resolution

  • For up2date, yum, rhn_register, and satellite-sync to work correctly, the firewall must allow connections to:

    • rhn.redhat.com on port 80 (http)
    • rhn.redhat.com on port 443 (https)
    • xmlrpc.rhn.redhat.com on port 80 (http)
    • xmlrpc.rhn.redhat.com on port 443 (https)
    • content-xmlrpc.rhn.redhat.com on port 80 (http)
    • content-xmlrpc.rhn.redhat.com on port 443 (https)
    • content-web.rhn.redhat.com on port 80 (http)
    • content-web.rhn.redhat.com on port 443 (https)
    • cdn.redhat.com on port 80 (http)
    • cdn.redhat.com on port 443 (https)
  • Red Hat Satellite 5.x needs additional access to the following (Satellite 6.x is covered separately):

    • satellite.rhn.redhat.com on port 443 (https)
    • satellite.rhn.redhat.com on port 80 (http)
    • content-satellite.rhn.redhat.com on port 80 (http)
    • content-satellite.rhn.redhat.com on port 443 (https)

Note: The IP addresses of these servers are not permanent, so firewall rules should use the domain names instead. This is partly because we distribute content through a Content Delivery Service by Akamai. For this reason, the following hostname and port must also be allowed on the firewall for yum to operate properly:

    • *.akamaiedge.net on port 443 (https)
  • If the network cannot be opened to the above hostnames and ports, and RHN Classic is being used, location aware updates can be disabled as a workaround. This will not work with RHSM, which requires a different set of hostnames through the firewall.
  • If FTP is used as opposed to HTTP, then outbound port 20 (FTP) will need to be opened. To determine whether FTP is used, check the output of: grep -i ftp:// /etc/yum.repos.d/*
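
A pre-flight check for the firewall rules listed in this Resolution, as an added example that is not part of the original Red Hat article: it attempts a direct (non-proxied) TCP connection to each listed hostname on ports 80 and 443 and reports which ones are blocked. The function names, the base/satellite argument and the TIMEOUT variable are assumptions of this example; the wildcard *.akamaiedge.net rule cannot be probed by name and is not tested.

```shell
#!/bin/bash
# Added example: verify the outbound firewall rules listed in this article.
# Hostnames and ports are copied from the article; function names, the
# "base|satellite" profile argument and TIMEOUT are assumptions of this example.

BASE_HOSTS="rhn.redhat.com xmlrpc.rhn.redhat.com content-xmlrpc.rhn.redhat.com
content-web.rhn.redhat.com cdn.redhat.com"
SAT5_HOSTS="satellite.rhn.redhat.com content-satellite.rhn.redhat.com"
PORTS="80 443"
TIMEOUT="${TIMEOUT:-5}"   # seconds allowed per connection attempt

# Print one "host port" pair per line for the chosen profile.
list_targets() {
    hosts="$BASE_HOSTS"
    if [ "$1" = "satellite" ]; then
        hosts="$hosts $SAT5_HOSTS"
    fi
    for h in $hosts; do
        for p in $PORTS; do
            echo "$h $p"
        done
    done
}

# Return 0 if a TCP connection to host:port opens within TIMEOUT seconds.
# A firewall that silently drops packets shows up as a timeout (non-zero).
check_port() {
    timeout "$TIMEOUT" bash -c 'exec 3<>"/dev/tcp/$1/$2"' _ "$1" "$2" 2>/dev/null
}

# Probe every target of the profile; return the number of failures.
run_checks() {
    failed=0
    while read -r host port; do
        if check_port "$host" "$port"; then
            echo "OK      $host:$port"
        else
            echo "BLOCKED $host:$port"
            failed=$((failed + 1))
        fi
    done <<EOF
$(list_targets "$1")
EOF
    return "$failed"
}

# Runs only when a profile is given, e.g.: ./rhn-fw-check.sh satellite
if [ "$#" -gt 0 ]; then
    rc=0
    run_checks "$1" || rc=$?
    echo "$rc target(s) unreachable"
    exit "$rc"
fi
```

The exit status equals the number of unreachable targets, so the script can gate a registration or update job. Systems that reach RHN only through a proxy need the check made through that proxy instead.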

Root Cause

  • A Red Hat Enterprise Linux server or Satellite must be able to connect back to RHN channels to download software updates.
  • If a firewall prohibits unlimited outbound connections, it is necessary to re-configure the firewall or use a proxy which allows access to the appropriate hosts and ports.