Which network ports are used by Identity Management (IdM)?
Environment
- Red Hat Enterprise Linux (ALL)
- Identity Management (IdM)
- IPA Server
- IPA Client
Issue
- Which network ports are used by Identity Management (IdM)/IPA?
- What network ports are used by Identity Management (IdM)?
- Which ports does Identity Management (IdM)/IPA require?
- Which firewall ports must I open for IdM (IPA)?
- Which firewall ports need to be opened for the IPA server and clients to function?
Resolution
IdM Clients -> IdM Server
| Name | Destination-port / Type | Purpose |
|---|---|---|
| HTTP/HTTPS | 80 / 443 TCP | WebUI and IPA CLI admin tools communication. |
| LDAP/LDAPS | 389 / 636 TCP | directory service communication. |
| Kerberos | 88 / 464 TCP and UDP | communication for authentication |
| DNS | 53 TCP and UDP | name service, used also for autodiscovery, autoregistration and High Availability Authentication (SSSD), optional |
| NTP | 123 UDP | network time protocol, optional |
| kadmind | 464 / 749 TCP | used for principal generation, password changes etc. |
IdM Server <-Bi-directional-> IdM Server (i.e. Replica)
| Name | Destination-port / Type | Purpose |
|---|---|---|
| HTTP/HTTPS | 80 / 443 TCP | WebUI and IPA CLI admin tools communication. |
| LDAP/LDAPS | 389 / 636 TCP | directory service communication. |
| Kerberos | 88 / 464 TCP and UDP | communication for authentication |
| DNS | 53 TCP and UDP | name service, used also for autodiscovery, autoregistration and High Availability Authentication (SSSD), optional |
| NTP | 123 UDP | network time protocol, optional |
| kadmind | 464 / 749 TCP | used only via localhost |
| dogtag | 7389 TCP | Server and replica communication |
| replica conf | 9443 / 9444 / 9445 TCP | Replica configuration, only needed during initial replica installation -- IPAv3/RHEL6 only (not required at all in IPAv4/RHEL7 and RHEL 8) |
| Dogtag instance on top of Tomcat | 8005 / 8009 TCP | Internally, on IPA masters, ports 8005 and 8009 (TCP/TCP6) are used to run components of the Certificate Authority services on the 127.0.0.1 and ::1 local interface addresses |
Note:
- In RHEL 6, 7 and 8, port 389 is used for replication instead of port 7389.
- For a migration plan, port 8443/TCP must also be allowed on the RHEL 7 cluster during the install process.
To enable communication between AD domain controllers and IdM servers, refer to "What ports and services are required to set up an IPA/AD two-way trust?"
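As an added example (not part of this Red Hat solution), a small Python pre-flight check that a client host can run before enrolment to see which of the client-to-server TCP ports listed above are reachable; the hostname ipa.example.test is a placeholder, and UDP ports (Kerberos, DNS, NTP) are only reported as unverified because a bare connect cannot prove a UDP path is open.

```python
"""Pre-flight check: can this host reach the TCP ports an IdM client needs on an IdM server?"""
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Port:
    name: str
    number: int
    proto: str          # "tcp" or "udp"
    optional: bool = False

# IdM Clients -> IdM Server ports, taken from the table above (grouping is ours, not Red Hat's).
CLIENT_TO_SERVER = [
    Port("HTTP", 80, "tcp"), Port("HTTPS", 443, "tcp"),
    Port("LDAP", 389, "tcp"), Port("LDAPS", 636, "tcp"),
    Port("Kerberos", 88, "tcp"), Port("Kerberos", 88, "udp"),
    Port("Kerberos", 464, "tcp"), Port("Kerberos", 464, "udp"),
    Port("kadmind", 749, "tcp"),
    Port("DNS", 53, "tcp", optional=True), Port("DNS", 53, "udp", optional=True),
    Port("NTP", 123, "udp", optional=True),
]

def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes (a firewall DROP shows up as a timeout)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(host: str, ports=CLIENT_TO_SERVER, timeout: float = 2.0) -> dict:
    """Probe every TCP port; UDP ports are reported as 'unverified' rather than guessed."""
    result = {"open": [], "blocked": [], "unverified": []}
    for p in ports:
        if p.proto != "tcp":
            result["unverified"].append(p)
        elif tcp_open(host, p.number, timeout):
            result["open"].append(p)
        else:
            result["blocked"].append(p)
    return result

def missing_required(report: dict) -> list:
    """Blocked ports that are not optional: these break enrolment or authentication."""
    return [p for p in report["blocked"] if not p.optional]

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"  # placeholder hostname
    rep = audit(host)
    for p in rep["blocked"]:
        print(f"BLOCKED {p.name} {p.number}/{p.proto}{' (optional)' if p.optional else ''}")
    for p in rep["unverified"]:
        print(f"UNVERIFIED {p.name} {p.number}/{p.proto} (UDP: needs a protocol-level probe)")
    sys.exit(1 if missing_required(rep) else 0)
```

Run it as `python3 idm_portcheck.py ipa.example.test` from the client; a non-zero exit means at least one mandatory TCP port is blocked between the two hosts.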
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
9 Comments
The article is fine for the IPA internal traffic, is it possible to add the ports used for AD <-> IdM server (for Trust and normal usage) traffic, and AD <-> IdM client traffic?
Exactly. I am still waiting for this to be updated.
This misses any attempt by the IdM server to access public DNS root servers.
In /usr/lib/firewalld/services there are 4 definitions that start with freeipa. None of them mention port 749.
Can we specify which ports are egress, ingress or bi-directional? Thank you.
The article doesn't mention why we "still" use insecure ports (80, 389) and when and why TLS is in use, so we miss the deep dive completely.
Could this content be updated to spell out that any mention of RHEL 7 also applies to RHEL 8?
This page is missing the ports required to connect to Active Directory. I was hoping to find it all in one place.
This article needs work.