Which network ports are used by Identity Management (IdM)?

Solution Verified

Environment

  • Red Hat Enterprise Linux (ALL)
  • Identity Management (IdM)
  • IPA Server
  • IPA Client

Issue

  • Which network ports are used by Identity Management (IdM)/IPA?
  • What network ports are used by Identity Management (IdM)?
  • Which ports does Identity Management (IdM)/IPA require?
  • Which firewall ports must I open for IdM (IPA)?
  • Which firewall ports need to be opened for the IPA server and clients to function?

Resolution

IdM Clients -> IdM Server

Name          Destination port/Type    Purpose
HTTP/HTTPS    80, 443/TCP              IPA Web UI, API and CLI tools communication
LDAP/LDAPS    389, 636/TCP             directory service communication
Kerberos      88, 464/TCP and UDP      communication for authentication; kpasswd password changes
DNS           53/TCP and UDP           optional; name service, also used for autodiscovery, autoregistration and high-availability authentication (SSSD)
NTP           123/UDP                  optional; Network Time Protocol, deprecated in RHEL 8+

IdM Server -> IdM Server (between two replicas)

Name                    Destination port/Type        Purpose
HTTP/HTTPS              80, 443/TCP                  IPA Web UI, API and CLI tools communication
LDAP/LDAPS              389, 636/TCP                 directory service communication
Kerberos                88, 464/TCP and UDP          communication for authentication; kpasswd password changes
DNS                     53/TCP and UDP               optional; name service, also used for autodiscovery, autoregistration and high-availability authentication (SSSD)
NTP                     123/UDP                      optional; Network Time Protocol, deprecated in RHEL 8+
kadmind                 749/TCP                      localhost only; KDC administration, do not open to the network!
Tomcat (PKI frontend)   8005, 8009, 8080, 8443/TCP   localhost only; CA-enabled IPA replicas use these ports (TCP/TCP6) to talk to the Certificate Authority components on the local interface addresses 127.0.0.1 and ::1, do not open to the network!
PKI LDAP                7389/TCP                     RHEL 6 and earlier only; server and replica communication for the PKI subtree, deprecated
Replica conf            9443, 9444, 9445/TCP         RHEL 6 and earlier only; replica configuration, needed only during initial replica installation, deprecated

Note:
- For a migration plan, port 8443/TCP must additionally be allowed on RHEL 7 replicas during the installation process. Please refer to the documentation.
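As an added illustration, and not part of this Red Hat solution, the following Python script encodes the two tables above as data, generates the firewall-cmd --add-port arguments for the client-facing ports while refusing to emit anything marked localhost only (kadmind and the PKI Tomcat ports), and gives a client administrator a reachability check for the TCP ports on a server. The host name ipa.example.test and all function names are assumptions of the example, not names used by IdM.

```python
"""
Added example (not from the Red Hat article): the IdM port tables as data,
a firewall-cmd argument generator, and a client-side TCP reachability check.
The host name ipa.example.test is a constructed placeholder.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRule:
    name: str
    port: int
    proto: str              # "tcp" or "udp"
    optional: bool = False  # DNS and NTP are optional in the table
    local_only: bool = False  # must never be opened on the network firewall


# Ports an IdM client needs on the server (first table above).
CLIENT_TO_SERVER = (
    PortRule("http", 80, "tcp"), PortRule("https", 443, "tcp"),
    PortRule("ldap", 389, "tcp"), PortRule("ldaps", 636, "tcp"),
    PortRule("kerberos", 88, "tcp"), PortRule("kerberos", 88, "udp"),
    PortRule("kpasswd", 464, "tcp"), PortRule("kpasswd", 464, "udp"),
    PortRule("dns", 53, "tcp", optional=True), PortRule("dns", 53, "udp", optional=True),
    PortRule("ntp", 123, "udp", optional=True),
)

# Extra ports from the replica table that are bound to localhost only.
LOCALHOST_ONLY = (
    PortRule("kadmind", 749, "tcp", local_only=True),
    PortRule("pki-tomcat", 8005, "tcp", local_only=True),
    PortRule("pki-tomcat", 8009, "tcp", local_only=True),
    PortRule("pki-tomcat", 8080, "tcp", local_only=True),
    PortRule("pki-tomcat", 8443, "tcp", local_only=True),
)

# Replica-to-replica traffic: same network ports as a client, plus the local-only ones.
REPLICA_TO_REPLICA = CLIENT_TO_SERVER + LOCALHOST_ONLY


def firewalld_args(rules, include_optional=True):
    """Return deduplicated --add-port arguments for 'firewall-cmd --permanent',
    in table order, skipping localhost-only rules (and optional ones if asked)."""
    args = []
    for r in rules:
        if r.local_only or (r.optional and not include_optional):
            continue
        arg = f"--add-port={r.port}/{r.proto}"
        if arg not in args:
            args.append(arg)
    return args


def check_tcp(host, port, timeout=2.0):
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable host, ...
        return False


def verify_server(host, rules=CLIENT_TO_SERVER, timeout=2.0):
    """Map 'port/proto' -> True/False for TCP rules; UDP cannot be verified by a
    plain connect, so it is reported as None rather than guessed."""
    results = {}
    for r in rules:
        key = f"{r.port}/{r.proto}"
        results[key] = check_tcp(host, r.port, timeout) if r.proto == "tcp" else None
    return results


def selftest():
    """Offline check of check_tcp: a listener on an ephemeral localhost port is
    reachable, and the same port is unreachable once the listener is closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    reachable = check_tcp("127.0.0.1", port, 1.0)
    srv.close()
    unreachable = not check_tcp("127.0.0.1", port, 1.0)
    return reachable and unreachable


if __name__ == "__main__":
    print("firewall-cmd --permanent " + " ".join(firewalld_args(CLIENT_TO_SERVER)))
    for key, state in verify_server("ipa.example.test").items():
        print(key, {True: "open", False: "CLOSED", None: "udp: not checked"}[state])
```

Run it on a client to print the firewall-cmd line for the server and a per-port reachability report; pass REPLICA_TO_REPLICA to firewalld_args to confirm that the kadmind and PKI Tomcat ports are filtered out rather than exposed. Recent firewalld releases also ship predefined services (for example freeipa-ldap and freeipa-ldaps) that bundle the client-facing ports, which is the usual alternative to listing ports individually.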

To enable communication between AD domain controllers and IdM servers, refer to What ports and services are required to setup IPA, AD two-way trust?

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
