The following tables list the ports that need to be opened when a firewall separates one component from another. Some combinations appear in more than one table. This allows you to discover the required ports whether a firewall is separating an Access Gateway from the Administration Console or a firewall is separating an Administration Console from the Access Gateway.
With these tables, you should be able to place Access Manager components of your system anywhere within your existing firewalls and know which ports need to be opened in the firewall.
Table 8-1 When a Firewall Separates an Access Manager Component from a Global Service

| Component | Port | Description |
|---|---|---|
| NTP Server | UDP 123 | Access Manager components must have synchronized time; otherwise authentication fails. We recommend that you configure all components to use a Network Time Protocol (NTP) server. Depending on where your NTP server is located, you might need to open UDP 123 so that Access Manager components can use the NTP server. |
| DNS Servers | UDP 53 | Access Manager components must be able to resolve DNS names. Depending on where your DNS servers are located, you might need to open UDP 53 so that Access Manager components can resolve DNS names. |
| Remote Linux Administration Workstation | TCP 22 | If you want to use SSH for remote administration of Access Manager components, open TCP 22 to allow communication from your remote administration workstation to your Access Manager components. |
| Remote Windows Administration Workstation | Configurable | If you want to use RDP or VNC for remote administration of Access Manager components, open the ports required by your application from the remote administration workstation to your Access Manager components. You need to open ports for console access and for file sharing. For console access, VNC usually uses TCP 5901 and RDP uses TCP 3389. For file sharing, UDP 135-139 are the default ports. |
Table 8-2 When a Firewall Separates the Administration Console from a Component

| Component | Port | Description |
|---|---|---|
| Access Gateway, Identity Server, SSL VPN | TCP 1443 | For communication from the Administration Console to the devices. |
| | TCP 8444 | For communication from the devices to the Administration Console. |
| | TCP 1289 | For communication from the devices to the Audit server on the Administration Console. |
| | TCP 524 | For NCP certificate management with NPKI. The port needs to be opened so that both the device and the Administration Console can use it. |
| | TCP 636 | For secure LDAP communication from the devices to the Administration Console. |
| Importing an Access Gateway Appliance | ICMP | During an import, the Access Gateway Appliance sends two ICMP pings to the Administration Console. When the import has finished, you can disable ICMP echo requests and echo replies. |
| LDAP User Store | TCP 524 | Required only if the user store is eDirectory. When configuring a new eDirectory user store, NCP is used to enable Novell SecretStore by adding a SAML authentication method and storing a public key for the Administration Console. It is not used in day-to-day operations. |
| Administration Console | TCP 524 | Required to synchronize the configuration data store. |
| | TCP 636 | Required for secure LDAP communication. |
| | TCP 427 | Used for SLP (Service Location Protocol) communication. |
| | TCP 8080, 8443 | Used for Tomcat communication. |
| | TCP 705 | Used for Sub Agent to Master Agent communication inside the Administration Console. |
| | UDP 161 | Used by an external Network Monitoring System to communicate with the Administration Console by using SNMP. |
| Browsers | TCP 8080 | For HTTP communication from browsers to the Administration Console. |
| | TCP 8443, 2443, 2080 | For HTTPS communication from browsers to the Administration Console. NOTE: 2443 and 2080 are optional ports, required when the Administration Console and Identity Server are collocated. |
| | TCP 8028, 8030 | To use iMonitor or DSTrace from a client to view information about the configuration store on the Administration Console. |
Table 8-3 When a Firewall Separates the Identity Server from a Component

| Component | Port | Description |
|---|---|---|
| Access Gateway | TCP 8080 or 8443 | For authentication communication from the Access Gateway to the Identity Server. The default ports for the Identity Server are TCP 8080 and 8443; they are configurable. You need to open the port that you configured for the base URL of the Identity Server. |
| | TCP 80 or 443 | For communication from the Identity Server to the ESP of the Access Gateway. This is the reverse proxy port that is assigned to the ESP (see the Reverse Proxy / Authentication page). It is usually port 80 or 443. |
| ESP Enabled SSL VPN | TCP 8080 or 8443 | For authentication communication from SSL VPN to the Identity Server. TCP 8080 and 8443 are the default ports for the Identity Server; they are configurable. You need to open the port of the base URL of the Identity Server. Also for communication from the Identity Server to the ESP of SSL VPN. This is the Embedded Service Provider Base URL on the Configuration page. The default values are TCP 8080 and 8443. |
| Traditional SSL VPN | N/A | Traditional SSL VPN never communicates directly with the Identity Server. |
| Administration Console | TCP 1443 | For communication from the Administration Console to devices. This is configurable. |
| | TCP 8444 | For communication from the Identity Server to the Administration Console. |
| | TCP 1289 | For communication from the Identity Server to the Audit server on the Administration Console. |
| | TCP 524 | For NCP certificate management with NPKI from the Identity Server to the Administration Console. |
| | TCP 636 | For secure LDAP communication from the Identity Server to the Administration Console. |
| Identity Server | TCP 8443 or 443 | For HTTPS communication. You can use iptables to configure this for TCP 443. See |
| | TCP 7801, 7802 | For back-channel communication with cluster members. You need to open two consecutive ports for the cluster, for example 7801 and 7802. The initial port (7801) is configurable. |
| LDAP User Stores | TCP 636 | For secure LDAP communication from the Identity Server to the LDAP user store. |
| Service Providers | TCP 8445 | If you have enabled identity provider introductions, open a port to allow HTTPS communication from the user's browser to the service provider. |
| | TCP 8446 | If you have enabled identity provider introductions, open a port to allow HTTPS communication from the user's browser to the service consumer. |
| Browsers | TCP 8080, 3080, 3443 | For HTTP communication from a browser to the Identity Server. You can use iptables to configure this for TCP 80. See NOTE: 3080 and 3443 are optional ports. They are required when SSL VPN and Identity Server are collocated. |
| | TCP 8443 | For HTTPS communication from a browser to the Identity Server. You can use iptables to configure this for TCP 443. See |
| CRL and OCSP Servers | Configurable | If you are using X.509 certificates that include an AIA or CRL Distribution Point attribute, you need to open the port required to talk to that server. Ports 80/443 are the most common, but the LDAP ports 389/636 can also be used. |
| Active Directory Server with Kerberos | TCP 88, UDP 88 | For communication with the KDC on the Active Directory server for Kerberos authentication. |
Table 8-4 When a Firewall Separates the Access Gateway from a Component

| Component | Port | Description |
|---|---|---|
| Identity Server | TCP 8080 or 8443 | For authentication communication from the Access Gateway to the Identity Server. The default ports are TCP 8080 and 8443, which are configurable. You need to open the port of the base URL of the Identity Server. |
| | TCP 80 or 443 | For communication from the Identity Server to the ESP of the Access Gateway. This is the reverse proxy port that is assigned to the ESP (see the Reverse Proxy / Authentication page). It is usually port 80 or 443. |
| Administration Console | TCP 1443 | For communication from the Administration Console to the Access Gateway. This is configurable. |
| | TCP 8444 | For communication from the Access Gateway to the Administration Console. |
| | TCP 1289 | For communication from the Access Gateway to the Audit server on the Administration Console. |
| | TCP 524 | For NCP certificate management with NPKI from the Access Gateway to the Administration Console. |
| | TCP 636 | For secure LDAP communication from the Access Gateway to the Administration Console. |
| ESP Enabled SSL VPN | N/A | ESP-enabled SSL VPN never communicates directly with the Access Gateway. |
| Traditional SSL VPN | TCP 8080 | (Access Gateway Appliance) For HTTP communication from the Access Gateway to SSL VPN. |
| | TCP 8443 | (Access Gateway Appliance) If SSL has been enabled between the Access Gateway and SSL VPN, TCP 8443 needs to be opened for HTTPS communication from the Access Gateway to SSL VPN. |
| Access Gateway | TCP 7801, 7802 | For back-channel communication with cluster members. You need the initial port and the next consecutive port (the initial port plus 1). The initial port (7801) is configurable. It is set by the Identity Server cluster configuration that the Access Gateway trusts. See |
| Browsers/Clients | TCP 80 | For HTTP communication from the client to the Access Gateway. This is configurable. |
| | TCP 443 | For HTTPS communication from the client to the Access Gateway. This is configurable. |
| Web Servers | TCP 80 | For HTTP communication from the Access Gateway to the Web servers. This is configurable. |
| | TCP 443 | For HTTPS communication from the Access Gateway to the Web servers. This is configurable. |

NOTE: On SLES 11 SP2 (or a higher version), you can use YaST to configure UDP ports and internal networks.
Table 8-5 When a Firewall Separates Traditional SSL VPN from a Component

| Component | Port | Description |
|---|---|---|
| Access Gateway | TCP 8080 | For HTTP communication from the Access Gateway to SSL VPN. |
| | TCP 8443 | If SSL has been enabled between the Access Gateway and SSL VPN, TCP 8443 needs to be opened for HTTPS communication from the Access Gateway to SSL VPN. |
| Identity Server | N/A | SSL VPN never communicates directly with the Identity Server. |
| Administration Console | TCP 1443 | For communication from the Administration Console to SSL VPN. This is configurable. |
| | TCP 8444 | For communication from SSL VPN to the Administration Console. |
| | TCP 1289 | For communication from SSL VPN to the Novell Audit server on the Administration Console. |
| | TCP 524 | For NCP certificate management with NPKI from SSL VPN to the Administration Console. |
| | TCP 636 | For secure LDAP communication from SSL VPN to the Administration Console. |
| SSL VPN Server | TCP 8900 | For communication between the cluster members. This is the default port; you can use any other free port. |
| Browsers | TCP 8080 | For HTTP communication. |
| | TCP 8443 | For HTTPS communication. |
| SOCKS server | TCP 7777 | For SOCKS communication from SSL VPN to the SOCKS server. This is the default port for access to SSL VPN, but it can be configured to use TCP 443. |
| OpenVPN | UDP 7777 | For OpenVPN server communication. This is the default port for access to SSL VPN, but it can be configured to use UDP 443. |
| Application Servers (E-mail, Telnet, Thin Client) | TCP 22 | For SSH communication from SSL VPN to the application server. |
| | TCP 23 | For Telnet communication from SSL VPN to the application server. |
| | Application ports | Specific to the application that SSL VPN is providing access to. |
| Firewall on same machine as SSL VPN | tun0 | SSL VPN creates a tunnel interface that needs to be added to the internal networks list of the machine. |
Table 8-6 When a Firewall Separates ESP-Enabled SSL VPN from a Component

| Component | Port | Description |
|---|---|---|
| Identity Server | TCP 8080 or 8443 | For authentication communication from SSL VPN to the Identity Server. TCP 8080 and 8443 are the default ports; they are configurable. You need to open the port of the base URL of the Identity Server. Also for communication from the Identity Server to the Embedded Service Provider of SSL VPN. This is the Embedded Service Provider Base URL on the Configuration page. The default values are TCP 8080 and 8443. |
| Administration Console | TCP 1443 | For communication from the Administration Console to SSL VPN. This is configurable. |
| | TCP 8444 | For communication from SSL VPN to the Administration Console. |
| | TCP 1289 | For communication from SSL VPN to the Novell Audit server on the Administration Console. |
| | TCP 524 | For NCP certificate management with NPKI from SSL VPN to the Administration Console. |
| | TCP 636 | For secure LDAP communication from SSL VPN to the Administration Console. |
| ESP-Enabled SSL VPN | TCP 7801 and 8900 | For communication between the cluster members. 8900 is the default port; you can use any other free port instead of 8900. |
| Browsers | TCP 8080 | For HTTP communication. |
| | TCP 8443 | For HTTPS communication. |
| SOCKS server | TCP 7777 | For SOCKS communication from SSL VPN to the SOCKS server. This is the default port for access to SSL VPN, but it can be configured to use TCP 443. |
| OpenVPN | TCP 7777 | For OpenVPN server communication. This is the default port for access to SSL VPN, but it can be configured to use UDP 443. |
| Application Servers (E-mail, Telnet, Thin Client) | TCP 22 | For SSH communication from SSL VPN to the application server. |
| | TCP 23 | For Telnet communication from SSL VPN to the application server. |
| | Application ports | Specific to the application that SSL VPN is providing access to. |
| Firewall on same machine as SSL VPN | tun0 | SSL VPN creates a tunnel interface that needs to be added to the internal networks list of the machine. For configuration information, see the following Note. |
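As an added worked example (not part of the Access Manager documentation), the following Python transcribes a subset of the flows from Tables 8-2, 8-3 and 8-4 into data and computes which firewall openings a given placement of components across zones actually requires, de-duplicating entries that appear in more than one table and dropping flows between components in the same zone. The component names, zone names and interface names are assumptions chosen here.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto port note")

# Flows transcribed from Tables 8-2, 8-3 and 8-4 for an Access Gateway deployment.
# Component labels ("admin_console" etc.) are names chosen for this example.
FLOWS = [
    Flow("admin_console", "access_gateway", "tcp", 1443, "console to device"),
    Flow("access_gateway", "admin_console", "tcp", 8444, "device to console"),
    Flow("access_gateway", "admin_console", "tcp", 1289, "device to Audit server"),
    Flow("access_gateway", "admin_console", "tcp", 524, "NCP/NPKI certificate management"),
    Flow("admin_console", "access_gateway", "tcp", 524, "NCP/NPKI certificate management"),
    Flow("access_gateway", "admin_console", "tcp", 636, "secure LDAP to config store"),
    Flow("access_gateway", "identity_server", "tcp", 8443, "authentication, IDP base URL"),
    Flow("identity_server", "access_gateway", "tcp", 443, "IDP to ESP reverse proxy"),
    Flow("identity_server", "ldap_user_store", "tcp", 636, "secure LDAP to user store"),
    Flow("browser", "access_gateway", "tcp", 443, "HTTPS from clients"),
    Flow("browser", "identity_server", "tcp", 8443, "HTTPS from clients"),
    Flow("access_gateway", "web_server", "tcp", 443, "HTTPS to protected Web servers"),
]


def required_openings(zone_of):
    """Return sorted, de-duplicated (src_zone, dst_zone, proto, port) tuples for
    every flow whose two endpoints sit in different firewall zones.
    zone_of maps each component name used in FLOWS to a zone name; a component
    missing from the map raises KeyError rather than being silently skipped."""
    openings = set()
    for f in FLOWS:
        src_zone, dst_zone = zone_of[f.src], zone_of[f.dst]
        if src_zone != dst_zone:  # same-zone traffic never crosses the firewall
            openings.add((src_zone, dst_zone, f.proto, f.port))
    return sorted(openings)


def iptables_forward_rules(zone_of, iface_of):
    """Render the openings as iptables FORWARD rules, one per (zone pair, port).
    iface_of maps a zone name to the firewall interface facing it (assumed names).
    Reply packets are expected to match a separate ESTABLISHED,RELATED rule."""
    return [
        f"iptables -A FORWARD -i {iface_of[src]} -o {iface_of[dst]} "
        f"-p {proto} --dport {port} -m conntrack --ctstate NEW -j ACCEPT"
        for src, dst, proto, port in required_openings(zone_of)
    ]


if __name__ == "__main__":
    zones = {"browser": "internet", "access_gateway": "dmz", "identity_server": "dmz",
             "admin_console": "internal", "ldap_user_store": "internal", "web_server": "internal"}
    print("\n".join(iptables_forward_rules(zones, {"internet": "eth0", "dmz": "eth1", "internal": "eth2"})))
```

Note that TCP 524 appears in both directions between the DMZ and the internal zone, matching the "both the device and the Administration Console" remark in Table 8-2, while the two TCP 636 flows collapse into a single opening.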