5.1 Required Ports

The following tables list the ports that need to be opened when a firewall separates one component from another. Some combinations appear in more than one table; this lets you find the required ports whether you think of the firewall as separating an Access Gateway from the Administration Console or as separating the Administration Console from the Access Gateway.

With these tables, you should be able to place the Access Manager components of your system anywhere within your existing firewalls and know which ports need to be opened in the firewall.

Table 5-1 When a Firewall Separates an Access Manager Component from a Global Service

| Component | Port | Description |
| --- | --- | --- |
| NTP Server | UDP 123 | Access Manager components must have synchronized time or authentication fails. We highly recommend that all components be configured to use an NTP (Network Time Protocol) server. Depending upon where your NTP server is located in relation to your firewalls, you might need to open UDP 123 so that the Access Manager component can use the NTP server. |
| DNS Servers | UDP 53 | Access Manager components must be able to resolve DNS names. Depending upon where your DNS servers are located, you might need to open UDP 53 so that the Access Manager component can resolve DNS names. |
| Remote Administration Workstation | TCP 22 | If you use SSH for remote administration and want to use it for remote administration of Access Manager components, you need to open TCP 22 to allow communication from your remote administration workstation to your Access Manager components. |

Table 5-2 When a Firewall Separates the Administration Console from a Component

| Component | Port | Description |
| --- | --- | --- |
| Access Gateway, Identity Server, SSL VPN, or J2EE Agent | TCP 1443 | For communication from the Administration Console to the devices. |
| | TCP 8444 | For communication from the devices to the Administration Console. |
| | TCP 289 | For communication from the devices to the Novell® Audit server on the Administration Console. |
| | TCP 524 | For NCP™ certificate management with NPKI. The port needs to be opened so that both the device and the Administration Console can use the port. |
| | TCP 636 | For secure LDAP communication from the devices to the Administration Console. |
| Importing a Linux Access Gateway | ICMP | During an import, the Linux Access Gateway sends two ICMP pings to the Administration Console. When the import has finished, you can close this port. |
| LDAP User Store | TCP 524 | Required only if the user store is eDirectory™. When configuring a new eDirectory user store, NCP is used to enable SecretStore by adding a SAML authentication method and storing a public key for the Administration Console. It is not used in day-to-day operations. |
| Administration Console | | Not a supported configuration. The primary and secondary consoles need to be on the same side of the firewall. |
| Browsers | TCP 8080 | For HTTP communication from the browsers to the Administration Console. |
| | TCP 8443 | For HTTPS communication from the browsers to the Administration Console. |
| | TCP 8028, 8030 | To use iMonitor or DSTrace from a client to view information about the configuration store on the Administration Console. |

Table 5-3 When a Firewall Separates the Identity Server from a Component

| Component | Port | Description |
| --- | --- | --- |
| Access Gateway | TCP 8080 or 8443 | For authentication communication from the Access Gateway to the Identity Server and from the Identity Server to the Access Gateway. TCP 8080 and 8443 are the default ports. They are configurable. You need to open the port of the Base URL of the Identity Server. |
| SSL VPN | N/A | The SSL VPN never communicates directly with the Identity Server. |
| J2EE Agent | TCP 8080 or 8443 | For authentication communication from the J2EE Agent to the Identity Server. TCP 8080 and 8443 are the default ports. They are configurable. You need to open the port of the Base URL of the Identity Server. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.0 SP4 Administration Guide. |
| Administration Console | TCP 1443 | For communication from the Administration Console to the devices. This is configurable. |
| | TCP 8444 | For communication from the Identity Server to the Administration Console. |
| | TCP 289 | For communication from the Identity Server to the Novell Audit server on the Administration Console. |
| | TCP 524 | For NCP certificate management with NPKI from the Identity Server to the Administration Console. |
| | TCP 636 | For secure LDAP communication from the Identity Server to the Administration Console. |
| Identity Server | TCP 8443 or 443 | For HTTPS communication. You can use iptables to configure this for TCP 443. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.0 SP4 Administration Guide. |
| | TCP 7801 range | For back-channel communication with cluster members. You need to open two ports for each member of the cluster plus one. Thus, for a two-member cluster, 7801, 7802, 7803, 7804, and 7805 need to be open. The initial port (7801) is configurable. See Managing a Cluster with Multiple Identity Servers in the Novell Access Manager 3.0 SP4 Administration Guide. |
| LDAP User Stores | TCP 636 | For secure LDAP communication from the Identity Server to the LDAP user store. |
| Service Providers | TCP 8445 | If you have enabled Identity Provider introductions, you need to open a port to allow HTTPS communication from the user's browser to the service provider. |
| | TCP 8446 | If you have enabled Identity Provider introductions, you need to open a port to allow HTTPS communication from the user's browser to the service consumer. |
| Browsers | TCP 8080 | For HTTP communication from the browser to the Identity Server. You can use iptables to configure this for TCP 80. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.0 SP4 Administration Guide. |
| | TCP 8443 | For HTTPS communication from the browser to the Identity Server. You can use iptables to configure this for TCP 443. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.0 SP4 Administration Guide. |
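The following Python is an added worked example, not part of the Novell guide: it encodes a subset of the rows from Tables 5-1 to 5-3 as directed flows and derives which of them cross a firewall drawn around a chosen set of components, which is the placement question the tables answer; it also computes the 7801-range back-channel ports for a cluster of a given size. The component names, the `Flow` fields and the function names are the example's own assumptions.

```python
from typing import NamedTuple


class Flow(NamedTuple):
    src: str      # component that opens the connection
    dst: str      # component that listens
    proto: str
    port: int
    purpose: str


# Constructed from a subset of the rows in Tables 5-1 to 5-3 (the Identity
# Server and its peers); the remaining tables add the Access Gateway,
# SSL VPN and J2EE Agent rows in the same shape.
FLOWS = [
    Flow("Identity Server", "NTP Server", "udp", 123, "time synchronization"),
    Flow("Identity Server", "DNS Server", "udp", 53, "name resolution"),
    Flow("Administration Console", "Identity Server", "tcp", 1443, "console to device"),
    Flow("Identity Server", "Administration Console", "tcp", 8444, "device to console"),
    Flow("Identity Server", "Administration Console", "tcp", 289, "Novell Audit"),
    Flow("Identity Server", "Administration Console", "tcp", 524, "NCP certificate management"),
    Flow("Administration Console", "Identity Server", "tcp", 524, "NCP certificate management"),
    Flow("Identity Server", "Administration Console", "tcp", 636, "secure LDAP to configuration store"),
    Flow("Access Gateway", "Identity Server", "tcp", 8443, "authentication (Identity Server Base URL port)"),
    Flow("Identity Server", "Access Gateway", "tcp", 8443, "authentication (Identity Server Base URL port)"),
    Flow("Identity Server", "LDAP User Store", "tcp", 636, "secure LDAP to user store"),
    Flow("Browser", "Identity Server", "tcp", 8443, "user HTTPS to the Base URL"),
]


def crossing_flows(inside):
    """List (direction, flow) for every flow that crosses a firewall drawn
    around the components in `inside`. 'inbound' means the connection is
    opened from outside toward a component inside the firewall."""
    inside = set(inside)
    rules = []
    for f in FLOWS:
        if (f.src in inside) == (f.dst in inside):
            continue  # both endpoints on the same side: nothing to open
        rules.append(("inbound" if f.dst in inside else "outbound", f))
    return rules


def cluster_backchannel_ports(members, base=7801):
    """Ports for Identity Server cluster back-channel traffic: two per member
    plus one, starting at the configurable base port (7801 by default)."""
    if members < 1:
        raise ValueError("a cluster needs at least one member")
    return list(range(base, base + 2 * members + 1))


if __name__ == "__main__":
    # A firewall around an Identity Server cluster and its Administration Console.
    for direction, f in crossing_flows({"Identity Server", "Administration Console"}):
        print(f"{direction:8} {f.proto}/{f.port:<5} {f.src} -> {f.dst}: {f.purpose}")
    print("cluster back-channel ports:", cluster_backchannel_ports(2))
```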

Table 5-4 When a Firewall Separates the Access Gateway from a Component

| Component | Port | Description |
| --- | --- | --- |
| Identity Server | TCP 8080 or 8443 | For authentication communication from the Access Gateway to the Identity Server. TCP 8080 and 8443 are the default ports. They are configurable. You need to open the port of the Base URL of the Identity Server. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.0 SP4 Administration Guide. |
| Administration Console | TCP 1443 | For communication from the Administration Console to the Access Gateway. This is configurable. |
| | TCP 8444 | For communication from the Access Gateway to the Administration Console. |
| | TCP 289 | For communication from the Access Gateway to the Novell Audit server on the Administration Console. |
| | TCP 524 | For NCP certificate management with NPKI from the Access Gateway to the Administration Console. |
| | TCP 636 | For secure LDAP communication from the Access Gateway to the Administration Console. |
| SSL VPN | TCP 8080 | For HTTP communication from the Access Gateway to the SSL VPN. |
| | TCP 8443 | If SSL has been enabled between the Access Gateway and the SSL VPN, TCP 8443 needs to be opened for HTTPS communication from the Access Gateway to the SSL VPN. |
| J2EE Agent | | Only required if the Access Gateway is configured to protect the J2EE server as a Web server. |
| | TCP 8080, 8443 | For communication from the Access Gateway to the JBoss server. These are the default ports. They are configurable. |
| | TCP 9080, 9443 | For communication from the Access Gateway to the WebSphere server. These are the default ports. They are configurable. |
| | TCP 7001, 7002 | For communication from the Access Gateway to the WebLogic server. These are the default ports. They are configurable. |
| Access Gateway | | Not a supported configuration. All members of an Access Gateway group need to be on the same side of the firewall. |
| Browsers/Clients | TCP 80 | For HTTP communication from the client to the Access Gateway. This is configurable. |
| | TCP 443 | For HTTPS communication from the client to the Access Gateway. This is configurable. |
| | UDP 8880 | For RDB communication from the client to the Access Gateway. Only required if you enable RDB on the NetWare® Access Gateway. |
| | TCP 23 | For Telnet communication from the client to the Access Gateway. Only required if you enable Telnet on the NetWare Access Gateway. |
| | TCP 21 | For FTP communication from the client to the Access Gateway. Only required if you enable Mini FTP on the NetWare Access Gateway. |
| | TCP 524 | For SFTP communication from the client to the Access Gateway. Only required if you load the ncpip.nlm for SFTP on the NetWare Access Gateway. |
| Web Servers | TCP 80 | For HTTP communication from the Access Gateway to the Web servers. This is configurable. |
| | TCP 443 | For HTTPS communication from the Access Gateway to the Web servers. This is configurable. |

Table 5-5 When a Firewall Separates the SSL VPN from a Component

| Component | Port | Description |
| --- | --- | --- |
| Access Gateway | TCP 8080 | For HTTP communication from the Access Gateway to the SSL VPN. |
| | TCP 8443 | If SSL has been enabled between the Access Gateway and the SSL VPN, TCP 8443 needs to be opened for HTTPS communication from the Access Gateway to the SSL VPN. |
| Identity Server | N/A | The SSL VPN never communicates directly with the Identity Server. |
| Administration Console | TCP 1443 | For communication from the Administration Console to the SSL VPN. This is configurable. |
| | TCP 8444 | For communication from the SSL VPN to the Administration Console. |
| | TCP 289 | For communication from the SSL VPN to the Novell Audit server on the Administration Console. |
| | TCP 524 | For NCP certificate management with NPKI from the SSL VPN to the Administration Console. |
| | TCP 636 | For secure LDAP communication from the SSL VPN to the Administration Console. |
| J2EE Agent | N/A | The SSL VPN never communicates with the J2EE Agent. |
| Browsers | TCP 7777, UDP 7777 | This is the default port for access to the SSL VPN, but it can be configured to use TCP 443 and UDP 443. |
| SOCKS server | TCP 2010 | For SOCKS communication from the SSL VPN to the SOCKS server. This port is configurable. |
| Application Servers (E-mail, Telnet, Thin Client, etc.) | TCP 22 | For SSH communication from the SSL VPN to the application server. |
| | TCP 23 | For Telnet communication from the SSL VPN to the application server. |
| | Application ports | Specific to the application that the SSL VPN is providing access to. |
| Firewall on same machine as the SSL VPN | tun0 | The SSL VPN creates a tunnel interface that needs to be in the internal networks list of the machine. For configuration information, see the following Note. |

NOTE: If you are running the SSL VPN on SLES 9 with a firewall, you cannot use YaST to configure the firewall for access to UDP ports and internal networks. You need to edit the /etc/sysconfig/SuSEfirewall2 file and add lines similar to the following:

FW_SERVICES_EXT_UDP=7777
FW_DEV_INT=tun0

On SLES 10, you can edit this file or use YaST to configure UDP ports and internal networks.
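As an added example (not from the guide), the following Python merges the two settings from the note above into a SuSEfirewall2-style sysconfig file without duplicating values that are already there, and reports which settings are still missing; the function names are the example's own, and the default file path is the one the note names.

```python
import re
from pathlib import Path


def sysconfig_add(text, key, value):
    """Merge `value` into the space-separated list stored as KEY=... in a
    sysconfig-style file body (quoted or unquoted); unchanged if present."""
    line = re.compile(rf'^{re.escape(key)}=("?)(.*?)\1[ \t]*$', re.M)
    m = line.search(text)
    if m is None:
        sep = "" if not text or text.endswith("\n") else "\n"
        return f'{text}{sep}{key}="{value}"\n'
    items = m.group(2).split()
    if value in items:
        return text
    items.append(value)
    return text[:m.start()] + f'{key}="{" ".join(items)}"' + text[m.end():]


def sslvpn_firewall_settings(text, udp_port=7777):
    """Apply the two settings from the note: allow the SSL VPN UDP port on
    the external zone and treat the tun0 tunnel as an internal device."""
    text = sysconfig_add(text, "FW_SERVICES_EXT_UDP", str(udp_port))
    return sysconfig_add(text, "FW_DEV_INT", "tun0")


def missing_sslvpn_settings(text, udp_port=7777):
    """Return the settings still absent from `text`; empty when it is ready."""
    wanted = {"FW_SERVICES_EXT_UDP": str(udp_port), "FW_DEV_INT": "tun0"}
    missing = []
    for key, value in wanted.items():
        m = re.search(rf'^{key}=("?)(.*?)\1[ \t]*$', text, re.M)
        if m is None or value not in m.group(2).split():
            missing.append(f"{key} lacks {value}")
    return missing


def update_file(path="/etc/sysconfig/SuSEfirewall2", udp_port=7777):
    """Rewrite the file in place and return what was missing beforehand."""
    p = Path(path)
    before = p.read_text() if p.exists() else ""
    gaps = missing_sslvpn_settings(before, udp_port)
    if gaps:
        p.write_text(sslvpn_firewall_settings(before, udp_port))
    return gaps
```

If you changed the SSL VPN to listen on UDP 443, pass `udp_port=443` so the check and the edit follow the port you actually use.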

Table 5-6 When a Firewall Separates the J2EE Agent from a Component

| Component | Port | Description |
| --- | --- | --- |
| Administration Console | TCP 1443 | For communication from the Administration Console to the J2EE Agent. This is configurable. |
| | TCP 8444 | For communication from the J2EE Agent to the Administration Console. |
| | TCP 289 | For communication from the J2EE Agent to the Novell Audit server on the Administration Console. |
| | TCP 524 | For NCP certificate management with NPKI from the J2EE Agent to the Administration Console. |
| | TCP 636 | For secure LDAP communication from the J2EE Agent to the Administration Console. |
| Identity Server | TCP 8080 or 8443 | For authentication communication from the J2EE Agent to the Identity Server and from the Identity Server to the J2EE Agent. TCP 8080 and 8443 are the default ports. They are configurable. You need to open the port of the Base URL of the Identity Server. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.0 SP4 Administration Guide. |
| Access Gateway | | Only required if the Access Gateway is configured to protect the J2EE server as a Web server. |
| | TCP 8080, 8443 | For communication from the Access Gateway to the JBoss server. These are the default ports. They are configurable. |
| | TCP 9080, 9443 | For communication from the Access Gateway to the WebSphere server. These are the default ports. They are configurable. |
| | TCP 7001, 7002 | For communication from the Access Gateway to the WebLogic server. These are the default ports. They are configurable. |
| SSL VPN | N/A | The J2EE Agent never communicates with the SSL VPN. |
| Browsers | TCP 8080, 8443 | For communication from the browser to the JBoss server. These are the default ports. They are configurable. |
| | TCP 9080, 9443 | For communication from the browser to the WebSphere server. These are the default ports. They are configurable. |
| | TCP 7001, 7002 | For communication from the browser to the WebLogic server. These are the default ports. They are configurable. |