4.1 Required Ports

The following tables list the ports that need to be opened when a firewall separates one component from another. Some combinations appear in more than one table, but this allows you to discover the required ports whether you are thinking that a firewall is separating an Access Gateway from the Administration Console or that a firewall is separating an Administration Console from the Access Gateway.

With these tables, you should be able to place the Access Manager components of your system anywhere within your existing firewalls and know which ports need to be opened in the firewall.

Table 4-1 When a Firewall Separates an Access Manager Component from a Global Service

Component

Port

Description

NTP Server

UDP 123

Access Manager components must have time synchronized or authentication fails. We highly recommend that all components be configured to use an NTP (network time protocol) server. Depending upon where your NTP server is located in relationship to your firewalls, you might need to open UDP 123 so that the Access Manager component can use the NTP server.

DNS Servers

UDP 53

Access Manager components must be able to resolve DNS names. Depending upon where your DNS servers are located, you might need to open UDP 53 so that the Access Manager component can resolve DNS names.

Remote Linux Administration Workstation

TCP 22

If you use SSH for remote administration and want to use it for remote administration of Access Manager components, you need to open TCP 22 to allow communication from your remote administration workstation to your Access Manager components.

Remote Windows Administration Workstation

Configurable

If you use RDP or VNC for remote administration and want to use it for remote administration of Access Manager components, you need to open the ports required by your application from the remote administration workstation to your Access Manager components. You need to open ports for console access and for file sharing.

For console access, VNC usually uses TCP 5901 and RDP uses TCP 3389. For file sharing, UDP 135-139 are the default ports.

Table 4-2 When a Firewall Separates the Administration Console from a Component

Component

Port

Description

Access Gateway, Identity Server, SSL VPN, or J2EE Agent

TCP 1443

For communication from the Administration Console to the devices.

TCP 8444

For communication from the devices to the Administration Console.

TCP 289

For communication from the devices to the Novell Audit server on the Administration Console.

TCP 524

For NCP certificate management with NPKI. The port needs to be opened so that both the device and the Administration Console can use the port.

TCP 636

For secure LDAP communication from the devices to the Administration Console.

Importing an Access Gateway Appliance

ICMP

During an import, the Access Gateway Appliance sends two ICMP pings to the Administration Console. When the import has finished, you can close this port.

LDAP User Store

TCP 524

Required only if the user store is eDirectory. When configuring a new eDirectory user store, NCP is used to enable Novell SecretStore by adding a SAML authentication method and storing a public key for the Administration Console. It is not used in day-to-day operations.

Administration Console

TCP 524

Required to synchronize the configuration data store.

 

TCP 636

Required for secure LDAP communication.

 

TCP 427

Used for SLP (Service Location Protocol) communication.

 

TCP 8080, 8443

Used for Tomcat communication.

Browsers

TCP 8080

For HTTP communication from the browsers to the Administration Console.

TCP 8443

For HTTPS communication from the browsers to the Administration Console.

TCP 8028, 8030

To use iMonitor or DSTrace from a client to view information about the configuration store on the Administration Console.

Table 4-3 When a Firewall Separates the Identity Server from a Component

Component

Port

Description

Access Gateway

TCP 8080 or 8443

For authentication communication from the Access Gateway to the Identity Server. The default ports for the Identity Server are TCP 8080 and 8443. They are configurable. You need to open the port that you configured for the Base URL of the Identity Server.

 

TCP 80 or 443

For communication from the Identity Server to the Embedded Service Provider of the Access Gateway. This is the reverse proxy port that is assigned to be Embedded Service Provider (see the Reverse Proxy /Authentication page). This is usually either port 80 or 443.

ESP Enabled SSL VPN

TCP 8080 or 8443

For authentication communication from the SSL VPN server to the Identity Server. TCP 8080 and 8443 are the default ports for the Identity Server. They are configurable. You need to open the port of the Base URL of the Identity Server.

Also for communication from the Identity Server to the Embedded Service Provider of the SSL VPN server. This is the Embedded Service Provider Base URL on the Configuration page. The default values are TCP 8080 and 8443.

Traditional SSL VPN

N/A. The traditional SSL VPN server never communicates directly with the Identity Server.

J2EE Agent

TCP 8080 or 8443

For authentication communication from the J2EE Agent to the Identity Server. TCP 8080 and 8443 are the default ports. They are configurable. You need to open the port of the Base URL of the Identity Server. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.1 SP2 Identity Server Guide.

Administration Console

TCP 1443

For communication from the Administration Console to the devices. This is configurable.

TCP 8444

For communication from the Identity Server to the Administration Console.

TCP 289

For communication from the Identity Server to the Novell Audit server on the Administration Console.

TCP 524

For NCP certificate management with NPKI from the Identity Server to the Administration Console.

TCP 636

For secure LDAP communication from the Identity Server to the Administration Console.

Identity Server

TCP 8443 or 443

For HTTPS communication. You can use iptables to configure this for TCP 443. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.1 SP2 Identity Server Guide.

 

TCP 7801, 7802

For back-channel communication with cluster members. You need to open two consecutive ports for the cluster, for example 7801 and 7802.

The initial port (7801) is configurable. SeeConfiguring a Cluster with Multiple Identity Servers in the Novell Access Manager 3.1 SP2 Identity Server Guide.

LDAP User Stores

TCP 636

For secure LDAP communication from the Identity Server to the LDAP user store.

Service Providers

TCP 8445

If you have enabled Identity Provider introductions, you need to open a port to allow HTTPS communication from the user’s browser to the service provider.

TCP 8446

If you have enabled Identity Provider introductions, you need to open a port to allow HTTPS communication from the user’s browser to the service consumer.

Browsers

TCP 8080

For HTTP communication from the browser to the Identity Server. You can use iptables to configure this for TCP 80. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.1 SP2 Identity Server Guide.

TCP 8443

For HTTPS communication from the browser to the Identity Server. You can use iptables to configure this for TCP 443. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.1 SP2 Identity Server Guide.

CRL and OCSP Servers

Configurable

If you are using x.509 certificates that include an AIA or CRL Distribution Point attribute, you need to open the port required to talk to that server. Ports 80/443 are the most common ports, but the LDAP ports 389/636 can also be used.

Active Directory Server with Kerberos

TCP 88, UDP 88

For communication with the KDC on the Active Directory Server for Kerberos authentication.

Table 4-4 When a Firewall Separates the Access Gateway from a Component

Component

Port

Description

Identity Server

TCP 8080 or 8443

For authentication communication from the Access Gateway to the Identity Server. The default ports are TCP 8080 and 8443, which are configurable. You need to open the port of the Base URL of the Identity Server.

 

TCP 80 or 443

For communication from the Identity Server to the Embedded Service Provider of the Access Gateway. This is the reverse proxy port that is assigned to be Embedded Service Provider (see the Reverse Proxy /Authentication page). This is usually either port 80 or 443.

Administration Console

TCP 1443

For communication from the Administration Console to the Access Gateway. This is configurable.

 

TCP 8444

For communication from the Access Gateway to the Administration Console.

 

TCP 289

For communication from the Access Gateway to the Novell Audit server on the Administration Console.

 

TCP 524

For NCP certificate management with NPKI from the Access Gateway to the Administration Console.

 

TCP 636

For secure LDAP communication from the Access Gateway to the Administration Console.

ESP Enabled SSL VPN

N/A. The ESP enabled SSL VPN server never communicates directly with the Access Gateway.

Traditional SSL VPN

TCP 8080

(Access Gateway Appliance) For HTTP communication from the Access Gateway to the SSL VPN.

TCP 8443

(Access Gateway Appliance) If SSL has been enabled between the Access Gateway and the SSL VPN, TCP 8443 needs to be opened for HTTPS communication from the Access Gateway to the SSL VPN.

J2EE Agent

Only required if the Access Gateway is configured to protect the J2EE server as a Web server.

TCP 8080, 8443

For communication from the Access Gateway to the JBoss server. These are the default ports. They are configurable.

TCP 9080, 9443

For communication from the Access Gateway to the WebSphere server. These are the default ports. They are configurable.

TCP 7001, 7002

For communication from the Access Gateway to the WebLogic server. These are the default ports. They are configurable.

Access Gateway

TCP 7801, 7802

For back-channel communication with cluster members. You need the first port plus 1.

The initial port (7801) is configurable. It is set by the Identity Server cluster configuration that the Access Gateway trusts. SeeConfiguring a Cluster with Multiple Identity Servers in the Novell Access Manager 3.1 SP2 Identity Server Guide.

Browsers/Clients

TCP 80

For HTTP communication from the client to the Access Gateway. This is configurable.

TCP 443

For HTTPS communication from the client to the Access Gateway. This is configurable.

Web Servers

TCP 80

For HTTP communication from the Access Gateway to the Web servers. This is configurable.

 

TCP 443

For HTTPS communication from the Access Gateway to the Web servers. This is configurable.

Table 4-5 When a Firewall Separates the Traditional SSL VPN from a Component

Component

Port

Description

Access Gateway

TCP 8080

For HTTP communication from the Access Gateway to the SSL VPN.

TCP 8443

If SSL has been enabled between the Access Gateway and the SSL VPN, TCP 8443 needs to be opened for HTTPS communication from the Access Gateway to the SSL VPN.

Identity Server

N/A. The SSL VPN never communicates directly with the Identity Server.

Administration Console

TCP 1443

For communication from the Administration Console to the SSL VPN. This is configurable.

TCP 8444

For communication from the SSL VPN to the Administration Console.

TCP 289

For communication from the SSL VPN to the Novell Audit server on the Administration Console.

TCP 524

For NCP certificate management with NPKI from the SSL VPN to the Administration Console.

TCP 636

For secure LDAP communication from the SSL VPN to the Administration Console.

J2EE Agent

N/A. The SSL VPN never communicates with the J2EE Agent.

SSL VPN Server

TCP 8900

For communication between the cluster members. This is a default port. You can use any other free port.

Browsers

TCP 8080

TCP 8443

For HTTP communication.

For HTTPS communication.

SOCKS server

TCP 7777

For SOCKS communication from the SSL VPN to the SOCKS server. This is the default port for access to the SSL VPN, but it can be configured to use TCP 443.

OpenVPN

UDP 7777

For OpenVPN server communication. This is the default port for access to the SSL VPN, but it can be configured to use UDP 443.

Application Servers (E-mail, Telnet, Thin Client, etc.)

TCP 22

For SSH communication from the SSL VPN to the application server.

TCP 23

For Telnet communication from the SSL VPN to the application server.

Application ports

Specific to the application that SSL VPN is providing access to.

Firewall on same machine as the SSL VPN

tun0

SSL VPN creates a tunnel that needs to be open on the internal networks list of the machine. For configuration information, see the following Note.

NOTE:If you are running the SSL VPN on SUSE Linux Enterprise Server (SLES) 9 with a firewall, you cannot use YaST to configure the firewall for access to UDP ports and internal networks. You need to edit the /etc/sysconfig/SuSEfirewall2 file and add lines similar to the following:

FW_SERVICES_EXT_UDP=7777
FW_DEV_INT=tun0

On SLES 10, you can edit this file or use YaST to configure UDP ports and internal networks.

Table 4-6 When a Firewall Separates the ESP-Enabled SSL VPN from a Component

Component

Port

Description

Identity Server

TCP 8080 or 8443

For authentication communication from the SSL VPN server to the Identity Server. TCP 8080 and 8443 are the default ports. They are configurable. You need to open the port of the Base URL of the Identity Server.

For communication from the Identity Server to the Embedded Service Provider of the SSL VPN server. This is the Embedded Service Provider Base URL on the Configuration page. The default values are TCP 8080 and 8443.

Administration Console

TCP 1443

For communication from the Administration Console to the SSL VPN. This is configurable.

TCP 8444

For communication from the SSL VPN to the Administration Console.

TCP 289

For communication from the SSL VPN to the Novell Audit server on the Administration Console.

TCP 524

For NCP certificate management with NPKI from the SSL VPN to the Administration Console.

TCP 636

For secure LDAP communication from the SSL VPN to the Administration Console.

ESP-Enabled SSL VPN

TCP 7801 and 8900

For communication between the cluster members. 8900 is a default port. You can use any other free port instead of 8900.

J2EE Agent

N/A. The SSL VPN never communicates with the J2EE Agent.

Browsers

TCP 8080

TCP 8443

For HTTP communication.

For HTTPS communication.

SOCKS server

TCP 7777

For SOCKS communication from the SSL VPN to the SOCKS server. This is the default port for access to the SSL VPN, but it can be configured to use TCP 443.

OpenVPN

TCP 7777

For OpenVPN server communication. This is the default port for access to the SSL VPN, but it can be configured to use UDP 443.

Application Servers (E-mail, Telnet, Thin Client, etc.)

TCP 22

For SSH communication from the SSL VPN to the application server.

TCP 23

For Telnet communication from the SSL VPN to the application server.

Application ports

Specific to the application that SSL VPN is providing access to.

Firewall on same machine as the SSL VPN

tun0

SSL VPN creates a tunnel that needs to be open on the internal networks list of the machine. For configuration information, see the following Note.

NOTE:If you are running the SSL VPN on SLES 9 with a firewall, you cannot use YaST to configure the firewall for access to UDP ports and internal networks. You need to edit the /etc/sysconfig/SuSEfirewall2 file and add lines similar to the following:

FW_SERVICES_EXT_UDP=7777
FW_DEV_INT=tun0

On SLES 10 and SLES 11, you can edit this file or use YaST to configure UDP ports and internal networks.

Table 4-7 When a Firewall Separates the J2EE Agent from a Component

Component

Port

Description

Administration Console

TCP 1443

For communication from the Administration Console to the J2EE Agent. This is configurable.

TCP 8444

For communication from the J2EE Agent to the Administration Console.

TCP 289

For communication from the J2EE Agent to the Novell Audit server on the Administration Console.

\

TCP 524

For NCP certificate management with NPKI from the J2EE Agent to the Administration Console.

TCP 636

For secure LDAP communication from the J2EE Agent to the Administration Console.

Identity Server

TCP 8080 or 8443

For authentication communication from the J2EE Agent to the Identity Server and from the Identity Server to the J2EE Agent. TCP 8080 and 8443 are the default ports. They are configurable. You need to open the port of the Base URL of the Identity Server. See Translating the Identity Server Configuration Port in the Novell Access Manager 3.1 SP2 Identity Server Guide.

Access Gateway

Only required if the Access Gateway is configured to protect the J2EE server as a Web server.

TCP 8080, 8443

For communication from the Access Gateway to the JBoss server. These are the default ports. They are configurable.

TCP 9080, 9443

For communication from the Access Gateway to the WebSphere server. These are the default ports. They are configurable.

TCP 7001, 7002

For communication from the Access Gateway to the WebLogic server. These are the default ports. They are configurable.

SSL VPN

N/A. The J2EE Agent never communicates with the SSL VPN.

Browsers

TCP 8080, 8443

For communication from the browser to the JBoss server. These are the default ports. They are configurable.

TCP 9080, 9443

For communication from the browser to the WebSphere server. These are the default ports. They are configurable.

TCP 7001, 7002

For communication from the browser to the WebLogic server. These are the default ports. They are configurable.