1.6 Setting Up Firewalls
It is recommended to use Access Manager Appliance with firewalls. Figure 1-6 illustrates a simple firewall setup for a basic Access Manager Appliance configuration . This is one of many possible configurations.
Figure 1-6 Access Manager Appliance and Firewall
The first firewall separates Access Manager Appliance from the Internet, allowing browsers to access the resources through specific ports.The second firewall separates Access Manager Appliance from web servers they are protecting .
This section describes the following topics:
1.6.1 Required Ports
Table 1-2 When a Firewall Separates Access Manager Appliance from Internet
|
Component |
Port |
Description |
|---|---|---|
|
NTP Server |
UDP 123 |
Access Manager Appliance must have time synchronized else the authentication fails. Configure Access Manager Appliance to use an NTP (network time protocol) server. Depending on where your NTP server is located in relationship to your firewalls, you might need to open UDP 123. |
|
DNS Servers |
UDP 53 |
Access Manager Appliance must be able to resolve DNS names. Depending upon where your DNS servers are located, you might need to open UDP 53 so that Access Manager Appliance can resolve DNS names. |
|
Remote Linux Administration Workstation |
TCP 22 |
To use SSH for remote administration of Access Manager Appliance. |
|
Access Manager Appliance |
TCP 1443 |
For communication from Administration Console to devices. |
|
TCP 8444 |
For communication from devices to Administration Console. |
|
|
TCP 1290 |
For communication from devices to the Syslog server on Administration Console. |
|
|
TCP 524 |
For NCP certificate management with NPKI. The port needs to be opened so that both the device and Administration Console can use the port. |
|
|
TCP 636 |
For secure LDAP communication from the devices to Administration Console. |
|
|
TCP 524 |
Required to synchronize the configuration data store. |
|
|
TCP 636 |
Required for the secure LDAP communication. |
|
|
TCP 8080, 8443 |
Used for the Tomcat communication. |
|
|
TCP 7801 |
Used for back-channel communication with cluster members. |
|
LDAP User Store |
TCP 524 |
Required only if the user store is eDirectory. When configuring a new eDirectory user store, NCP is used to enable Novell SecretStore by adding a SAML authentication method and storing a public key for Administration Console. It is not used in day-to-day operations. |
|
Browsers |
TCP 8080 |
For HTTP communication from browsers to Administration Console. |
|
TCP 8443 |
For HTTPS communication from browsers to Administration Console. |
|
|
TCP 8028, 8030 |
To use iMonitor or DSTrace from a client to view information about the configuration store on Administration Console. |
|
|
TCP 80 |
For HTTP communication from the client to Access Gateway. This is configurable. |
|
|
TCP 443 |
For HTTPS communication from the client to Access Gateway. This is configurable. |
|
|
Web Servers |
TCP 80 |
For HTTP communication from Access Gateway to web servers. This is configurable. |
|
TCP 443 |
For HTTPS communication from Access Gateway to web servers. This is configurable. |
NOTE:On SLES 12 SP5, you can edit this file or use YaST to configure UDP ports and internal networks.
Table 1-3 When a Firewall Separates Analytics Server from Administration Console or any Services
|
Component |
Port |
Description |
|---|---|---|
|
Administration Console |
TCP 1444 |
For communication between Administration Console and Analytics Server. |
|
Browsers |
TCP 8445 |
For HTTPS communication with Analytics Server for Access Manager Dashboard. |
|
Syslog |
TCP 1468 |
For sending Syslog messages from Access Manager components to Analytics Server. |
|
Docker |
TCP 2443 |
For Docker deployment. |
|
Remote Administration Workstation |
TCP 22 |
For communication from your remote administration workstation to Analytics Server. |
|
Upgrade Assistant Agent |
TCP 9968 |
For HTTPS communication from Upgrade Assistant agent to Administration Console or any services. |
The following syslog ports for Docker are configured for Access Gateway, Administration Console, and Identity Server so they are unique and do not conflict:
Table 1-4 Syslog Ports on Docker
|
Ports for Administration Console |
Ports for Access Gateway |
Ports for Identity Server |
|---|---|---|
|
1290 |
1490 |
1390 |
|
1291 |
1491 |
1391 |
|
1292 |
1492 |
1392 |
1.6.2 Restricted Ports
The following ports are reserved for internal use only and other applications should not use these:
- 22
- 111
- 524
- 1443
- 2443
- 3443
- 8028
- 8030
- 8080
- 8443
- 8444
- 9000
- 9001
- 55982
- 61222
- 61613
- 61616
- 61617
- 9443
- 9090
If required, use port redirection by using IP tables.
1.6.3 Sample Configurations
Access Manager Appliance in DMZ
First Firewall
If you place a firewall between browsers and Access Manager Appliance, you need to open ports so that the browsers can communicate with Access Gateway and Identity Server and Identity Server can communicate with other identity providers.
See, Figure 1-6
Table 1-5 Ports to Open in the First Firewall
|
Port |
Purpose |
|---|---|
|
TCP 80 |
For HTTP communication. |
|
TCP 443 |
For HTTPS communication. |
|
Any TCP port assigned to a reverse proxy or tunnel. |
|
|
TCP 8080 |
For HTTP communication with Identity Server. |
|
TCP 8443 |
For HTTPS communication with Identity Server. |
|
TCP 8445 |
For HTTP Identity Provider introductions. If you do not enable Identity Provider introductions, you do not need to open this port. |
|
TCP 8446 |
For HTTPS Identity Provider introductions. If you do not enable Identity Provider introductions, you do not need to open this port. |
Second Firewall
The second firewall separates web servers, LDAP servers, and Administration Console from Identity Server and Access Gateway. You need the following ports opened in the second firewall:
Table 1-6 Ports to Open in the Second Firewall
|
Port |
Purpose |
|---|---|
|
TCP 80 |
For HTTP communication with web servers. |
|
TCP 443 |
For HTTPS communication with web servers. |
|
Any TCP connect port assigned to a web server or to a tunnel. |
|
|
TCP 1443 |
For communication from Administration Console to the devices. |
|
TCP 8444 |
For communication from the devices to Administration Console. |
|
TCP 1290 |
For communication from the devices to the Syslog server installed on Administration Console. If you do not enable auditing, you do not need to open this port. |
|
TCP 524 |
For NCP certificate management in NPKI. The port needs to be opened so that both the device and Administration Console can use the port. |
|
TCP 636 |
For secure LDAP communication of configuration information. |
You need to open ports on the second firewall according to the offered services.