List of Tables
Table 1-2, When a Firewall Separates an Access Manager Component from a Global Service
Table 1-3, When a Firewall Separates Administration Console from a Component
Table 1-4, When a Firewall Separates Identity Server from a Component
Table 1-5, When a Firewall Separates Access Gateway from a Component
Table 1-6, When a Firewall Separates Analytics Server from Administration Console or any Services
Table 1-2 When a Firewall Separates an Access Manager Component from a Global Service
|
Component |
Port |
Description |
|---|---|---|
|
NTP Server |
UDP 123 |
Access Manager components must have time synchronized else the authentication fails. It is recommended to configure all components to use an network time protocol (NTP) server. Depending upon where your NTP server is located, you might need to open UDP 123, so that Access Manager components can use the NTP server. |
|
DNS Servers |
UDP 53 |
Access Manager components must be able to resolve DNS names. Depending upon where your DNS servers are located, you might need to open UDP 53, so that Access Manager components can resolve DNS names. |
|
Remote Administration Workstation |
TCP 22 |
If you want to use SSH for remote administration of Access Manager components, open TCP 22 to allow. |
Table 1-3 When a Firewall Separates Administration Console from a Component
|
Component |
Port |
Description |
|---|---|---|
|
Access Gateway, Identity Server |
TCP 1443 |
For communication from Administration Console to devices. |
|
TCP 8444 |
For communication from devices to Administration Console. |
|
|
TCP 1290 |
For communication from devices to the syslog server on Administration Console. |
|
|
TCP 524 |
For NCP certificate management with NPKI. Open this port so that both the device and Administration Console can use the port. |
|
|
TCP 636 |
For secure LDAP communication from devices to Administration Console. |
|
|
HTTP 2443 HTTP 8443 |
For the installer to communicate with Administration Console. You can close these port after installation is complete. |
|
|
Importing an Access Gateway Appliance |
ICMP |
During an import, Access Gateway Appliance sends two pings through ICMP to Administration Console. When the import has finished, you can disable the ICMP echo requests and echo replies. |
|
LDAP User Store |
TCP 524 |
Required only if the user store is eDirectory. When configuring a new eDirectory user store, NCP is used to enable Novell SecretStore by adding a SAML authentication method and storing a public key for Administration Console. It is not used in day-to-day operations. |
|
TCP 636 |
For secure LDAP communication from Administration Console to user store. |
|
|
Administration Console |
TCP 524 |
Required to synchronize the configuration data store. |
|
TCP 636 |
Required for the secure LDAP communication. |
|
TCP 8080, 8443 |
Used for the Tomcat communication. |
|
TCP 705 |
Used by Sub Agent-Master Agent communication inside Administration Console. |
|
|
UDP 161 |
Used for communication by an external Network Monitoring System with Administration Console by using SNMP. |
|
|
Browsers |
TCP 8080 |
For HTTP communication from browsers to Administration Console. |
|
TCP 8443, 2443, 2080 |
For HTTPS communication from browsers to Administration Console. NOTE:2443 and 2080 are optional ports required when Administration Console and Identity Server are collocated. |
|
|
TCP 8028, 8030 |
To use iMonitor or DSTrace from a client to view information about the configuration store on Administration Console. |
|
|
Upgrade Assistant Agent |
TCP 9968 |
For HTTPS communication from Upgrade Assistant agent to Administration Console. |
Table 1-4 When a Firewall Separates Identity Server from a Component
|
Component |
Port |
Description |
|---|---|---|
|
Access Gateway |
TCP 8080 or 8443 |
For authentication communication from Access Gateway to Identity Server. The default ports for Identity Server are TCP 8080 and 8443. They are configurable. You need to open the port that you configured for the base URL of Identity Server. |
|
TCP 80 or 443 |
For communication from Identity Server to Access Gateway ESP. This is the reverse proxy port that is assigned to be ESP (see the Reverse Proxy /Authentication page). This is usually port 80 or 443. |
|
|
Administration Console |
TCP 1443 |
For communication from Administration Console to devices. This is configurable. |
|
TCP 8444 |
For communication from Identity Server to Administration Console. |
|
|
TCP 8443 |
For Docker deployment. |
|
|
TCP 1290 |
For communication from devices to the Syslog server on Administration Console. |
|
|
TCP 524 |
For NCP certificate management with NPKI from Identity Server to Administration Console. |
|
|
TCP 636 |
For the secure LDAP communication from Identity Server to Administration Console. |
|
|
Identity Server |
TCP 8443 or 443 |
For HTTPS communication. You can use iptables to configure this for TCP 443. See Translating Identity Server Configuration Port. |
|
TCP 7801 |
For back-channel communication with cluster members. You must enable the multicast traffic on this port. This port is configurable. NOTE:For Docker deployment, use TCP port 7901. |
|
|
LDAP User Stores |
TCP 636 |
For secure LDAP communication from Identity Server to the LDAP user store. |
|
Service Providers |
TCP 8445 |
If you have enabled identity provider introductions, open a port to allow HTTPS communication from the user’s browser to the service provider. |
|
TCP 8446 |
If you have enabled identity provider introductions, open a port to allow HTTPS communication from the user’s browser to the service consumer. |
|
|
Browsers |
TCP 8080 |
For HTTP communication from a browser to Identity Server. You can use iptables to configure this for TCP 80. SeeTranslating Identity Server Configuration Port. |
|
TCP 8443 |
For HTTPS communication from a browser to Identity Server. You can use iptables to configure this for TCP 443. See Translating Identity Server Configuration Port. |
|
|
CRL and OCSP Servers |
Configurable |
If you are using x.509 certificates that include an AIA or CRL Distribution Point attribute, you need to open the port required to talk to that server. Ports 80/443 are the most common ports, but the LDAP ports 389/636 can also be used. |
|
Active Directory Server with Kerberos |
TCP 88, UDP 88 |
For communication with KDC on the Active Directory Server for Kerberos authentication. |
|
Upgrade Assistant Agent |
TCP 9968 |
For HTTPS communication from Upgrade Assistant agent to Identity Server. |
Table 1-5 When a Firewall Separates Access Gateway from a Component
|
Component |
Port |
Description |
|---|---|---|
|
Identity Server |
TCP 8080 or 8443 |
For authentication communication from Access Gateway to Identity Server. The default ports are TCP 8080 and 8443, which are configurable. You need to open the port of the base URL of Identity Server. |
|
TCP 80 or 443 |
For communication from Identity Server to ESP of Access Gateway. This is the reverse proxy port that is assigned to be ESP (see the Reverse Proxy /Authentication page). This is usually port 80 or 443. |
|
|
Administration Console |
TCP 1443 |
For communication from Administration Console to Access Gateway. This is configurable. |
|
TCP 8444 |
For communication from Access Gateway to Administration Console. |
|
|
TCP 1290 |
For communication from devices to the Syslog server on Administration Console. |
|
|
TCP 524 |
For NCP certificate management with NPKI from Access Gateway to Administration Console. |
|
|
TCP 636 |
For secure LDAP communication from Access Gateway to Administration Console. |
|
|
Access Gateway |
TCP 7801 |
For back-channel communication with cluster members. You must enable the multicast traffic option on this port. This port is configurable. It is set by Identity Server cluster configuration that Access Gateway trusts. See Configuring a Cluster with Multiple Identity Servers in the NetIQ Access Manager 5.0 Administration Guide. |
|
TCP 80 or 443 |
For communication among Embedded Service Providers (ESP) of the Access Gateway cluster members. This is the reverse proxy port that is assigned to be ESP (see the Reverse Proxy /Authentication page). This is usually port 80 or 443. This port is configurable. |
|
|
Access Gateway Appliance Configuration console (https://<access_gateway_appliance-IP address>:9443) |
TCP 9090 or 9443 |
For using the Jetty service on the appliance Configuration console. For information about the Configuration console, see Configuring Access Gateway Appliance. |
|
TCP 1099 |
For the Java RMI communication. |
|
|
Browsers/Clients |
TCP 80 |
For HTTP communication from the client to Access Gateway. This is configurable. |
|
TCP 443 |
For HTTPS communication from the client to Access Gateway. This is configurable. |
|
|
Web Servers |
TCP 80 |
For HTTP communication from Access Gateway to web servers. This is configurable. |
|
TCP 443 |
For HTTPS communication from Access Gateway to web servers. This is configurable. |
|
|
Upgrade Assistant Agent |
TCP 9968 |
For HTTPS communication from Upgrade Assistant agent to Access Gateway. |
Table 1-6 When a Firewall Separates Analytics Server from Administration Console or any Services
|
Component |
Port |
Description |
|---|---|---|
|
Administration Console |
TCP 1444 |
For communication between Administration Console and Analytics Server. |
|
Browsers |
TCP 8445 |
For HTTPS communication with Analytics Server for Access Manager Dashboard. |
|
Syslog |
TCP 1468 |
For sending Syslog messages from Access Manager components to Analytics Server. |
|
Docker |
TCP 2443 |
For Docker deployment. |
|
Remote Administration Workstation |
TCP 22 |
For communication from your remote administration workstation to Analytics Server. |
|
Upgrade Assistant Agent |
TCP 9968 |
For HTTPS communication from Upgrade Assistant agent to Administration Console or any services. |
NOTE:On SLES, you can use YaST to configure UDP ports and internal networks.
Table 1-7, Table 1-8, and Table 1-9 are intended for use in configuring the security groups in cloud deployments. The security groups, by default, do not restrict the outbound ports. Therefore, these tables include only the inbound ports.
Table 1-7 Administration Console on Cloud
|
Component |
Port |
Traffic Direction |
Description |
|---|---|---|---|
|
Access Gateway, Identity Server |
TCP 1290 |
Inbound |
For communication from devices to the Syslog server on Administration Console. |
|
TCP 2443 |
Inbound |
For the installer to communicate with Administration Console. |
|
|
TCP 8444 |
Inbound |
For communication from devices to Administration Console. |
|
|
TCP 524 |
Inbound |
For NCP certificate management with NPKI. Open this port so that both the device and Administration Console can use the port. |
|
|
TCP 636 |
Inbound |
For secure LDAP communication from devices to Administration Console. |
|
|
Access Gateway |
TCP 1289 |
Inbound |
For importing Access Gateway into Administration Console. |
|
SSH |
TCP 22 |
Inbound |
For accessing Administration Console using SSH. |
|
Access Gateway |
ICMP |
Inbound |
For importing Access Gateway. |
|
Upgrade Assistant Agent |
TCP 9968 |
Inbound |
For HTTPS communication from Upgrade Assistant agent to Administration Console on Cloud. |
Table 1-8 Identity Server on Cloud
|
Component |
Port |
Traffic Direction |
Description |
|---|---|---|---|
|
Administration Console |
TCP 1443 |
Inbound |
For communication from Administration Console to devices. This is configurable. |
|
TCP 524 |
Inbound |
For NCP certificate management with NPKI from Identity Server to Administration Console. |
|
|
Identity Server |
TCP 7801 |
Inbound |
For the back-channel communication with cluster members. You must enable the multicast traffic option on this port. This port is configurable. |
|
SSH |
TCP 22 |
Inbound |
For accessing Identity Server using SSH. |
|
Access Gateway, Browsers |
TCP 8443 |
Inbound |
For authentication communication from Access Gateway to Identity Server. For HTTPS communication from a browser to Identity Server's base URL when the default ports are used. |
|
Upgrade Assistant Agent |
TCP 9968 |
Inbound |
For HTTPS communication from Upgrade Assistant agent to Identity Server on Cloud. |
Table 1-9 Access Gateway on Cloud
|
Component |
Port |
Traffic Direction |
Description |
|---|---|---|---|
|
Service Providers |
TCP 8445 |
Inbound |
If you have enabled identity provider introductions, open a port to allow HTTPS communication from the user’s browser to the service provider. |
|
TCP 8446 |
Inbound |
If you have enabled identity provider introductions, open a port to allow HTTPS communication from the user’s browser to the service consumer. |
|
|
Access Gateway |
TCP 7801 |
Inbound |
For back-channel communication with cluster members. You must enable the multicast traffic option on this port. |
|
Administration Console |
TCP 1443 |
Inbound |
For communication from Administration Console to Access Gateway. This is configurable. |
|
SSH |
TCP 22 |
Inbound |
For accessing Administration Console using SSH. |
|
Identity Server |
TCP 80 or 443 |
Inbound |
For communication from Identity Server to Access Gateway ESP. This is the reverse proxy port that is assigned to be ESP. |
|
Browsers/Clients |
TCP 443 |
Inbound |
For HTTPS communication from workstation browsers to Access Gateway. |
|
TCP 80 |
Inbound |
For HTTP communication from workstation browsers to Access Gateway. |
|
|
Upgrade Assistant Agent |
TCP 9968 |
Inbound |
For HTTPS communication from Upgrade Assistant agent to Access Gateway on Cloud. |
The following syslog ports for Docker are configured for Access Gateway, Administration Console, and Identity Server so they are unique and do not conflict:
Table 1-10 Syslog Ports on Docker
|
Ports for Administration Console |
Ports for Access Gateway |
Ports for Identity Server |
|---|---|---|
|
1290 |
1490 |
1390 |
|
1291 |
1491 |
1391 |
|
1292 |
1492 |
1392 |