For Red Hat Satellite to effectively manage and communicate with all components within your infrastructure, ensuring the correct network ports are open and correctly configured is paramount. This is especially crucial for Satellite Capsule Servers, which act as regional hubs distributing content and services to managed hosts. This article delves into the essential network ports required for Satellite Capsule Servers to function optimally, providing a comprehensive guide for system administrators.
Understanding and properly configuring these ports is not just about connectivity; it’s about ensuring the smooth operation of your entire Red Hat Satellite environment. Whether you are using hardware firewalls or cloud-based network security groups, meticulous port management is key. Some cloud environments, by default, isolate machines, necessitating specific configurations to enable communication, much like traditional firewalls. Furthermore, if you employ application-based firewalls, you must configure them to allow the applications detailed below, or ideally, permit open port communication based on protocol for streamlined operations.
Integrated Capsule Considerations
Red Hat Satellite Server inherently includes an integrated Capsule. Any host directly connected to the Satellite Server is considered a client of this integrated Capsule. This definition includes the base operating system on which the Satellite Server itself is running. Effectively, the Satellite Server manages itself through its integrated Capsule.
Clients Beyond the Integrated Capsule
Hosts that are clients of Capsules, separate from Satellite’s integrated Capsule, do not require direct access to the Satellite Server. Their communication is routed through the Capsule Server. For a deeper understanding of network topologies involving Capsules, refer to the Red Hat Satellite documentation on Capsule Networking. Remember that required ports can fluctuate based on your specific Satellite configuration and the services you utilize.
For a detailed and dynamically updated list of ports, the Red Hat Knowledgebase solution Red Hat Satellite List of Network Ports is an invaluable resource.
The following tables outline the necessary destination ports and the direction of network traffic for various Satellite Capsule Server operations.
Table 1.2 Ports for Satellite to Red Hat CDN Communication
| Port | Protocol | Service | Required For |
|---|---|---|---|
| 443 | TCP | HTTPS | Subscription Management Services (access.redhat.com) and connecting to the Red Hat CDN (cdn.redhat.com). |
Satellite Server requires unrestricted access to the Red Hat CDN (Content Delivery Network). For an exhaustive list of IP addresses used by cdn.redhat.com, consult the Red Hat Customer Portal Knowledgebase article Public CIDR Lists for Red Hat. This is essential for configuring firewall rules to permit outbound traffic to the CDN.
Table 1.3 Ports for Browser-based User Interface Access to Satellite
| Port | Protocol | Service | Required For |
|---|---|---|---|
| 443 | TCP | HTTPS | Browser-based UI access to Satellite |
| 80 | TCP | HTTP | Redirection to HTTPS for web UI access to Satellite (Optional) |
These ports are crucial for administrators to access the Red Hat Satellite web interface. Port 80 is optional but recommended for automatically redirecting HTTP requests to the more secure HTTPS on port 443.
Table 1.4 Ports for Client to Satellite Communication
| Port | Protocol | Service | Required For |
|---|---|---|---|
| 80 | TCP | HTTP | Anaconda, yum, for obtaining Katello certificates, templates, and for downloading iPXE firmware |
| 443 | TCP | HTTPS | Subscription Management Services, yum, Telemetry Services, and for connection to the Katello Agent |
| 5646 | TCP | AMQP | The Capsule Qpid dispatch router to the Qpid dispatch router in Satellite |
| 5647 | TCP | AMQP | Katello Agent to communicate with Satellite’s Qpid dispatch router |
| 8000 | TCP | HTTP | Anaconda to download kickstart templates to hosts, and for downloading iPXE firmware |
| 8140 | TCP | HTTPS | Puppet agent to Puppet master connections |
| 9090 | TCP | HTTPS | Sending SCAP reports to the integrated Capsule, for the discovery image during provisioning, and for communicating with Satellite Server to copy the SSH keys for Remote Execution (Rex) configuration |
| 7 | TCP and UDP | ICMP | External DHCP on a Client to Satellite network, ICMP ECHO to verify IP address is free (Optional) |
| 53 | TCP and UDP | DNS | Client DNS queries to a Satellite’s integrated Capsule DNS service (Optional) |
| 67 | UDP | DHCP | Client to Satellite’s integrated Capsule broadcasts, DHCP broadcasts for Client provisioning from a Satellite’s integrated Capsule (Optional) |
| 69 | UDP | TFTP | Clients downloading PXE boot image files from a Satellites’ integrated Capsule for provisioning (Optional) |
| 5000 | TCP | HTTPS | Connection to Katello for the Docker registry (Optional) |
Any managed host directly connected to the Satellite Server functions as a client of the integrated Capsule, emphasizing the importance of these ports for core management functionalities.
Table 1.5 Ports for Satellite to Capsule Communication
| Port | Protocol | Service | Required for |
|---|---|---|---|
| 443 | TCP | HTTPS | Connections to the Pulp server in the Capsule |
| 9090 | TCP | HTTPS | Connections to the proxy in the Capsule |
| 80 | TCP | HTTP | Downloading a bootdisk (Optional) |
These ports facilitate communication between the Satellite Server and external Capsule Servers, enabling content synchronization and delegated management tasks.
Table 1.6 Optional Network Ports
| Port | Protocol | Service | Required For |
|---|---|---|---|
| 22 | TCP | SSH | Satellite and Capsule originated communications, for Remote Execution (Rex) and Ansible. |
| 443 | TCP | HTTPS | Satellite originated communications, for vCenter compute resource. |
| 5000 | TCP | HTTP | Satellite originated communications, for compute resources in OpenStack or for running containers. |
| 22, 16514 | TCP | SSH, SSL/TLS | Satellite originated communications, for compute resources in libvirt. |
| 389, 636 | TCP | LDAP, LDAPS | Satellite originated communications, for LDAP and secured LDAP authentication sources. |
| 5900 to 5930 | TCP | SSL/TLS | Satellite originated communications, for NoVNC console in web UI to hypervisors. |
These optional ports expand the capabilities of your Satellite infrastructure, enabling features like remote execution, integration with virtualization platforms, and external authentication sources. Carefully consider your environment’s needs when deciding to enable these ports.
Conclusion
Correctly configuring “Satellite Capsule Server Ports” is a foundational step in deploying and maintaining a robust Red Hat Satellite infrastructure. By ensuring these ports are open and properly routed, you pave the way for seamless communication between all components, from the Satellite Server and Capsules to client systems and the Red Hat CDN. Regularly review your firewall configurations and consult the Red Hat Knowledgebase for the most up-to-date port requirements to guarantee the continued health and efficiency of your Satellite environment.
