Required Network Ports

Table of Contents

1. External Inbound Server Ports
2. External Outbound Server Ports
3. Internal Server Ports
4. External Inbound Proxy Ports
5. External Outbound Proxy Ports
6. External Client Ports
7. Required URLs

This section contains a comprehensive list of ports that are used for various communications within SUSE Manager.

You will not need to open all of these ports. Some ports only need to be opened if you are using the service that requires them.

This image shows the main ports used in SUSE Manager:

1. External Inbound Server Ports

External inbound ports must be opened to configure a firewall on the SUSE Manager Server to protect the server from unauthorized access.

Opening these ports allows external network traffic to access the SUSE Manager Server.

Table 1. External Port Requirements for SUSE Manager Server
Port number	Protocol	Used By	Notes
22			Required for ssh-push and ssh-push-tunnel contact methods.
67	TCP/UDP	DHCP	Required only if clients are requesting IP addresses from the server.
69	TCP/UDP	TFTP	Required if server is used as a PXE server for automated client installation.
80	TCP	HTTP	Required temporarily for some bootstrap repositories and automated installations. Port 80 is not used to serve the Web UI.
443	TCP	HTTPS	Web UI, client, and server and proxy (`tftpsync`) requests.
4505	TCP	salt	Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master.
4506	TCP	salt	Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master.
5222	TCP	osad	Required to push OSAD actions to clients.
5269	TCP	jabberd	Required to push actions to and from a proxy.
25151	TCP	Cobbler

2. External Outbound Server Ports

External outbound ports must be opened to configure a firewall on the SUSE Manager Server to restrict what the server can access.

Opening these ports allows network traffic from the SUSE Manager Server to communicate with external services.

Table 2. External Port Requirements for SUSE Manager Server
Port number	Protocol	Used By	Notes
80	TCP	HTTP	Required for SUSE Customer Center. Port 80 is not used to serve the Web UI.
443	TCP	HTTPS	Required for SUSE Customer Center.
5269	TCP	jabberd	Required to push actions to and from a proxy.
25151	TCP	Cobbler

3. Internal Server Ports

Internal port are used internally by the SUSE Manager Server. Internal ports are only accessible from localhost.

In most cases, you will not need to adjust these ports.

Table 3. Internal Port Requirements for SUSE Manager Server
Port number	Notes
2828	Satellite-search API, used by the RHN application in Tomcat and Taskomatic.
2829	Taskomatic API, used by the RHN application in Tomcat.
8005	Tomcat shutdown port.
8009	Tomcat to Apache HTTPD (AJP).
8080	Tomcat to Apache HTTPD (HTTP).
9080	Salt-API, used by the RHN application in Tomcat and Taskomatic.
32000	Port for a TCP connection to the Java Virtual Machine (JVM) that runs Taskomatic and satellite-search.

Port 32768 and higher are used as ephemeral ports. These are most often used to receive TCP connections. When a TCP connection request is received, the sender will choose one of these ephemeral port numbers to match the destination port.

You can use this command to find out which ports are ephemeral ports:

cat /proc/sys/net/ipv4/ip_local_port_range

4. External Inbound Proxy Ports

External inbound ports must be opened to configure a firewall on the SUSE Manager Proxy to protect the proxy from unauthorized access.

Opening these ports allows external network traffic to access the SUSE Manager proxy.

Table 4. External Port Requirements for SUSE Manager Proxy
Port number	Protocol	Used By	Notes
22			Required for ssh-push and ssh-push-tunnel contact methods. Clients connected to the proxy initiate check in on the server and hop through to clients.
67	TCP/UDP	DHCP	Required only if clients are requesting IP addresses from the server.
69	TCP/UDP	TFTP	Required if the server is used as a PXE server for automated client installation.
443	TCP	HTTPS	Web UI, client, and server and proxy (`tftpsync`) requests.
4505	TCP	salt	Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master.
4506	TCP	salt	Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master.
5222	TCP		Required to push OSAD actions to clients.
5269	TCP		Required to push actions to and from the server.

5. External Outbound Proxy Ports

External outbound ports must be opened to configure a firewall on the SUSE Manager Proxy to restrict what the proxy can access.

Opening these ports allows network traffic from the SUSE Manager Proxy to communicate with external services.

Table 5. External Port Requirements for SUSE Manager Proxy
Port number	Protocol	Used By	Notes
80			Used to reach the server.
443	TCP	HTTPS	Required for SUSE Customer Center.
5269	TCP		Required to push actions to and from the server.

6. External Client Ports

External client ports must be opened to configure a firewall between the SUSE Manager Server and its clients.

In most cases, you will not need to adjust these ports.

Table 6. External Port Requirements for SUSE Manager Clients
Port number	Direction	Protocol	Notes
22	Inbound	SSH	Required for ssh-push and ssh-push-tunnel contact methods.
80	Outbound		Used to reach the server or proxy.
5222	Outbound	TCP	Required to push OSAD actions to the server or proxy.
9090	Outbound	TCP	Required for Prometheus user interface.
9093	Outbound	TCP	Required for Prometheus alert manager.
9100	Outbound	TCP	Required for Prometheus node exporter.
9117	Outbound	TCP	Required for Prometheus Apache exporter.
9187	Outbound	TCP	Required for Prometheus PostgreSQL.

7. Required URLs

There are some URLs that SUSE Manager must be able to access to register clients and perform updates. In most cases, allowing access to these URLs is sufficient:

scc.suse.com
updates.suse.com

If you are using non-SUSE clients you might also need to allow access to other servers that provide specific packages for those operating systems. For example, if you have Ubuntu clients, you will need to be able to access the Ubuntu server.

For more information about troubleshooting firewall access for non-SUSE clients, see Troubleshooting Firewalls.