Required Network Ports

This section contains a comprehensive list of ports that are used for various communications within SUSE Manager.

You will not need to open all of these ports. Some ports only need to be opened if you are using the service that requires them.

This image shows the main ports used in SUSE Manager:

ports diagram

1. External Inbound Server Ports

External inbound ports must be opened to configure a firewall on the SUSE Manager Server to protect the server from unauthorized access.

Opening these ports allows external network traffic to access the SUSE Manager Server.

Table 1. External Port Requirements for SUSE Manager Server
Port number Protocol Used By Notes

22

Required for ssh-push and ssh-push-tunnel contact methods.

67

TCP/UDP

DHCP

Required only if clients are requesting IP addresses from the server.

69

TCP/UDP

TFTP

Required if server is used as a PXE server for automated client installation.

80

TCP

HTTP

Required temporarily for some bootstrap repositories and automated installations. Port 80 is not used to serve the Web UI.

443

TCP

HTTPS

Web UI, client, and server and proxy (tftpsync) requests.

4505

TCP

salt

Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master.

4506

TCP

salt

Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master.

5222

TCP

osad

Required to push OSAD actions to clients.

5269

TCP

jabberd

Required to push actions to and from a proxy.

25151

TCP

Cobbler

2. External Outbound Server Ports

External outbound ports must be opened to configure a firewall on the SUSE Manager Server to restrict what the server can access.

Opening these ports allows network traffic from the SUSE Manager Server to communicate with external services.

Table 2. External Port Requirements for SUSE Manager Server
Port number Protocol Used By Notes

80

TCP

HTTP

Required for SUSE Customer Center. Port 80 is not used to serve the Web UI.

443

TCP

HTTPS

Required for SUSE Customer Center.

5269

TCP

jabberd

Required to push actions to and from a proxy.

25151

TCP

Cobbler

3. Internal Server Ports

Internal port are used internally by the SUSE Manager Server. Internal ports are only accessible from localhost.

In most cases, you will not need to adjust these ports.

Table 3. Internal Port Requirements for SUSE Manager Server
Port number Notes

2828

Satellite-search API, used by the RHN application in Tomcat and Taskomatic.

2829

Taskomatic API, used by the RHN application in Tomcat.

8005

Tomcat shutdown port.

8009

Tomcat to Apache HTTPD (AJP).

8080

Tomcat to Apache HTTPD (HTTP).

9080

Salt-API, used by the RHN application in Tomcat and Taskomatic.

32000

Port for a TCP connection to the Java Virtual Machine (JVM) that runs Taskomatic and satellite-search.

Port 32768 and higher are used as ephemeral ports. These are most often used to receive TCP connections. When a TCP connection request is received, the sender will choose one of these ephemeral port numbers to match the destination port.

You can use this command to find out which ports are ephemeral ports:

cat /proc/sys/net/ipv4/ip_local_port_range

4. External Inbound Proxy Ports

External inbound ports must be opened to configure a firewall on the SUSE Manager Proxy to protect the proxy from unauthorized access.

Opening these ports allows external network traffic to access the SUSE Manager proxy.

Table 4. External Port Requirements for SUSE Manager Proxy
Port number Protocol Used By Notes

22

Required for ssh-push and ssh-push-tunnel contact methods. Clients connected to the proxy initiate check in on the server and hop through to clients.

67

TCP/UDP

DHCP

Required only if clients are requesting IP addresses from the server.

69

TCP/UDP

TFTP

Required if the server is used as a PXE server for automated client installation.

443

TCP

HTTPS

Web UI, client, and server and proxy (tftpsync) requests.

4505

TCP

salt

Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master.

4506

TCP

salt

Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master.

5222

TCP

Required to push OSAD actions to clients.

5269

TCP

Required to push actions to and from the server.

5. External Outbound Proxy Ports

External outbound ports must be opened to configure a firewall on the SUSE Manager Proxy to restrict what the proxy can access.

Opening these ports allows network traffic from the SUSE Manager Proxy to communicate with external services.

Table 5. External Port Requirements for SUSE Manager Proxy
Port number Protocol Used By Notes

80

Used to reach the server.

443

TCP

HTTPS

Required for SUSE Customer Center.

5269

TCP

Required to push actions to and from the server.

6. External Client Ports

External client ports must be opened to configure a firewall between the SUSE Manager Server and its clients.

In most cases, you will not need to adjust these ports.

Table 6. External Port Requirements for SUSE Manager Clients
Port number Direction Protocol Notes

22

Inbound

SSH

Required for ssh-push and ssh-push-tunnel contact methods.

80

Outbound

Used to reach the server or proxy.

5222

Outbound

TCP

Required to push OSAD actions to the server or proxy.

9090

Outbound

TCP

Required for Prometheus user interface.

9093

Outbound

TCP

Required for Prometheus alert manager.

9100

Outbound

TCP

Required for Prometheus node exporter.

9117

Outbound

TCP

Required for Prometheus Apache exporter.

9187

Outbound

TCP

Required for Prometheus PostgreSQL.

7. Required URLs

There are some URLs that SUSE Manager must be able to access to register clients and perform updates. In most cases, allowing access to these URLs is sufficient:

  • scc.suse.com

  • updates.suse.com

If you are using non-SUSE clients you might also need to allow access to other servers that provide specific packages for those operating systems. For example, if you have Ubuntu clients, you will need to be able to access the Ubuntu server.

For more information about troubleshooting firewall access for non-SUSE clients, see Troubleshooting Firewalls.