Network Requirements

This section details the networking and port requirements for SUSE Manager.

1. Fully Qualified Domain Name (FQDN)

The SUSE Manager server must resolve its FQDN correctly. If the FQDN cannot be resolved, it can cause serious problems in a number of different components.

For more information about configuring the hostname and DNS, see https://documentation.suse.com/sles/15-SP4/html/SLES-all/cha-network.html#sec-network-yast-change-host.

2. Hostname and IP Address

To ensure that the SUSE Manager domain name can be resolved by its clients, both server and client machines must be connected to a working DNS server. You also need to ensure that reverse lookups are correctly configured.

For more information about setting up a DNS server, see https://documentation.suse.com/sles/15-SP4/html/SLES-all/cha-dns.html.
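The forward and reverse lookup requirement from sections 1 and 2 can be checked with a short script. This is an added example, not part of the SUSE documentation; the helper name `check_forward_reverse`, the `RESOLVE` variable, and the sample host names and addresses are assumptions made for illustration.

```sh
#!/bin/sh
# Resolver command. `getent hosts` uses the same NSS sources as the system;
# it is overridable so the check can run against constructed data.
RESOLVE=${RESOLVE:-"getent hosts"}

# check_forward_reverse FQDN  (hypothetical helper)
# Returns 0 only if FQDN resolves and every address maps back to FQDN.
check_forward_reverse() {
    fqdn=$1
    case $fqdn in
        *.*) ;;
        *) echo "FAIL: '$fqdn' is not fully qualified"; return 1 ;;
    esac
    addrs=$($RESOLVE "$fqdn" | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || { echo "FAIL: $fqdn does not resolve"; return 1; }
    for a in $addrs; do
        # The first name in the reverse answer is the canonical name.
        back=$($RESOLVE "$a" | awk 'NR==1 {print $2}')
        if [ "$back" != "$fqdn" ]; then
            echo "FAIL: $fqdn -> $a -> ${back:-no reverse record}"
            return 1
        fi
    done
    echo "OK: $fqdn forward and reverse lookups agree"
}

# Constructed resolver data standing in for DNS (example names and addresses).
sample_resolve() {
    case $1 in
        suma.example.com)  echo "192.0.2.10 suma.example.com suma" ;;
        192.0.2.10)        echo "192.0.2.10 suma.example.com suma" ;;
        proxy.example.com) echo "192.0.2.20 proxy.example.com" ;;
        192.0.2.20)        echo "192.0.2.20 old-proxy.example.com" ;;
    esac
}

RESOLVE=sample_resolve
check_forward_reverse suma.example.com
check_forward_reverse proxy.example.com || true
# On a live host: RESOLVE="getent hosts"; check_forward_reverse "$(hostname -f)"
```

Run the same check on the server and on a client, because both must get the same answer from DNS.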

3. Air-gapped Deployment

If you are on an internal network and do not have access to SUSE Customer Center, you can use an Air-gapped Deployment.

In a production environment, the SUSE Manager Server and clients should always use a firewall. For a comprehensive list of the required ports, see Required Network Ports.

4. Ports

This section contains a comprehensive list of ports that are used for various communications within SUSE Manager.

You will not need to open all of these ports. Some ports only need to be opened if you are using the service that requires them.

4.1. External Inbound Server Ports

When you configure a firewall on the SUSE Manager Server to protect the server from unauthorized access, the external inbound ports must be opened.

Opening these ports allows external network traffic to access the SUSE Manager Server.

Table 1. External Port Requirements for SUSE Manager Server
| Port number | Protocol | Used By | Notes |
|---|---|---|---|
| 22 | | | Required for ssh-push and ssh-push-tunnel contact methods. |
| 67 | TCP/UDP | DHCP | Required only if clients are requesting IP addresses from the server. |
| 69 | TCP/UDP | TFTP | Required if server is used as a PXE server for automated client installation. |
| 80 | TCP | HTTP | Required temporarily for some bootstrap repositories and automated installations. |
| 443 | TCP | HTTPS | Serves the Web UI, client, and server and proxy (tftpsync) requests. |
| 4505 | TCP | salt | Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master. |
| 4506 | TCP | salt | Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master. |
| 25151 | TCP | Cobbler | |

4.2. External Outbound Server Ports

When you configure a firewall on the SUSE Manager Server to restrict what the server can access, the external outbound ports must be opened.

Opening these ports allows network traffic from the SUSE Manager Server to communicate with external services.

Table 2. External Port Requirements for SUSE Manager Server
| Port number | Protocol | Used By | Notes |
|---|---|---|---|
| 80 | TCP | HTTP | Required for SUSE Customer Center. Port 80 is not used to serve the Web UI. |
| 443 | TCP | HTTPS | Required for SUSE Customer Center. |
| 25151 | TCP | Cobbler | |

4.3. Internal Server Ports

Internal ports are used internally by the SUSE Manager Server. Internal ports are only accessible from localhost.

In most cases, you will not need to adjust these ports.

Table 3. Internal Port Requirements for SUSE Manager Server
| Port number | Notes |
|---|---|
| 2828 | Satellite-search API, used by the RHN application in Tomcat and Taskomatic. |
| 2829 | Taskomatic API, used by the RHN application in Tomcat. |
| 8005 | Tomcat shutdown port. |
| 8009 | Tomcat to Apache HTTPD (AJP). |
| 8080 | Tomcat to Apache HTTPD (HTTP). |
| 9080 | Salt-API, used by the RHN application in Tomcat and Taskomatic. |
| 32000 | Port for a TCP connection to the Java Virtual Machine (JVM) that runs Taskomatic and satellite-search. |

Ports 32768 and higher are used as ephemeral ports. These are most often used to receive TCP connections. When a TCP connection request is received, the sender will choose one of these ephemeral port numbers to match the destination port.

You can use this command to find out which ports are ephemeral ports:

cat /proc/sys/net/ipv4/ip_local_port_range
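Because the internal ports in Table 3 are meant to be reachable only from localhost, it is worth confirming that none of them is bound to a wider address. The following audit is an added example, not part of the SUSE documentation; the function names and the sample listener lines are constructed, and the input format is assumed to be that of `ss -H -tln`.

```sh
#!/bin/sh
# Internal ports from Table 3; they should be bound to loopback only.
INTERNAL_PORTS="2828 2829 8005 8009 8080 9080 32000"

# audit_internal_listeners (hypothetical helper): reads `ss -H -tln` lines on
# stdin and prints "port address" for each internal port bound off-loopback.
audit_internal_listeners() {
    awk -v ports="$INTERNAL_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) internal[p[i]] = 1 }
        {
            la = $4                          # "Local Address:Port" column
            port = la; sub(/.*:/, "", port)  # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            sub(/^\[/, "", addr); sub(/\]$/, "", addr)  # drop IPv6 brackets
            sub(/%.*/, "", addr)             # drop interface scope, if any
            if (!(port in internal)) next
            if (addr ~ /^127\./ || addr == "::1" || addr == "::ffff:127.0.0.1") next
            print port, addr
        }'
}

# Constructed sample of listener lines (not captured from a real server).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 100 127.0.0.1:8005 0.0.0.0:*
LISTEN 0 100 [::1]:8009 [::]:*
LISTEN 0 100 *:8080 *:*
LISTEN 0 50 0.0.0.0:9080 0.0.0.0:*
LISTEN 0 128 *:443 *:*
LISTEN 0 50 127.0.0.1:32000 0.0.0.0:*
EOF
}

sample_ss_output | audit_internal_listeners
# On a live server: ss -H -tln | audit_internal_listeners
```

Any line of output is a finding: the listed internal port is listening on an address other than loopback and is protected only by the firewall.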

4.4. External Inbound Proxy Ports

When you configure a firewall on the SUSE Manager Proxy to protect the proxy from unauthorized access, the external inbound ports must be opened.

Opening these ports allows external network traffic to access the SUSE Manager proxy.

Table 4. External Port Requirements for SUSE Manager Proxy
| Port number | Protocol | Used By | Notes |
|---|---|---|---|
| 22 | | | Required for ssh-push and ssh-push-tunnel contact methods. Clients connected to the proxy initiate check in on the server and hop through to clients. |
| 67 | TCP/UDP | DHCP | Required only if clients are requesting IP addresses from the server. |
| 69 | TCP/UDP | TFTP | Required if the server is used as a PXE server for automated client installation. |
| 443 | TCP | HTTPS | Web UI, client, and server and proxy (tftpsync) requests. |
| 4505 | TCP | salt | Required to accept communication requests from clients. The client initiates the connection, and it stays open to receive commands from the Salt master. |
| 4506 | TCP | salt | Required to accept communication requests from clients. The client initiates the connection, and it stays open to report results back to the Salt master. |

4.5. External Outbound Proxy Ports

When you configure a firewall on the SUSE Manager Proxy to restrict what the proxy can access, the external outbound ports must be opened.

Opening these ports allows network traffic from the SUSE Manager Proxy to communicate with external services.

Table 5. External Port Requirements for SUSE Manager Proxy
| Port number | Protocol | Used By | Notes |
|---|---|---|---|
| 80 | | | Used to reach the server. |
| 443 | TCP | HTTPS | Required for SUSE Customer Center. |

4.6. External Client Ports

When you configure a firewall between the SUSE Manager Server and its clients, the external client ports must be opened.

In most cases, you will not need to adjust these ports.

Table 6. External Port Requirements for SUSE Manager Clients
| Port number | Direction | Protocol | Notes |
|---|---|---|---|
| 22 | Inbound | SSH | Required for ssh-push and ssh-push-tunnel contact methods. |
| 80 | Outbound | | Used to reach the server or proxy. |
| 9090 | Outbound | TCP | Required for Prometheus user interface. |
| 9093 | Outbound | TCP | Required for Prometheus alert manager. |
| 9100 | Outbound | TCP | Required for Prometheus node exporter. |
| 9117 | Outbound | TCP | Required for Prometheus Apache exporter. |
| 9187 | Outbound | TCP | Required for Prometheus PostgreSQL. |

4.7. Required URLs

There are some URLs that SUSE Manager must be able to access to register clients and perform updates. In most cases, allowing access to these URLs is sufficient:

  • scc.suse.com

  • updates.suse.com

If you are using non-SUSE clients you might also need to allow access to other servers that provide specific packages for those operating systems. For example, if you have Ubuntu clients, you will need to be able to access the Ubuntu server.

For more information about troubleshooting firewall access for non-SUSE clients, see Troubleshooting Firewalls.