11:49 p.m.
Hi Team,
Can we install IPA replica without using 80 port instead only using 443 port? Is it
possible ?
If it is possible how can we achieve this ? [using port forwarding ? or any configuration
changes?]
If it is not possible, why ?
Regards
Sai
________________________________
DISCLAIMER: The information in this message is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this message by anyone else is
unauthorized. If you are not the intended recipient, any disclosure, copying, or
distribution of the message, or any action or omission taken by you in reliance on it, is
prohibited and may be unlawful. Please immediately contact the sender if you have received
this message in error. Further, this e-mail may contain viruses and all reasonable
precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not
liable for any damage sustained by you as a result of any virus in this e-mail. All
applicable virus checks should be carried out by you before opening this e-mail or any
attachment thereto.
Thank you - OnMobile Global Limited.
7:24 a.m.
New subject: Can we go for replica installation without using 80 port instead only using 443 port
Polavarapu Manideep Sai via FreeIPA-users wrote:
Hi Team,
Can we install IPA replica without using 80 port instead only using 443
port? Is it possible ?
If it is possible how can we achieve this ? [using port forwarding ? or
any configuration changes?]
If it is not possible, why ?
Port 80 is necessary for OCSP and CRL processing. It is not likely to be
used during replica install directly but the port is checked. I assume
that the connection check is failing because this port isn't open. You
can add --skip-conncheck to avoid it.
I don't recommend closing the port though. Other than OCSP and CRL
retrieval other IPA-related traffic will be redirected from port 80 to
443 by default.
FWIW this subject is well-covered in list archives.
rob
12:16 a.m.
New subject: Can we go for replica installation without using 80 port instead only using 443 port
Hi Rob,
Thanks for the reply
The scenario here is one of our customers doesn't want to open connectivity on port 80
between central master and site replica server, instead they want to open 443 port only
Are there any other ways or any suggestions ? How can we proceed in this case ?
One option is making setup as standalone setup.[which will not participate in
replication]
Regards
Sai
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: 14 December 2023 18:54
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com>
Subject: Re: [Freeipa-users] Can we go for replica installation without using 80 port
instead only using 443 port
CAUTION. This email originated from outside the organization. Please exercise caution
before clicking on links or attachments in case of suspicion or unknown senders.
Polavarapu Manideep Sai via FreeIPA-users wrote:
Hi Team,
Can we install IPA replica without using 80 port instead only using
443 port? Is it possible ?
If it is possible how can we achieve this ? [using port forwarding ?
or any configuration changes?]
If it is not possible, why ?
Port 80 is necessary for OCSP and CRL processing. It is not likely to be used during
replica install directly but the port is checked. I assume that the connection check is
failing because this port isn't open. You can add --skip-conncheck to avoid it.
I don't recommend closing the port though. Other than OCSP and CRL retrieval other
IPA-related traffic will be redirected from port 80 to
443 by default.
FWIW this subject is well-covered in list archives.
rob
________________________________
DISCLAIMER: The information in this message is confidential and may be legally privileged.
It is intended solely for the addressee. Access to this message by anyone else is
unauthorized. If you are not the intended recipient, any disclosure, copying, or
distribution of the message, or any action or omission taken by you in reliance on it, is
prohibited and may be unlawful. Please immediately contact the sender if you have received
this message in error. Further, this e-mail may contain viruses and all reasonable
precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not
liable for any damage sustained by you as a result of any virus in this e-mail. All
applicable virus checks should be carried out by you before opening this e-mail or any
attachment thereto.
Thank you - OnMobile Global Limited.
10:40 a.m.
New subject: Can we go for replica installation without using 80 port instead only using 443 port
It isn't something we support or test. You can try --skip-conncheck so
the replica installer won't quit but no guarantees that it will be
successful. And even if it is successful, no guarantees there won't be
issues in the future.
rob
Polavarapu Manideep Sai wrote:
Hi Rob,
Thanks for the reply
The scenario here is one of our customers doesn't want to open connectivity on port
80 between central master and site replica server, instead they want to open 443 port
only
Are there any other ways or any suggestions ? How can we proceed in this case ?
One option is making setup as standalone setup.[which will not participate in
replication]
Regards
Sai
-----Original Message-----
From: Rob Crittenden <rcritten(a)redhat.com>
Sent: 14 December 2023 18:54
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Polavarapu Manideep Sai <manideep.sai(a)onmobile.com>
Subject: Re: [Freeipa-users] Can we go for replica installation without using 80 port
instead only using 443 port
CAUTION. This email originated from outside the organization. Please exercise caution
before clicking on links or attachments in case of suspicion or unknown senders.
Polavarapu Manideep Sai via FreeIPA-users wrote:
> Hi Team,
>
>
>
> Can we install IPA replica without using 80 port instead only using
> 443 port? Is it possible ?
>
>
>
> If it is possible how can we achieve this ? [using port forwarding ?
> or any configuration changes?]
>
>
>
> If it is not possible, why ?
Port 80 is necessary for OCSP and CRL processing. It is not likely to be used during
replica install directly but the port is checked. I assume that the connection check is
failing because this port isn't open. You can add --skip-conncheck to avoid it.
I don't recommend closing the port though. Other than OCSP and CRL retrieval other
IPA-related traffic will be redirected from port 80 to
443 by default.
FWIW this subject is well-covered in list archives.
rob
________________________________
DISCLAIMER: The information in this message is confidential and may be legally
privileged. It is intended solely for the addressee. Access to this message by anyone else
is unauthorized. If you are not the intended recipient, any disclosure, copying, or
distribution of the message, or any action or omission taken by you in reliance on it, is
prohibited and may be unlawful. Please immediately contact the sender if you have received
this message in error. Further, this e-mail may contain viruses and all reasonable
precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not
liable for any damage sustained by you as a result of any virus in this e-mail. All
applicable virus checks should be carried out by you before opening this e-mail or any
attachment thereto.
Thank you - OnMobile Global Limited.
139
days inactive
158
days old
freeipa-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Polavarapu Manideep Sai -
Rob Crittenden