|Question||What ports do i need on my Firewall for CPPM?|
Below are the details.
Between any two Mobility Controllers:
IPSec (UDP ports 500 and 4500) and ESP (protocol 50). PAPI between a master and a local controller is encapsulated in IPSec.
IP-IP (protocol 94) and UDP port 443 if Layer-3 mobility is enabled.
GRE (protocol 47) if tunneling guest traffic over GRE to DMZ controller.
IKE (UDP 500).
ESP (protocol 50).
IPSEC/NAT-T (UDP 4500).
Between a Mobility Controller and an AP
PAPI (UDP port 8211). If the AP uses DNS to discover the LMS controller, the AP first attempts to connect to the master controller. (Also allow DNS (UDP port 53) traffic from the AP to the DNS server.)
PAPI (UDP port 8211). All APs running as Air Monitors (AMs) require a permanent PAPI connection to the master controller.
FTP (TCP port 21).
TFTP (UDP port 69) all APs, if there is no local image on the AP (for example, a new AP) the AP will use TFTP to retrieve the initial image.
NTP (UDP port 123).
SYSLOG (UDP port 514).
PAPI Message Heartbeats(UDP port 8211)(8209)
GRE Tunnel Heartbeats (protocol 47).
Between a Mobility Controller and a Mobility Access Switch
UDP port 5999 is required between CPPM and the controller if Airgroup CoA is being used
PAPI (UDP port 8211)
GRE (Protocol 47)
ICMP (Echo-Request/Echo-Reply) ICMP is used to verify reachability when "backup-controller-ip" is enabled.
Clear Pass Policy Manager (CPPM)
Go to Configuration >> Identity >> Sources. Add a new source of type AD, go to primary tab. Look for connection security, this changes the port # listed on that screen automatically (typically 389 or 636).
You can also plug in a value for that port manually.
CPPM cluster (subscriber-publisher)
UDP Port 123 NTP (Subscriber to publisher)
TCP Port 443 HTTPS (Bi-directional)
TCP Port 5432 PostgreSQL for DB replication (Subscriber to publisher)
TCP Port 80 HTTP (Between Nodes)
CPPM To ClearPass Guest
ClearPass Policy Manager/Guest Port Service
3799 For RFC 3576 to work.
1813 RADIUS Accounting Server
ClearPass Internet Access requirements
Question: What internet access does ClearPass require for normal operation and why?
Answer: ClearPass requires access to the following URL for checking for updated plugins:
http://clearpass.arubanetworks.com (legacy http://www.amigopod.com/webservice)
This uses TCP ports 80 and 443. If an access control list will be created on a firewall to allow this traffic, please note that the IP address that clearpass.arubanetworks.com resolves to is subject to change. If you find that you are unable to get plugin updates with a valid subscription ID, then make sure this access is allowed.
CPPM to Active Directory
The following is the list of services and their ports used for Active Directory communication:
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
TCP Port 139 and UDP 138 for File Replication Service between domain controllers. (Probably not necessary for CPPM)
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 for File Replication Service (Probably not necessary for CPPM)
TCP and UDP Port 464 for Kerberos Password Change
TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
CPPM to Onguard client
6658 TCP for Onguard client to communicate with CPPM. Otherwise client doesn't appear in Onguard Activity tab
Amigopod / ClearPass Guest
External Updates - HTTP(80) and HTTPS(443) to clearpass.arubanetworks.com for plugin updates and network tests.
NTP - UDP port 123
Mail - generally TCP 25 or 465.
High Availability - SSH(22), HTTPS(443) and Multicast between the two servers. Multicast settings are within the HA configuration.
RADIUS - UDP 1812, 1813, 3799 between controller and Amigopod.