Note that the extensions probably will require internet access as well. Here is what I got from my DNS server in lab:
clearpass.arubanetworks.com - Normal updates
registry-1.docker.io - Extension search/installation
auth.docker.io - Extension search/installation
aruba-skyhook.firebaseio.com - Skyhook used by one of my extensions
What you could consider is allowing the updates server, then the ones that Danny shared, and if you have an issue during updates or extension install, temporarily allow all outbound from your ClearPass; once done, close your firewall again. Enabling logging on the DNS server that ClearPass uses may also help, as the URLs may differ based on which extensions you use.
The token in 6.10 for updates download is likely to make things better as the token is retrieved by your browser and then used by ClearPass to authenticate to clearpass.arubanetworks.com. ClearPass does not reach out to the actual authentication server during the generation of the updates token.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Jul 14, 2021 06:00 AM
From: Alex Sharaz
Subject: clearpass update URLs
Hi all,
I have a cppm cluster sitting behind a firewall that basically blocks internet access from the subnet the cppm servers are installed on. This hasn't been too bad as all I do normally is download the firmware release or fingerprint update manually and install stuff that way.
However, I now want to install some extensions on this server and am a bit stuck because of course the cluster members don't have Internet access.
Only solution seems to be external access via a proxy server but I need to know the URLs that need to be allowed. Don't know what level of regex is allowed when specifying the URL to connect to.
So ... is there a list of URLs used to pull all downloads required by a cppm server, including extensions,
or is there a way of obtaining extensions manually?
Methinks the move of cppm 6.0 to use of tokens could screw things up even more :-(
Rgds
Alex
------------------------------
Alex Sharaz
------------------------------
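Added example, not part of the thread or any ClearPass tooling: one way to act on the DNS-logging suggestion in the reply above is to list the names the ClearPass nodes looked up and compare them with the hosts named in the thread. It assumes a dnsmasq-style query log; the log lines, the 192.0.2.10 node address and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Assumption: dnsmasq-style "log-queries" lines; adapt the regex for other resolvers.
QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")

# Hostnames named in the thread above.
KNOWN_HOSTS = {"clearpass.arubanetworks.com", "registry-1.docker.io",
               "auth.docker.io", "aruba-skyhook.firebaseio.com"}

# Constructed sample log; 192.0.2.10 stands in for a ClearPass node.
SAMPLE_LOG = """\
Jul 14 06:01:12 dnsmasq[812]: query[A] clearpass.arubanetworks.com from 192.0.2.10
Jul 14 06:01:12 dnsmasq[812]: query[AAAA] clearpass.arubanetworks.com from 192.0.2.10
Jul 14 06:02:40 dnsmasq[812]: query[A] registry-1.docker.io from 192.0.2.10
Jul 14 06:02:41 dnsmasq[812]: query[A] AUTH.docker.io from 192.0.2.10
Jul 14 06:02:45 dnsmasq[812]: query[A] extension-cdn.example.net from 192.0.2.10
Jul 14 06:03:00 dnsmasq[812]: query[A] www.example.org from 192.0.2.77
Jul 14 06:03:05 dnsmasq[812]: reply registry-1.docker.io is 198.51.100.7
Jul 14 06:03:09 dnsmasq[812]: query[PTR] 10.2.0.192.in-addr.arpa from 192.0.2.10
"""

def names_queried(log_text, clients):
    """Count forward lookups made by the given client IPs."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m or m["client"] not in clients:
            continue  # not a query line, or not one of the ClearPass nodes
        if m["qtype"] == "PTR":
            continue  # reverse lookups are not outbound destinations
        # DNS names are case-insensitive; drop any trailing root dot.
        counts[m["name"].rstrip(".").lower()] += 1
    return counts

def allowlist_review(log_text, clients, known=KNOWN_HOSTS):
    """Split observed names into already-listed, needs-review and listed-but-unseen."""
    seen = names_queried(log_text, clients)
    listed = sorted(n for n in seen if n in known)
    review = sorted(n for n in seen if n not in known)
    unused = sorted(known - set(seen))
    return listed, review, unused

if __name__ == "__main__":
    listed, review, unused = allowlist_review(SAMPLE_LOG, {"192.0.2.10"})
    print("already listed:  ", listed)
    print("needs review:    ", review)
    print("listed, not seen:", unused)
```

Names under "needs review" are candidates for the proxy or firewall allow-list only after checking which extension requested them.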