Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Clearpass cluster traffic/firewall

  • 1.  Clearpass cluster traffic/firewall

    Posted Jan 28, 2013 03:19 AM

    Hi,


    Anyone knows what ports that Clearpass 6.0 uses in a cluster to join cluster/sync and so on?

    I may need to deploy a Clearpass cluster with different nodes that is separated by firewalls.


    Tried to find info in the 6.0 User Guide but didn't have any luck there.




  • 2.  RE: Clearpass cluster traffic/firewall
    Best Answer

    EMPLOYEE
    Posted Jan 28, 2013 06:20 AM

    @christian-ns wrote:

    Hi,


    Anyone knows what ports that Clearpass 6.0 uses in a cluster to join cluster/sync and so on?

    I may need to deploy a Clearpass cluster with different nodes that is separated by firewalls.


    Tried to find info in the 6.0 User Guide but didn't have any luck there.



    • UDP Port 123 NTP (Subscriber to publisher)
    • TCP Port 443 HTTPS (Bi-directional)
    • TCP Port 5432 PostgreSQL for DB replication (Subscriber to publisher)


  • 3.  RE: Clearpass cluster traffic/firewall

    EMPLOYEE
    Posted Feb 01, 2013 02:02 PM

    Even better, after seeing your question, our Technical Publications team just produced the document "Suggested Open Ports for Adding CPPM to Your Network"  here:


    http://support.arubanetworks.com/DOCUMENTATION/tabid/77/DMXModule/512/Command/Core_Download/Default.aspx?EntryId=10535



  • 4.  RE: Clearpass cluster traffic/firewall

    Posted Feb 05, 2013 06:04 AM

    That document does not document specifically which ports are needed for Firmware and Posture & Profile Data Updates. When communicating via a proxy server, Posture & Profile Data Updates succeed most of the time via the default ports (80 and 443), but the firmware update and subscription part, do they use the same ports?


    Johan



  • 5.  RE: Clearpass cluster traffic/firewall

    Posted Feb 17, 2014 10:50 AM

    Hello, we just updated our 5K controllers to 6.3.0, and are now seeing TCP 4231 bi-directional traffic blocked in our firewalls. Can you tell us what this port is used for, and if it is necessary for operations? Can the document be updated so we can reference it?


    Also, our controllers are in separate subnets, and we would like to take advantage of the new Standby Publisher failover feature. Which port does the keepalive use for the failover? Does it monitor the already defined SSL or Postgres traffic, or is there another port that we need to open in the firewalls?


    Thanks!



  • 6.  RE: Clearpass cluster traffic/firewall

    EMPLOYEE
    Posted Feb 17, 2014 11:45 AM
    • TCP Port 4231 NetWatch (Post Authentication module and the node where Insight is enabled)


  • 7.  RE: Clearpass cluster traffic/firewall



  • 8.  RE: Clearpass cluster traffic/firewall

    Posted Feb 17, 2014 11:59 AM

    Thanks for the reply! I don't have access to the Partner site to see that document. Any chance it can be uploaded to the general support website?


    Also, can you provide a response to what ports/services ClearPass is monitoring for its Publisher -> Standby Publisher automated failover?



  • 9.  RE: Clearpass cluster traffic/firewall

    EMPLOYEE
    Posted Feb 17, 2014 05:31 PM

    ClearPass Policy Manager (CPPM)

    Go to Configuration >> Identity >> Sources. Add a new source of type AD and go to the Primary tab. Look for Connection Security; this changes the port # listed on that screen automatically (typically 389 or 636).

    You can also plug in a value for that port manually.


    CPPM cluster (subscriber-publisher)

    • UDP Port 123 NTP (Subscriber to publisher)
    • TCP Port 443 HTTPS (Bi-directional)
    • TCP Port 5432 PostgreSQL for DB replication (Subscriber to publisher)
    • TCP Port 80 HTTP (Between Nodes)
    • TCP Port 4231 NetWatch (Post Authentication module and the node where Insight is enabled)

    CPPM To ClearPass Guest

    • 443 HTTPS

    ClearPass Policy Manager/Guest

    (port: service)

    • 3799 For RFC 3576 to work.
    • 1812 RADIUS
    • 1813 RADIUS Accounting Server
    • 80 HTTP
    • 443 HTTPS

    ClearPass Internet Access requirements

    Question: What internet access does ClearPass require for normal operation and why?

    Answer: ClearPass requires access to the following URL for checking for updated plugins:

    http://clearpass.arubanetworks.com (legacy http://www.amigopod.com/webservice)

    This uses TCP ports 80 and 443. If an access control list will be created on a firewall to allow this traffic, please note that the IP address that clearpass.arubanetworks.com resolves to is subject to change. If you find that you are unable to get plugin updates with a valid subscription ID, then make sure this access is allowed.

    For Remote Assist feature in ClearPass 6.3, ClearPass needs to be able to open a TCP 443 connection to remoteassist.arubanetworks.com.


    CPPM to Active Directory

    From: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/4ea85317-56c3-446d-9736-bfd046fc589c

    The following is the list of services and their ports used for Active Directory communication:

    • UDP Port 88 for Kerberos authentication
    • UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations.
    • TCP Port 139 and UDP 138 for File Replication Service between domain controllers. (Probably not necessary for CPPM)
    • UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
    • TCP and UDP Port 445 for File Replication Service (Probably not necessary for CPPM)
    • TCP and UDP Port 464 for Kerberos Password Change
    • TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
    • TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

    CPPM to OnGuard client

    • 6658 TCP for the OnGuard client to communicate with CPPM. Otherwise the client doesn't appear in the OnGuard Activity tab, and this will likely cause the OnGuard PA to send health information every 3 minutes or so.

    Amigopod / ClearPass Guest

    • External Updates - HTTP(80) and HTTPS(443) to clearpass.arubanetworks.com for plugin updates and network tests.
    • NTP - UDP port 123
    • Mail - generally TCP 25 or 465.
    • High Availability - SSH(22), HTTPS(443) and Multicast between the two servers. Multicast settings are within the HA configuration.
    • RADIUS - UDP 1812, 1813, 3799 between controller and Amigopod.

    Misc Ports that are needed

    • 389 tcp/udp LDAP Lightweight Directory Access Protocol
    • 636 tcp/udp LDAP protocol over TLS/SSL (was sldap)
    • 3269 tcp/udp Microsoft Global Catalog with LDAP/SSL
    • 53 tcp/udp DNS
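
    The cluster port list above (replies 2, 6 and 9: UDP 123 subscriber to publisher, TCP 443 both ways, TCP 5432 subscriber to publisher, TCP 80 between nodes, TCP 4231 NetWatch) is easy to get half-right when the nodes sit behind a firewall, so here is an added example of a pre-flight check and rule generator built from that list. This is example code, not an Aruba tool: the flow table is transcribed from the replies, the host addresses and the assumed iptables target are mine, and the directions for port 80 and 4231 follow the wording "between nodes" / "bi-directional" in the thread. UDP 123 cannot be verified with a TCP connect, so the script reports it as unprobed rather than pretending it is open.

```python
"""Pre-flight check of ClearPass cluster firewall ports (added example, not Aruba code).

Run on a subscriber:  python cppm_ports.py subscriber <publisher-ip>
Run on the publisher: python cppm_ports.py publisher  <subscriber-ip>
"""
import socket
from typing import Callable, Dict, List, Tuple

# Flow table transcribed from replies 2, 6 and 9 of this thread.
# direction: "to_publisher"  = initiated by the subscriber only
#            "bidirectional" = either node may initiate
Flow = Tuple[str, int, str, str]
CLUSTER_FLOWS: List[Flow] = [
    ("udp", 123,  "NTP",                        "to_publisher"),
    ("tcp", 443,  "HTTPS",                      "bidirectional"),
    ("tcp", 5432, "PostgreSQL DB replication",  "to_publisher"),
    ("tcp", 80,   "HTTP between nodes",         "bidirectional"),
    ("tcp", 4231, "NetWatch (Insight node)",    "bidirectional"),
]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: does a TCP handshake to host:port complete?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def flows_from(role: str, flows: List[Flow] = CLUSTER_FLOWS) -> List[Flow]:
    """Flows a node of the given role must be able to initiate towards its peer."""
    if role == "subscriber":
        return list(flows)
    if role == "publisher":
        return [f for f in flows if f[3] == "bidirectional"]
    raise ValueError(f"unknown role {role!r}")


def preflight(role: str, peer: str,
              probe: Callable[[str, int], bool] = tcp_connect,
              flows: List[Flow] = CLUSTER_FLOWS) -> Dict[str, List[Flow]]:
    """Classify each required flow as open / blocked / unprobed.

    `probe` is injectable so the logic can be exercised without a network.
    """
    result: Dict[str, List[Flow]] = {"open": [], "blocked": [], "unprobed": []}
    for flow in flows_from(role, flows):
        proto, port, _, _ = flow
        if proto != "tcp":
            result["unprobed"].append(flow)   # a TCP connect says nothing about UDP
        elif probe(peer, port):
            result["open"].append(flow)
        else:
            result["blocked"].append(flow)
    return result


def iptables_rules(publisher: str, subscribers: List[str],
                   flows: List[Flow] = CLUSTER_FLOWS) -> List[str]:
    """Stateful FORWARD rules for a firewall between publisher and subscribers.

    Assumed target syntax is iptables with conntrack; only the initiating
    direction of each flow is opened, replies ride on ESTABLISHED,RELATED.
    """
    rules: List[str] = []
    for sub in subscribers:
        for proto, port, service, direction in flows:
            rules.append(f"iptables -A FORWARD -p {proto} -s {sub} -d {publisher} "
                         f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT  # {service}")
            if direction == "bidirectional":
                rules.append(f"iptables -A FORWARD -p {proto} -s {publisher} -d {sub} "
                             f"--dport {port} -m conntrack --ctstate NEW -j ACCEPT  # {service}")
    # Return traffic first, so it is matched before the NEW rules.
    rules.insert(0, "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    return rules


if __name__ == "__main__":
    import sys
    role, peer = sys.argv[1], sys.argv[2]
    for state, items in preflight(role, peer).items():
        for proto, port, service, _ in items:
            print(f"{state:9s} {proto}/{port:<5} {service}")
```

    A blocked 5432 from a subscriber shows up as the classic symptom of a node that joins over 443 but never replicates; the check above reports exactly that port. The generated rules are a starting point for the cluster leg only; the AD, RADIUS and OnGuard ports listed in reply 9 can be added to the same table with their own direction.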


  • 10.  RE: Clearpass cluster traffic/firewall

    Posted Feb 18, 2014 05:01 PM

    This is great, exactly what I'm looking for!


    We ran a Vulnerability Assessment scan of our CP-500, and everything that came up was on your list, except for one port:


    TCP 4949, assigned by IANA to Munin Resource Monitoring Tool.


    Can you please define what ClearPass is using this port for?

    Thanks!