ClearPass Policy Manager (CPPM)
Go to Configuration >> Identity >> Sources. Add a new source of type Active Directory and open the Primary tab. The Connection Security setting automatically changes the port number shown on that screen: typically 389 for no encryption or StartTLS, 636 for LDAP over SSL/TLS.
You can also enter a port value manually if the domain controller listens on a non-standard port.
CPPM cluster (publisher-subscriber)
- UDP Port 123 NTP (subscriber to publisher)
- TCP Port 443 HTTPS (bi-directional)
- TCP Port 5432 PostgreSQL for database replication (subscriber to publisher)
- TCP Port 80 HTTP (between nodes)
- TCP Port 4231 NetWatch (between the Post Authentication module and the node where Insight is enabled)
CPPM to ClearPass Guest
ClearPass Policy Manager / Guest ports:
- UDP 3799 RADIUS Dynamic Authorization (CoA / Disconnect, RFC 3576)
- UDP 1812 RADIUS authentication
- UDP 1813 RADIUS accounting
- TCP 80 HTTP
- TCP 443 HTTPS
ClearPass Internet Access requirements
Question: What internet access does ClearPass require for normal operation and why?
Answer: ClearPass requires access to the following URL for checking for updated plugins:
http://clearpass.arubanetworks.com (legacy http://www.amigopod.com/webservice)
This uses TCP ports 80 and 443. If an access control list is created on a firewall to allow this traffic, note that the IP address clearpass.arubanetworks.com resolves to is subject to change, so a rule pinned to a fixed address will eventually break; allow the hostname or re-check the resolution regularly. If you are unable to get plugin updates with a valid subscription ID, first confirm that this access is allowed.
For the Remote Assist feature in ClearPass 6.3, ClearPass needs to be able to open a TCP 443 connection to remoteassist.arubanetworks.com.
CPPM to Active Directory
From: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/4ea85317-56c3-446d-9736-bfd046fc589c
The following is the list of services and the ports they use for Active Directory communication (the forum post lists only UDP for Kerberos and LDAP; both protocols also use TCP, and a firewall ACL for CPPM must allow it):
- TCP and UDP Port 88 for Kerberos authentication
- TCP and UDP Port 135 for RPC endpoint mapping, domain controller-to-domain controller and client-to-domain controller operations
- TCP Port 139 and UDP Port 138 (NetBIOS) for File Replication Service between domain controllers (probably not necessary for CPPM)
- TCP Port 389 for LDAP queries from clients to domain controllers (UDP 389 is CLDAP, used for DC locator pings)
- TCP and UDP Port 445 (SMB) for File Replication Service (probably not necessary for CPPM)
- TCP and UDP Port 464 for Kerberos password change
- TCP Port 3268 (LDAP) and 3269 (LDAPS) for Global Catalog queries from client to domain controller
- TCP and UDP Port 53 for DNS, client to domain controller and domain controller to domain controller
CPPM to OnGuard client
- TCP 6658 for the OnGuard client to communicate with CPPM. If it is blocked, the client does not appear in the OnGuard Activity tab and the OnGuard Persistent Agent will likely resend health information every 3 minutes or so.
Amigopod / ClearPass Guest
- External updates: HTTP (TCP 80) and HTTPS (TCP 443) to clearpass.arubanetworks.com for plugin updates and network tests.
- NTP: UDP 123.
- Mail: generally TCP 25 (SMTP) or TCP 465 (SMTP over TLS).
- High Availability: SSH (TCP 22), HTTPS (TCP 443) and multicast between the two servers. The multicast settings are within the HA configuration.
- RADIUS: UDP 1812, 1813 and 3799 between the controller and Amigopod.
Misc ports that are needed
- 389 tcp/udp LDAP (Lightweight Directory Access Protocol)
- 636 tcp/udp LDAPS (LDAP over TLS/SSL; formerly listed as sldap)
- 3269 tcp/udp Microsoft Global Catalog over LDAP/SSL
- 53 tcp/udp DNS
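Before opening a support case for failed AD binds, OnGuard agents that never show up, or replication that will not start, it helps to confirm from the CPPM node's network segment that each TCP port listed above is actually reachable. The script below is an added example, not Aruba code: it encodes the port lists from this page as a matrix and probes the TCP entries with a plain connect, reporting UDP entries as untested because a UDP connect that gets no ICMP unreachable proves nothing (RADIUS, Kerberos, NTP and DNS need a protocol-level test such as radtest, kinit, ntpdate -q or dig). The hostnames and the choice of ports are assumptions for illustration; the demo in the main block uses a loopback listener constructed in the script itself so it runs offline.

```python
"""Reachability check for the ClearPass port matrix above.

Added example, not Aruba code. The port selection and the hostnames used
in comments are assumptions; adjust them to your deployment.
"""
import socket

# Port matrix collected from the lists on this page: (description, protocol, port).
# Target hosts are supplied per deployment (e.g. a domain controller, a NAS,
# the cluster publisher), so they are not part of the matrix.
PORT_MATRIX = [
    ("LDAP to AD (no TLS / StartTLS)", "tcp", 389),
    ("LDAPS to AD", "tcp", 636),
    ("Global Catalog over LDAPS", "tcp", 3269),
    ("Kerberos", "tcp", 88),
    ("Kerberos", "udp", 88),
    ("DNS", "udp", 53),
    ("RADIUS authentication (NAS -> CPPM)", "udp", 1812),
    ("RADIUS accounting (NAS -> CPPM)", "udp", 1813),
    ("RADIUS CoA / RFC 3576 (CPPM -> NAS)", "udp", 3799),
    ("OnGuard agent -> CPPM", "tcp", 6658),
    ("Cluster DB replication (subscriber -> publisher)", "tcp", 5432),
]


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes.

    False covers refused, filtered (timed out) and unresolvable, which for a
    firewall ACL check are the same failure: fix the path or the rule.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes socket.timeout and name resolution errors
        return False


def check_matrix(host, matrix=PORT_MATRIX, probe=tcp_open):
    """Probe every TCP entry of the matrix against one host.

    UDP entries are reported as 'untested (udp)' rather than guessed at; verify
    them with the protocol itself (radtest, kinit, dig, ntpdate -q).
    Returns a list of (description, protocol, port, state) tuples.
    """
    results = []
    for desc, proto, port in matrix:
        if proto == "tcp":
            state = "open" if probe(host, port) else "blocked"
        else:
            state = "untested (udp)"
        results.append((desc, proto, port, state))
    return results


def local_listener():
    """Constructed test fixture: a listening TCP socket on an ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def closed_port():
    """Constructed test fixture: an ephemeral port that is bound and released,
    so a connect to it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Offline demo: one listening port and one closed port on loopback.
    srv = local_listener()
    print("listener reachable:", tcp_open("127.0.0.1", srv.getsockname()[1]))
    print("closed port reachable:", tcp_open("127.0.0.1", closed_port()))
    srv.close()
    # Real use, run from the CPPM node's segment against the actual target,
    # e.g. check_matrix("dc01.corp.example") (hostname is a placeholder):
    for row in check_matrix("127.0.0.1"):
        print("%-50s %s/%-5d %s" % row)
```

Run it from a host on the same VLAN as the CPPM node, pointing at the domain controller for the AD rows and at the publisher for the replication row; anything reported as blocked maps directly to a missing ACL entry in the lists above.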