Is it really necessary to open so many ports to the master?

Hello all,

The situation is that we also use UCS in the DMZ for Nextcloud, Kopano, Rocket.Chat and more. So for security we do not open all ports to the domain master server. I found this very fine description: Which TCP / UDP ports on the DC master must be accessible by other UCS systems? Thanks at this point.

So some questions about the services. I think it depends on what we use or need at a specific time which ports we really have to open to the domain master.

So what about a UCS slave server over SSH?

UDN, I think this is replication, so this is needed for LDAP replication, right?

UMC, what is this needed for? Maybe so that I can update applications directly from the master?

“Stunnel”, this is for SAML, but if I have Nextcloud and co. running, yes they use SAML, but this feature is working while the port is closed, so is it really needed?

And the last one, HTTPS. I also don’t know about this one.

If some whitepaper or documentation for this exists, I will read that too. Many thanks for your help! :slight_smile:

Best Regards
boospy

It is a good question in my opinion and I would be interested in an answer as well. Opening so many ports for members in a DMZ does not “feel good”.

Here is the port list:

UCS-LDAP: TCP/7389 UDP/7389
UCS-Kerberos: TCP/88 TCP/464 TCP/749 UDP/88 UDP/464 UDP/749
UCS-LDAP Samba4: TCP/636 TCP/389 UDP/636 UDP/389
UCS-LDAPS: TCP/7636 UDP/7636
UCS Software-Monitor PGSQL: TCP/5432 (Softwaremonitor)
UCS Stunnel SAML: TCP/11212
UCS Directory Notifier Replication: TCP/6669
UCS Management Console: TCP/6670
UCS certificate check: TCP/443 TCP/80
DNS: TCP/53 UDP/53
DCE-RPC: TCP/135 UDP/135
SMB: TCP/445

I have allowed in the DMZ with ACLs only the part that is used for operations. Only for updates is the port forwarding deactivated and the ACLs opened internally.

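As an added example (not from the thread and not Univention's own tooling), a small Python script that parses the port list posted above into a per-service map and emits a minimal allow-list for a DMZ member that only needs a chosen subset of services; the master address, the chosen services and the iptables OUTPUT-chain rule format are assumptions.

```python
"""Derive a least-privilege DMZ -> DC master allow-list from the posted port table."""
import re

# Port table as posted in the thread (constructed copy used as input here).
PORT_TABLE = """\
UCS-LDAP TCP/7389 UDP/7389
UCS-Kerberos TCP/88 TCP/464 TCP/749 UDP/88 UDP/464 UDP/749
UCS-LDAP Samba4 TCP/636 TCP/389 UDP/636 UDP/389
UCS-LDAPS TCP/7636 UDP/7636
UCS Software-Monitor PGSQL TCP/5432 (Softwaremonitor)
UCS Stunnel SAML TCP/11212
UCS Directory Notifier Replication TCP/6669
UCS Management Console TCP/6670
UCS Zertifikatscheck TCP/443 TCP/80
DNS 53 TCP/UDP
DCE-RPC 135 TCP/UDP
SMB TCP445
"""

# Matches "TCP/7389", "TCP445" (missing slash) and the "53 TCP/UDP" form.
PORT_RE = re.compile(r"(TCP|UDP)/?(\d+)|(\d+) TCP/UDP")


def parse_port_table(text):
    """Return {service_name: {(proto, port), ...}} from the posted list."""
    table = {}
    for line in text.splitlines():
        matches = list(PORT_RE.finditer(line))
        if not matches:
            continue
        name = line[: matches[0].start()].strip()  # text before the first port token
        entries = set()
        for m in matches:
            if m.group(3):  # "53 TCP/UDP": same port on both protocols
                entries.update({("tcp", int(m.group(3))), ("udp", int(m.group(3)))})
            else:
                entries.add((m.group(1).lower(), int(m.group(2))))
        table[name] = entries
    return table


def allow_rules(table, master_ip, wanted):
    """iptables rules (assumed format, OUTPUT chain on the DMZ host) that permit
    only the selected services towards the master and drop everything else."""
    rules = []
    for service in wanted:
        for proto, port in sorted(table[service]):
            rules.append(f"iptables -A OUTPUT -d {master_ip} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A OUTPUT -d {master_ip} -j DROP")
    return rules


def closed_ports(table, wanted):
    """Ports from the table that stay closed for review against the running host."""
    return set().union(*(v for k, v in table.items() if k not in wanted))
```

For a member that only replicates LDAP, `allow_rules(parse_port_table(PORT_TABLE), "MASTER_IP", ["UCS-LDAP", "UCS Directory Notifier Replication"])` yields just TCP/UDP 7389 and TCP 6669 plus the final DROP.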