Systems in a UCS domain must be able to establish TCP/UDP connections to the DC master for several services.
If a firewall or other port-blocking devices are used in a site-configuration, this functionallity may be disturbed and ports must be opened directly.
You need to allow ICMP for ping.
The following ports are essential:
| Port | Protocol | Service |
| 22 | TCP | SSH |
| 53 | TCP/UDP | Nameserver |
| 67 | UDP | DHCP |
| 88 | TCP/UDP | Kerberos |
| 123 | TCP/UDP | NTP |
| 443 | TCP | HTTPS |
| 464 | TCP/UDP | Kerberos |
| 749 | TCP/UDP | Kerberos |
| 6669 | TCP | Univention Directory Notifier |
| 6670 | TCP | Univention Management Console |
| 7389 | TCP/UDP | LDAP |
| 7636 | TCP/UDP | LDAPS |
| 11212 | TCP | stunnel |
The following ports are used if Samba 4 is in use:
This is also applicable for AD Connections.
| Port | Protocol | Service |
| 135 | TCP/UDP | RPC |
| 389 | TCP/UDP | Samba4 LDAP |
| 445 | TCP/UDP | SMB |
| 636 | TCP/UDP | Samba4 LDAPS |
| 873 | TCP | Rsync |
| 1024-1300 | TCP/UDP | Samba <=4.6 / Dynamic RPC Ports |
| 49152-65535 | TCP/UDP | Samba >=4.7 / Dynamic RPC Ports |
TechNet: Protecting Windows RPC Traffic
| 3268 | TCP/UDP | Samba 4/Global Catalog over LDAP |
| 3269 | TCP/UDP | Samba 4/Global Catalog over LDAPS |
The following ports could be used by specific services, like UVMM:
| Port | Protocol | Service |
| 80 | TCP | HTTP-access to repository |
| 5900-5999 | TCP/UDP | UVMM/vnc |
| 16514 | TCP | UVMM/libvirtd |
| 49152-49215 | TCP/UDP | UVMM/migration |
The post-install routines of UCS packages are creating exceptions for the Univention-Firewall themselve, of course - appropriate exceptions are only needed if external firewall solutions are used.
Ping should also be accessable
Additional information