Table of Contents
The following flows from the Nodes to the Rudder Root Server have to be allowed:
- Port 5309, TCP
- CFEngine communication port, used to communicate the policies to the rudder nodes.
- Port 443, TCP, for nodes
- WebDAV/HTTPS communication port, used to send inventory and fetch the id of the Rudder Server.
- Port 514, TCP/UDP
- Syslog port, used to centralize reports.
And this one is optional:
- Port 5310, TCP
-
CFEngine communication port, used to communicate the policies to the Rudder
nodes when debugging communication between a Node and a policy server
with the
rudder server debugcommand.
Open the following flow from the clients desktop to the Rudder Root Server:
- Port 443, TCP, for users
- HTTP/S communication port, used to access the Rudder web interface.
These flows are recommended for compatibility:
- Port 80, TCP, for nodes
- WebDAV/HTTP communication port, kept for compatibility with pre-3.1 nodes and AIX nodes.
These flows are used to add features to Rudder:
- CFEngine Enterprise
- Managing Windows machines requires the commercial version of CFEngine, called Enterprise. It needs to open the port 5308 TCP from the Node to the Rudder Root Server.
This version used to be called Nova before.
By default, Rudder relies on the Node declared hostnames to identify them, for security reasons. It is required that each Node hostname can be resolved to its IP address that will be used to contact the Rudder Server.
If you can not make every node resolution consistent, it is possible to remove this constraint by unticking "Use reverse DNS lookups on nodes to reinforce authentication to policy server:" in the Administration - Settings tab of the Rudder web interface.
