Mandatory flows

The following flows from the Nodes to the Rudder Root Server have to be allowed:

Port 5309, TCP
CFEngine communication port, used to communicate the policies to the rudder nodes.
Port 443, TCP, for nodes
WebDAV/HTTPS communication port, used to send inventory and fetch the id of the Rudder Server.
Port 514, TCP/UDP
Syslog port, used to centralize reports.

And this one is optional:

Port 5310, TCP
CFEngine communication port, used to communicate the policies to the Rudder nodes when debugging communication between a Node and a policy server with the rudder server debug command.

Open the following flow from the clients desktop to the Rudder Root Server:

Port 443, TCP, for users
HTTP/S communication port, used to access the Rudder web interface.

Optional flows

These flows are recommended for compatibility:

Port 80, TCP, for nodes
WebDAV/HTTP communication port, kept for compatibility with pre-3.1 nodes and AIX nodes.

These flows are used to add features to Rudder:

CFEngine Enterprise
Managing Windows machines requires the commercial version of CFEngine, called Enterprise. It needs to open the port 5308 TCP from the Node to the Rudder Root Server.

This version used to be called Nova before.

DNS - Name resolution

By default, Rudder relies on the Node declared hostnames to identify them, for security reasons. It is required that each Node hostname can be resolved to its IP address that will be used to contact the Rudder Server.

If you can not make every node resolution consistent, it is possible to remove this constraint by unticking "Use reverse DNS lookups on nodes to reinforce authentication to policy server:" in the Administration - Settings tab of the Rudder web interface.