Applies to: All versions of Centrify Deployment Manager.
What firewall ports need to be opened between a machine running Centrify Deployment Manager (DM) located on an internal network and Centrify Unix servers separated by a firewall?.
Centrify's Deployment Manager uses standard protocols like telnet and SSH to discover Unix servers and so there are no special ports besides port 22 (ssh) and 23 (telnet). For a Unix server to talk to a DC separated by a firewall, please follow:
KB-0029: Firewall port settings for Centrify Direct Control.
Additionally, Deployment Manager uses the 'https' protocol (outbound 443) to communicate with the Centrify Support Portal to download binaries and catalog files.
Many Deployment Manager operations require a connection to a remote computer. By default, Deployment Manager uses a two-step process for these operations to optimize performance:
In the first step, Deployment Manager sends a ping request to each specified IP address to verify that the computer is reachable. If a computer responds within a configurable number of seconds, Deployment Manager then connects to the computer using telnet or SSH to gather information. Computers that don’t respond to the ping request are skipped. Sending a ping request to each computer is a relatively lightweight operation and it eliminates the overhead associated with attempting to connect to computers that are not reachable.
In certain cases, however, computers that do not respond to a ping command can still be accessed using SSH or telnet.
For example, computers hosted in a cloud environment or isolated behind a corporate firewall may fail to respond to the ping request, but allow a connection from a remote shell. For these situations, Deployment Manager provides a network option that allows control of the preliminary ping request. If the ping request is disabled, some operations, such as the discovery of computers on the network, may take longer to complete, but Deployment Manager will not skip any computers that are available for SSH or telnet connections.
To control the ping request for testing network connections:
1) Select the Centrify Deployment Manager node, right-click, then click Options.
2) Click the Network tab.
3) Select "Enable ping in computer connection" and set the ping time out value if you want to keep the default behavior but change the time allowed for a response to the ping request. Enabling the ping request improves the performance of operations that connect to remote computers, but may miss computers that are accessible using ssh or telnet.
To skip the ping request, deselect "Enable ping in computer connection". With this setting, Deployment Manager attempts to connect to every computer matching the criteria specified; such as an IP subnet or IP address range. Disabling the ping request allows Deployment Manager to find computers it would not find with ping enabled, but operations take longer to complete than with ping enabled.
4) Click OK to save the information.