Security policies and firewall rules

Learn about the security policies and firewall rules of hybrid environments.

The following requirements apply for security policies and firewall rules of hybrid environments:

  • Ensure that security policies and firewall rules allow traffic from all nodes in the Cloudera on cloud (public cloud) network to reach the on-premises ports used by Cloudera Runtime services. For the list of ports typically used by Runtime components, see Ports Used by Cloudera Runtime Components.
  • Ensure that security policies and firewall rules allow traffic between your FreeIPA instance and your Active Directory Domain Controller. Direct communication between FreeIPA servers and Active Directory Domain Controllers is required over a range of ports for various protocols.

The following table lists the essential ports that must be open between all FreeIPA trust controllers and all Active Directory Domain Controllers:

Table 1.

| Port | Protocol | Service Name | Direction | Purpose |
|---|---|---|---|---|
| 53 | TCP/UDP | DNS | Bidirectional | Name and service record resolution |
| 88 | TCP/UDP | Kerberos | Bidirectional | Authentication, ticket granting |
| 123 | UDP | NTP | Bidirectional | Time synchronization |
| 135 | TCP | RPC Endpoint Mapper (EPMAP) | Bidirectional | LSA RPC for trust management |
| 138 | UDP | NetBIOS Datagram Service | Bidirectional | NetBIOS communication |
| 139 | TCP | NetBIOS Session Service | Bidirectional | NetBIOS communication |
| 389 | TCP/UDP | LDAP | Bidirectional | User and group resolution, trust validation |
| 445 | TCP | SMB/CIFS | Bidirectional | Trust creation (IPC$ share access) |
| 464 | TCP/UDP | Kerberos Password Change | Bidirectional | Kerberos kpasswd service |
| 636 | TCP | LDAPS | IPA -> AD | Secure user or group resolution (if configured) |
| 3268 | TCP | LDAP Global Catalog (GC) | IPA -> AD | Forest-wide user or group lookups |
| 3269 | TCP | LDAPS Global Catalog (GC) | IPA -> AD | Secure forest-wide lookups (if configured) |
| 49152-65535 | TCP | RPC Dynamic Ports | Bidirectional | High ports for RPC communication initiated through EPMAP |
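As an added example (not part of the Cloudera documentation), the following Python script verifies the firewall rules from Table 1 from the FreeIPA side: run on a FreeIPA trust controller with the AD Domain Controller hostname as its argument, it probes every TCP port the trust needs and distinguishes a firewall drop (timeout) from a port that is reachable but not listening. The hostname, the three-port sampling of the dynamic range and the service labels are assumptions of this example.

```python
import socket
import sys

# TCP ports from Table 1 that the FreeIPA side needs towards the AD DC.
# UDP entries (NTP, NetBIOS datagram, the UDP halves of DNS/Kerberos/LDAP/kpasswd)
# are left out: a UDP connect() never reveals whether a firewall dropped the packet.
REQUIRED_TCP = [
    ("53", "DNS"), ("88", "Kerberos"), ("135", "RPC Endpoint Mapper"),
    ("139", "NetBIOS Session"), ("389", "LDAP"), ("445", "SMB/CIFS"),
    ("464", "Kerberos kpasswd"), ("636", "LDAPS"), ("3268", "LDAP GC"),
    ("3269", "LDAPS GC"), ("49152-65535", "RPC dynamic range"),
]

def expand_ports(spec):
    """'88' -> [88]; '49152-65535' -> a three-port sample (low, middle, high)."""
    if "-" not in spec:
        return [int(spec)]
    lo, hi = (int(x) for x in spec.split("-"))
    return [lo, (lo + hi) // 2, hi]

def tcp_probe(host, port, timeout=2.0):
    """'open' (handshake completed), 'closed' (RST: reachable, nothing listening)
    or 'filtered' (timeout or other error: the usual sign of a DROP rule on the path)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "filtered"

def acceptable(state, spec):
    """Dynamic RPC ports stay 'closed' until a service binds one, so 'closed' is
    fine there (no DROP in the path); on a fixed service port it is a finding."""
    return state == "open" or (state == "closed" and "-" in spec)

def check_host(host, probe=tcp_probe):
    """Probe every required port; returns [(port, service, state, ok), ...]."""
    report = []
    for spec, service in REQUIRED_TCP:
        for port in expand_ports(spec):
            state = probe(host, port)
            report.append((port, service, state, acceptable(state, spec)))
    return report

def main(host):
    report = check_host(host)
    for port, service, state, ok in report:
        print(f"{port:>5}/tcp {service:<20} {state:<9} {'ok' if ok else 'FIX'}")
    return 0 if all(ok for *_, ok in report) else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv[1]))
```

The rows marked Bidirectional in Table 1 also need the reverse check from the Domain Controller towards each FreeIPA server; this script only covers the IPA -> AD direction.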