SLES 11 SP4 External firewall setup to enable online updates



marcinstec
30-Jan-2017, 15:42
Hi,

I'm a SUSE rookie, so pointing me to the right documentation is more than enough :-)

Which IPs/ports should I open in my corpo firewall to enable online updates?
I have a totally isolated SLES 11 SP4 for SAP systems; however, I can enable some limited communication for specific external IPs/ports. Is there any reference for which addresses suse_register and zypper use to register and get updates?
I'm considering setting up SMT, but the same limitations still apply.

regards
marcin

ab
30-Jan-2017, 17:03
This thread from last year may help:

https://forums.suse.com/showthread.php?8107-Firewall-Rules-for-updates-and-patches

The SUSE Manager documentation has changed since then, but I presume the
same information is in there. If you really are completely locked down
you'd also need DNS to work, probably, in addition to HTTPS over TCP 443.


--
Good luck.


jmozdzen
31-Jan-2017, 18:30
Hi marcin,

> Hi,
>
> I'm a SUSE rookie, so pointing me to the right documentation is more than enough :-)
>
> Which IPs/ports should I open in my corpo firewall to enable online updates?
> I have a totally isolated SLES 11 SP4 for SAP systems; however, I can enable some limited communication for specific external IPs/ports. Is there any reference for which addresses suse_register and zypper use to register and get updates?
> I'm considering setting up SMT, but the same limitations still apply.

since this is a corporate firewall, another answer might be "probably no additional ones - just make sure your system(s) can access the HTTPS proxy." ;)

Regards,
J

marcinstec
31-Jan-2017, 20:39
Hi, ab & jmozdzen,

Thanks for the advice. I did what you told me to - it works.
Unfortunately, my local security guys are a little too strict about it, so I'm gonna have to run netstat -anp or nethogs to find out the exact IPs :-\
I'll post my findings later.

Thanks for your help!
marcin
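
An added example, not part of the original posts: one way to reduce `netstat -anp` output to the distinct remote endpoints opened by the update tools, including attempts still stuck in SYN_SENT because nothing answered. The sample lines are constructed (documentation-range addresses), and the program names matched (`zypper`, `perl`) are assumptions about how the tools appear in the PID/Program column.

```shell
#!/bin/sh
# remote_endpoints PATTERN
# Reads `netstat -anp` output on stdin and prints, for programs whose name
# matches PATTERN (an awk regex), one line per distinct remote endpoint:
#   ip:port STATE program connection-count
remote_endpoints() {
    awk -v pat="$1" '
        # TCP rows only; ESTABLISHED = connected, SYN_SENT = attempted, no reply yet
        $1 ~ /^tcp/ && ($6 == "ESTABLISHED" || $6 == "SYN_SENT") {
            split($7, p, "/")                 # "PID/Program name" -> p[2]
            if (p[2] !~ pat) next             # not one of the update tools
            if ($5 ~ /^(127\.|::1:)/) next    # ignore loopback peers
            seen[$5 " " $6 " " p[2]]++
        }
        END { for (k in seen) print k, seen[k] }
    ' | sort
}

# Constructed sample of `netstat -anp` output (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1200/sshd
tcp        0      0 10.0.0.5:40112          203.0.113.10:443        ESTABLISHED 4321/zypper
tcp        0      0 10.0.0.5:40114          203.0.113.10:443        ESTABLISHED 4321/zypper
tcp        0      1 10.0.0.5:40120          198.51.100.7:80         SYN_SENT    4400/perl
tcp        0      0 10.0.0.5:22             10.0.0.9:51515          ESTABLISHED 1300/sshd
EOF
}

# On a live system (as root, so program names are shown), feed it real output:
#   netstat -anp | remote_endpoints 'zypper|perl'
sample_netstat | remote_endpoints 'zypper|perl'
```

Connections are short-lived, so sample repeatedly while a refresh or registration is running and merge the results.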

marcinstec
01-Feb-2017, 21:59
I had to enable http communication to secure-www.novell.com. It looks like the registration script needs to be redirected by the website to https.
Now I'm facing some more common problem: I get this message "Online Repositories do not need to be changed." while I'm configuring online updates via yast.
System has appeared on my SCC account after I issued this command:
suse_register -a email=myself@my-company.com -a regcode-sles=XXXXXXXXXXX -a addressid=ZZZZZZZ -a moniker=tsm1lz -L suse_register.log
Then I'm running "Configure on-line updates" in yast. It tells me that on-line repos are not set, and enables me to go through registration again. It is successful but tells me
"Online Repositories do not need to be changed."
Now I'm stuck. I have seen these threads:
https://forums.suse.com/showthread.php?5389-Software-repositories-did-not-need-to-be-changed
and
https://forums.suse.com/archive/index.php/t-603.html
But the solutions over there didn't work for me.

jmozdzen
07-Feb-2017, 17:54
Hi,

> It tells me that on-line repos are not set, and enables me to go through registration again. It is successful but tells me "Online Repositories do not need to be changed."

You might want to take a closer look into suse_register.log, where the XML responses from the registration server ought to report the required repositories, and where errors would be logged.

I take it that the system's registration details in SCC report the correct license association?

Regards,
J

marcinstec
02-May-2017, 11:32
I've just found my thread looking for other answers... Just for an update: It just needed some time. I left the system for a couple of days, and later I accidentally ran zypper refresh, lr, patch and everything worked fine. It seems SCC needed some time to process the registrations.