Response from Kunal Rao:
If your appserver sits behind a firewall blocking internet access, you must allow access to the following IPs if you would like to automate the downloading of HotFixes.
188.8.131.52 - WIN - http://xml.shavlik.com – port 80
184.108.40.206 - WIN - http://download.windowsupdate.com
220.127.116.11 - WIN - http://download.microsoft.com
18.104.22.168 - RedHat - https://rhn.redhat.com (still the analysis will happen against the RH Repo over protocol specified in the patch analysis params, by default it will use NSH protocol over 4750)
22.214.171.124 - Sun - http://sunsolve.sun.com
126.96.36.199 - AIX - http://www14.software.ibm.com
HPUX – this is SWA repo server over NSH as well.
Kunal, thanks for the info. I am trying to concentrate on external firewall information. I need to generate the DEST_IP, PORT, and PROTO information for Experian to give their Network Security team in order to open ports. For Red Hat it will still need to download from the RHN via port 80, correct?
Do you know which port SWA uses – it looks like it might be 8088?
Forum thread here: https://www.bladelogic.com/community/thread.jspa?threadID=3366
It may need to download from RHN - depends on how they plan on getting the RPMs down - if they want to automate that or they will only pull down the Red Hat updates when they get cut - e.g. 4.4, 4.5, 4.6 etc.
Not sure about SWA - open up the vpc scripts and have a look.
I am running into the same issue where the network security team here needs specific IPs and ports to be open, and where they do not want to allow by address.
I am currently running into the following error:
Warning Nov 29, 2010 5:42:33 PM Error while downloading payload for rpm : emacspeak-23.0-3.el5.noarch.rpm, com.bmc.sa.patchfeed.FeedException: Error occurred while logging to RHN.
I have requested the following IPs, but it appears I am missing some. Any suggestions on where I can verify this list?
188.8.131.52 - Redhat - rhn.redhat.com:443 TCP / 80 TCP
184.108.40.206 - Redhat - download.rhn.redhat.com:80 TCP
220.127.116.11 - Redhat - www.redhat.com:443 TCP
18.104.22.168 - Redhat - xmlrpc.rhn.redhat.com:443 TCP
Though when I ping www.redhat.com from one of the application servers it replies with 22.214.171.124, so I'm not sure if there is a range here that I need to request. I currently do not have that address open.
Is content-web.rhn.redhat.com also required? Any suggestions on what else needs to be opened? I wanted to get so I wouldn't have to make multiple requests to keep opening ports and IPs.
I have verified that the credentials for the user are good since I was able to log into the RHN website.
Any direction would be greatly appreciated!
When I implemented Red Hat patching I passed the following URLs to the network team based on the info I found in the appserver.log. After a few tries it worked but I can't be more precise than this unfortunately. Hopefully it will give you some help.
Those IPs are subject to change w/o much notice. Red Hat also added 'access.redhat.com' to the list.