KeyControl Network Requirements
For KeyControl to KeyControl and Policy Agent to KeyControl, the following ports need to be open:
- Internal protocol – TCP/443 (HTTPS) must be open between the KeyControl nodes in the cluster to support the rolling upgrade feature introduced in version 4.2.1. The KeyControl nodes must also be able to communicate on TCP/8443 and 2525. If you have a firewall between one or more nodes, you need to make sure that these ports are open. In addition, KeyControl uses the IP address 169.254.119.1 for internal communication. This IP address must be reserved for KeyControl.
- KeyControl webGUI – Inbound TCP/443 to administrator systems from any KeyControl server in the cluster. TCP/80 (HTTP) also needs to be open. All requests made to this port are redirected to TCP/443 so that they use HTTPS.
- KeyControl support-level access – Inbound TCP/22 (for full support) and TCP/6666 (for restricted support) from administrator systems to any KeyControl server in the cluster.
- Policy Agent to KeyControl — Inbound TCP/443 from the Policy Agent to each of the KeyControl nodes in the cluster.
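A pre-flight check for the node-to-node and Policy Agent ports listed above, added here as an example and not part of the product documentation. It runs from a KeyControl node (checks TCP/443, 8443 and 2525 to every peer) or from a Policy Agent host (TCP/443 to every node); the hostnames in the usage block are placeholders you replace with your own.

```python
"""Reachability check for the KeyControl port matrix (added example)."""
import socket
import threading

# Intra-cluster TCP ports every KeyControl node must reach on every peer.
CLUSTER_PORTS = {443: "HTTPS / rolling upgrade", 8443: "node-to-node", 2525: "node-to-node"}
# A Policy Agent only needs TCP/443 to each KeyControl node.
AGENT_PORTS = {443: "Policy Agent to KeyControl"}

def plan_checks(role, nodes):
    """Return the (host, port, purpose) tuples a host of this role must be able to reach."""
    ports = CLUSTER_PORTS if role == "keycontrol" else AGENT_PORTS
    return [(host, port, why) for host in nodes for port, why in ports.items()]

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def run_checks(role, nodes):
    """Return the checks that failed; an empty list means the port matrix is satisfied."""
    return [c for c in plan_checks(role, nodes) if not tcp_reachable(c[0], c[1])]

def _accept_once(srv):
    try:
        srv.accept()[0].close()
    except OSError:
        pass

def selftest():
    """Validate tcp_reachable offline: one listening loopback port, then the same port closed."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    threading.Thread(target=_accept_once, args=(srv,), daemon=True).start()
    reachable_while_open = tcp_reachable("127.0.0.1", port, 1.0)
    srv.close()  # nothing listens now, so the second connect must be refused
    return reachable_while_open and not tcp_reachable("127.0.0.1", port, 1.0)

if __name__ == "__main__":
    import sys
    role = sys.argv[1] if len(sys.argv) > 1 else "keycontrol"
    # Constructed placeholder hostnames; replace with the real cluster node names.
    failed = run_checks(role, ["kc-node1.example", "kc-node2.example"])
    for host, port, why in failed:
        print(f"BLOCKED {host}:{port} ({why})")
    sys.exit(1 if failed else 0)
```

Run it as `python check_ports.py keycontrol` on each node and `python check_ports.py agent` on each Policy Agent host before a rolling upgrade; any BLOCKED line is a firewall rule to fix.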
For KeyControl infrastructure services, the following ports need to be open:
- DNS — Outbound UDP/53
- SMTP — Outbound mail server, typically TCP/25
- SYSLOG — An outbound UDP port between 25 and 65535 if you want to use a remote syslog server. KeyControl does not currently support TCP for syslog.
- Backup and Restore via NFS — Inbound TCP and UDP on 111 (portmapper), 2046 (lockd), 2047 (rpc statd), 2048 (rpc mountd), and 2049 (default NFS port)
- NTP — Outbound NTP servers, typically UDP/123 or TCP/123
- Automatic Vitals Reporting — If you enable Automatic Vitals Reporting, KeyControl must be able to send the encrypted Vitals bundle outbound to https://vitals.hytrust.com via TCP/443.
Note: The network ports indicated for SMTP, syslog, and NTP are the typical ports for these services. If you need to change those ports, consult with the administrators of these services.