You’ll need to ensure that hosts can reach the installation and configuration management servers. Usually, this only must be done once per VLAN/Firewall context.
We keep track of which subnets are known to work with Foreman under the Infrastructure -> Subnets | Parameters menu.
Requesting Firewall Rules
Determine your SOURCE
It is a good practice to request rules subnet to subnet rather than for individual hosts. Host IPs often change, and additional hosts are frequently required later.
To determine the CIDR format for your subnet, do the following:
- Login to Infoblox/Hostreg
- Search for an IP address in your subnet (upper right hand corner)
- Just below the navigation tabs at the top of the screen, you will see a trail of “breadcrumbs”. Your CIDR is the entry just before the IP address for which you just searched.
The destination subnets are fixed.
The Foreman/Puppet servers are located in VLAN 2142, so always use
220.127.116.11/23 as your destination network.
Once you’ve filled in the source and destination in the firewall tool, you’ll need to “add” the following three entries.
Puppet uses TCP port 8140 to communicate with its agents, and Foreman needs to deliver configuration information on both the http:// and https:// ports.
| Protocol | Port Range | Business Justification |
| --- | --- | --- |
| TCP | 8140 | Puppet master to agent communication |
| TCP | 80 | Foreman configuration delivery over http:// |
| TCP | 443 | Foreman configuration delivery over https:// |
You can use the following as a template to make your requests via the ComTech Firewall Request Tool
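As an added example (not part of the original page or the firewall request tool), the following POSIX shell helpers validate the source CIDR you pulled from Infoblox, print the three request entries against the fixed destination network, and let a host in the source subnet confirm that those ports are actually reachable once the rules are in place. The justification wording and the probe timeout are assumptions of this example.

```shell
# Fixed destination from this page: Foreman/Puppet servers in VLAN 2142.
FOREMAN_NET="220.127.116.11/23"
# Required entries from this page (tcp/8140 for Puppet, http and https for Foreman);
# the justification text is this example's own wording, not the request tool's.
REQUIRED_PORTS="8140:Puppet agent to master
80:Foreman HTTP
443:Foreman HTTPS"

# Return 0 when $1 looks like a valid IPv4 CIDR (a.b.c.d/0-32), else 1.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  n=0; oldIFS=$IFS; IFS=.
  for o in $ip; do
    case "$o" in ''|*[!0-9]*) IFS=$oldIFS; return 1 ;; esac
    [ "$o" -le 255 ] || { IFS=$oldIFS; return 1; }
    n=$((n + 1))
  done
  IFS=$oldIFS
  [ "$n" -eq 4 ]
}

# Print one request line per required port for the given source subnet.
request_rules() {
  valid_cidr "$1" || { echo "invalid source CIDR: $1" >&2; return 1; }
  while IFS=: read -r port why; do
    printf 'tcp %s -> %s port %s  # %s\n' "$1" "$FOREMAN_NET" "$port" "$why"
  done <<EOF
$REQUIRED_PORTS
EOF
}

# Return 0 if a TCP connect to host $1 port $2 succeeds within $3 seconds (default 3).
tcp_open() {
  timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Probe every required port on one Foreman host; print a line each, return 1 if any failed.
check_foreman_access() {
  rc=0
  while IFS=: read -r port why; do
    if tcp_open "$1" "$port"; then echo "ok   tcp/$port ($why)"
    else echo "FAIL tcp/$port ($why)"; rc=1; fi
  done <<EOF
$REQUIRED_PORTS
EOF
  return "$rc"
}
```

Run `check_foreman_access <foreman-host>` from a host in the newly allowed subnet; a FAIL line on any of the three ports means the corresponding rule has not taken effect.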
Ports for PXE
If you are installing hosts with PXE, you need to ensure that the foreman server, as well as the TFTP hosts holding the boot files, are accessible.
The tftp servers currently reside in VLAN 30, though they are scheduled to move to a firewalled VLAN. Be sure that you don’t have any blocks stopping tftp on
It is extremely rare for a subnet on campus to not be properly configured for PXE booting.
Ports for Foreman “Smart Proxies”
If you are establishing a Foreman “smart proxy” in one of your networks, you
will need to allow
tcp/8443 from our servers in
to your network (destination)
Note that this is in addition to the rules above, and that the source and destination networks are reversed.