Description of problem:
Customer wanted to lock down access between Satellite and CDN (without using an HTTP proxy).
The following is the authoritative document that describes the required access, which got passed on to the infosec firewall team:
(Section 2.5, Table 2.3).
The section is definitely a documentation bug.
It states what is needed is:
cdn.redhat.com 443 (HTTPS)
access.redhat.com 443 (HTTPS)
A second set of instructions can be found in the section detailing setting up access through an HTTP proxy - same document, section 3.4.2, item 3: https://access.redhat.com/documentation/en-us/red_hat_satellite/6.3/html-single/installation_guide/#configuring_satellite_http_proxy
subscription.rhsm.redhat.com 443 (HTTPS)
cdn.redhat.com 443 (HTTPS)
*.akamaiedge.net 443 (HTTPS)
cert-api.access.redhat.com (if using Red Hat Insights) 443 (HTTPS)
api.access.redhat.com (if using Red Hat Insights) 443 (HTTPS)
Note when making the same info available in section 2, the subnote about using Red Hat's CIDR IP addresses should also be carried across, as some customers will refuse to open blanket access to Akamai for sensible security reasons.
A third set of (again, different) instructions can be found in the KB article describing this:
The instructions here read that what needs to be opened is:
subscription.rhn.redhat.com:443 [https] (presumably no longer needed)
subscription.rhsm.redhat.com:443 [https] (This is the new default address in newer versions of RHEL 7)
*.akamaiedge.net:443 [https] OR *.akamaitechnologies.com:443 [https]
Steps to Reproduce:
3 different and inconsistent sets of instructions
1. Consistent information.
2. Fewer sources of truth.
Thank you for raising this bug.
Re. Table 2.3, are you suggesting this change:
Re. the Knowledgebase *solution*. Note that DocsTeam does not maintain the KBase solutions; they are created by GSS but anyone in Red Hat can fix them.
The part "subscription.rhn.redhat.com:443 [https] AND subscription.rhsm.redhat.com:443 [https] " was added by Craig Donnelly. I would not like to remove the AND without asking him why it needs to be there.
In the KBase solution you added " AND subscription.rhsm.redhat.com:443 [https]" after "subscription.rhn.redhat.com:443 [https]".
Is it now safe to remove that rhn URL and just have:
or will older installs of RHEL6 and 5 still try to use rhn URL?
This is fine.
The subscription.rhn url is what will be seen inside RHEL 5 + 6 by default in /etc/rhsm.conf.
In RHEL 7 after a certain point, subscription.rhsm became default.
Both links are currently usable, but subscription.rhsm should be recommended anywhere there is solid documentation around this, and it will work for all versions of RHEL that can use subscription-manager.
Thank you, Craig.
Seems for legacy reasons we cannot remove subscription.rhn.redhat.com from the KBase you linked to in comment 0.
I will copy the paragraph with the link to the list of IP addresses from the "Configuring Satellite Server with HTTP Proxy" section to underneath Table 2.3
 https://access.redhat.com/solutions/65300[How to access Red Hat Subscription Manager (RHSM) through a firewall or proxy]
 https://access.redhat.com/articles/1525183[Public CIDR Lists for Red Hat]
These changes are now live on the customer portal.
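The mismatch discussed in this thread (older RHEL defaulting to subscription.rhn while a firewall list names only subscription.rhsm) can be checked before a lockdown. The following is an added example, not part of the bug report or of Red Hat's documentation. The function names and the sample configuration text are constructed; it assumes the `[server]` `hostname`/`port` and `[rhsm]` `baseurl` keys of rhsm.conf.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample: a client still on the older default hostname.
SAMPLE_RHSM_CONF = """\
[server]
hostname = subscription.rhn.redhat.com
port = 443

[rhsm]
baseurl = https://cdn.redhat.com
"""

# Egress allowlist as listed in the HTTP proxy section quoted in the thread.
ALLOWLIST = [
    ("subscription.rhsm.redhat.com", 443),
    ("cdn.redhat.com", 443),
    ("*.akamaiedge.net", 443),
]

def endpoints_from_rhsm_conf(text):
    """Return the (host, port) pairs the client is configured to contact."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain %(...)s
    cp.read_string(text)
    endpoints = []
    host = cp.get("server", "hostname", fallback="").strip().lower()
    if host:
        endpoints.append((host, cp.getint("server", "port", fallback=443)))
    url = urlsplit(cp.get("rhsm", "baseurl", fallback="").strip())
    if url.hostname:
        default_port = 443 if url.scheme == "https" else 80
        endpoints.append((url.hostname.lower(), url.port or default_port))
    return endpoints

def allowed(host, port, allowlist):
    """Exact match, or '*.' wildcard that only matches real subdomains."""
    for pattern, allowed_port in allowlist:
        if allowed_port != port:
            continue
        pattern = pattern.lower()
        if pattern.startswith("*."):
            if host.endswith(pattern[1:]):  # keeps the leading dot
                return True
        elif host == pattern:
            return True
    return False

def blocked_endpoints(conf_text, allowlist):
    """Configured endpoints that the firewall allowlist would drop."""
    return [ep for ep in endpoints_from_rhsm_conf(conf_text)
            if not allowed(ep[0], ep[1], allowlist)]

if __name__ == "__main__":
    print(blocked_endpoints(SAMPLE_RHSM_CONF, ALLOWLIST))
```
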