Portal-Firewall rules diff from documentation #10

Closed
spitzerr opened this issue Feb 19, 2018 · 3 comments

@spitzerr
Contributor

The firewall rules for Portal seem a little bit messed up according to this documentation:
https://enterprise.arcgis.com/en/portal/latest/administer/linux/ports-used-by-portal-for-arcgis.htm
compared with:

```powershell
$IsMultiMachinePortal = (($AllNodes | Where-Object { $_.Role -icontains 'Portal' } | Measure-Object).Count -gt 1)
if($IsMultiMachinePortal -or ($ConfigData.PortalEndPoint -as [ipaddress]))
{
    xFirewall Portal_FirewallRules
    {
        Name         = "PortalforArcGIS"
        DisplayName  = "Portal for ArcGIS"
        DisplayGroup = "Portal for ArcGIS"
        Ensure       = 'Present'
        Access       = "Allow"
        State        = "Enabled"
        Profile      = ("Domain","Private","Public")
        LocalPort    = ("7080","7443","7654")
        Protocol     = "TCP"
    }
    $Depends += @('[xFirewall]Portal_FirewallRules')
}
else
{ # If single machine, need to open 7443 to allow federation over private portal URL and 6443 for changeServerRole
    xFirewall Portal_FirewallRules
    {
        Name         = "PortalforArcGIS"
        DisplayName  = "Portal for ArcGIS"
        DisplayGroup = "Portal for ArcGIS"
        Ensure       = 'Present'
        Access       = "Allow"
        State        = "Enabled"
        Profile      = ("Domain","Private","Public")
        LocalPort    = ("7443")
        Protocol     = "TCP"
    }
    xFirewall ServerFederation_FirewallRules
    {
        Name         = "ArcGISforServer-Federation"
        DisplayName  = "ArcGIS for Server"
        DisplayGroup = "ArcGIS for Server"
        Ensure       = 'Present'
        Access       = "Allow"
        State        = "Enabled"
        Profile      = ("Domain","Private","Public")
        LocalPort    = ("6443")
        Protocol     = "TCP"
    }
}
if($IsMultiMachinePortal)
{
    xFirewall Portal_Database_OutBound
    {
        Name         = "PortalforArcGIS-Outbound"
        DisplayName  = "Portal for ArcGIS Outbound"
        DisplayGroup = "Portal for ArcGIS Outbound"
        Ensure       = 'Present'
        Access       = "Allow"
        State        = "Enabled"
        Profile      = ("Domain","Private","Public")
        # Elastic Search uses 7120,7220 and Postgres uses 7654 for replication, Hazelcast uses 5701 and 5702 (extra 2 ports for situations where unable to get port)
        RemotePort   = ("7654","7120","7220", "7005", "7099", "7199", "5701", "5702")
        Direction    = "Outbound"
        Protocol     = "TCP"
    }
    $Depends += @('[xFirewall]Portal_Database_OutBound')
    xFirewall Portal_Database_InBound
    {
        Name         = "PortalforArcGIS-Inbound"
        DisplayName  = "Portal for ArcGIS Inbound"
        DisplayGroup = "Portal for ArcGIS Inbound"
        Ensure       = 'Present'
        Access       = "Allow"
        State        = "Enabled"
        Profile      = ("Domain","Private","Public")
        LocalPort    = ("7120","7220", "5701", "5702") # Elastic Search uses 7120,7220, Hazelcast uses 5701 and 5702
        Protocol     = "TCP"
    }
    $Depends += @('[xFirewall]Portal_Database_InBound')
}
```

From my perspective the following things should be reviewed:

  • Open 7080 in the first else branch as well.
  • Don't open 6443 on any part, as it is an ArcGIS Server port and is only necessary if ArcGIS Server is installed on that machine.
  • Port 5703 is missing for HA Portal (IsMultiMachinePortal).
  • According to the documentation, ports 7120, 7220 and 7654 are only local ports (so outbound should be sufficient).

Could you please advise on these findings?
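The findings above boil down to "which TCP ports should this node's Portal rules allow, given its topology?", which is something an operator can check on a live machine rather than only by reading the DSC source. The script below is an added example, not code from this thread or from the arcgis-powershell-dsc project: it derives the expected inbound port set from the two topology facts discussed here (multi-machine Portal or not, ArcGIS Server co-installed or not) and diffs it against the ports actually allowed by the enabled inbound rules in the local Windows Firewall. The expected port lists are an assumption taken from the findings in this issue, not verified against the Esri documentation, and the `Get-ExpectedPortalPorts`, `Get-ActualPortalPorts` and `Compare-PortalFirewall` function names are hypothetical.

```powershell
# Added example (not the project's code): audit local firewall rules against the
# port set this issue says a Portal node of a given topology should expose.
# Expected lists are assumptions taken from the findings above, not from Esri docs.

function Get-ExpectedPortalPorts {
    param(
        [bool]$IsMultiMachinePortal,
        [bool]$ServerInstalled
    )
    # Finding 1: 7080 belongs next to 7443 on a single-machine Portal as well.
    $ports = @('7080', '7443')
    if ($IsMultiMachinePortal) {
        # Finding 3: HA Portal also needs 5703 next to 5701/5702; 7654 for Postgres,
        # 7120/7220 for Elasticsearch.
        $ports += @('7654', '7120', '7220', '5701', '5702', '5703')
    }
    # Finding 2: 6443 is an ArcGIS Server port; only expected when Server is co-installed.
    if ($ServerInstalled) { $ports += '6443' }
    return $ports
}

function Get-ActualPortalPorts {
    # Collect distinct TCP local ports allowed by enabled inbound rules in the
    # display groups the DSC code creates ("Portal for ArcGIS*", "ArcGIS for Server*").
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayGroup -like 'Portal for ArcGIS*' -or $_.DisplayGroup -like 'ArcGIS for Server*' }
    $ports = foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        if ($filter.Protocol -eq 'TCP') { $filter.LocalPort }   # may be a single port or an array
    }
    return @($ports | Where-Object { $_ -and $_ -ne 'Any' } | Sort-Object -Unique)
}

function Compare-PortalFirewall {
    param(
        [bool]$IsMultiMachinePortal,
        [bool]$ServerInstalled
    )
    $expected = Get-ExpectedPortalPorts -IsMultiMachinePortal $IsMultiMachinePortal -ServerInstalled $ServerInstalled
    $actual   = Get-ActualPortalPorts
    [pscustomobject]@{
        Missing    = @($expected | Where-Object { $_ -notin $actual })   # documented but not open (e.g. 5703 on HA)
        Unexpected = @($actual   | Where-Object { $_ -notin $expected }) # open but not documented (e.g. 6443 without Server)
    }
}

# Usage on a single-machine Portal without ArcGIS Server co-installed:
Compare-PortalFirewall -IsMultiMachinePortal $false -ServerInstalled $false | Format-List
```

`Unexpected` is the list a reviewer cares about from a least-privilege standpoint (a port the node has no service listening on but still allows), while `Missing` is what breaks federation or HA replication. Run it from an elevated prompt, since `Get-NetFirewallRule` needs to read the policy store.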

shailesh91 pushed a commit to shailesh91/arcgis-powershell-dsc that referenced this issue Mar 2, 2018
shailesh91 added a commit that referenced this issue Mar 2, 2018
@shailesh91
Contributor

  • Opened 7080 in the first else branch as well.
  • Opening 6443 (ArcGIS Server port) if ArcGIS Server is installed on that machine.
  • Added port 5703 for HA Portal (IsMultiMachinePortal).
  • Port 7654 requires inbound and outbound rules, as PGSQL needs them for a master-slave relationship.
  • Still evaluating the permissions required on ports 7120, 7220.

@spitzerr
Contributor Author

@shailesh91 Did you get around to this:

> Still evaluating the permissions required on ports 7120, 7220.

@shailesh91
Contributor

@spitzerr For now, we are opening both inbound and outbound ports for 7120 and 7220 in case of HA Portal.
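Put together, the thread settles on a per-topology rule set: 7080 and 7443 on every Portal node, 6443 only when ArcGIS Server is installed on the same machine, and for HA Portal the inbound and outbound database/Elasticsearch/Hazelcast ports including 5703, with 7654, 7120 and 7220 allowed in both directions. The configuration below is an added example, not code from this thread or from the arcgis-powershell-dsc project; it shows one way to express that decision as a DSC configuration whose port lists are computed from two explicit parameters instead of being spread across nested if/else branches. It reuses the `xFirewall` property names the quoted code uses (`Access`, `State`); the `PortalFirewall` configuration name, its `IsMultiMachinePortal` and `ServerInstalled` parameters, and the exact port lists are assumptions taken from this thread rather than from the Esri documentation.

```powershell
# Added example (not the project's code): Portal firewall rules derived from topology.
# Port lists and parameter names are assumptions taken from this issue thread.
Configuration PortalFirewall
{
    param(
        [Parameter(Mandatory)] [bool] $IsMultiMachinePortal,   # more than one Portal node
        [Parameter(Mandatory)] [bool] $ServerInstalled         # ArcGIS Server on this machine
    )
    Import-DscResource -ModuleName xNetworking   # xFirewall comes from xNetworking, as in the quoted code

    # Every Portal node: web ports only. 6443 is added solely for a co-installed ArcGIS Server.
    $inbound = @('7080', '7443')
    if ($ServerInstalled) { $inbound += '6443' }

    # HA Portal: Postgres (7654), Elasticsearch (7120/7220) and Hazelcast (5701-5703)
    # inbound; outbound also covers the remaining ports the quoted code lists.
    $haInbound  = @('7654', '7120', '7220', '5701', '5702', '5703')
    $haOutbound = $haInbound + @('7005', '7099', '7199')

    Node localhost
    {
        xFirewall Portal_Web_Inbound
        {
            Name         = 'PortalforArcGIS'
            DisplayName  = 'Portal for ArcGIS'
            DisplayGroup = 'Portal for ArcGIS'
            Ensure       = 'Present'
            Access       = 'Allow'
            State        = 'Enabled'
            Profile      = ('Domain', 'Private', 'Public')
            Direction    = 'Inbound'
            LocalPort    = $inbound
            Protocol     = 'TCP'
        }

        if ($IsMultiMachinePortal)
        {
            xFirewall Portal_HA_Inbound
            {
                Name         = 'PortalforArcGIS-Inbound'
                DisplayName  = 'Portal for ArcGIS Inbound'
                DisplayGroup = 'Portal for ArcGIS Inbound'
                Ensure       = 'Present'
                Access       = 'Allow'
                State        = 'Enabled'
                Profile      = ('Domain', 'Private', 'Public')
                Direction    = 'Inbound'
                LocalPort    = $haInbound
                Protocol     = 'TCP'
            }
            xFirewall Portal_HA_Outbound
            {
                Name         = 'PortalforArcGIS-Outbound'
                DisplayName  = 'Portal for ArcGIS Outbound'
                DisplayGroup = 'Portal for ArcGIS Outbound'
                Ensure       = 'Present'
                Access       = 'Allow'
                State        = 'Enabled'
                Profile      = ('Domain', 'Private', 'Public')
                Direction    = 'Outbound'
                RemotePort   = $haOutbound
                Protocol     = 'TCP'
            }
        }
    }
}

# Usage: compile a MOF for a single-machine Portal with no co-installed Server,
# so 6443 is never opened and the HA rules are not emitted at all.
PortalFirewall -IsMultiMachinePortal $false -ServerInstalled $false -OutputPath .\PortalFirewall
```

Keeping the rule for 6443 behind an explicit `$ServerInstalled` flag, rather than inside the single-machine else branch, is what closes the gap spitzerr raised: a Portal-only node never gets a Server port opened as a side effect of its topology.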
