Network Configuration
The opsi server is compatible with both IPv4 and IPv6 protocols.
The server typically operates with a dual-stack configuration, meaning it uses IPv4 and IPv6 addresses/routes simultaneously within the network. This dual capability facilitates communication between devices and services that support both IPv4 and IPv6.
Used Protocols and Ports
The opsi server requires internet access through HTTP and HTTPS, particularly for accessing package repositories of the underlying Linux distribution (such as https://download.opensuse.org/) and the opsi packages (https://opsipackages.43.opsi.org/), as well as for accessing Grafana addons and similar services.
If you are using a proxy server, please refer to the section Proxy Configuration for more information.
The opsi server and its services also rely on the following network protocols and ports:
- 53/tcp+udp: For DNS queries.
- 4447/tcp: Used for accessing the opsi config server and the opsi package sources of the depot server.
- 445/tcp or 22/tcp: Different protocols and ports for deploying the opsi-deploy-client-agent, depending on the client’s operating system. Windows clients need access via the CIFS protocol (445/tcp), while Linux and macOS clients require SSH access (22/tcp).
- 4441/tcp: Depending on the HostControl configuration (refer to section The hostcontrol.conf File), the opsi server communicates with the client agent over 4441/tcp.
- 4447/tcp: This is the standard port for the central opsi service opsiconfd (see chapter opsiconfd Service). All clients, depot servers, and admin devices need access to this port.
- 445/tcp: For accessing the opsi depot server via Samba/CIFS (refer to chapter Samba). This is not required if the depot server is accessed via WebDAV.
For Netboot services using TFTP, access to additional ports is necessary (see chapter TFTP Server). Additionally, to enable SSH access to the opsi server, incoming connections on 22/tcp must be permitted.
Proxy Configuration
If you need to access the internet through an HTTP proxy, it’s recommended to set the proxy settings at a system-wide level using environment variables. These should be entered into the /etc/environment file.
Keep in mind that the names of these environment variables consist only of lowercase letters.
- http_proxy: Configures the proxy for HTTP connections. It requires the full URL, including credentials if authentication is needed:
  http_proxy=http://<user>:<password>@<proxy-address>:<port>
- https_proxy: Similar to http_proxy but for HTTPS connections:
  https_proxy=https://<proxy-address>:<port>
- no_proxy: Lists addresses that should bypass the proxy. Use commas to separate multiple addresses:
  no_proxy=127.0.0.1,localhost,mydomain.example,hostname.domain.com:8080
  Remember these rules for addresses:
  - Only use lowercase letters.
  - Include IP addresses only for direct access via IPs, as no name resolution occurs for exceptions.
  - CIDR notation for IP address ranges (like 192.168.0.0/24) is not supported.
  - Always include exceptions for localhost and 127.0.0.1.
  - Wildcards and regular expressions are not supported.
  - Treat each name as a suffix, so domain.com applies to all hostnames ending in domain.com.
  - Optionally, add a specific port after a colon for each address to confine the exception to that port.
Here’s an example for setting up the /etc/environment file:
http_proxy=http://10.1.1.1:8080
https_proxy=https://10.1.1.1:8080
no_proxy=127.0.0.1,localhost,company.tld
To apply the changes to the currently running shell, execute the following commands:
set -a; source /etc/environment; set +a
For SUSE distributions, the NO_PROXY parameter in the /etc/sysconfig/proxy file needs to be adjusted. Set NO_PROXY=127.0.0.1,localhost,company.tld as appropriate.
If access to opsiconfd is routed through a proxy, the service requests will appear to originate from the IP address of the proxy. As a result, all functionalities that rely on the client’s IP address, such as networks, admin-networks, update-ip, or max-session-per-ip, might not operate correctly. To address this, you can define trusted proxy addresses using the trusted-proxies parameter. When a connection comes from a trusted proxy, the server will look at the X-Forwarded-For header to ascertain the real IP address of the client.
Example:
admin-networks=[192.168.10.0/24]
trusted-proxies=[192.178.16.27]
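The header handling described above, modelled as an added example (not opsiconfd's own code) using the values from the example configuration. The function names and the right-to-left reading of X-Forwarded-For are assumptions of this sketch:

```python
import ipaddress

# Values from the page's example configuration.
ADMIN_NETWORKS = [ipaddress.ip_network("192.168.10.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.178.16.27/32")]


def _in_any(addr, networks):
    """True if addr lies in at least one of the given networks."""
    return any(addr in net for net in networks)


def resolve_client_ip(peer_ip, x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Return the address that IP-based checks should use (hypothetical helper).

    The header is consulted only when the TCP peer is a trusted proxy.
    Assumption: hops are read right to left, and the first hop that is not
    itself a trusted proxy is taken as the client address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not x_forwarded_for or not _in_any(peer, trusted_proxies):
        return peer  # a header sent by an untrusted peer is ignored
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if not _in_any(addr, trusted_proxies):
            return addr
    return peer  # the header listed only trusted proxies


def is_admin_allowed(peer_ip, x_forwarded_for=None):
    """Apply the admin-networks check to the resolved client address."""
    return _in_any(resolve_client_ip(peer_ip, x_forwarded_for), ADMIN_NETWORKS)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header)
    for peer, xff in [("192.168.10.5", None),
                      ("192.178.16.27", "192.168.10.5"),
                      ("10.0.0.9", "192.168.10.5"),
                      ("192.178.16.27", "192.168.10.5, 10.0.0.9")]:
        print(peer, repr(xff), "->", resolve_client_ip(peer, xff),
              "admin" if is_admin_allowed(peer, xff) else "denied")
```

Any host listed in trusted-proxies can assert an arbitrary client address, so the list should contain only the addresses of the proxies themselves.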