SUSE Support

Here When You Need Us

Accessing SUSE Customer Center and SUSE registry behind a firewall and/or through a proxy

This document (000021034) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server

Situation

Network traffic is restricted by Firewall and/or Proxy.
These rules prevent access to SUSE Customer Center/SCC (for registration or access via browser) or SUSE registry - registry.suse.com - (to download container images).

Resolution


Domain/Host Name Allowlisting

* The firewall needs to allow connections to the following domains (for both ports: 80 and 443):

system registration

scc.suse.com:<port>, updates.suse.com:<port>, installer-updates.suse.com:<port>

website access

scc.suse.com:<port>, customer-uploads.suse.com:<port>, static.scc.suse.com:<port>

container image downloads

scc.suse.com:<port>, registry.suse.com:<port>, registry-storage.suse.com:<port>, registry.rancher.com:<port>



IP Address Allowlisting

* If IP address whitelisting is needed, the current list of IPs for updates.suse.com installer-updates.suse.com is:

North America

152.199.5.130

Europe

152.199.22.115

Asia

152.199.40.103

Mainland China

154.55.117.6, 154.55.117.8



* The current list of IPs for scc.suse.com and registry.suse.com are: 

99.83.188.102

75.2.43.231



* Static assets and support case attachments are served via AWS CloudFront.
CloudFront IP addresses may change over time. 
The current list of possible IP addresses can be obtained as follows:

- CloudFront (customer-uploads.suse.com, registry-storage.suse.com, static.scc.suse.com)

$ curl https://ip-ranges.amazonaws.com/ip-ranges.json -o ip-ranges.json

$ jq -r '.prefixes[] | select(.service=="CLOUDFRONT") | .ip_prefix' < ip-ranges.json | sort


For reference, AWS (Amazon Web Services) publishes its current IP address ranges in JSON format. To view the current ranges, download the .json file at: AWS IP address ranges  (https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html)



Proxy Setup

* A Proxy needs to allow for the "Authorization" and "System-Token" headers to be passed to the SUSE Customer Center.
Whether a proxy is filtering these headers can be checked with:

$ curl -X POST -H "Authorization: Basic dXNlcjpwYXNzd29yZA==" -H "System-Token: testtoken" https://scc.suse.com/debug/reflect

The output of the command should contain the values for HTTP_AUTHORIZATION and HTTP_SYSTEM_TOKEN that were provided in the command.


* Verify the proxy doesn't break the certification or a certificate wasn't installed correctly

$ openssl s_client -connect scc.suse.com:443 -showcerts -servername scc.suse.com

This should return "CONNECTED" and a successful SSL handshake. If it doesn't, the SUSE Knowledge Base article "How to verify openssl certification chain" can be used to check and debug the certificate status.
 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000021034
  • Creation Date: 04-Apr-2023
  • Modified Date:26-Jul-2024
    • SUSE Linux Enterprise Server

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

tick icon

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

tick icon

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.

tick icon

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.