hi,

On Mon, Dec 20, 2021 at 8:36 AM Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi,

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#prereq-ports
states a list of required ports but is a little vague.

Besides NTP and DNS which ports are really essential to be open? And in
which direction? TCP/UDP?

- on an IPA server (all of the listed ports in both directions?)

take a look at table 2.1 on the document you link to. If you do not run dns or ntp, you do not need to open those ports obviously.  The basic functionality is ldap (389/636 tcp) and kerberos (88/464 udp/tcp). Plus the api which requires 80/443 tcp. DNS and ntp can be run on other hosts but it makes it harder really.

- on an IPA client

The default firewalld configuration allows outgoing traffic, so if you use the default firewalld setting you need to do nothing.
If you use third party firewalls between your segregated subnets, you need to allow that traffic in there as well, make sure you can reach those ports from the clients to the servers.

--
regards,
natxo
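As an added example (not code from the thread or from FreeIPA), here is a small client-side probe for the ports listed in the reply above, so you can confirm from a client that the firewalls in between actually pass LDAP 389/636 TCP, Kerberos 88/464 and the web API 80/443 before running ipa-client-install. The `check_server` helper and the `ipa.example.test` hostname are assumptions for the example.

```python
import socket
from typing import Dict, List, Optional, Tuple

PortTable = Dict[str, List[Tuple[int, str]]]
# Ports exactly as listed in the reply above: LDAP 389/636 TCP, Kerberos 88/464
# TCP and UDP, web UI/API 80/443 TCP. DNS/NTP only if the IPA server runs them.
CORE_PORTS: PortTable = {
    "ldap": [(389, "tcp"), (636, "tcp")],
    "kerberos": [(88, "tcp"), (88, "udp"), (464, "tcp"), (464, "udp")],
    "api": [(80, "tcp"), (443, "tcp")],
}
OPTIONAL_PORTS: PortTable = {"dns": [(53, "tcp"), (53, "udp")], "ntp": [(123, "udp")]}


def tcp_reachable(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable, name lookup failure
        return False


def check_server(host: str, extra: Tuple[str, ...] = (), timeout: float = 2.0,
                 ports: Optional[PortTable] = None) -> Dict[Tuple[int, str], str]:
    """Probe each client->server port; returns {(port, proto): open|closed|untested}.
    A bare UDP socket cannot distinguish an open port from a filtered one, so
    UDP entries (Kerberos, DNS, NTP) come back 'untested': confirm those with
    the real client tools (kinit, dig, chronyc) instead.
    """
    table = dict(CORE_PORTS if ports is None else ports)
    for name in extra:
        table[name] = OPTIONAL_PORTS[name]
    report = {}
    for entries in table.values():
        for port, proto in entries:
            if proto == "udp":
                report[(port, proto)] = "untested"
            else:
                report[(port, proto)] = "open" if tcp_reachable(host, port, timeout) else "closed"
    return report


def still_blocked(report: Dict[Tuple[int, str], str]) -> List[Tuple[int, str]]:
    """TCP ports the firewall(s) between client and server must still allow."""
    return sorted(k for k, v in report.items() if v == "closed")


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ipa.example.test"  # placeholder name
    for (port, proto), status in sorted(check_server(host, extra=("dns",)).items()):
        print(f"{port}/{proto}: {status}")
```

Run it on the client with the IPA server's hostname as the argument; anything reported as closed is what the intermediate firewall still has to permit in the client-to-server direction.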