- Feature Request
- Resolution: Unresolved
- Normal
- None
- 6.13.z, 6.14.z, 6.15.z, 6.16.z
Problem Statement
The Global Registration process for registering a system through an external Capsule server cannot be completed with access to only port 443 of the Capsule server. The process forces the end user to also open connectivity toward port 9090 of the Capsule server in order to register.
User Experience & Workflow
If we only talk about subscription-manager, it can register a system with Satellite through an external Capsule over port 443 alone. No additional ports are required.
Those who want to use OpenSCAP would be the only consumers who also need to open port 9090 traffic from Hosts -> Capsules.
When the Global Registration process was introduced, it required the execution of a curl command to fetch a script, generated from a template in Satellite, which eventually does the registration plus some post-registration work.
For Satellites, it works fine, but for external Capsules, the curl command cannot be used over port 443. It has to be invoked via port 9090 of the Capsule to fetch the templates from the Satellite and then do the needful. But this created a hard requirement for end users to have communication open toward port 443 as well as port 9090 of the Capsule.
If the end user is not concerned about OpenSCAP and just wants to use Satellite and Capsule for OS patching, the open connection to port 9090 becomes a liability for them, specifically when it is only used one time during the registration.
Requirements
End users should not need to open connectivity to any port on the Capsule other than 443 if the sole purpose is registration and OS patching.
Business Impact
As explained above
- is related to
  - SAT-14987 Host provisioning should rely only on port 443
- Backlog