http://technet.microsoft.com/en-us/library/bb632618.aspx
Updated: January 1, 2012
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Microsoft System Center Configuration Manager 2007 is a distributed client/server system. The distributed nature of Configuration Manager 2007 means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not configurable, and some use ports that can be customized. You must verify that the required ports are available if you use any port filtering technology such as firewalls, routers, proxy servers, and IPsec.
Note
To plan your firewall configuration, if you are supporting Internet-based clients, use the following port information together with the information in Supported Scenarios for Internet-Based Client Management. In addition to port requirements, if you have Internet-based clients, you must also allow certain HTTP verbs and headers to traverse your firewall. For more information, see Prerequisites for Internet-Based Client Management.
Configurable Ports
Configuration Manager 2007 allows you to configure the ports for the following types of communication:
Client to site system
Client to Internet (as proxy server settings)
Software update point to Internet (as proxy server settings)
Software update point to WSUS server
Client to reporting point
By default, the HTTP port used for client to site system communication is port 80, and the default HTTPS port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during Setup or in the Site Properties for your Configuration Manager site. Reporting point site system roles have configurable port settings for HTTP and HTTPS communication defined on the reporting point site system role property page. By default, users connect to the reporting point using the HTTP port 80 and HTTPS port 443. These ports are defined during installation only. To redefine the reporting point communication port, the reporting point site system must be deleted and then reinstalled.
Non-Configurable Ports
Configuration Manager does not allow you to configure ports for the following types of communication:
Site to site (primary-to-primary or primary-to-secondary)
Site server to site system
Site server to site database server
Site system to site database server
Configuration Manager 2007 console to SMS Provider
Configuration Manager 2007 console to the Internet
Port Details
The port listings that follow are used by Configuration Manager 2007 and do not include information for standard Windows services, such as Group Policy settings for Active Directory and Kerberos authentication. For information about Windows Server services and ports, see http://go.microsoft.com/fwlink/?LinkID=123652.
The following diagram indicates connections between Configuration Manager 2007 computers. The number for the link corresponds to the table that lists the ports for that link. The arrows between the computers represent the direction of the communication.
-- > indicates one computer initiates and the other computer always responds
< -- > indicates that either computer can initiate
1 of 14
3/19/2012 2:33 PM
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
Point to Point Tunneling Protocol (PPTP)      --     1723 (See note 3, RAS Sender)
Description                                   UDP    TCP
Lightweight Directory Access Protocol (LDAP)  --     389
LDAP (Secure Sockets Layer [SSL] connection)  636    636
Global Catalog LDAP                           --     3268
Global Catalog LDAP SSL                       --     3269
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
Hypertext Transfer Protocol (HTTP)            --     80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS)    --     443 or 8531 (See note 4, Windows Server Update Services)
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 (See note 1, Proxy Server port)
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS)    --     443 or 8531 (See note 4, Windows Server Update Services)
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS)    --     443 (See note 2, Alternate Port Available)
Server Message Block (SMB)                    --     445
Description                                   UDP                                            TCP
Dynamic Host Configuration Protocol (DHCP)    67 and 68                                      --
Trivial File Transfer Protocol (TFTP)         69 (See note 5, Trivial FTP (TFTP) Daemon)     --
Boot Information Negotiation Layer (BINL)     4011                                           --
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 (See note 2, Alternate Port Available)
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
Description                                   UDP            TCP
Hypertext Transfer Protocol (HTTP)            --             80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS)    --             (value not recovered)
Server Message Block (SMB)                    --             (value not recovered)
Multicast Protocol                            63000-64000    (value not recovered)
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS)    --     443 (See note 2, Alternate Port Available)
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 (See note 2, Alternate Port Available)
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS)    --     443 (See note 2, Alternate Port Available)
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
Description                                   UDP    TCP
SQL over TCP                                  --     1433
Description                                   UDP    TCP
SQL over TCP                                  --     1433
Description                                   UDP    TCP
SQL over TCP                                  --     1433
24. Reporting Point -- > SQL Server / Reporting Services Point -- > SQL Server
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is applicable to Configuration Manager 2007 R2 only.
Description                                   UDP    TCP
SQL over TCP                                  --     1433
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS)    --     443 (See note 2, Alternate Port Available)
Description                                   UDP    TCP
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80
Description                                   UDP    TCP
SQL over TCP                                  --     1433
Description                                   UDP    TCP
Lightweight Directory Access Protocol (LDAP)  --     389
LDAP (Secure Sockets Layer [SSL] connection)  636    636
Global Catalog LDAP                           --     3268
Global Catalog LDAP SSL                       --     3269
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
30. Site Server -- > Reporting Point / Site Server -- > Reporting Services Point
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is in Configuration Manager 2007 R2 only.
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
Description                                                      UDP    TCP
RPC (initial connection to WMI to locate provider system)        --     135
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS)    --     443 or 8531 (See note 4, Windows Server Update Services)
Description                                   UDP    TCP
Remote Control (control)                      2701   2701
Remote Control (data)                         2702   2702
Remote Control (RPC Endpoint Mapper)          --     135
Remote Assistance (RDP and RTC)               --     3389
Description                                   UDP                                         TCP
Wake on LAN                                   9 (See note 2, Alternate Port Available)    --
Description                                   UDP    TCP
Global Catalog LDAP                           --     3268
Global Catalog LDAP SSL                       --     3269
Description                                   UDP    TCP
SQL over TCP                                  --     1433
39. Site Server < -- > Asset Intelligence Synchronization Point (Configuration Manager 2007 SP1)
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
40. Asset Intelligence Synchronization Point < -- > System Center Online (Configuration Manager 2007 SP1)
Description                                   UDP    TCP
Secure Hypertext Transfer Protocol (HTTPS)    --     443
41. Multicast Distribution Point -- > SQL Server (Configuration Manager 2007 R2)
Description                                   UDP    TCP
SQL over TCP                                  --     1433
42. Client status reporting host --> Client (Configuration Manager 2007 R2)
Description                                   UDP    TCP
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
(description not recovered)                   n/a    n/a
43. Client status reporting host --> Management Point (Configuration Manager 2007 R2)
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
NetBIOS Session Service                       --     139
44. Client status reporting host --> SQL Server (Configuration Manager 2007 R2)
Description                                   UDP    TCP
SQL over TCP                                  --     1433
45. Site Server < -- > Reporting Services Point (Configuration Manager 2007 R2)
(See note 6, Communication between the site server and site systems)
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
46. Configuration Manager Console -- > Reporting Services Point (Configuration Manager 2007 R2)
Description                                   UDP    TCP
Hypertext Transfer Protocol (HTTP)            --     80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS)    --     443 (See note 2, Alternate Port Available)
47. Reporting Services Point -- > SQL Server (Configuration Manager 2007 R2)
Description                                   UDP    TCP
SQL over TCP                                  --     1433
Notes
1 Proxy Server port
This port cannot be configured but can be routed through a configured proxy server.
2 Alternate Port Available
An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls.
3 RAS Sender
Configuration Manager 2007 can also use the RAS Sender with Point to Point Tunneling Protocol (PPTP) to send and receive Configuration Manager 2007 site, client, and administrative information through a firewall. Under these circumstances, the PPTP TCP 1723 port is used.
4 Windows Server Update Services
WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530). After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is anything else, the HTTPS port must be 1 higher, for example, 8530 and 8531.
5 Trivial FTP (TFTP) Daemon
The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs:
RFC 1350: TFTP
RFC 2347: Option extension
RFC 2348: Block size option
RFC 2349: Time-out interval, and transfer size options
Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69.
6 Communication between the site server and site systems
By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send back status information. Reporting points and distribution points do not send back status information. If you select Allow only site server initiated data transfers from this site system on the site system properties, the site system will never initiate communication back to the site server.
7 Ports used by distribution points for application virtualization streaming
A distribution point enabled to support application virtualization can be configured to use either HTTP or HTTPS. This feature is available in Configuration Manager 2007 R2 only.
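The following helper turns a few of the link tables above, together with notes 2 and 4, into a firewall rule list: it derives the WSUS HTTPS port from the HTTP port (note 4), substitutes custom ports where note 2 allows one, and flags RPC DYNAMIC entries that still need an rpccfg.exe range or IPsec. It is an added example written for this page, not Microsoft's tooling; the link names, role labels and the custom-port mapping are constructed.

```python
"""Constructed firewall-rule helper for the Configuration Manager 2007 port tables (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str          # "initiator -> responder" label (constructed, mirrors the numbered links)
    proto: str         # "TCP" or "UDP"
    port: str          # port, range, or "DYNAMIC" exactly as the tables list it
    alternate: bool = False   # note 2: an alternate port can be defined in Configuration Manager


def wsus_ports(http_port: int) -> tuple[int, int]:
    """Note 4: WSUS on HTTP port 80 must use HTTPS 443; any other HTTP port uses HTTP port + 1."""
    if not 1 <= http_port <= 65535:
        raise ValueError("HTTP port out of range")
    https_port = 443 if http_port == 80 else http_port + 1
    if https_port > 65535:
        raise ValueError("HTTPS port (HTTP port + 1) would exceed 65535")
    return http_port, https_port


def wsus_links(http_port: int) -> list[Link]:
    """Software update point -> WSUS server rows, derived from the configured HTTP port."""
    http_p, https_p = wsus_ports(http_port)
    return [Link("Software Update Point -> WSUS Server", "TCP", str(http_p)),
            Link("Software Update Point -> WSUS Server", "TCP", str(https_p))]


# Constructed subset of the tables above (client -> management point, site server -> distribution
# point, wake on LAN). Ports are the defaults the tables list.
LINKS = [
    Link("Client -> Management Point", "TCP", "80", alternate=True),
    Link("Client -> Management Point", "TCP", "443", alternate=True),
    Link("Site Server -> Distribution Point", "TCP", "445"),
    Link("Site Server -> Distribution Point", "UDP", "135"),
    Link("Site Server -> Distribution Point", "TCP", "135"),
    Link("Site Server -> Distribution Point", "TCP", "DYNAMIC"),
    Link("Site Server -> Client (Wake on LAN)", "UDP", "9", alternate=True),
]


def firewall_rules(links, custom_ports=None, rpc_range=None):
    """Return (link, proto, port) rules.

    custom_ports maps a default port to the custom port defined in Configuration Manager and is
    applied only to rows marked with note 2. rpc_range is the (low, high) range restricted with
    rpccfg.exe; without it, DYNAMIC rows are flagged rather than silently widened."""
    custom_ports = custom_ports or {}
    rules = []
    for link in links:
        port = link.port
        if link.alternate and port in custom_ports:
            port = custom_ports[port]
        elif port == "DYNAMIC":
            port = (f"{rpc_range[0]}-{rpc_range[1]}" if rpc_range
                    else "DYNAMIC (restrict with rpccfg.exe or protect with IPsec)")
        rules.append((link.name, link.proto, port))
    return rules
```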
Description                                   UDP    TCP
RPC Endpoint Mapping                          --     135
Name resolution                               137    --
Messaging                                     138    --
Client Sessions                               --     139
Description                                   UDP    TCP
Server Message Block (SMB)                    --     445
RPC Endpoint Mapper                           135    135
RPC                                           --     DYNAMIC
B. AMT Management Controller --> Out of Band Service Point
Description                                                    UDP    TCP
Provisioning out of band (not applicable to in-band provisioning)   --     9971 (configurable)
C. Out of Band Service Point --> AMT Management Controller
Description                                   UDP    TCP
Discovery                                     --     16992
Power control, provisioning, and discovery    --     16993
Description                                   UDP    TCP
General management tasks                      --     16993
Serial over LAN and IDE redirection           --     16995
Description                                   UDP          TCP
Domain Name System (DNS)                      53           53
Dynamic Host Configuration Protocol (DHCP)    67 and 68    --
NetBIOS Name Resolution                       137          --
NetBIOS Datagram Service                      138          --
NetBIOS Session Service                       --           139
Note
TCP/IP is required for network communications to allow Kerberos authentication. Named pipes communication is not required for Configuration Manager 2007 site database operations and should be used only to troubleshoot Kerberos authentication issues. The default instance of SQL Server uses TCP port 1433 for network communications. When you use a named instance, the port number is dynamically assigned. Configuration Manager does not support manually changing or defining the port number for either the default instance or named instances of SQL Server. We do not recommend that you enable UDP ports 137 and 138 for NetBIOS name resolution by using B-node broadcasts. Instead, you can use a WINS server or an LMHOSTS file for name resolution.
Distribution points do not install until the first package is targeted to them. Package installations on distribution points require the following RPC ports:
Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135.
Site server --> distribution point: RPC dynamic TCP ports.
Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see http://go.microsoft.com/fwlink/?LinkId=124096.
Important
Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have specified a site system installation account if the site system is in a different Active Directory forest without a trust relationship. For more information, see How to Configure the Site System Installation Account.
See Also
Concepts
Windows Firewall Settings for Configuration Manager Clients
Other Resources
Technical Reference for Configuration Manager Security
For additional information, see Configuration Manager 2007 Information and Support. To contact the documentation team, email SMSdocs@microsoft.com.
Community Content
Please add additional protocol for DNS
Within the section "Ports used by Windows Server", only the UDP protocol is listed for DNS. If the DNS string becomes larger, it switches over to TCP. So TCP protocol must also be allowed with port 53 to communicate with DNS. It caused us one day of searching after closing down the firewall using the information in this article.
10/10/2011 IngridG
Port calculator
It would be great if there could be a "port calculator" - a spreadsheet into which you could add your server names, IP addresses and roles, and then it fires out a list of all the ports you'd need to open which you could then pass on to the security team so they open them. Also, not sure what difference there would be in the ports for a "Management Server" and "Proxy Management Server" which isn't mentioned here.
11/13/2009 Donec