Ports Used by Configuration

Ports Used by Configuration Manager
http://technet.microsoft.com/en-us/library/bb632618.aspx

57 out of 64 rated this helpful Rate this topic
Updated: January 1, 2012 Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2 Microsoft System Center Configuration Manager 2007 is a distributed client/server system. The distributed nature of Configuration Manager 2007 means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not configurable, and some use ports that can be customized. You must verify that the required ports are available if you use any port filtering technology such as firewalls, routers, proxy servers, and IPsec.
Note
To plan your firewall configuration, if you are supporting Internet-based clients, use the following port information together with the information in Supported Scenarios for Internet-Based Client Management. In addition to port requirements, if you have Internet-based clients, you must also allow certain HTTP verbs and headers to traverse your firewall. For more information, see Prerequisites for Internet-Based Client Management.
Configurable Ports
Configuration Manager 2007 allows you to configure the ports for the following types of communication: Client to site system Client to Internet (as proxy server settings) Software update point to Internet (as proxy server settings) Software update point to WSUS server Client to reporting point
By default, the HTTP port used for client to site system communication is port 80, and the default HTTPS port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during Setup or in the Site Properties for your Configuration Manager site. Reporting point site system roles have configurable port settings for HTTP and HTTPS communication defined on the reporting point site system role property page. By default, users connect to the reporting point using the HTTP port 80 and HTTPS port 443. These ports are defined during installation only. To redefine the reporting point communication port, the reporting point site system must be deleted and then reinstalled.
Non-Configurable Ports
Configuration Manager does not allow you to configure ports for the following types of communication: Site to site (primary-to-primary or primary-to-secondary) Site server to site system Site server to site database server Site system to site database server Configuration Manager 2007 console to SMS Provider Configuration Manager 2007 console to the Internet
Port Details
The port listings that follow are used by Configuration Manager 2007 and do not include information for standard Windows services, such as Group Policy settings for Active Directory and Kerberos authentication. For information about Windows Server services and ports, see http://go.microsoft.com/fwlink/?LinkID=123652. The following diagram indicates connections between Configuration Manager 2007 computers. The number for the link corresponds to the table that lists the ports for that link. The arrows between the computers represent the direction of the communication. -- > indicates one computer initiates and the other computer always responds < -- > indicates that either computer can initiate
1 of 14
3/19/2012 2:33 PM
1. Site Server < -- > Site Server
Description
Server Message Block (SMB) Point to Point Tunneling Protocol (PPTP)
UDP
---
TCP
445 1723 (See note 3, RAS Sender)
2. Primary Site Server -- > Domain Controller
Description
Lightweight Directory Access Protocol (LDAP) LDAP (Secure Sockets Layer [SSL] connection) Global Catalog LDAP Global Catalog LDAP SSL RPC Endpoint Mapper RPC
UDP
-636 --135 --
TCP
389 636 3268 3269 135 DYNAMIC
3. Site Server < -- > Software Update Point

(See note 6, Communication between the site server and site systems)
2 of 14
3/19/2012 2:33 PM
Description
Server Message Block (SMB) Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)
UDP
----
TCP
445 80 or 8530 (See note 4, Windows Server Update Services) 443 or 8531 (See note 4, Windows Server Update Services)
4. Software Update Point -- > Internet
Description
Hypertext Transfer Protocol (HTTP)
UDP
--
TCP
80 (See note 1, Proxy Server port)
5. Site Server < -- > State Migration Point

Description
Server Message Block (SMB) RPC Endpoint Mapper
UDP
-135
TCP
445 135
6. Client -- > Software Update Point
Description
Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS)
UDP
---
TCP
80 or 8530 (See note 4, Windows Server Update Services) 443 or 8531 (See note 4, Windows Server Update Services)
7. Client -- > State Migration Point
Description
Hypertext Transfer Protocol (HTTP) Secure Hypertext Transfer Protocol (HTTPS) Server Message Block (SMB)
UDP
----
TCP
80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available) 445
8. Client -- > PXE Service Point
Description
Dynamic Host Configuration Protocol (DHCP) Trivial File Transfer Protocol (TFTP) Boot Information Negotiation Layer (BINL)
UDP
67 and 68 69 (See note 5, Trivial FTP (TFTP) Daemon) 4011
TCP
----
9. Site Server < -- > PXE Service Point

3 of 14
3/19/2012 2:33 PM
Description
Server Message Block (SMB) RPC Endpoint Mapper RPC
UDP
-135 --
TCP
445 135 DYNAMIC
10. Site Server < -- > System Health Validator

Description
UDP
-135 --
TCP
445 135 DYNAMIC
11. Client -- > System Health Validator

The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation. For help with configuring firewalls for IPsec, see http://go.microsoft.com/fwlink /?LinkId=109499.
12. Site Server < -- > Fallback Status Point

Description
UDP
-135 --
TCP
445 135 DYNAMIC
13. Client -- > Fallback Status Point
Description
UDP
--
TCP
80 (See note 2, Alternate Port Available)
14. Site Server -- > Distribution Point
Description
UDP
-135 --
TCP
445 135 DYNAMIC
15. Client -- > Distribution Point
Description
UDP
--
TCP
4 of 14
3/19/2012 2:33 PM
Secure Hypertext Transfer Protocol (HTTPS) Server Message Block (SMB) Multicast Protocol
--63000-64000
443 (See note 2, Alternate Port Available) 445 --
16. Client -- > Branch Distribution Point
Description
Server Message Block (SMB)
UDP
--
TCP
445
17. Client -- > Management Point
Description
UDP
---
TCP
80 (See note 2, Alternate Port Available) 443 (See note 2, Alternate Port Available)
18. Client -- > Server Locator Point
Description
UDP
--
TCP
19. Branch Distribution Point -- > Distribution Point
Description
UDP
---
TCP
20. Site Server -- > Provider
Description
UDP
-135 --
TCP
445 135 DYNAMIC
21. Server Locator Point -- > Microsoft SQL Server
Description
SQL over TCP
UDP
--
TCP
1433
22. Management Point -- > SQL Server
Description
SQL over TCP
UDP
--
TCP
1433
5 of 14
3/19/2012 2:33 PM
23. Provider -- > SQL Server
Description
SQL over TCP
UDP
--
TCP
1433
24. Reporting Point -- > SQL Server / Reporting Services Point -- > SQL Server
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is applicable to Configuration Manager 2007 R2 only.
Description
SQL over TCP
UDP
--
TCP
1433
25. Configuration Manager Console -- > Reporting Point
Description
UDP
---
TCP
26. Configuration Manager Console -- > Provider
Description
RPC Endpoint Mapper RPC
UDP
135 --
TCP
135 DYNAMIC
27. Configuration Manager Console -- > Internet
Description
UDP
--
TCP
80
28. Primary Site Server -- > SQL Server
Description
SQL over TCP
UDP
--
TCP
1433
29. Management Point -- > Domain Controller
Description
Lightweight Directory Access Protocol (LDAP) LDAP (Secure Sockets Layer [SSL] connection) Global Catalog LDAP Global Catalog LDAP SSL RPC Endpoint Mapper
UDP
-636 --135
TCP
389 636 3268 3269 135
6 of 14
3/19/2012 2:33 PM
RPC
--
DYNAMIC
30. Site Server -- > Reporting Point / Site Server -- > Reporting Services Point
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is in Configuration Manager 2007 R2 only.
Description
UDP
-135 --
TCP
445 135 DYNAMIC
31. Site Server -- > Server Locator Point

Description
UDP
-135 --
TCP
445 135 DYNAMIC
32. Configuration Manager Console -- > Site Server
Description
RPC (initial connection to WMI to locate provider system)
UDP
--
TCP
135
33. Software Update Point -- > WSUS Synchronization Server
Description
UDP
---
TCP
80 or 8530 (See note 4, Windows Server Update Services) 443 or 8531 (See note 4, Windows Server Update Services)
34. Configuration Manager Console -- > Client
Description
Remote Control (control) Remote Control (data) Remote Control (RPC Endpoint Mapper) Remote Assistance (RDP and RTC)
UDP
2701 2702 ---
TCP
2701 2702 135 3389
35. Management Point < -- > Site Server

Description
UDP
TCP
7 of 14
3/19/2012 2:33 PM
RPC Endpoint mapper RPC Server Message Block (SMB)
----
135 DYNAMIC 445
36. Site Server -- > Client
Description
Wake on LAN
UDP
TCP
--
37. Configuration Manager Client -- > Global Catalog Domain Controller

A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for Internet-only communication.
Description
Global Catalog LDAP Global Catalog LDAP SSL
UDP
---
TCP
3268 3269
38. PXE Service Point -- > SQL Server
Description
SQL over TCP
UDP
--
TCP
1433
39. Site Server < -- > Asset Intelligence Synchronization Point (Configuration Manager 2007 SP1)
Description
UDP
-135 --
TCP
445 135 DYNAMIC
40. Asset Intelligence Synchronization Point < -- > System Center Online (Configuration Manager 2007 SP1)
Description
Secure Hypertext Transfer Protocol (HTTPS)
UDP
--
TCP
443
41. Multicast Distribution Point -- > SQL Server (Configuration Manager 2007 R2)
Description
SQL over TCP
UDP
--
TCP
1433
42. Client status reporting host --> Client (Configuration Manager 2007 R2)
Description
RPC Endpoint Mapper
UDP
135
TCP
135
8 of 14
3/19/2012 2:33 PM
RPC ICMPv4 Type 8 (Echo) or ICMPv6 Type 128 (Echo Request)
-n/a
DYNAMIC n/a
43. Client status reporting host --> Management Point (Configuration Manager 2007 R2)
Description
Server Message Block (SMB) NetBIOS Session Service
UDP
---
TCP
445 139
44. Client status reporting host --> SQL Server (Configuration Manager 2007 R2)
Description
SQL over TCP
UDP
--
TCP
1433
45. Site Server < -- > Reporting Services Point (Configuration Manager 2007 R2)
Description
UDP
-135 --
TCP
445 135 DYNAMIC
46. Configuration Manager Console -- > Reporting Services Point (Configuration Manager 2007 R2)
Description
UDP
---
TCP
47. Reporting Services Point -- > SQL Server (Configuration Manager 2007 R2)
Description
SQL over TCP
UDP
--
TCP
1433
Notes
1 Proxy Server port This port cannot be configured but can be routed through a configured proxy server.
2 Alternate Port Available An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls. 3 RAS Sender Configuration Manager 2007 can also use the RAS Sender with Point to Point Tunneling Protocol (PPTP) to send and receive Configuration Manager 2007 site, client, and administrative information through a firewall. Under these circumstances, the PPTP TCP 1723 port is used. 4 Windows Server Update Services WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530).
After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is anything else, the HTTPS port must be 1 higherfor example, 8530 and 8531. 5 Trivial FTP (TFTP) Daemon The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral
9 of 14
3/19/2012 2:33 PM
part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs: RFC 350TFTP RFC 2347Option extension RFC 2348Block size option RFC 2349Time-out interval, and transfer size options
Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69. 6 Communication between the site server and site systems By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send back status information. Reporting points and distribution points do not send back status information. If you select Allow only site server initiated data transfers from this site system on the site system properties, the site system will never initiate communication back to the site server. 7 Ports used by distribution points for application virtualization streaming A distribution point enabled to support application virtualization can be configured to use either HTTP or HTTPS. This feature is available in Configuration Manager 2007 R2 only.
Configuration Manager Remote Control Ports

When you use NetBIOS over TCP/IP for Configuration Manager 2007 Remote Control, the ports described in the following table are used.
Description
RPC Endpoint Mapping Name resolution Messaging Client Sessions
UDP
-137 138 --
TCP
135 --139
AMT Out of Band Management Ports (Configuration Manager 2007 SP1)

When you use the out of band management feature in Configuration Manager 2007 SP1, the following ports are used. A. Site Server <--> Out of Band Service Point
Description
Server Message Block (SMB) RPC Endpoint Mapper RPC B. AMT Management Controller --> Out of Band Service Point
UDP
-135 --
TCP
445 135 DYNAMIC
Description
Provisioning out of band (not applicable to in-band provisioning) C. Out of Band Service Point --> AMT Management Controller
UDP
--
TCP
9971 (configurable)
Description
Discovery Power control, provisioning, and discovery
UDP
---
TCP
16992 16993
10 of 14
3/19/2012 2:33 PM
D. Out of Band Management Console --> AMT Management Controller
Description
General management tasks Serial over LAN and IDE redirection
UDP
---
TCP
16993 16995
Ports Used by Configuration Manager Client Installation

The ports that are using during client installation depend on the client deployment method. See Ports Used During Configuration Manager Client Deployment for a list of ports for each client deployment method. For information about how to configure Windows Firewall on the client for client installation and post-installation communication, see Windows Firewall Settings for Configuration Manager Clients.
Ports Used by Windows Server

The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows Server services and network ports requirements, see http://go.microsoft.com/fwlink/?LinkID=123652.
Description
Domain Name System (DNS) Dynamic Host Configuration Protocol (DHCP) NetBIOS Name Resolution NetBIOS Datagram Service NetBIOS Session Service
UDP
53 67 and 68 137 138 --
TCP
53 ---139
Connecting with Microsoft SQL Server

If you use the TCP/IP Net-Library, enable port 1433 on the firewall. Use the Hosts file or an advanced connection string for host name resolution. If you use named pipes over TCP/IP, enable port 139 for NetBIOS functions. NetBIOS should be used only for troubleshooting Kerberos issues.
Note
TCP/IP is required for network communications to allow Kerberos authentication. Named pipes communication is not required for Configuration Manager 2007 site database operations and should be used only to troubleshoot Kerberos authentication issues. The default instance of SQL Server uses TCP port 1433 for network communications. When you use a named instance, the port number is dynamically assigned. Configuration Manager does not support manually changing or defining the port number for either the default instance or named instances of SQL Server. We do not recommend that you enable UDP ports 137 and 138 for NetBIOS name resolution by using B-node broadcasts. Instead, you can use a WINS server or an LMHOSTS file for name resolution.
Installation Requirements for Internet-Based Site Systems

The Internet-based management point, software update point, and fallback status point use the following ports for installation and repair: Site server --> site system: RPC endpoint mapper using UDP and TCP port 135. Site server --> site system: RPC dynamic TCP ports. Site server < --> site system: Server message blocks (SMB) using TCP port 445.
Distribution points do not install until the first package is targeted to them. Package installations on distribution points require the following RPC ports: Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135. Site server --> distribution point: RPC dynamic TCP ports.
Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see http://go.microsoft.com/fwlink/?LinkId=124096.
11 of 14
3/19/2012 2:33 PM
Important
Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have specified a site system installation account if the site system is in a different Active Directory forest without a trust relationship. For more information, see How to Configure the Site System Installation Account.
12 of 14
3/19/2012 2:33 PM
See Also
Concepts Windows Firewall Settings for Configuration Manager Clients Other Resources Technical Reference for Configuration Manager Security
For additional information, see Configuration Manager 2007 Information and Support. To contact the documentation team, email SMSdocs@microsoft.com.
Did you find this helpful?
Yes
No
Community Content
Please add addional protocol for DNS
Within the section "Ports used by Windows Server", only the UDP protocol is listed for DNS. If the DNS string becomes larger, it switches over to TCP. So TCP protocol must also be allowed with port 53 to communicate with DNS. It caused us one day of searching after closing down the firewall using the information in this article.
10/10/2011 IngridG
RE: Port calculator

To answer the question about the difference between a management point and proxy management point - there is no difference in the ports. They both function the same, which is why you don't see a site system role option in the wizard for the proxy management point when you install site systems in secondary sites. The proxy management point is a concept term to describe placement in the hierarchy.
4/16/2011 Carol Bailey
Port calculator
It would be great if there could be a "port calculator" - a spreadsheet into which you could add your server names, IP addresses and roles, and then it fires out a list of all the ports you'd need to open which you could then pass on to the security team so they open them. Also, not sure what difference there would be in the ports for a "Management Server" and "Proxy Management Server" which isn't mentioned here.
1/28/2011 johnny mango
Re: Error with number of connection - PXE service point to SQL

Thanks for pointing this out - now corrected.
2/26/2010 Carol Bailey
Error with number of connection - PXE service point to SQL

Real number in the picture is 38. nonsense, but....
11/13/2009 Donec
2012 Microsoft. All rights reserved.
13 of 14
3/19/2012 2:33 PM
14 of 14
3/19/2012 2:33 PM

Ports Used by Configuration

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Ports Used by Configuration

Загружено:

Авторское право:

Доступные форматы

Ports Used by Configuration Manager