Upload
rakesh-badaya
View
222
Download
0
Embed Size (px)
Citation preview
7/30/2019 Ports Used by Configuration
1/14
Note
Ports Used by Configuration Manager
57 out of 64 rated this helpful Rate this topic
Updated: January 1, 2012
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration
Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Microsoft System Center Configuration Manager 2007 is a distributed client/server system. The distributed nature of Configuration Manager
2007 means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not
configurable, and some use ports that can be customized. You must verify that the required ports are available if you use any port filtering
technology such as firewalls, routers, proxy servers, and IPsec.
To plan your firewall configuration, if you are supporting Internet-based clients, use the following port information together with the
information in Supported Scenarios for Internet-Based Client Management. In addition to port requirements, if you have Internet-based
clients, you must also allow certain HTTP verbs and headers to traverse your firewall. For more information, see Prerequisites for
Internet-Based Client Management.
Configurable Ports
Configuration Manager 2007 allows you to configure the ports for the following types of communication:
Client to site system
Client to Internet (as proxy server settings)
Software update point to Internet (as proxy server settings)
Software update point to WSUS server
Client to reporting point
By default, the HTTP port used for client to site system communication is port 80, and the default HTTPS port is 443. Ports for client-to-site
system communication over HTTP or HTTPS can be changed during Setup or in the Site Properties for your Configuration Manager site.
Reporting point site system roles have configurable port settings for HTTP and HTTPS communication defined on the reporting point site
system role property page. By default, users connect to the reporting point using the HTTP port 80 and HTTPS port 443. These ports are
defined during installation only. To redefine the reporting point communication port, the reporting point site system must be deleted and then
reinstalled.
Non-Configurable Ports
Configuration Manager does not allow you to configure ports for the following types of communication:
Site to site (primary-to-primary or primary-to-secondary)
Site server to site system
Site server to site database server
Site system to site database server
Configuration Manager 2007 console to SMS Provider
Configuration Manager 2007 console to the Internet
Port Details
The port listings that follow are used by Configuration Manager 2007 and do not include information for standard Windows services, such as
Group Policy settings for Active Directory and Kerberos authentication. For information about Windows Server services and ports, see
http://go.microsoft.com/fwlink/?LinkID=123652 .
The following diagram indicates connections between Configuration Manager 2007 computers. The number for the link corresponds to the
table that lists the ports for that link. The arrows between the computers represent the direction of the communication.
-- > indicates one computer initiates and the other computer always responds
< -- > indicates that either computer can initiate
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
4 3/19/2012
7/30/2019 Ports Used by Configuration
2/14
1. Site Server < -- > Site Server
Description UDP TCP
2. Primary Site Server -- > Domain Controller
Description UDP TCP
3. Site Server < -- > Software Update Point
(See note 6, Communication between the site server and site systems)
Server Message Block (SMB) -- 445
Point to Point Tunneling Protocol (PPTP) -- 1723 (See note 3, RAS Sender)
Lightweight Directory Access Protocol (LDAP) -- 389
LDAP (Secure Sockets Layer [SSL] connection) 636 636
Global Catalog LDAP -- 3268
Global Catalog LDAP SSL -- 3269
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
4 3/19/2012
7/30/2019 Ports Used by Configuration
3/14
Description UDP TCP
4. Software Update Point -- > Internet
Description UDP TCP
5. Site Server < -- > State Migration Point
(See note 6, Communication between the site server and site systems)
Description UDP TCP
6. Client -- > Software Update Point
Description UDP TCP
7. Client -- > State Migration Point
Description UDP TCP
8. Client -- > PXE Service Point
Description UDP TCP
9. Site Server < -- > PXE Service Point
(See note 6, Communication between the site server and site systems)
Server Message Block (SMB) -- 445
Hypertext Transfer Protocol (HTTP) -- 80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 or 8531 (See note 4, Windows Server Update Services)
Hypertext Transfer Protocol (HTTP) -- 80 (See note 1, Proxy Server port)
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
Hypertext Transfer Protocol (HTTP) -- 80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 or 8531 (See note 4, Windows Server Update Services)
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)
Server Message Block (SMB) -- 445
Dynamic Host Configuration Protocol (DHCP) 67 and 68 --
Trivial File Transfer Protocol (TFTP) 69 (See note 5, Trivial FTP (TFTP) Daemon) --
Boot Information Negotiation Layer (BINL) 4011 --
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
4 3/19/2012
7/30/2019 Ports Used by Configuration
4/14
Description UDP TCP
10. Site Server < -- > System Health Validator
(See note 6, Communication between the site server and site systems)
Description UDP TCP
11. Client -- > System Health Validator
The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client
being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health
Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see theWindows Network Access Protection documentation. For help with configuring firewalls for IPsec, see http://go.microsoft.com/fwlink
/?LinkId=109499.
12. Site Server < -- > Fallback Status Point
(See note 6, Communication between the site server and site systems)
Description UDP TCP
13. Client -- > Fallback Status Point
Description UDP TCP
14. Site Server -- > Distribution Point
Description UDP TCP
15. Client -- > Distribution Point
Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
4 3/19/2012
7/30/2019 Ports Used by Configuration
5/14
16. Client -- > Branch Distribution Point
Description UDP TCP
17. Client -- > Management Point
Description UDP TCP
18. Client -- > Server Locator Point
Description UDP TCP
19. Branch Distribution Point -- > Distribution Point
Description UDP TCP
20. Site Server -- > Provider
Description UDP TCP
21. Server Locator Point -- > Microsoft SQL Server
Description UDP TCP
22. Management Point -- > SQL Server
Description UDP TCP
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)
Server Message Block (SMB) -- 445
Multicast Protocol 63000-64000 --
Server Message Block (SMB) -- 445
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
SQL over TCP -- 1433
SQL over TCP -- 1433
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
4 3/19/2012
7/30/2019 Ports Used by Configuration
6/14
23. Provider -- > SQL Server
Description UDP TCP
24. Reporting Point -- > SQL Server / Reporting Services Point -- > SQL Server
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is applicable to Configuration Manager
2007 R2 only.
Description UDP TCP
25. Configuration Manager Console -- > Reporting Point
Description UDP TCP
26. Configuration Manager Console -- > Provider
Description UDP TCP
27. Configuration Manager Console -- > Internet
Description UDP TCP
28. Primary Site Server -- > SQL Server
Description UDP TCP
29. Management Point -- > Domain Controller
Description UDP TCP
SQL over TCP -- 1433
SQL over TCP -- 1433
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Hypertext Transfer Protocol (HTTP) -- 80
SQL over TCP -- 1433
Lightweight Directory Access Protocol (LDAP) -- 389
LDAP (Secure Sockets Layer [SSL] connection) 636 636
Global Catalog LDAP -- 3268
Global Catalog LDAP SSL -- 3269
RPC Endpoint Mapper 135 135
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
4 3/19/2012
7/30/2019 Ports Used by Configuration
7/14
30. Site Server -- > Reporting Point / Site Server -- > Reporting Services Point
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is in Configuration Manager 2007 R2
only.
Description UDP TCP
31. Site Server -- > Server Locator Point
(See note 6, Communication between the site server and site systems)
Description UDP TCP
32. Configuration Manager Console -- > Site Server
Description UDP TCP
33. Software Update Point -- > WSUS Synchronization Server
Description UDP TCP
34. Configuration Manager Console -- > Client
Description UDP TCP
35. Management Point < -- > Site Server
(See note 6, Communication between the site server and site systems)
Description UDP TCP
RPC -- DYNAMIC
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
RPC (initial connection to WMI to locate provider system) -- 135
Hypertext Transfer Protocol (HTTP) -- 80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 or 8531 (See note 4, Windows Server Update Services)
Remote Control (control) 2701 2701
Remote Control (data) 2702 2702
Remote Control (RPC Endpoint Mapper) -- 135
Remote Assistance (RDP and RTC) -- 3389
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
4 3/19/2012
7/30/2019 Ports Used by Configuration
8/14
36. Site Server -- > Client
Description UDP TCP
37. Configuration Manager Client -- > Global Catalog Domain Controller
A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for
Internet-only communication.
Description UDP TCP
38. PXE Service Point -- > SQL Server
Description UDP TCP
39. Site Server < -- > Asset Intelligence Synchronization Point (Configuration Manager 2007 SP1)
Description UDP TCP
40. Asset Intelligence Synchronization Point < -- > System Center Online (Configuration Manager 2007 SP1)
Description UDP TCP
41. Multicast Distribution Point -- > SQL Server (Configuration Manager 2007 R2)
Description UDP TCP
42. Client status reporting host --> Client (Configuration Manager 2007 R2)
Description UDP TCP
RPC Endpoint mapper -- 135
RPC -- DYNAMIC
Server Message Block (SMB) -- 445
Wake on LAN 9 (See note 2, Alternate Port Available) --
Global Catalog LDAP -- 3268
Global Catalog LDAP SSL -- 3269
SQL over TCP -- 1433
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Secure Hypertext Transfer Protocol (HTTPS) -- 443
SQL over TCP -- 1433
RPC Endpoint Mapper 135 135
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
4 3/19/2012
7/30/2019 Ports Used by Configuration
9/14
43. Client status reporting host --> Management Point (Configuration Manager 2007 R2)
Description UDP TCP
44. Client status reporting host --> SQL Server (Configuration Manager 2007 R2)
Description UDP TCP
45. Site Server < -- > Reporting Services Point (Configuration Manager 2007 R2)
(See note 6, Communication between the site server and site systems)
Description UDP TCP
46. Configuration Manager Console -- > Reporting Services Point (Configuration Manager 2007 R2)
Description UDP TCP
47. Reporting Services Point -- > SQL Server (Configuration Manager 2007 R2)
Description UDP TCP
Notes
1Proxy Server port This port cannot be configured but can be routed through a configured proxy server.
2 Alternate Port Available An alternate port can be defined within Configuration Manager for this value. If a custom port has been
defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls.
3 RAS Sender Configuration Manager 2007 can also use the RAS Sender with Point to Point Tunneling Protocol (PPTP) to send and
receive Configuration Manager 2007 site, client, and administrative information through a firewall. Under these circumstances, the PPTP TCP
1723 port is used.
4 Windows Server Update Services WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530).
After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy.
If the HTTP port is 80, the HTTPS port must be 443.
If the HTTP port is anything else, the HTTPS port must be 1 higherfor example, 8530 and 8531.
5 Trivial FTP (TFTP) Daemon The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral
RPC -- DYNAMIC
ICMPv4 Type 8 (Echo) or
ICMPv6 Type 128 (Echo Request)
n/a n/a
Server Message Block (SMB) -- 445
NetBIOS Session Service -- 139
SQL over TCP -- 1433
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)
SQL over TCP -- 1433
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
4 3/19/2012
7/30/2019 Ports Used by Configuration
10/14
part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the
following RFCs:
RFC 350TFTP
RFC 2347Option extension
RFC 2348Block size option
RFC 2349Time-out interval, and transfer size options
Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a
dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow
the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished
unless the TFTP server is configured to respond from port 69.
6 Communication between the site server and site systems By default, communication between the site server and site systems is
bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site
server to send back status information. Reporting points and distribution points do not send back status information. If you select Allow only
site server initiated data transfers from this site system on the site system properties, the site system will never initiate communication
back to the site server.
7 Ports used by distribution points for application virtualization streaming A distribution point enabled to support application
virtualization can be configured to use either HTTP or HTTPS. This feature is available in Configuration Manager 2007 R2 only.
Configuration Manager Remote Control Ports
When you use NetBIOS over TCP/IP for Configuration Manager 2007 Remote Control, the ports described in the following table are used.
Description UDP TCP
AMT Out of Band Management Ports (Configuration Manager 2007 SP1)
When you use the out of band management feature in Configuration Manager 2007 SP1, the following ports are used.
A. Site Server Out of Band Service Point
Description UDP TCP
B. AMT Management Controller --> Out of Band Service Point
Description UDP TCP
C. Out of Band Service Point --> AMT Management Controller
Description UDP TCP
RPC Endpoint Mapping -- 135
Name resolution 137 --
Messaging 138 --
Client Sessions -- 139
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
Provisioning out of band (not applicable to in-band provisioning) -- 9971 (configurable)
Discovery -- 16992
Power control, provisioning, and discovery -- 16993
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
14 3/19/2012
7/30/2019 Ports Used by Configuration
11/14
Note
D. Out of Band Management Console --> AMT Management Controller
Description UDP TCP
Ports Used by Configuration Manager Client Installation
The ports that are using during client installation depend on the client deployment method. See Ports Used During Configuration Manager
Client Deployment for a list of ports for each client deployment method. For information about how to configure Windows Firewall on the
client for client installation and post-installation communication, see Windows Firewall Settings for Configuration Manager Clients.
Ports Used by Windows Server
The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows
Server services and network ports requirements, see http://go.microsoft.com/fwlink/?LinkID=123652 .
Description UDP TCP
Connecting with Microsoft SQL Server
If you use the TCP/IP Net-Library, enable port 1433 on the firewall. Use the Hosts file or an advanced connection string for host name
resolution.
If you use named pipes over TCP/IP, enable port 139 for NetBIOS functions. NetBIOS should be used only for troubleshooting Kerberos
issues.
TCP/IP is required for network communications to allow Kerberos authentication. Named pipes communication is not required for
Configuration Manager 2007 site database operations and should be used only to troubleshoot Kerberos authentication issues.
The default instance of SQL Server uses TCP port 1433 for network communications. When you use a named instance, the port number is
dynamically assigned. Configuration Manager does not support manually changing or defining the port number for either the default instance
or named instances of SQL Server.
We do not recommend that you enable UDP ports 137 and 138 for NetBIOS name resolution by using B-node broadcasts. Instead, you can
use a WINS server or an LMHOSTS file for name resolution.
Installation Requirements for Internet-Based Site Systems
The Internet-based management point, software update point, and fallback status point use the following ports for installation and repair:
Site server --> site system: RPC endpoint mapper using UDP and TCP port 135.
Site server --> site system: RPC dynamic TCP ports.
Site server < --> site system: Server message blocks (SMB) using TCP port 445.
Distribution points do not install until the first package is targeted to them. Package installations on distribution points require the following
RPC ports:
Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135.
Site server --> distribution point: RPC dynamic TCP ports.
Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC,
you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more
information about the RPC configuration tool, see http://go.microsoft.com/fwlink/?LinkId=124096 .
General management tasks -- 16993
Serial over LAN and IDE redirection -- 16995
Domain Name System (DNS) 53 53
Dynamic Host Configuration Protocol (DHCP) 67 and 68 --
NetBIOS Name Resolution 137 --
NetBIOS Datagram Service 138 --
NetBIOS Session Service -- 139
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
14 3/19/2012
7/30/2019 Ports Used by Configuration
12/14
Important
Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have
specified a site system installation account if the site system is in a different Active Directory forest without a trust relationship. For more
information, see How to Configure the Site System Installation Account.
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
14 3/19/2012
7/30/2019 Ports Used by Configuration
13/14
10/10/2011
IngridG
4/16/2011
Carol Bailey
1/28/2011
johnny mango
2/26/2010
Carol Bailey
11/13/2009
Donec
See Also
Concepts
Windows Firewall Settings for Configuration Manager Clients
Other Resources
Technical Reference for Configuration Manager Security
For additional information, see Configuration Manager 2007 Information and Support.To contact the documentation team, email [email protected].
Did you find this helpful? Yes No
Community Content
Please add addional protocol for DNS
Within the section "Ports used by Windows Server", only the UDP protocol is listed for DNS. If the DNS string becomes larger, it switches over to TCP. So TCPprotocol must also be allowed with port 53 to communicate with DNS. It caused us one day of searching after closing down the firewall using the information in
this article.
RE: Port calculator
To answer the question about the difference between a management point and proxy management point - there is no difference in the ports. They both function
the same, which is why you don't see a site system role option in the wizard for the proxy management point when you install site systems in secondary sites.
The proxy management point is a concept term to describe placement in the hierarchy.
Port calculator
It would be great if there could be a "port calculator" - a spreadsheet into which you could add your server names, IP addresses and roles, and then it fires out a
list of all the ports you'd need to open which you could then pass on to the security team so they open them.
Also, not sure what difference there would be in the ports for a "Management Server" and "Proxy Management Server" which isn't mentioned here.
Re: Error with number of connection - PXE service point to SQL
Thanks for pointing this out - now corrected.
Error with number of connection - PXE service point to SQL
Real number in the picture is 38.
nonsense, but....
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632
14 3/19/2012
7/30/2019 Ports Used by Configuration
14/14
Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632