
7/30/2019 Ports Used by Configuration Manager

    1/14


    Ports Used by Configuration Manager


    Updated: January 1, 2012

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Microsoft System Center Configuration Manager 2007 is a distributed client/server system. The distributed nature of Configuration Manager 2007 means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not configurable, and some use ports that can be customized. You must verify that the required ports are available if you use any port filtering technology such as firewalls, routers, proxy servers, and IPsec.

To plan your firewall configuration, if you are supporting Internet-based clients, use the following port information together with the information in Supported Scenarios for Internet-Based Client Management. In addition to port requirements, if you have Internet-based clients, you must also allow certain HTTP verbs and headers to traverse your firewall. For more information, see Prerequisites for Internet-Based Client Management.

    Configurable Ports

    Configuration Manager 2007 allows you to configure the ports for the following types of communication:

    Client to site system

    Client to Internet (as proxy server settings)

    Software update point to Internet (as proxy server settings)

    Software update point to WSUS server

    Client to reporting point

By default, the HTTP port used for client to site system communication is port 80, and the default HTTPS port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during Setup or in the Site Properties for your Configuration Manager site.

Reporting point site system roles have configurable port settings for HTTP and HTTPS communication defined on the reporting point site system role property page. By default, users connect to the reporting point using the HTTP port 80 and HTTPS port 443. These ports are defined during installation only. To redefine the reporting point communication port, the reporting point site system must be deleted and then reinstalled.

    Non-Configurable Ports

    Configuration Manager does not allow you to configure ports for the following types of communication:

    Site to site (primary-to-primary or primary-to-secondary)

    Site server to site system

    Site server to site database server

    Site system to site database server

    Configuration Manager 2007 console to SMS Provider

    Configuration Manager 2007 console to the Internet

    Port Details

The port listings that follow are used by Configuration Manager 2007 and do not include information for standard Windows services, such as Group Policy settings for Active Directory and Kerberos authentication. For information about Windows Server services and ports, see http://go.microsoft.com/fwlink/?LinkID=123652.

The following diagram indicates connections between Configuration Manager 2007 computers. The number for the link corresponds to the table that lists the ports for that link. The arrows between the computers represent the direction of the communication.

-- > indicates that one computer initiates and the other computer always responds

< -- > indicates that either computer can initiate

    Used by Configuration Manager http://technet.microsoft.com/en-us/library/bb632

    4 3/19/2012

  • 7/30/2019 Ports Used by Configuration

    2/14

1. Site Server < -- > Site Server

Description UDP TCP
Server Message Block (SMB) -- 445
Point to Point Tunneling Protocol (PPTP) -- 1723 (See note 3, RAS Sender)

2. Primary Site Server -- > Domain Controller

Description UDP TCP
Lightweight Directory Access Protocol (LDAP) -- 389
LDAP (Secure Sockets Layer [SSL] connection) 636 636
Global Catalog LDAP -- 3268
Global Catalog LDAP SSL -- 3269
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

3. Site Server < -- > Software Update Point
(See note 6, Communication between the site server and site systems)

Description UDP TCP
Server Message Block (SMB) -- 445
Hypertext Transfer Protocol (HTTP) -- 80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 or 8531 (See note 4, Windows Server Update Services)

4. Software Update Point -- > Internet

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 (See note 1, Proxy Server port)

5. Site Server < -- > State Migration Point
(See note 6, Communication between the site server and site systems)

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135

6. Client -- > Software Update Point

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 or 8531 (See note 4, Windows Server Update Services)

7. Client -- > State Migration Point

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)
Server Message Block (SMB) -- 445

8. Client -- > PXE Service Point

Description UDP TCP
Dynamic Host Configuration Protocol (DHCP) 67 and 68 --
Trivial File Transfer Protocol (TFTP) 69 (See note 5, Trivial FTP (TFTP) Daemon) --
Boot Information Negotiation Layer (BINL) 4011 --

9. Site Server < -- > PXE Service Point
(See note 6, Communication between the site server and site systems)

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

10. Site Server < -- > System Health Validator
(See note 6, Communication between the site server and site systems)

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

11. Client -- > System Health Validator

The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation. For help with configuring firewalls for IPsec, see http://go.microsoft.com/fwlink/?LinkId=109499.

12. Site Server < -- > Fallback Status Point
(See note 6, Communication between the site server and site systems)

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

13. Client -- > Fallback Status Point

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)

14. Site Server -- > Distribution Point

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

15. Client -- > Distribution Point

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)
Server Message Block (SMB) -- 445
Multicast Protocol 63000-64000 --

16. Client -- > Branch Distribution Point

Description UDP TCP
Server Message Block (SMB) -- 445

17. Client -- > Management Point

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)

18. Client -- > Server Locator Point

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)

19. Branch Distribution Point -- > Distribution Point

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)

20. Site Server -- > Provider

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

21. Server Locator Point -- > Microsoft SQL Server

Description UDP TCP
SQL over TCP -- 1433

22. Management Point -- > SQL Server

Description UDP TCP
SQL over TCP -- 1433


23. Provider -- > SQL Server

Description UDP TCP
SQL over TCP -- 1433

24. Reporting Point -- > SQL Server / Reporting Services Point -- > SQL Server

The reporting point and the Reporting Services point use the same ports. The Reporting Services point is applicable to Configuration Manager 2007 R2 only.

Description UDP TCP
SQL over TCP -- 1433

25. Configuration Manager Console -- > Reporting Point

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)

26. Configuration Manager Console -- > Provider

Description UDP TCP
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

27. Configuration Manager Console -- > Internet

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80

28. Primary Site Server -- > SQL Server

Description UDP TCP
SQL over TCP -- 1433

29. Management Point -- > Domain Controller

Description UDP TCP
Lightweight Directory Access Protocol (LDAP) -- 389
LDAP (Secure Sockets Layer [SSL] connection) 636 636
Global Catalog LDAP -- 3268
Global Catalog LDAP SSL -- 3269
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

30. Site Server -- > Reporting Point / Site Server -- > Reporting Services Point

The reporting point and the Reporting Services point use the same ports. The Reporting Services point is in Configuration Manager 2007 R2 only.

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

31. Site Server -- > Server Locator Point
(See note 6, Communication between the site server and site systems)

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

32. Configuration Manager Console -- > Site Server

Description UDP TCP
RPC (initial connection to WMI to locate provider system) -- 135

33. Software Update Point -- > WSUS Synchronization Server

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 or 8531 (See note 4, Windows Server Update Services)

34. Configuration Manager Console -- > Client

Description UDP TCP
Remote Control (control) 2701 2701
Remote Control (data) 2702 2702
Remote Control (RPC Endpoint Mapper) -- 135
Remote Assistance (RDP and RTC) -- 3389

35. Management Point < -- > Site Server
(See note 6, Communication between the site server and site systems)

Description UDP TCP
RPC Endpoint Mapper -- 135
RPC -- DYNAMIC
Server Message Block (SMB) -- 445

36. Site Server -- > Client

Description UDP TCP
Wake on LAN 9 (See note 2, Alternate Port Available) --

37. Configuration Manager Client -- > Global Catalog Domain Controller

A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for Internet-only communication.

Description UDP TCP
Global Catalog LDAP -- 3268
Global Catalog LDAP SSL -- 3269

38. PXE Service Point -- > SQL Server

Description UDP TCP
SQL over TCP -- 1433

39. Site Server < -- > Asset Intelligence Synchronization Point (Configuration Manager 2007 SP1)

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

40. Asset Intelligence Synchronization Point < -- > System Center Online (Configuration Manager 2007 SP1)

Description UDP TCP
Secure Hypertext Transfer Protocol (HTTPS) -- 443

41. Multicast Distribution Point -- > SQL Server (Configuration Manager 2007 R2)

Description UDP TCP
SQL over TCP -- 1433

42. Client status reporting host -- > Client (Configuration Manager 2007 R2)

Description UDP TCP
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC
ICMPv4 Type 8 (Echo) or ICMPv6 Type 128 (Echo Request) n/a n/a

43. Client status reporting host -- > Management Point (Configuration Manager 2007 R2)

Description UDP TCP
Server Message Block (SMB) -- 445
NetBIOS Session Service -- 139

44. Client status reporting host -- > SQL Server (Configuration Manager 2007 R2)

Description UDP TCP
SQL over TCP -- 1433

45. Site Server < -- > Reporting Services Point (Configuration Manager 2007 R2)
(See note 6, Communication between the site server and site systems)

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

46. Configuration Manager Console -- > Reporting Services Point (Configuration Manager 2007 R2)

Description UDP TCP
Hypertext Transfer Protocol (HTTP) -- 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) -- 443 (See note 2, Alternate Port Available)

47. Reporting Services Point -- > SQL Server (Configuration Manager 2007 R2)

Description UDP TCP
SQL over TCP -- 1433

Notes

1 Proxy Server port: This port cannot be configured but can be routed through a configured proxy server.

2 Alternate Port Available: An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls.

3 RAS Sender: Configuration Manager 2007 can also use the RAS Sender with Point to Point Tunneling Protocol (PPTP) to send and receive Configuration Manager 2007 site, client, and administrative information through a firewall. Under these circumstances, the PPTP TCP 1723 port is used.

4 Windows Server Update Services: WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530). After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy.

If the HTTP port is 80, the HTTPS port must be 443.

If the HTTP port is anything else, the HTTPS port must be 1 higher; for example, 8530 and 8531.

5 Trivial FTP (TFTP) Daemon: The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral


part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs:

RFC 1350 TFTP
RFC 2347 Option extension
RFC 2348 Block size option
RFC 2349 Timeout interval and transfer size options

Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69.
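The reply-from-a-high-port behaviour in note 5 is what breaks PXE boot behind a firewall that only has a "UDP 69" rule. The following Python model, written for this page as an added example (it is not code from the TechNet article or from Configuration Manager), builds an RFC 1350 read request, lets a simulated PXE service point answer from an ephemeral port, and shows how a filter that matches replies on the strict reverse 4-tuple drops the DATA packet while a TFTP-aware filter, or a server configured to answer from port 69, lets it through. The addresses, the `FlowFirewall` model and the function names are assumptions made for the example.

```python
"""Why an 'allow UDP 69' rule alone does not let a PXE client finish a TFTP
transfer (added example; not code from the TechNet article).

A client sends a read request to the PXE service point's port 69, but RFC
1350 lets the server answer from a freshly chosen port. A firewall that
matches replies strictly against the reverse of the original 4-tuple never
sees a match. Addresses, the FlowFirewall model and the function names are
assumptions made for this example.
"""
import struct
from typing import Tuple

OPCODE_RRQ, OPCODE_DATA = 1, 3
TFTP_PORT = 69
Endpoint = Tuple[str, int]   # (ip, udp port)


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return (struct.pack("!H", OPCODE_RRQ) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def parse_rrq(packet: bytes) -> Tuple[str, str]:
    """Return (filename, mode) from a read request, rejecting anything else."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != OPCODE_RRQ:
        raise ValueError(f"opcode {opcode} is not a read request")
    fields = packet[2:].split(b"\0")
    if len(fields) < 3:
        raise ValueError("malformed request: filename and mode must be NUL-terminated")
    return fields[0].decode("ascii"), fields[1].decode("ascii")


def build_data(block: int, payload: bytes) -> bytes:
    """RFC 1350 DATA packet: opcode 3, block number, up to 512 bytes of data."""
    return struct.pack("!HH", OPCODE_DATA, block) + payload


class FlowFirewall:
    """Minimal stateful filter between the PXE client and the service point.

    The only rule is 'client -> server udp/69'. Replies are admitted when they
    match a recorded flow. With tftp_aware=False the match is the strict
    reverse 4-tuple; with tftp_aware=True a TFTP helper accepts the server's
    new source port as long as the reply targets the requesting client endpoint.
    """

    def __init__(self, tftp_aware: bool = False):
        self.tftp_aware = tftp_aware
        self.flows = set()   # {(client_endpoint, server_endpoint)}

    def outbound(self, src: Endpoint, dst: Endpoint) -> bool:
        if dst[1] != TFTP_PORT:
            return False
        self.flows.add((src, dst))
        return True

    def inbound(self, src: Endpoint, dst: Endpoint) -> bool:
        if (dst, src) in self.flows:
            return True   # server answered from port 69, strict match succeeds
        if self.tftp_aware:
            return any(client == dst and server[0] == src[0]
                       for client, server in self.flows)
        return False


def pxe_transfer(tftp_aware: bool, server_reply_port: int) -> bool:
    """Simulate one request/response and report whether the DATA packet gets through."""
    client, server = ("10.0.0.50", 2070), ("10.0.0.20", TFTP_PORT)   # constructed
    firewall = FlowFirewall(tftp_aware)
    request = build_rrq("bootfile.bin")                 # constructed file name
    if not firewall.outbound(client, server):
        return False
    filename, _mode = parse_rrq(request)                # the service point reads the request
    reply = build_data(1, filename.encode("ascii"))     # first data block; content is irrelevant here
    return firewall.inbound((server[0], server_reply_port), client) and len(reply) > 4


if __name__ == "__main__":
    print("strict filter, reply from high port:", pxe_transfer(False, 52311))
    print("TFTP-aware filter, reply from high port:", pxe_transfer(True, 52311))
    print("strict filter, server replies from 69:", pxe_transfer(False, 69))
```

The two ways the note describes to make this work map onto the two passing cases: either the firewall understands TFTP and tracks the client endpoint rather than the server port, or the server is configured to answer from port 69 so the strict reverse match succeeds.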

6 Communication between the site server and site systems: By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send back status information. Reporting points and distribution points do not send back status information. If you select Allow only site server initiated data transfers from this site system on the site system properties, the site system will never initiate communication back to the site server.

7 Ports used by distribution points for application virtualization streaming: A distribution point enabled to support application virtualization can be configured to use either HTTP or HTTPS. This feature is available in Configuration Manager 2007 R2 only.
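Notes 2 and 4 turn the tables above into a substitution exercise: every "See note 2" entry takes the custom client port, and every WSUS entry must keep the HTTP/HTTPS pairing that note 4 requires. The small port calculator below was written for this page as an added example (it is not code from the TechNet article or from Configuration Manager). It encodes a few of the numbered links, applies both notes, and can swap the RPC DYNAMIC entry for a restricted range when one has been configured; the choice of links, the `rules_for` and `wsus_https_port` names, and the sample values are assumptions made for the example.

```python
"""Port calculator for Configuration Manager 2007 links (added example;
not code from the TechNet article).

Encodes a handful of the link tables above and applies the substitution
rules from note 2 (custom client HTTP/HTTPS ports) and note 4 (WSUS
HTTP/HTTPS pairing). Link numbers match the tables on the page; the
function and parameter names are chosen for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

RPC_DYNAMIC = "DYNAMIC"
# Symbolic ports that notes 2 and 4 let an administrator change.
CLIENT_HTTP, CLIENT_HTTPS = "client_http", "client_https"
WSUS_HTTP, WSUS_HTTPS = "wsus_http", "wsus_https"

Port = Union[int, str, Tuple[int, int]]   # fixed port, symbol/DYNAMIC, or a range


@dataclass(frozen=True)
class Rule:
    source: str
    target: str
    proto: str       # "tcp" or "udp"
    port: Port
    service: str


# (source role, target role, [(proto, port, service), ...]) per numbered link.
LINKS = {
    6: ("Client", "Software Update Point",
        [("tcp", WSUS_HTTP, "HTTP"), ("tcp", WSUS_HTTPS, "HTTPS")]),
    13: ("Client", "Fallback Status Point", [("tcp", CLIENT_HTTP, "HTTP")]),
    14: ("Site Server", "Distribution Point",
         [("udp", 135, "RPC Endpoint Mapper"), ("tcp", 135, "RPC Endpoint Mapper"),
          ("tcp", RPC_DYNAMIC, "RPC"), ("tcp", 445, "SMB")]),
    15: ("Client", "Distribution Point",
         [("tcp", CLIENT_HTTP, "HTTP"), ("tcp", CLIENT_HTTPS, "HTTPS"),
          ("tcp", 445, "SMB"), ("udp", (63000, 64000), "Multicast Protocol")]),
    17: ("Client", "Management Point",
         [("tcp", CLIENT_HTTP, "HTTP"), ("tcp", CLIENT_HTTPS, "HTTPS")]),
    33: ("Software Update Point", "WSUS Synchronization Server",
         [("tcp", WSUS_HTTP, "HTTP"), ("tcp", WSUS_HTTPS, "HTTPS")]),
}


def wsus_https_port(wsus_http: int) -> int:
    """Note 4: HTTP 80 pairs with HTTPS 443; any other HTTP port pairs with HTTP + 1."""
    return 443 if wsus_http == 80 else wsus_http + 1


def check_wsus_pair(wsus_http: int, wsus_https: int) -> bool:
    """True when a configured WSUS HTTP/HTTPS pair satisfies note 4."""
    return wsus_https == wsus_https_port(wsus_http)


def resolve_port(port: Port, client_http: int, client_https: int,
                 wsus_http: int, rpc_range: Optional[Tuple[int, int]]) -> Port:
    """Replace symbolic entries with the ports actually configured in the site."""
    substitutions = {
        CLIENT_HTTP: client_http,
        CLIENT_HTTPS: client_https,
        WSUS_HTTP: wsus_http,
        WSUS_HTTPS: wsus_https_port(wsus_http),
    }
    if port in substitutions:
        return substitutions[port]
    if port == RPC_DYNAMIC and rpc_range is not None:
        return rpc_range   # dynamic RPC range restricted by the administrator
    return port


def rules_for(link_ids, client_http: int = 80, client_https: int = 443,
              wsus_http: int = 80, rpc_range: Optional[Tuple[int, int]] = None) -> List[Rule]:
    """Expand the selected links into concrete firewall rules."""
    rules = []
    for link_id in link_ids:
        source, target, entries = LINKS[link_id]
        for proto, port, service in entries:
            resolved = resolve_port(port, client_http, client_https, wsus_http, rpc_range)
            rules.append(Rule(source, target, proto, resolved, service))
    return rules


def format_rule(rule: Rule) -> str:
    """Render a rule the way a firewall change request would list it."""
    port = rule.port
    if isinstance(port, tuple):
        port = f"{port[0]}-{port[1]}"
    return f"{rule.source} -> {rule.target}: {rule.proto}/{port} ({rule.service})"


if __name__ == "__main__":
    # Constructed site: client HTTP moved to 8080, WSUS on the custom web site (8530),
    # RPC dynamic range narrowed to 50000-50100.
    for rule in rules_for([17, 6, 14], client_http=8080, wsus_http=8530, rpc_range=(50000, 50100)):
        print(format_rule(rule))
```

Running the block with the constructed values prints the client-to-management-point rules on 8080 and 443, the software update point rules on 8530 and 8531 as note 4 demands, and the site-server-to-distribution-point rules with the RPC entry replaced by the configured range. Extending `LINKS` with the remaining tables is mechanical.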

Configuration Manager Remote Control Ports

When you use NetBIOS over TCP/IP for Configuration Manager 2007 Remote Control, the ports described in the following table are used.

Description UDP TCP
RPC Endpoint Mapping -- 135
Name resolution 137 --
Messaging 138 --
Client Sessions -- 139

AMT Out of Band Management Ports (Configuration Manager 2007 SP1)

When you use the out of band management feature in Configuration Manager 2007 SP1, the following ports are used.

A. Site Server Out of Band Service Point

Description UDP TCP
Server Message Block (SMB) -- 445
RPC Endpoint Mapper 135 135
RPC -- DYNAMIC

B. AMT Management Controller -- > Out of Band Service Point

Description UDP TCP
Provisioning out of band (not applicable to in-band provisioning) -- 9971 (configurable)

C. Out of Band Service Point -- > AMT Management Controller

Description UDP TCP
Discovery -- 16992
Power control, provisioning, and discovery -- 16993

D. Out of Band Management Console -- > AMT Management Controller

Description UDP TCP
General management tasks -- 16993
Serial over LAN and IDE redirection -- 16995

Ports Used by Configuration Manager Client Installation

The ports that are used during client installation depend on the client deployment method. See Ports Used During Configuration Manager Client Deployment for a list of ports for each client deployment method. For information about how to configure Windows Firewall on the client for client installation and post-installation communication, see Windows Firewall Settings for Configuration Manager Clients.

Ports Used by Windows Server

The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows Server services and network ports requirements, see http://go.microsoft.com/fwlink/?LinkID=123652.

Description UDP TCP
Domain Name System (DNS) 53 53
Dynamic Host Configuration Protocol (DHCP) 67 and 68 --
NetBIOS Name Resolution 137 --
NetBIOS Datagram Service 138 --
NetBIOS Session Service -- 139

Connecting with Microsoft SQL Server

If you use the TCP/IP Net-Library, enable port 1433 on the firewall. Use the Hosts file or an advanced connection string for host name resolution.

If you use named pipes over TCP/IP, enable port 139 for NetBIOS functions. NetBIOS should be used only for troubleshooting Kerberos issues.

TCP/IP is required for network communications to allow Kerberos authentication. Named pipes communication is not required for Configuration Manager 2007 site database operations and should be used only to troubleshoot Kerberos authentication issues.

The default instance of SQL Server uses TCP port 1433 for network communications. When you use a named instance, the port number is dynamically assigned. Configuration Manager does not support manually changing or defining the port number for either the default instance or named instances of SQL Server.

We do not recommend that you enable UDP ports 137 and 138 for NetBIOS name resolution by using B-node broadcasts. Instead, you can use a WINS server or an LMHOSTS file for name resolution.

Installation Requirements for Internet-Based Site Systems

The Internet-based management point, software update point, and fallback status point use the following ports for installation and repair:

Site server -- > site system: RPC endpoint mapper using UDP and TCP port 135.

Site server -- > site system: RPC dynamic TCP ports.

Site server < -- > site system: Server message blocks (SMB) using TCP port 445.

Distribution points do not install until the first package is targeted to them. Package installations on distribution points require the following RPC ports:

Site server -- > distribution point: RPC endpoint mapper using UDP and TCP port 135.

Site server -- > distribution point: RPC dynamic TCP ports.

Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see http://go.microsoft.com/fwlink/?LinkId=124096.


Important

Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have specified a site system installation account if the site system is in a different Active Directory forest without a trust relationship. For more information, see How to Configure the Site System Installation Account.
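Once the site server to site system ports are restricted to 135, 445 and a limited RPC range, the firewall log is the place to confirm that the restriction actually holds. The script below was written for this page as an added example (it is not code from the TechNet article or a Microsoft tool). It parses records in the Windows Firewall `pfirewall.log` field order and reports every connection from the site server to a known site system whose destination port is neither one of the fixed ports listed above nor inside the configured RPC range. The addresses, the RPC range, the site system inventory and the log lines are constructed for the example, and the function names are assumptions.

```python
"""Audit Windows Firewall log records for site-server-to-site-system traffic
(added example; not code from the TechNet article).

The section above lists the ports a site server needs to reach an
Internet-based site system (UDP/TCP 135, RPC dynamic TCP, TCP 445) and
suggests narrowing the dynamic range with rpccfg.exe. Any allowed
connection outside that set means the range is not enforced or the
firewall rule is broader than intended. Addresses, the range, the
inventory and the log lines are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SITE_SERVER = "10.0.0.5"                                            # constructed
SITE_SYSTEMS = {"10.0.0.20": "Internet-based management point"}     # constructed
RPC_RANGE = (50000, 50100)   # assumed to have been set with rpccfg.exe for this example
FIXED_PORTS = {("TCP", 135), ("UDP", 135), ("TCP", 445)}

# Constructed sample records in the pfirewall.log field order:
# date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2012-03-19 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.20 49201 135 0 - 0 0 0 - - - SEND
2012-03-19 10:00:01 ALLOW UDP 10.0.0.5 10.0.0.20 49201 135 0 - - - - - - - SEND
2012-03-19 10:00:01 ALLOW TCP 10.0.0.5 10.0.0.20 49202 50017 0 - 0 0 0 - - - SEND
2012-03-19 10:00:02 ALLOW TCP 10.0.0.5 10.0.0.20 49203 445 0 - 0 0 0 - - - SEND
2012-03-19 10:00:03 ALLOW TCP 10.0.0.5 10.0.0.20 49204 61234 0 - 0 0 0 - - - SEND
2012-03-19 10:00:04 DROP TCP 10.0.0.5 10.0.0.20 49205 3389 0 - 0 0 0 - - - SEND
2012-03-19 10:00:05 ALLOW TCP 10.0.0.77 10.0.0.20 51000 445 0 - 0 0 0 - - - SEND
"""


@dataclass(frozen=True)
class Record:
    action: str
    protocol: str
    src_ip: str
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Optional[Record]:
    """Parse one log record; header, comment and malformed lines yield None."""
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 8:
        return None
    try:
        return Record(fields[2], fields[3], fields[4], fields[5], int(fields[7]))
    except ValueError:          # ICMP records carry "-" in the port columns
        return None


def classify(rec: Record, rpc_range: Tuple[int, int] = RPC_RANGE) -> str:
    """Label the destination port against the documented site server requirements."""
    if (rec.protocol, rec.dst_port) in FIXED_PORTS:
        return "expected-fixed"
    if rec.protocol == "TCP" and rpc_range[0] <= rec.dst_port <= rpc_range[1]:
        return "expected-rpc-dynamic"
    return "unexpected"


def audit(log_text: str, rpc_range: Tuple[int, int] = RPC_RANGE) -> List[Tuple[str, str, int, str]]:
    """Return (action, protocol, port, site system) for each site-server connection
    to a known site system that falls outside the documented ports."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.src_ip != SITE_SERVER or rec.dst_ip not in SITE_SYSTEMS:
            continue
        if classify(rec, rpc_range) == "unexpected":
            findings.append((rec.action, rec.protocol, rec.dst_port, SITE_SYSTEMS[rec.dst_ip]))
    return findings


if __name__ == "__main__":
    for action, proto, port, role in audit(SAMPLE_LOG):
        print(f"{action:5} {proto}/{port} -> {role}")
```

In the constructed log the ALLOW on TCP 61234 is the finding that matters: a connection from the site server that the firewall let through outside the configured RPC range, which is worth checking against the rpccfg.exe settings on that host. The DROP on 3389 shows the rule set doing its job and is reported only for completeness.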


See Also

Concepts

Windows Firewall Settings for Configuration Manager Clients

Other Resources

Technical Reference for Configuration Manager Security

For additional information, see Configuration Manager 2007 Information and Support. To contact the documentation team, email [email protected].

Community Content

Please add additional protocol for DNS (IngridG, 10/10/2011)

Within the section "Ports used by Windows Server", only the UDP protocol is listed for DNS. If the DNS string becomes larger, it switches over to TCP. So TCP protocol must also be allowed with port 53 to communicate with DNS. It caused us one day of searching after closing down the firewall using the information in this article.

RE: Port calculator (Carol Bailey, 4/16/2011)

To answer the question about the difference between a management point and proxy management point - there is no difference in the ports. They both function the same, which is why you don't see a site system role option in the wizard for the proxy management point when you install site systems in secondary sites. The proxy management point is a concept term to describe placement in the hierarchy.

Port calculator (johnny mango, 1/28/2011)

It would be great if there could be a "port calculator" - a spreadsheet into which you could add your server names, IP addresses and roles, and then it fires out a list of all the ports you'd need to open which you could then pass on to the security team so they open them.

Also, not sure what difference there would be in the ports for a "Management Server" and "Proxy Management Server" which isn't mentioned here.

Re: Error with number of connection - PXE service point to SQL (Carol Bailey, 2/26/2010)

Thanks for pointing this out - now corrected.

Error with number of connection - PXE service point to SQL (Donec, 11/13/2009)

Real number in the picture is 38.

nonsense, but....
