Solved

SCCM unable to connect to clients

Posted on 2010-09-21
Last Modified: 2013-11-21
Hello all, we are currently in the process of deploying SCCM 2007 R2 in our environment. However, we are running into a problem where we are unable to access the computer using remote tools or deploy the SCCM client to the computer. It works fine when we disable the firewall, but when we turn it back on it blocks anything coming from SCCM. Below are the exceptions I have added to the clients' firewalls, but it still won't work with the exceptions. Any ideas?

67:TCP:10.1.121.150:enabled:SMSPXEDHCP
68:TCP:10.1.121.150:enabled:SMSPXEDHCP
69:TCP:10.1.121.150:enabled:SMSPXETFTP
4011:TCP:10.1.121.150:enabled:SMSPXEBINL
445:TCP:10.1.121.150:enabled:SMSSMB
80:TCP:10.1.121.150:enabled:SMSHTTP
443:TCP:10.1.121.150:enabled:SMSHTTPS
2701:TCP:10.1.121.150:enabled:SMSRemoteControl
2701:UDP:10.1.121.150:enabled:SMSRemoteControl
2702:TCP:10.1.121.150:enabled:SMSRemoteData
2702:UDP:10.1.121.150:enabled:SMSRemoteData
135:TCP:10.1.121.150:enabled:SMSRemoteEndpoint
3389:TCP:10.1.121.150:enabled:SMSRDP
9:UDP:10.1.121.150:enabled:SMSWAKEONLAN
139:TCP:10.1.121.150:enabled:SMSSession
1433:TCP:10.1.121.150:enabled:SMSSQL
Question by:beck4164

Expert Comment

by:Abduljalil Abou Alzahab
ID: 33726937
Please check
Windows Firewall Settings for Configuration Manager Clients
http://technet.microsoft.com/en-us/library/bb694088.aspx

In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:

    * TCP port 2701
    * TCP port 2702
    * TCP port 135

Please make sure that the policy is applied on the client machine. For testing,
go to the client machine, open CMD and run
telnet 10.1.121.150 2701
telnet 10.1.121.150 2702
telnet 10.1.121.150 135

To configure this policy, add the following string to the Show Contents dialog box for the policy:

Windows Firewall: Define port exceptions

2701:TCP:10.1.121.150:enabled:RemoteTool (TCP 2701)
2702:TCP:10.1.121.150:enabled:RemoteTool (TCP 2702)
135:TCP:10.1.121.150:enabled:RemoteTool (TCP 135)



Author Comment

by:beck4164
ID: 33727134
I have added the exception to the firewall through group policy and it is applying to the computer; however, when I try to telnet 10.1.121.150:2701 or any of the other ports, it fails.

Expert Comment

by:Abduljalil Abou Alzahab
ID: 33728118
If telnet fails, it means the ports are still closed. Try to run gpupdate on the client computer and make sure that the group policy is applied.

Can you try to telnet other ports such as 1433 or 4011?

For testing, also please try
2701:TCP:*:enabled:RemoteTool
2702:TCP:*:enabled:RemoteTool
135:TCP:*:enabled:RemoteTool

This example is named RemoteTool and enables TCP ports 2701, 2702 and 135 for all connections.

Please make sure that the Remote Tools agent is enabled in ConfigMgr.

Which OS is installed for ConfigMgr? Check the firewall settings on the server as well.


Expert Comment

by:Adam Leinss
ID: 33728629
I believe WUSER32.EXE is the actual process that kicks off the remote control session (according to C:\windows\system32\ccm\logs\remctrl.log). You might need a rule to allow that process access inbound/outbound, along with smsrc.exe, rcserver.exe and rclaunch.exe in C:\Windows\System32\CCM\clicomp\RemCtrl.

Expert Comment

by:Abduljalil Abou Alzahab
ID: 33728679
Can you please send Remctrl.log?

Expert Comment

by:TarekIsmail
ID: 33729593
Hi all,
We need to divide the question into two points.

Ports required to allow client push installation
=====================================

In order to successfully use client push to install the Configuration Manager 2007 client, you must add the following as exceptions to the Windows Firewall:

File and Printer Sharing
Windows Management Instrumentation (WMI)
You can configure these two rules using GPO:
Windows Firewall: Allow remote administration exception properties
Windows Firewall: Allow file and printer sharing exception

Ports required for Remote Control
============================
In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:
TCP port 2701
TCP port 2702
TCP port 135

These ports are required to be opened from the SCCM console to the client, not from the site server to the client.
=====================
We also need to open ports 80, 443, 67 and 68.

All the other ports you mention here are not required.
http://technet.microsoft.com/en-us/library/bb694088.aspx


Expert Comment

by:Abduljalil Abou Alzahab
ID: 33729715
As I understand from beck4164, he had a problem only with remote tools? Please confirm whether you have any issue with client push installation.
Author Comment

by:beck4164
ID: 33734216
@a-Jaleel: Yes, I am having problems with both client push install and remote control.

Attached are the results from the telnet and the remote control log.

@TarekIsmail: all of those ports have been opened, as outlined in my original post, where I listed all of the ports we have opened through GPO.
Attachments: telnet.JPG, RemoteControl.log

Accepted Solution

by:
TarekIsmail earned 500 total points
ID: 33736508
Hi all,

I have checked the firewall settings for client push installation again, and I found that the ports configured in your post will not be enough to allow the client push installation. I have also copied and pasted the firewall rule descriptions for the two required firewall rules:

Windows Firewall: Allow remote administration exception properties
-----------------------------------------------------------------------------------
Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). Additionally, on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1, this policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034.  On Windows Vista, this policy setting does not control connections to SVCHOST.EXE and LSASS.EXE.

If you enable this policy setting, Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subnets from which these incoming messages are allowed.

If you disable or do not configure this policy setting, Windows Firewall does not open TCP port 135 or 445. Also, on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445, it does not conflict with the "Windows Firewall: Allow file and printer sharing exception" policy setting.

Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not enable this policy setting.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Define inbound port exceptions."

Windows Firewall: allow file and printer sharing exception
----------------------------------------------------------------------
Allows inbound file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445.

If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it.

If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared and administrators cannot select it.

If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared. Administrators can change this check box.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo requests (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Define inbound port exceptions."


So I still recommend using only these two firewall policies, in addition to opening the Remote Control ports.

Ports required for Remote Control
============================
In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:
TCP port 2701
TCP port 2702
TCP port 135

These ports are required to be opened from the SCCM console to the client, not from the site server to the client.
=====================
In addition, we need to open ports 80, 443, 67 and 68.

I hope my comment give you the right answer to your question!
Good Luck!
Tarek Ismail
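An added checker for the "Define port exceptions" strings discussed in this thread (example code, not from the thread or from Microsoft): it parses the port:transport:scope:status:name format, flags entries the firewall would silently ignore (such as the UPD spelling in the question), and reports required ports that are missing or that are scoped only to the site server when remote tools are started from a console at an assumed address of 10.1.121.200. The required-port table is taken from the TechNet text quoted above; scope matching assumes either `*` or a comma-separated list of addresses.

```python
import re
from collections import namedtuple

# "Windows Firewall: Define port exceptions" entry: port:transport:scope:status:name,
# e.g. 2701:TCP:10.1.121.150:enabled:SMSRemoteControl. Transport must be TCP or UDP;
# the firewall drops a misspelt entry without reporting it, so the typo goes unnoticed.
ENTRY_RE = re.compile(r"^(\d{1,5}):([^:]+):([^:]+):(enabled|disabled):(.*)$", re.I)
Rule = namedtuple("Rule", "port transport scope status name")

# Per-feature ports from the TechNet descriptions quoted in the thread.
REQUIRED = {
    "client push / remote administration": {(135, "TCP"), (445, "TCP")},
    "client push / file and printer sharing": {(137, "UDP"), (138, "UDP"), (139, "TCP"), (445, "TCP")},
    "remote tools (initiated from the console)": {(135, "TCP"), (2701, "TCP"), (2702, "TCP")},
}

def parse_exceptions(text):
    """Return (valid rules, problems) for a block of exception strings, one per line."""
    rules, problems = [], []
    for raw in (line.strip() for line in text.splitlines() if line.strip()):
        m = ENTRY_RE.match(raw)
        if not m:
            problems.append(f"unparseable entry: {raw}")
        elif m.group(2).upper() not in ("TCP", "UDP"):
            problems.append(f"transport {m.group(2)!r} is not TCP/UDP, rule ignored: {raw}")
        else:
            port, transport, scope, status, name = m.groups()
            rules.append(Rule(int(port), transport.upper(), scope, status.lower(), name))
    return rules, problems

def check_coverage(rules, console_ip):
    """List required ports that are missing, or whose scope shuts out the admin console."""
    enabled = {(r.port, r.transport): r for r in rules if r.status == "enabled"}
    findings = []
    for purpose, needed in REQUIRED.items():
        for port, proto in sorted(needed):
            rule = enabled.get((port, proto))
            if rule is None:
                findings.append(f"{purpose}: {proto} {port} not enabled")
            elif purpose.startswith("remote tools") and rule.scope != "*" and \
                    console_ip not in rule.scope.split(","):  # remote tools come from the console
                findings.append(f"{purpose}: {proto} {port} scoped to {rule.scope}, console {console_ip} excluded")
    return findings

# Constructed sample: a subset of the original post's list, scoped to site server 10.1.121.150.
SAMPLE = """445:TCP:10.1.121.150:enabled:SMSSMB
135:TCP:10.1.121.150:enabled:SMSRemoteEndpoint
2701:TCP:10.1.121.150:enabled:SMSRemoteControl
2701:UPD:10.1.121.150:enabled:SMSRemoteControl
2702:TCP:10.1.121.150:enabled:SMSRemoteData"""
```

A static port list also cannot express the dynamically assigned RPC ports that the "Allow remote administration exception" policy admits, which is one reason the accepted answer prefers the two policy settings over individual port exceptions for client push.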

Expert Comment

by:Abduljalil Abou Alzahab
ID: 33739484
Microsoft TechNet publishes all the information about Windows Firewall Settings for Configuration Manager Clients:
http://technet.microsoft.com/en-us/library/bb694088.aspx

Don't forget to check the firewall settings on the server. If it is on and not managed by group policy, try to open the required ports, or turn it off for testing purposes only, and test.

Expert Comment

by:TarekIsmail
ID: 33760392
Hi, any news? I hope everything is going the right way.

Author Comment

by:beck4164
ID: 33769398
Sorry it took so long to try what you guys have posted. I have tried adding the exceptions you have recommended and I am still unable to install the SCCM client; I keep getting the error

---> Unable to connect to WMI on remote machine, error = 0x800706ba.

Any ideas? The only way I don't get this error is when I disable the firewall, but that isn't really an option.

Assisted Solution

by:TarekIsmail
TarekIsmail earned 500 total points
ID: 33772461

Author Closing Comment

by:beck4164
ID: 33773801
Followed what you guys said and recreated the policy with your suggestions, and then I was able to push out the client.