Solved

SCCM unable to connect to clients

Posted on 2010-09-21
Last Modified: 2013-11-21
Hello all, we are currently in the process of deploying SCCM 2007 R2 in our environment. However, we are running into a problem where we are unable to access the computer using remote tools or deploy the SCCM client to the computer. It works fine when we disable the firewall, but when we turn it back on it blocks anything coming from SCCM. Below are the exceptions I have added to the clients' firewalls, but it still won't work with the exceptions. Any ideas?

67:TCP:10.1.121.150:enabled:SMSPXEDHCP
68:TCP:10.1.121.150:enabled:SMSPXEDHCP
69:TCP:10.1.121.150:enabled:SMSPXETFTP
4011:TCP:10.1.121.150:enabled:SMSPXEBINL
445:TCP:10.1.121.150:enabled:SMSSMB
80:TCP:10.1.121.150:enabled:SMSHTTP
443:TCP:10.1.121.150:enabled:SMSHTTPS
2701:TCP:10.1.121.150:enabled:SMSRemoteControl
2701:UDP:10.1.121.150:enabled:SMSRemoteControl
2702:TCP:10.1.121.150:enabled:SMSRemoteData
2702:UDP:10.1.121.150:enabled:SMSRemoteData
135:TCP:10.1.121.150:enabled:SMSRemoteEndpoint
3389:TCP:10.1.121.150:enabled:SMSRDP
9:UDP:10.1.121.150:enabled:SMSWAKEONLAN
139:TCP:10.1.121.150:enabled:SMSSession
1433:TCP:10.1.121.150:enabled:SMSSQL
Question by:beck4164
14 Comments
 
LVL 14

Expert Comment

by:Abduljalil Abou Alzahab
ID: 33726937
Please check
Windows Firewall Settings for Configuration Manager Clients
http://technet.microsoft.com/en-us/library/bb694088.aspx

In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:

    * TCP port 2701

    * TCP port 2702

    * TCP port 135

Please make sure that the policy is applied on the client machine. For testing,
go to the client machine, open CMD and run:
telnet 10.1.121.150 2701
telnet 10.1.121.150 2702
telnet 10.1.121.150 135

To configure this policy, add the following string to the Show Contents dialog box for the policy:

Windows Firewall: Define port exceptions

2701:TCP:10.1.121.150:enabled:RemoteTool (TCP 2701)
2702:TCP:10.1.121.150:enabled:RemoteTool (TCP 2702)
135:TCP:10.1.121.150:enabled:RemoteTool (TCP 135)


image0051097235810133.jpg
 

Author Comment

by:beck4164
ID: 33727134
I have added the exception to the firewall through group policy and it is applying to the computer. However, when I try to telnet to 10.1.121.150:2701 or any of the other ports, it fails.
 
LVL 14

Expert Comment

by:Abduljalil Abou Alzahab
ID: 33728118
If telnet fails, it means the ports are still closed. Try running gpupdate on the client computer and make sure that the group policy is applied.

Can you try to telnet to other ports such as 1433 or 4011?

For testing, also please try:
2701:TCP:*:enabled:RemoteTool
2702:TCP:*:enabled:RemoteTool
135:TCP:*:enabled:RemoteTool

This example is named RemoteTool and enables TCP ports 2701, 2702 and 135 for all connections.

Please make sure that the Remote Tools agent is enabled in ConfigMgr.

Which OS is installed for ConfigMgr? Check the firewall settings on the server as well.
 
LVL 22

Expert Comment

by:Adam Leinss
ID: 33728629
I believe WUSER32.EXE is the actual process that kicks off the remote control session (according to C:\windows\system32\ccm\logs\remctrl.log). You might need a rule to allow that process access inbound/outbound, along with smsrc.exe, rcserver.exe and rclaunch.exe in C:\Windows\System32\CCM\clicomp\RemCtrl.
 
LVL 14

Expert Comment

by:Abduljalil Abou Alzahab
ID: 33728679
Can you please send Remctrl.log
 
LVL 6

Expert Comment

by:TarekIsmail
ID: 33729593
Hi all,
We need to divide the question into two points.

Ports required to allow client push installation
=====================================

In order to successfully use client push to install the Configuration Manager 2007 client, you must add the following as exceptions to the Windows Firewall:

File and Printer Sharing
Windows Management Instrumentation (WMI)
You can configure these two rules using GPO:
Windows Firewall: Allow remote administration exception properties
Windows Firewall: Allow file and printer sharing exception

Ports required for Remote Control
============================
In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:
TCP port 2701
TCP port 2702
TCP port 135

These ports are required to be opened from the SCCM console to the client, not from the site server to the client.
=====================
Also, we need to open ports 80, 443, 67 and 68.

All other ports you mention here are not required.
http://technet.microsoft.com/en-us/library/bb694088.aspx

 
LVL 14

Expert Comment

by:Abduljalil Abou Alzahab
ID: 33729715
As I understand from beck4164, he had a problem only with remote tools? Please confirm whether you have any issue with client push installation.
 

Author Comment

by:beck4164
ID: 33734216
@a-Jaleel: Yes, I am having problems with both client push install and remote control.

Attached are the results from the telnet and the remote control log.

@TarekIsmail: all of those ports have been opened as outlined in my original post, where I listed all of the ports we have opened through GPO.
telnet.JPG
RemoteControl.log
 
LVL 6

Accepted Solution

by:
TarekIsmail earned 2000 total points
ID: 33736508
HI all ,

I have checked the firewall settings for client push installation again, and I found that the ports configured in your post will not be enough to allow the client push installation. I have also copied and pasted the firewall rule descriptions for the two required firewall policies:

Windows Firewall: Allow remote administration exception properties
-----------------------------------------------------------------------------------
Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). Additionally, on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1, this policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034.  On Windows Vista, this policy setting does not control connections to SVCHOST.EXE and LSASS.EXE.

If you enable this policy setting, Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subnets from which these incoming messages are allowed.

If you disable or do not configure this policy setting, Windows Firewall does not open TCP port 135 or 445. Also, on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445, it does not conflict with the "Windows Firewall: Allow file and printer sharing exception" policy setting.

Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not enable this policy setting.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Define inbound port exceptions."

Windows Firewall: allow file and printer sharing exception
----------------------------------------------------------------------
Allows inbound file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445.

If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it.

If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared and administrators cannot select it.

If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared. Administrators can change this check box.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo requests (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Define inbound port exceptions."


So I still recommend using only these two firewall policies, in addition to opening the Remote Control ports.

Ports required for Remote Control
============================
In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:
TCP port 2701
TCP port 2702
TCP port 135

These ports are required to be opened from the SCCM console to the client, not from the site server to the client.
=====================
In addition, we need to open ports 80, 443, 67 and 68.

I hope my comment gives you the right answer to your question!
Good luck!
Tarek Ismail
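The two GPO settings quoted in the accepted answer have a local-firewall equivalent that is useful for testing a single client before the policy is rolled out, and for seeing exactly what the policy opens. The script below is an added example written for this page; it is not code from the thread, from Microsoft or from Configuration Manager. It assumes the site server address 10.1.121.150 from the original post, assumes it is run elevated on a client, and uses the legacy `netsh firewall` context on XP/Server 2003 and the `netsh advfirewall` rule groups on Vista/7/2008. The security point worth keeping from the quoted policy text is that the remote administration exception opens RPC/DCOM dynamic ports, so every rule here is scoped to the site server address rather than to `*` (the `*` scope suggested earlier in the thread is for troubleshooting only).

```powershell
# Added example (not from the thread): local-firewall equivalent of the GPO
# settings "Allow remote administration exception" and "Allow file and printer
# sharing exception", plus the Remote Tools ports, all scoped to the site server.
# Assumptions: $SiteServer is the address from the original post; run elevated on a client.
$SiteServer      = '10.1.121.150'
$RemoteToolPorts = 2701, 2702

# XP / Server 2003 (NT 5.x) only have the legacy "netsh firewall" context.
$legacy = [Environment]::OSVersion.Version.Major -lt 6

if ($legacy) {
    # Equivalent of the remote administration exception: TCP 135/445 plus the
    # dynamic RPC/DCOM ports that svchost.exe/lsass.exe open, only from the site server.
    netsh firewall set service type=remoteadmin mode=enable scope=custom "addresses=$SiteServer"
    # Equivalent of the file and printer sharing exception: UDP 137/138, TCP 139/445.
    netsh firewall set service type=fileandprint mode=enable scope=custom "addresses=$SiteServer"
    # Remote Tools ports, opened from the console host only.
    foreach ($p in $RemoteToolPorts) {
        netsh firewall add portopening protocol=TCP "port=$p" "name=SMS Remote Tools $p" mode=enable scope=custom "addresses=$SiteServer"
    }
    # Show the resulting service/port exceptions and their scopes.
    netsh firewall show config
}
else {
    # Vista / 7 / 2008: enable the built-in rule groups and narrow their remote scope.
    $groups = 'Remote Administration',
              'Windows Management Instrumentation (WMI)',
              'File and Printer Sharing'
    foreach ($g in $groups) {
        netsh advfirewall firewall set rule "group=$g" new enable=yes "remoteip=$SiteServer"
    }
    foreach ($p in $RemoteToolPorts) {
        netsh advfirewall firewall add rule "name=SMS Remote Tools TCP $p" dir=in action=allow protocol=TCP "localport=$p" "remoteip=$SiteServer"
    }
    # Verify: RemoteIP on each of these rules should now be the site server, not "Any".
    foreach ($g in $groups) {
        netsh advfirewall firewall show rule "name=all" dir=in | Select-String -Pattern '^Rule Name|^Enabled|^Grouping|^RemoteIP' | Select-String -Context 0,3 -Pattern "Grouping:\s+$([regex]::Escape($g))"
    }
}
```

If the domain GPO later defines the same exceptions, the GPO values win and the local entries become read-only in the Control Panel, which is the behaviour the quoted policy text describes; the local test rules can then be removed.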
 
LVL 14

Expert Comment

by:Abduljalil Abou Alzahab
ID: 33739484
Microsoft TechNet publishes all information about Windows Firewall Settings for Configuration Manager Clients:
http://technet.microsoft.com/en-us/library/bb694088.aspx

Don't forget to check the firewall settings on the server. If it is on and not managed by group policy, try to open the required ports, or turn it off for testing purposes only, and test.
 
LVL 6

Expert Comment

by:TarekIsmail
ID: 33760392
Hi, any news? I hope everything is going the right way.
 

Author Comment

by:beck4164
ID: 33769398
Sorry it took so long to try what you guys have posted. I have tried adding the exceptions you have recommended and I am unable to install the SCCM client; I keep getting the error

---> Unable to connect to WMI on remote machine, error = 0x800706ba.

Any ideas? The only way I don't get this error is when I disable the firewall, but that isn't really an option.
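The telnet checks suggested at the top of the thread and the WMI error in the comment above are really the same test seen from two sides: client push has to reach TCP 445 and the RPC endpoint mapper on TCP 135, and then the dynamically assigned RPC port that WMI/DCOM hands back, which is what the remote administration exception opens. The script below is an added example written for this page, not code from the thread or from Configuration Manager; run it on the site server or console host. `client01.contoso.local` is an assumed client name, and the port list is taken from the thread and the TechNet page it links. A timeout and a refusal are reported separately, because a filtered port (firewall drop) looks different from a closed one (nothing listening), which tells you whether to look at the firewall or at the agent.

```powershell
# Added example (not from the thread): probe one client from the site server /
# console host for the inbound ports a ConfigMgr 2007 client needs, then make the
# same WMI call client push makes. $Client is an assumed name; replace it.
param(
    [string]$Client    = 'client01.contoso.local',   # assumption: a real client FQDN or IP
    [int]   $TimeoutMs = 2000
)

# Inbound TCP ports discussed in the thread, with the feature that needs each one.
$ports = @{
    135  = 'RPC endpoint mapper (WMI/DCOM, client push)'
    445  = 'SMB (ADMIN$ copy of ccmsetup, client push)'
    2701 = 'Remote Control'
    2702 = 'Remote Data'
}

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($ComputerName, $Port, $null, $null)
        # A firewall drop never answers: report it as filtered instead of hanging.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return 'filtered (timeout)' }
        $tcp.EndConnect($ar)          # throws on RST: reachable but nothing listening
        return 'open'
    }
    catch   { return 'closed (refused)' }
    finally { $tcp.Close() }
}

foreach ($p in ($ports.Keys | Sort-Object)) {
    $state = Test-TcpPort -ComputerName $Client -Port $p -TimeoutMs $TimeoutMs
    '{0,5}/tcp  {1,-45} {2}' -f $p, $ports[$p], $state
}

# Client push also connects to WMI on the client. This call fails with
# 0x800706BA (RPC server unavailable) when TCP 135 or the dynamic RPC port the
# endpoint mapper returns is filtered, i.e. the remote administration exception
# is not in effect on the client, even when 135 itself answers above.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Client -ErrorAction Stop
    'WMI ok: {0} build {1}' -f $os.Caption, $os.BuildNumber
}
catch {
    'WMI failed: {0}' -f $_.Exception.Message
}
```

Run it once with the client firewall disabled to get a known-good baseline, then again with the policy applied; a port that flips from `open` to `filtered (timeout)` is the one the GPO is not covering.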
 
LVL 6

Assisted Solution

by:TarekIsmail
TarekIsmail earned 2000 total points
ID: 33772461
 

Author Closing Comment

by:beck4164
ID: 33773801
Followed what you guys said and recreated the policy with your suggestions, and then I was able to push out the client.
