Solved

SCCM unable to connect to clients

Posted on 2010-09-21
14
7,440 Views
Last Modified: 2013-11-21
Hello All, we are currently in the process of deploying SCCM 2007 R2 in our environment. However, we are running into a problem where we are unable to access the computer using remote tools or deploy the SCCM client to the computer. It works fine when we disable the firewall, but when we turn it back on it blocks anything coming from SCCM. Below are the exceptions I have added to the clients' firewalls, but it still won't work with the exceptions. Any ideas?

67:TCP:10.1.121.150:enabled:SMSPXEDHCP
68:TCP:10.1.121.150:enabled:SMSPXEDHCP
69:TCP:10.1.121.150:enabled:SMSPXETFTP
4011:TCP:10.1.121.150:enabled:SMSPXEBINL
445:TCP:10.1.121.150:enabled:SMSSMB
80:TCP:10.1.121.150:enabled:SMSHTTP
443:TCP:10.1.121.150:enabled:SMSHTTPS
2701:TCP:10.1.121.150:enabled:SMSRemoteControl
2701:UPD:10.1.121.150:enabled:SMSRemoteControl
2702:TCP:10.1.121.150:enabled:SMSRemoteData
2702:UPD:10.1.121.150:enabled:SMSRemoteData
135:TCP:10.1.121.150:enabled:SMSRemoteEndpoint
3389:TCP:10.1.121.150:enabled:SMSRDP
9:UPD:10.1.121.150:enabled:SMSWAKEONLAN
139:TCP:10.1.121.150:enabled:SMSSession
1433:TCP:10.1.121.150:enabled:SMSSQL
Question by:beck4164
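As an added example (not part of the question or any reply in this thread), the Python script below parses "Define port exceptions" strings in the format used above (port:transport:scope:status:name), flags entries Windows Firewall would not accept (the transport field takes only TCP or UDP, so a value such as the "UPD" that appears in the posted list is reported), and checks whether the three TCP ports the replies in this thread name for Remote Tools (2701, 2702, 135) are each covered by a valid, enabled entry. The function and constant names are mine; the sample list is the one posted in the question and the 10.1.121.150 scope is the site server address from the thread.

```python
"""Sanity-check 'Windows Firewall: Define port exceptions' strings.

Added example, not code from the thread. It parses the string format used in
the question (port:transport:scope:status:name), flags entries Windows
Firewall would reject, and reports which of the ports the thread says Remote
Tools needs are actually covered by a valid, enabled entry.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

VALID_TRANSPORTS = {"TCP", "UDP"}
VALID_STATUS = {"enabled", "disabled"}

# (port, transport) pairs the thread lists for Remote Tools (console -> client).
REMOTE_TOOLS_REQUIRED: Set[Tuple[int, str]] = {(2701, "TCP"), (2702, "TCP"), (135, "TCP")}

# The exception list exactly as posted in the question (note the 'UPD' entries).
SAMPLE_EXCEPTIONS = """\
67:TCP:10.1.121.150:enabled:SMSPXEDHCP
68:TCP:10.1.121.150:enabled:SMSPXEDHCP
69:TCP:10.1.121.150:enabled:SMSPXETFTP
4011:TCP:10.1.121.150:enabled:SMSPXEBINL
445:TCP:10.1.121.150:enabled:SMSSMB
80:TCP:10.1.121.150:enabled:SMSHTTP
443:TCP:10.1.121.150:enabled:SMSHTTPS
2701:TCP:10.1.121.150:enabled:SMSRemoteControl
2701:UPD:10.1.121.150:enabled:SMSRemoteControl
2702:TCP:10.1.121.150:enabled:SMSRemoteData
2702:UPD:10.1.121.150:enabled:SMSRemoteData
135:TCP:10.1.121.150:enabled:SMSRemoteEndpoint
3389:TCP:10.1.121.150:enabled:SMSRDP
9:UPD:10.1.121.150:enabled:SMSWAKEONLAN
139:TCP:10.1.121.150:enabled:SMSSession
1433:TCP:10.1.121.150:enabled:SMSSQL
"""


@dataclass
class PortException:
    raw: str
    port: int = -1
    transport: str = ""
    scope: str = ""
    status: str = ""
    name: str = ""
    problems: List[str] = field(default_factory=list)


def parse_exception(line: str) -> PortException:
    """Parse one exception string; anything that would make the firewall
    ignore the entry is recorded in .problems instead of raising."""
    entry = PortException(raw=line.strip())
    parts = entry.raw.split(":")
    if len(parts) != 5:
        entry.problems.append(f"expected 5 colon-separated fields, got {len(parts)}")
        return entry
    port_s, transport, scope, status, name = parts
    if port_s.isdigit() and 1 <= int(port_s) <= 65535:
        entry.port = int(port_s)
    else:
        entry.problems.append(f"port {port_s!r} is not a number in 1-65535")
    entry.transport = transport.upper()
    if entry.transport not in VALID_TRANSPORTS:
        entry.problems.append(f"transport {transport!r} is not TCP or UDP (typo?)")
    entry.scope = scope
    if not scope:
        entry.problems.append("empty scope (use an address, a subnet or *)")
    entry.status = status.lower()
    if entry.status not in VALID_STATUS:
        entry.problems.append(f"status {status!r} is not enabled/disabled")
    entry.name = name
    if not name:
        entry.problems.append("empty rule name")
    return entry


def parse_all(text: str) -> List[PortException]:
    """Parse every non-blank line of a policy 'Show Contents' list."""
    return [parse_exception(line) for line in text.splitlines() if line.strip()]


def invalid_entries(entries: Iterable[PortException]) -> List[PortException]:
    return [e for e in entries if e.problems]


def missing_required(entries: Iterable[PortException],
                     required: Iterable[Tuple[int, str]]) -> Set[Tuple[int, str]]:
    """Required (port, transport) pairs not covered by a valid, enabled entry."""
    covered = {(e.port, e.transport) for e in entries
               if not e.problems and e.status == "enabled"}
    return set(required) - covered


if __name__ == "__main__":
    entries = parse_all(SAMPLE_EXCEPTIONS)
    for e in invalid_entries(entries):
        print(f"REJECTED {e.raw}: {'; '.join(e.problems)}")
    missing = missing_required(entries, REMOTE_TOOLS_REQUIRED)
    print("Remote Tools ports missing:", sorted(missing) or "none")
```

Run against the posted list, the script reports the three "UPD" entries as rejected and confirms the three Remote Tools TCP ports are covered, which is why the telnet checks in the replies, not the exception syntax, are the next thing to look at.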
14 Comments
 
Expert Comment by: Abduljalil Abolzahab
Please check
Windows Firewall Settings for Configuration Manager Clients
http://technet.microsoft.com/en-us/library/bb694088.aspx

In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:

    * TCP port 2701

    * TCP port 2702

    * TCP port 135

Please make sure that the policy is applied on the client machine. For testing, go to the client machine, open CMD and run:
telnet 10.1.121.150 2701
telnet 10.1.121.150 2702
telnet 10.1.121.150 135

To configure this policy, add the following string to the Show Contents dialog box for the policy:

Windows Firewall: Define port exceptions

2701:TCP:10.1.121.150:enabled:RemoteTool (TCP 2701)
2702:TCP:10.1.121.150:enabled:RemoteTool (TCP 2702)
135:TCP:10.1.121.150:enabled:RemoteTool (TCP 135)
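The telnet checks suggested in the comment above, as an added example in Python (not code from the thread): it attempts a plain TCP connect to each Remote Tools port with a timeout and reports which ports are still closed at the client firewall. The host 10.1.121.150 and the ports come from the thread; the function names are mine, and the connect function is injectable so the logic can be exercised without a network.

```python
"""Scripted equivalent of the 'telnet <host> <port>' checks suggested above.

Added example, not code from the thread. It only attempts a TCP connect to
each port and reports whether the handshake completed; nothing is sent.
The host 10.1.121.150 and the ports come from the thread.
"""
import socket
from typing import Callable, Dict, Iterable

ConnectFn = Callable[..., object]


def tcp_reachable(host: str, port: int, timeout: float = 2.0,
                  connect: ConnectFn = socket.create_connection) -> bool:
    """True if a TCP connection to host:port completes within `timeout`.
    `connect` defaults to socket.create_connection and is injectable for tests."""
    try:
        with connect((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, unreachable, ...
        return False


def probe_ports(host: str, ports: Iterable[int], **kwargs) -> Dict[int, bool]:
    """Probe each port once and map port -> reachable."""
    return {port: tcp_reachable(host, port, **kwargs) for port in ports}


def summarize(results: Dict[int, bool]) -> str:
    """One line per port, plus a verdict that follows the comment's reasoning:
    a failed connect means the port is still closed at the client firewall."""
    lines = [f"port {port}: {'open' if ok else 'CLOSED'}"
             for port, ok in sorted(results.items())]
    closed = sorted(p for p, ok in results.items() if not ok)
    lines.append("verdict: all ports reachable" if not closed
                 else f"verdict: {len(closed)} port(s) still blocked: {closed}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Remote Tools ports from the comment above, checked from the console host.
    print(summarize(probe_ports("10.1.121.150", [2701, 2702, 135])))
```

Run it from the machine that hosts the ConfigMgr console, since the thread notes the Remote Tools ports are opened from the console to the client, not from the site server.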


Author Comment by: beck4164
I have added the exception to the firewall through group policy and it is applying to the computer; however, when I try to telnet 10.1.121.150:2701 or any of the other ports it fails.
Expert Comment by: Abduljalil Abolzahab
If telnet fails, it means the ports are still closed; try to run gpupdate on the client computer and make sure that the group policy is applied.

can you try to telnet other ports such as 1433 or 4011?

For testing, also please try
2701:TCP:*:enabled:RemoteTool
2702:TCP:*:enabled:RemoteTool
135:TCP:*:enabled:RemoteTool

This example is named RemoteTool and enables TCP ports 2701, 2702 and 135 for all connections.

Please make sure that the Remote Tools agent is enabled in ConfigMgr.

Which OS is installed for ConfigMgr? Check the firewall settings on the server as well.

Expert Comment by: Adam Leinss
I believe WUSER32.EXE is the actual process that kicks off the remote control session (according to C:\windows\system32\ccm\logs\remctrl.log). You might need a rule to allow that process access inbound/outbound, along with smsrc.exe, rcserver.exe and rclaunch.exe in C:\Windows\System32\CCM\clicomp\RemCtrl.
Expert Comment by: Abduljalil Abolzahab
Can you please send Remctrl.log?
Expert Comment by: TarekIsmail
Hi all,
We need to divide the question into two points.

ports required to allow client push installation
=====================================

In order to successfully use client push to install the Configuration Manager 2007 client, you must add the following as exceptions to the Windows Firewall:

File and Printer Sharing
Windows Management Instrumentation (WMI)
You can configure these two rules using GPO:
Windows Firewall: Allow remote administration exception properties
Windows Firewall: Allow file and printer sharing exception

ports required for Remote Control
============================
In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:
TCP port 2701
TCP port 2702
TCP port 135

These ports are required to be opened from the SCCM console to the client, not from the site server to the client.
=====================
Also we need to open ports 80, 443, 67, 68.

All other ports you mention here are not required.
http://technet.microsoft.com/en-us/library/bb694088.aspx

Expert Comment by: Abduljalil Abolzahab
As I understand from beck4164, he had a problem only with remote tools? Please confirm if you have any issue with client push installation.
Author Comment by: beck4164
@a-Jaleel: Yes, I am having problems with both client push install as well as remote control.

Attached is the results from the telnet and the remote control log.

@TarekIsmail, all of those ports have been opened; as outlined in my original post, I listed all of the ports we have opened through GPO.
Attachments: telnet.JPG, RemoteControl.log
Accepted Solution by: TarekIsmail (earned 500 total points)
Hi all,

I have checked the firewall settings for client push installation again, and I found that the configured ports in your post will not be enough to allow client push installation. Moreover, I have copied and pasted the firewall rule descriptions for the two required firewall rules:

Windows Firewall: Allow remote administration exception properties
-----------------------------------------------------------------------------------
Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windows Management Instrumentation (WMI). To do this, Windows Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Component Object Model (DCOM). Additionally, on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1, this policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports, typically in the range of 1024 to 1034.  On Windows Vista, this policy setting does not control connections to SVCHOST.EXE and LSASS.EXE.

If you enable this policy setting, Windows Firewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresses or subnets from which these incoming messages are allowed.

If you disable or do not configure this policy setting, Windows Firewall does not open TCP port 135 or 445. Also, on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1, Windows Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages, and prevents hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445, it does not conflict with the "Windows Firewall: Allow file and printer sharing exception" policy setting.

Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not, then do not enable this policy setting.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Define inbound port exceptions."

Windows Firewall: allow file and printer sharing exception
----------------------------------------------------------------------
Allows inbound file and printer sharing. To do this, Windows Firewall opens UDP ports 137 and 138, and TCP ports 139 and 445.

If you enable this policy setting, Windows Firewall opens these ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is selected and administrators cannot clear it.

If you disable this policy setting, Windows Firewall blocks these ports, which prevents this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions list, Windows Firewall does not open the port. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared and administrators cannot select it.

If you do not configure this policy setting, Windows Firewall does not open these ports. Therefore, the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports. In the Windows Firewall component of Control Panel, the "File and Printer Sharing" check box is cleared. Administrators can change this check box.

Note: If any policy setting opens TCP port 445, Windows Firewall allows inbound ICMP echo requests (the message sent by the Ping utility), even if the "Windows Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Firewall: Allow inbound file and printer sharing exception," "Windows Firewall: Allow inbound remote administration exception," and "Windows Firewall: Define inbound port exceptions."


So I still recommend using only these two firewall policies, in addition to opening the Remote Control ports:

ports required for Remote Control
============================
In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:
TCP port 2701
TCP port 2702
TCP port 135

These ports are required to be opened from the SCCM console to the client, not from the site server to the client.
=====================
In addition, we need to open ports 80, 443, 67, 68.

I hope my comment gives you the right answer to your question!
Good Luck!
Tarek Ismail
Expert Comment by: Abduljalil Abolzahab
Microsoft TechNet publishes all information about Windows Firewall Settings for Configuration Manager Clients:
http://technet.microsoft.com/en-us/library/bb694088.aspx

Don't forget to check the firewall settings on the server; if it's on and not managed by group policy, try to open the required ports, or turn it off for testing purposes only and test.
Expert Comment by: TarekIsmail
Hi, any news? I hope everything is going the right way.
Author Comment by: beck4164
Sorry it took so long to try what you guys have posted. I have tried adding the exceptions you have recommended and I am unable to install the SCCM client; I keep getting the error

---> Unable to connect to WMI on remote machine, error = 0x800706ba.

Any ideas? The only way I don't get this error is when I disable the firewall, but that isn't really an option.
Assisted Solution by: TarekIsmail (earned 500 total points)

Author Closing Comment by: beck4164
Followed what you guys said and recreated the policy with your suggestions, and then I was able to push out the client.