beck4164
asked on
SCCM unable to connect to clients
Hello All, we are currently in the process of deploying SCCM 2007 R2 in our environment. However, we are running into a problem where we are unable to access the computer using remote tools or deploy the SCCM client to the computer. It works fine when we disable the firewall, but when we turn it back on it blocks anything coming from SCCM. Below are the exceptions I have added to the clients' firewalls, but it still won't work with the exceptions. Any ideas?
67:TCP:10.1.121.150:enabled:SMSPXEDHCP
68:TCP:10.1.121.150:enabled:SMSPXEDHCP
69:TCP:10.1.121.150:enabled:SMSPXETFTP
4011:TCP:10.1.121.150:enabled:SMSPXEBINL
445:TCP:10.1.121.150:enabled:SMSSMB
80:TCP:10.1.121.150:enabled:SMSHTTP
443:TCP:10.1.121.150:enabled:SMSHTTPS
2701:TCP:10.1.121.150:enabled:SMSRemoteControl
2701:UPD:10.1.121.150:enabled:SMSRemoteControl
2702:TCP:10.1.121.150:enabled:SMSRemoteData
2702:UPD:10.1.121.150:enabled:SMSRemoteData
135:TCP:10.1.121.150:enabled:SMSRemoteEndpoint
3389:TCP:10.1.121.150:enabled:SMSRDP
9:UPD:10.1.121.150:enabled:SMSWAKEONLAN
139:TCP:10.1.121.150:enabled:SMSSession
1433:TCP:10.1.121.150:enabled:SMSSQL
ASKER
I have added the exception to the firewall through group policy and it is applying to the computer; however, when I try to telnet 10.1.121.150:2701 or any of the other ports it fails.
If telnet fails, it means the ports are still closed. Try running gpupdate on the client computer and make sure that the group policy is applied.
Can you try to telnet other ports such as 1433 or 4011?
For testing, also please try:
2701:TCP:*:enabled:RemoteTool
2702:TCP:*:enabled:RemoteTool
135:TCP:*:enabled:RemoteTool
This example is named RemoteTool and enables TCP ports 2701, 2702 and 135 for all connections.
Please make sure that the Remote Tools agent is enabled in ConfigMgr.
Which OS is installed for ConfigMgr? Also check the firewall settings on the server.
I believe WUSER32.EXE is the actual process that kicks off the remote control session (according to C:\windows\system32\ccm\logs\remctrl.log). You might need a rule to allow that process access inbound/outbound, along with smsrc.exe, rcserver.exe and rclaunch.exe in C:\Windows\System32\CCM\clicomp\RemCtrl
Can you please send Remctrl.log?
Hi all,
we need to divide the question into two points:
Ports required to allow client push installation
=====================================
In order to successfully use client push to install the Configuration Manager 2007 client, you must add the following as exceptions to the Windows Firewall:
File and Printer Sharing
Windows Management Instrumentation (WMI)
You can configure these two rules using GPO:
Windows Firewall: Allow remote administration exception properties
Windows Firewall: Allow file and printer sharing exception
Ports required for Remote Control
============================
In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:
TCP port 2701
TCP port 2702
TCP port 135
These ports are required to be opened from the SCCM console to the client, not from the site server to the client.
=====================
Also we need to open ports 80, 443, 67, 68.
All other ports you mention here are not required.
http://technet.microsoft.com/en-us/library/bb694088.aspx
As I understand from beck4164, he had a problem only with the remote tool? Please confirm if you have any issue with client push installation.
ASKER
@a-Jaleel: Yes, I am having problems with both client push install as well as remote control.
Attached are the results from the telnet and the remote control log.
@TarekIsmail: all of those ports have been opened as outlined in my original post. I listed all of the ports we have opened through GPO.
telnet.JPG
RemoteControl.log
Microsoft TechNet publishes all the information about Windows Firewall Settings for Configuration Manager Clients:
http://technet.microsoft.com/en-us/library/bb694088.aspx
Don't forget to check the firewall settings on the server; if it's on and not managed by group policy, try to open the required ports or turn it off for testing purposes only and test.
Hi, any news? I hope everything goes the right way.
ASKER
Sorry it took so long to try what you guys have posted. I have tried adding the exceptions you have recommended and I am unable to install the SCCM client; I keep getting the error
---> Unable to connect to WMI on remote machine, error = 0x800706ba.
Any ideas? The only way I don't get this error is when I disable the firewall, but that isn't really an option.
ASKER
Followed what you guys said and recreated the policy with your suggestions, and then I was able to push out the client.
Windows Firewall Settings for Configuration Manager Clients
http://technet.microsoft.com/en-us/library/bb694088.aspx
In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:
* TCP port 2701
* TCP port 2702
* TCP port 135
Please make sure that the policy is applied on the client machine. For testing,
go to the client machine, open CMD and run:
telnet 10.1.121.150 2701
telnet 10.1.121.150 2702
telnet 10.1.121.150 135
To configure this policy, add the following string to the Show Contents dialog box for the policy:
Windows Firewall: Define port exceptions
2701:TCP:10.1.121.150:enab
2702:TCP:10.1.121.150:enab
135:TCP:10.1.121.150:enabl
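An added example, not part of the original thread: a small linter for the port:transport:scope:status:name strings entered under "Windows Firewall: Define port exceptions", run over entries as they appear in this thread. The field rules it applies (transport TCP or UDP, status enabled or disabled, IPv4-only scope, DHCP and TFTP being UDP services) and the function names are this example's assumptions.

```python
import ipaddress

UDP_ONLY = {67: "DHCP server", 68: "DHCP client", 69: "TFTP"}  # UDP services

def lint_scope(scope):
    """Check the scope field: '*', 'localsubnet', or IPv4 addresses/subnets."""
    if scope == "*":
        return ["scope * admits any source address"]
    problems = []
    for item in (s.strip() for s in scope.split(",")):
        try:
            if item.lower() != "localsubnet":
                ipaddress.ip_network(item, strict=False)
        except ValueError:
            problems.append("bad scope entry %r" % item)
    return problems

def lint_entry(entry):
    """Return the problems found in one port:transport:scope:status:name string."""
    parts = entry.strip().split(":", 4)
    if len(parts) != 5:
        return ["expected 5 colon-separated fields, got %d" % len(parts)]
    port, transport, scope, status, _name = parts
    problems = lint_scope(scope)
    number = int(port) if port.isdecimal() else 0
    if not 1 <= number <= 65535:
        problems.append("invalid port %r" % port)
    if transport.upper() not in ("TCP", "UDP"):
        problems.append("unknown transport %r" % transport)
    elif transport.upper() == "TCP" and number in UDP_ONLY:
        problems.append("%s uses UDP, not TCP" % UDP_ONLY[number])
    if status.lower() not in ("enabled", "disabled"):
        problems.append("status %r is not enabled/disabled" % status)
    return problems

# Constructed sample: entries as posted in this thread, the last one cut short.
SAMPLE = [
    "67:TCP:10.1.121.150:enabled:SMSPXEDHCP",
    "2701:TCP:10.1.121.150:enabled:SMSRemoteControl",
    "2701:UPD:10.1.121.150:enabled:SMSRemoteControl",
    "2701:TCP:*:enabled:RemoteTool",
    "2702:TCP:10.1.121.150:enab",
]

def faulty_entries(entries):
    return {e: p for e in entries if (p := lint_entry(e))}

if __name__ == "__main__":
    for entry, found in faulty_entries(SAMPLE).items():
        print(entry, "->", "; ".join(found))
```

Running the linter against the exported policy values before linking the GPO catches mistyped transports and truncated strings, and lists every rule whose scope is left open to all sources.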