?
Solved

SCCM 2012 Firewall Ports

Posted on 2013-01-28
8
Medium Priority
?
9,098 Views
Last Modified: 2013-02-21
Hello All

I need to manage some SCCM clients (Windows XP SP3) that reside in DMZ locations behind a firewall, these clients are not part of a Windows domain they exist in a Windows Workgroup, SCCM will provide OS fixes and patches and AV.  Is there a list of ports available that are required to be open?

Cheers
V.
0
Comment
Question by:vision_on
  • 3
  • 3
  • 2
8 Comments
 
LVL 25

Accepted Solution

by:
Nagendra Pratap Singh earned 750 total points
ID: 38826237
The first two links are for 2007 version but still quite valid.


http://technet.microsoft.com/en-us/library/bb632618.aspx


http://technet.microsoft.com/en-us/library/bb694088.aspx


This list is for 2012 and you need to open only the ports for the features you are using.

http://www.windows-noob.com/forums/index.php?/topic/4356-ports-need-opening-for-firewall/
0
 
LVL 1

Author Comment

by:vision_on
ID: 38838817
Hello npsingh123

From reading the second article I have deduced that the ports that need to be open are as follows:

Manual SCCM Client Installation
TCP 445 to network share where ccmsetup.exe is.

SCCM Client Request and WSUS
Outbound 443 or 80

Client Notification (SCCM SP1)
Outbound 10123

Queries
Requires statview.exe  not sure what port this uses....?

If you could confirm my thoughts and or help me with statview.exe I would much appreciate it.

Cheers
V.
0
 
LVL 25

Expert Comment

by:Nagendra Pratap Singh
ID: 38838829
The above MS links and this

http://www.networksteve.com/enterprise/topic.php/SCCM_R3_Clients_not_installing./?TopicId=53644&Posts=8 

hint that statview has to be unblocked as an application and no list of ports is given.

I  will check more.
0
Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

 
LVL 25

Expert Comment

by:Nagendra Pratap Singh
ID: 38839719
That seems to be all I could find.
0
 
LVL 1

Author Comment

by:vision_on
ID: 38839773
Thanks for those links, however, it would be nice to have a definitive list from Microsoft, doesn't seem available though, more's the pity.  I have a feeling that this is going to be a process of trial and error.

Cheers
V.
0
 
LVL 31

Expert Comment

by:merowinger
ID: 38842828
The list npsingh123 posted is the definitive list from Microsoft.
I've configured a enviroment with more than 1000 Servers within a DMZ infrastructure based on it...
0
 
LVL 1

Author Comment

by:vision_on
ID: 38850298
Hello merowinger

So can you confirm that the following is the required list of ports for clients in a DMZ to be able to communicate with SCCM 2012 servers on the internal network:

80 / 443 (TCP)
8530 (TCP)
2701-2704 (UDP-TCP)
3389 (TCP)
9 (UDP)
139 (UPD - TCP)
135 (UDP-TCP)
445 (TCP)
137 (UDP)

Cheers
V.
0
 
LVL 31

Assisted Solution

by:merowinger
merowinger earned 750 total points
ID: 38850625
It's based on which features you use in SCCM
135 is the RPC Endpoint Mapper. This means that the dynamic Port Range (High Ports) are also used. You can configure the High Ports on Windows Systems. Read here:
http://support.microsoft.com/kb/929851/en-us

In most cases it's a try and error method. In my case the Firewall Guys had problems with the RPC Scanner above their Firewall...So just define you ports based on the MS document, configure your Firewall and give it a try
0

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Are you looking to start a business? Do you own and operate a small company? If so, here are some courses you need to take before you hire a full-time IT staff.
Data security in the cloud is very much like a security in an on-premises data center - only without costs for maintaining facilities and computer hardware.
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question