Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 8886
  • Last Modified:

SCCM 2012 Firewall Ports

Hello All

I need to manage some SCCM clients (Windows XP SP3) that reside in DMZ locations behind a firewall, these clients are not part of a Windows domain they exist in a Windows Workgroup, SCCM will provide OS fixes and patches and AV.  Is there a list of ports available that are required to be open?

Cheers
V.
0
vision_on
Asked:
vision_on
  • 3
  • 3
  • 2
2 Solutions
 
Nagendra Pratap SinghCommented:
The first two links are for 2007 version but still quite valid.


http://technet.microsoft.com/en-us/library/bb632618.aspx


http://technet.microsoft.com/en-us/library/bb694088.aspx


This list is for 2012 and you need to open only the ports for the features you are using.

http://www.windows-noob.com/forums/index.php?/topic/4356-ports-need-opening-for-firewall/
0
 
vision_onAuthor Commented:
Hello npsingh123

From reading the second article I have deduced that the ports that need to be open are as follows:

Manual SCCM Client Installation
TCP 445 to network share where ccmsetup.exe is.

SCCM Client Request and WSUS
Outbound 443 or 80

Client Notification (SCCM SP1)
Outbound 10123

Queries
Requires statview.exe  not sure what port this uses....?

If you could confirm my thoughts and or help me with statview.exe I would much appreciate it.

Cheers
V.
0
 
Nagendra Pratap SinghCommented:
The above MS links and this

http://www.networksteve.com/enterprise/topic.php/SCCM_R3_Clients_not_installing./?TopicId=53644&Posts=8 

hint that statview has to be unblocked as an application and no list of ports is given.

I  will check more.
0
When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot has fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

 
Nagendra Pratap SinghCommented:
That seems to be all I could find.
0
 
vision_onAuthor Commented:
Thanks for those links, however, it would be nice to have a definitive list from Microsoft, doesn't seem available though, more's the pity.  I have a feeling that this is going to be a process of trial and error.

Cheers
V.
0
 
merowingerCommented:
The list npsingh123 posted is the definitive list from Microsoft.
I've configured a enviroment with more than 1000 Servers within a DMZ infrastructure based on it...
0
 
vision_onAuthor Commented:
Hello merowinger

So can you confirm that the following is the required list of ports for clients in a DMZ to be able to communicate with SCCM 2012 servers on the internal network:

80 / 443 (TCP)
8530 (TCP)
2701-2704 (UDP-TCP)
3389 (TCP)
9 (UDP)
139 (UPD - TCP)
135 (UDP-TCP)
445 (TCP)
137 (UDP)

Cheers
V.
0
 
merowingerCommented:
It's based on which features you use in SCCM
135 is the RPC Endpoint Mapper. This means that the dynamic Port Range (High Ports) are also used. You can configure the High Ports on Windows Systems. Read here:
http://support.microsoft.com/kb/929851/en-us

In most cases it's a try and error method. In my case the Firewall Guys had problems with the RPC Scanner above their Firewall...So just define you ports based on the MS document, configure your Firewall and give it a try
0

Featured Post

Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

  • 3
  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now