
SCCM 2012 Firewall Ports

Posted on 2013-01-28
Last Modified: 2013-02-21
Hello All

I need to manage some SCCM clients (Windows XP SP3) that reside in DMZ locations behind a firewall. These clients are not part of a Windows domain; they exist in a Windows workgroup. SCCM will provide OS fixes and patches and AV. Is there a list of ports available that are required to be open?

Cheers
V.
0
Question by:vision_on
LVL 24

Accepted Solution

by:
Nagendra Pratap Singh earned 750 total points
ID: 38826237
The first two links are for the 2007 version but are still quite valid.


http://technet.microsoft.com/en-us/library/bb632618.aspx


http://technet.microsoft.com/en-us/library/bb694088.aspx


This list is for 2012 and you need to open only the ports for the features you are using.

http://www.windows-noob.com/forums/index.php?/topic/4356-ports-need-opening-for-firewall/
0
 
LVL 1

Author Comment

by:vision_on
ID: 38838817
Hello npsingh123

From reading the second article I have deduced that the ports that need to be open are as follows:

Manual SCCM Client Installation
TCP 445 to network share where ccmsetup.exe is.

SCCM Client Request and WSUS
Outbound 443 or 80

Client Notification (SCCM SP1)
Outbound 10123

Queries
Requires statview.exe; not sure what port this uses...?

If you could confirm my thoughts and/or help me with statview.exe I would much appreciate it.

Cheers
V.
0
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 38838829
The above MS links and this

http://www.networksteve.com/enterprise/topic.php/SCCM_R3_Clients_not_installing./?TopicId=53644&Posts=8 

hint that statview has to be unblocked as an application and no list of ports is given.

I will check more.
0
 
LVL 24

Expert Comment

by:Nagendra Pratap Singh
ID: 38839719
That seems to be all I could find.
0
 
LVL 1

Author Comment

by:vision_on
ID: 38839773
Thanks for those links. However, it would be nice to have a definitive list from Microsoft; it doesn't seem to be available though, more's the pity. I have a feeling that this is going to be a process of trial and error.

Cheers
V.
0
 
LVL 31

Expert Comment

by:merowinger
ID: 38842828
The list npsingh123 posted is the definitive list from Microsoft.
I've configured an environment with more than 1000 servers within a DMZ infrastructure based on it...
0
 
LVL 1

Author Comment

by:vision_on
ID: 38850298
Hello merowinger

So can you confirm that the following is the required list of ports for clients in a DMZ to be able to communicate with SCCM 2012 servers on the internal network:

80 / 443 (TCP)
8530 (TCP)
2701-2704 (UDP-TCP)
3389 (TCP)
9 (UDP)
139 (UDP - TCP)
135 (UDP-TCP)
445 (TCP)
137 (UDP)

Cheers
V.
0
 
LVL 31

Assisted Solution

by:merowinger
merowinger earned 750 total points
ID: 38850625
It's based on which features you use in SCCM
135 is the RPC Endpoint Mapper. This means that the dynamic port range (high ports) is also used. You can configure the high ports on Windows systems. Read here:
http://support.microsoft.com/kb/929851/en-us

In most cases it's a trial-and-error method. In my case the firewall guys had problems with the RPC scanner above their firewall... So just define your ports based on the MS document, configure your firewall and give it a try.
0
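To shorten the trial-and-error loop described in this thread, the following added example (not part of any post above, and not Microsoft's tooling) probes the TCP ports named in the thread from the machine that initiates the connection and separates a silent drop from an active refusal. The target name `sccm.example.internal` is a placeholder; the UDP-only entries (9, 137) cannot be verified with a TCP connect and are left out.

```powershell
# Added example. PowerShell 2.0 compatible so it can run on older clients.
# $Target is a placeholder; port labels follow the thread where it gives one.
param([string]$Target = 'sccm.example.internal', [int]$TimeoutMs = 3000)

$checks = @(
    @{ Port = 80;    Use = 'Client requests / WSUS (HTTP)' },
    @{ Port = 443;   Use = 'Client requests / WSUS (HTTPS)' },
    @{ Port = 445;   Use = 'SMB share holding ccmsetup.exe' },
    @{ Port = 8530;  Use = 'WSUS default HTTP port' },
    @{ Port = 10123; Use = 'Client notification (SP1)' },
    @{ Port = 135;   Use = 'RPC Endpoint Mapper' },
    @{ Port = 139;   Use = 'NetBIOS session service' },
    @{ Port = 3389;  Use = 'Listed in thread (RDP)' }
)
2701..2704 | ForEach-Object { $checks += @{ Port = $_; Use = 'Listed in thread (2701-2704)' } }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer at all within the timeout usually means a firewall drop.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (likely filtered)'
        }
        # EndConnect throws if the connection was refused or the name did not resolve.
        $client.EndConnect($async)
        return 'Open'
    } catch {
        # A reset came back: the path is open but nothing listens, or a firewall rejects.
        return 'Refused or unreachable'
    } finally {
        $client.Close()
    }
}

$results = foreach ($c in $checks) {
    New-Object PSObject -Property @{
        Port   = $c.Port
        Use    = $c.Use
        Result = Test-TcpPort -ComputerName $Target -Port $c.Port -TimeoutMs $TimeoutMs
    }
}
$results | Sort-Object Port | Format-Table Port, Result, Use -AutoSize
```

Only the ports for features actually in use need to show `Open`; anything else reporting `Open` is a candidate for tightening the firewall rule. Port 135 being reachable does not prove the RPC dynamic range behind it is allowed through.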
