Solved

SCCM 2012 Firewall Ports

Posted on 2013-01-28
Last Modified: 2013-02-21
Hello All

I need to manage some SCCM clients (Windows XP SP3) that reside in DMZ locations behind a firewall. These clients are not part of a Windows domain; they exist in a Windows workgroup. SCCM will provide OS fixes, patches and AV. Is there a list of the ports that are required to be open?

Cheers
V.
Question by:vision_on
8 Comments
 
LVL 23

Accepted Solution

by:
Nagendra Pratap Singh earned 250 total points
ID: 38826237
The first two links are for the 2007 version but are still quite valid.


http://technet.microsoft.com/en-us/library/bb632618.aspx


http://technet.microsoft.com/en-us/library/bb694088.aspx


This list is for 2012 and you need to open only the ports for the features you are using.

http://www.windows-noob.com/forums/index.php?/topic/4356-ports-need-opening-for-firewall/
0
 
LVL 1

Author Comment

by:vision_on
ID: 38838817
Hello npsingh123

From reading the second article I have deduced that the ports that need to be open are as follows:

Manual SCCM Client Installation
TCP 445 to network share where ccmsetup.exe is.

SCCM Client Request and WSUS
Outbound 443 or 80

Client Notification (SCCM SP1)
Outbound 10123

Queries
Requires statview.exe; not sure what port this uses...?

If you could confirm my thoughts and/or help me with statview.exe I would much appreciate it.

Cheers
V.
0
 
LVL 23

Expert Comment

by:Nagendra Pratap Singh
ID: 38838829
The above MS links and this

http://www.networksteve.com/enterprise/topic.php/SCCM_R3_Clients_not_installing./?TopicId=53644&Posts=8 

hint that statview has to be unblocked as an application and no list of ports is given.

I will check more.
0

 
LVL 23

Expert Comment

by:Nagendra Pratap Singh
ID: 38839719
That seems to be all I could find.
0
 
LVL 1

Author Comment

by:vision_on
ID: 38839773
Thanks for those links. However, it would be nice to have a definitive list from Microsoft; it doesn't seem to be available though, more's the pity. I have a feeling that this is going to be a process of trial and error.

Cheers
V.
0
 
LVL 31

Expert Comment

by:merowinger
ID: 38842828
The list npsingh123 posted is the definitive list from Microsoft.
I've configured an environment with more than 1000 servers within a DMZ infrastructure based on it...
0
 
LVL 1

Author Comment

by:vision_on
ID: 38850298
Hello merowinger

So can you confirm that the following is the required list of ports for clients in a DMZ to be able to communicate with SCCM 2012 servers on the internal network:

80 / 443 (TCP)
8530 (TCP)
2701-2704 (UDP-TCP)
3389 (TCP)
9 (UDP)
139 (UDP-TCP)
135 (UDP-TCP)
445 (TCP)
137 (UDP)

Cheers
V.
0
 
LVL 31

Assisted Solution

by:merowinger
merowinger earned 250 total points
ID: 38850625
It's based on which features you use in SCCM.
135 is the RPC Endpoint Mapper. This means that the dynamic port range (high ports) is also used. You can configure the high ports on Windows systems. Read here:
http://support.microsoft.com/kb/929851/en-us

In most cases it's a trial-and-error method. In my case the firewall guys had problems with the RPC scanner above their firewall... So just define your ports based on the MS document, configure your firewall and give it a try.
0
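For the "configure your firewall and give it a try" step above, a reachability check run from a DMZ client shows which of the TCP ports named in this thread actually pass the firewall. This is an added example, not code from any poster; the server name, the parameter names and the function name Test-TcpPort are assumptions, and the UDP ports in the list (9, 137) cannot be checked with a TCP connect.

```powershell
# Added example: TCP reachability check from a DMZ client to the site server.
# Written for PowerShell 2.0 (usable on Windows XP SP3), so it uses
# System.Net.Sockets.TcpClient instead of newer cmdlets.
param(
    [string]$Server    = 'sccm01.example.internal',  # placeholder, not from the thread
    [int]   $TimeoutMs = 3000
)

# TCP ports quoted in the thread; trim this to the features you actually use.
$ports = @(
    @{ Port = 80;    Use = 'Client request / WSUS (HTTP)' },
    @{ Port = 443;   Use = 'Client request / WSUS (HTTPS)' },
    @{ Port = 8530;  Use = 'Listed in thread (TCP)' },
    @{ Port = 10123; Use = 'Client notification (SP1)' },
    @{ Port = 445;   Use = 'Share holding ccmsetup.exe' },
    @{ Port = 135;   Use = 'RPC Endpoint Mapper' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout usually means a firewall dropped the SYN.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'No response (likely dropped)'
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'Open'
    }
    catch {
        # RST or ICMP unreachable: the path answered, but nothing accepted.
        return 'Refused or unreachable'
    }
    finally {
        $client.Close()
    }
}

$ports | ForEach-Object {
    New-Object PSObject -Property @{
        Port   = $_.Port
        Use    = $_.Use
        Result = (Test-TcpPort -ComputerName $Server -Port $_.Port -TimeoutMs $TimeoutMs)
    }
} | Select-Object Port, Use, Result | Format-Table -AutoSize
```

An "Open" result on 135 only proves the endpoint mapper is reachable; the dynamic high ports it hands out still need their own firewall rule, which is why the KB article on configuring that range matters.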

Question has a verified solution.