Solved

SCCM 2012 Firewall Ports

Posted on 2013-01-28
Last Modified: 2013-02-21
Hello All

I need to manage some SCCM clients (Windows XP SP3) that reside in DMZ locations behind a firewall. These clients are not part of a Windows domain; they exist in a Windows workgroup. SCCM will provide OS fixes and patches and AV. Is there a list of ports available that are required to be open?

Cheers
V.
Question by:vision_on

Accepted Solution

by:
Nagendra Pratap Singh earned 250 total points
ID: 38826237
The first two links are for the 2007 version but are still quite valid.


http://technet.microsoft.com/en-us/library/bb632618.aspx


http://technet.microsoft.com/en-us/library/bb694088.aspx


This list is for 2012 and you need to open only the ports for the features you are using.

http://www.windows-noob.com/forums/index.php?/topic/4356-ports-need-opening-for-firewall/

Author Comment

by:vision_on
ID: 38838817
Hello npsingh123

From reading the second article I have deduced that the ports that need to be open are as follows:

Manual SCCM Client Installation
TCP 445 to network share where ccmsetup.exe is.

SCCM Client Request and WSUS
Outbound 443 or 80

Client Notification (SCCM SP1)
Outbound 10123

Queries
Requires statview.exe; not sure what port this uses...?

If you could confirm my thoughts and/or help me with statview.exe, I would much appreciate it.

Cheers
V.

Expert Comment

by:Nagendra Pratap Singh
ID: 38838829
The above MS links and this

http://www.networksteve.com/enterprise/topic.php/SCCM_R3_Clients_not_installing./?TopicId=53644&Posts=8 

hint that statview has to be unblocked as an application and no list of ports is given.

I will check more.

Expert Comment

by:Nagendra Pratap Singh
ID: 38839719
That seems to be all I could find.

Author Comment

by:vision_on
ID: 38839773
Thanks for those links; however, it would be nice to have a definitive list from Microsoft. It doesn't seem available though, more's the pity. I have a feeling that this is going to be a process of trial and error.

Cheers
V.

Expert Comment

by:merowinger
ID: 38842828
The list npsingh123 posted is the definitive list from Microsoft.
I've configured an environment with more than 1000 servers within a DMZ infrastructure based on it...

Author Comment

by:vision_on
ID: 38850298
Hello merowinger

So can you confirm that the following is the required list of ports for clients in a DMZ to be able to communicate with SCCM 2012 servers on the internal network:

80 / 443 (TCP)
8530 (TCP)
2701-2704 (UDP-TCP)
3389 (TCP)
9 (UDP)
139 (UDP - TCP)
135 (UDP-TCP)
445 (TCP)
137 (UDP)

Cheers
V.

Assisted Solution

by:merowinger
merowinger earned 250 total points
ID: 38850625
It's based on which features you use in SCCM.
135 is the RPC Endpoint Mapper. This means that the dynamic port range (high ports) is also used. You can configure the high ports on Windows systems. Read here:
http://support.microsoft.com/kb/929851/en-us

In most cases it's a trial-and-error method. In my case the firewall guys had problems with the RPC scanner above their firewall... So just define your ports based on the MS document, configure your firewall and give it a try.
0
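For the trial-and-error step discussed in this thread, a reachability check run from a DMZ client shows which of the listed TCP ports actually pass the firewall, and whether a failure is a drop or a refusal. This is an added example, not code from any of the posts; it assumes PowerShell 2.0 on the client and a single target server, and the host name `sccm01.example.internal`, the function `Test-TcpPort` and the port notes are illustrative.

```powershell
# Added example (not from the thread): TCP reachability check, PowerShell 2.0 compatible.
param(
    [string]$SiteServer = 'sccm01.example.internal',  # hypothetical name, replace with yours
    [int]$TimeoutMs = 3000
)

# TCP ports quoted in the thread; the notes are short reminders, not an official mapping.
$TcpPorts = @(
    @{ Port = 80;    Note = 'HTTP client requests' },
    @{ Port = 443;   Note = 'HTTPS client requests' },
    @{ Port = 8530;  Note = 'WSUS custom website (HTTP)' },
    @{ Port = 10123; Note = 'Client notification (SP1)' },
    @{ Port = 445;   Note = 'SMB, share holding ccmsetup.exe' },
    @{ Port = 135;   Note = 'RPC Endpoint Mapper' },
    @{ Port = 139;   Note = 'NetBIOS session service' },
    @{ Port = 3389;  Note = 'RDP' }
)
2701..2704 | ForEach-Object { $TcpPorts += @{ Port = $_; Note = 'Listed as 2701-2704 in the thread' } }

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout usually means a firewall silently dropped the SYN.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout (likely dropped)'
        }
        $client.EndConnect($async)   # throws if the connection was refused
        return 'Open'
    } catch {
        # Reached a host that rejected the connection, or name resolution/routing failed.
        return 'Refused or unreachable'
    } finally {
        $client.Close()
    }
}

$results = foreach ($p in $TcpPorts) {
    $state = Test-TcpPort -ComputerName $SiteServer -Port $p.Port -TimeoutMs $TimeoutMs
    New-Object PSObject -Property @{ Port = $p.Port; State = $state; Note = $p.Note }
}
$results | Sort-Object Port | Format-Table Port, State, Note -AutoSize
```

The UDP entries in the list and the dynamic RPC ports negotiated after a connection to 135 are not covered by a TCP connect test. A port reported as open only proves the firewall path, not that the SCCM feature behind it is working.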
