
Determine the Ports Required by Firewalls to Support Network Access Protection

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

In addition to standard Configuration Manager 2007 traffic, Network Access Protection (NAP) in Configuration Manager 2007 generates the following traffic with associated ports. If you have firewalls or network perimeter devices that block this traffic, they must be reconfigured for Network Access Protection to work with Configuration Manager 2007.

Use the following table to identify the ports used by Network Access Protection in Configuration Manager 2007. For a list of all ports used in Configuration Manager 2007, see Ports used by Configuration Manager.

Additionally, you will need to identify the ports used by the client to the System Health Validator point. These ports are not used directly by Configuration Manager but are established by Windows Network Access Protection and are dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation, and for help with configuring firewalls for IPsec, see http://go.microsoft.com/fwlink/?LinkId=109499.

 

| Function | Ports | Description |
| --- | --- | --- |
| Configuration Manager 2007 site server publishing the Configuration Manager health state reference to Active Directory Domain Services. | TCP 389 (LDAP) or TCP 636 (LDAPS) | Writing to Active Directory Domain Services |
| System Health Validator point querying Active Directory Domain Services for the Configuration Manager health state reference. | TCP 3268 (Global Catalog lookup) or TCP 3269 (secure global catalog lookup) | Reading from a global catalog server |
| Installing System Health Validator point and ongoing configuration. | TCP 445, TCP 135 | Server message blocks (SMB) to install; remote procedure calls (RPCs) for configuration |
| Status messages from the System Health Validator point to the site server. | TCP 445 | Server message blocks (SMB) |
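
To confirm that firewalls pass the TCP ports listed in the table, the following PowerShell script attempts a connection on each one from the role it is run on. It is an added example, not part of the Configuration Manager documentation or tooling. The host names are placeholders, the site server to System Health Validator point direction for the installation row is an assumption, and the UDP ports used by DHCP and IPsec enforcement are not covered.

```powershell
# Added example: TCP reachability check for the NAP ports in the table above.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('SiteServer', 'ShvPoint')]
    [string]$Role   # the role of the machine this script is run on
)

# Placeholder host names (assumptions); replace with your own servers.
$Hosts = @{
    SiteServer       = 'cm-site.example.test'
    ShvPoint         = 'cm-shv.example.test'
    DomainController = 'dc01.example.test'
    GlobalCatalog    = 'gc01.example.test'
}

# One entry per table row. AnyOf = $true means the row lists alternative ports.
# The SiteServer -> ShvPoint direction of the install row is an assumption.
$Checks = @(
    @{ From = 'SiteServer'; To = 'DomainController'; Ports = @(389, 636);   AnyOf = $true;  Use = 'Publish health state reference (LDAP or LDAPS)' },
    @{ From = 'ShvPoint';   To = 'GlobalCatalog';    Ports = @(3268, 3269); AnyOf = $true;  Use = 'Query health state reference (global catalog)' },
    @{ From = 'SiteServer'; To = 'ShvPoint';         Ports = @(445, 135);   AnyOf = $false; Use = 'Install and configure SHV point (SMB, RPC)' },
    @{ From = 'ShvPoint';   To = 'SiteServer';       Ports = @(445);        AnyOf = $false; Use = 'Status messages (SMB)' }
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false                  # refused, unreachable, or name not resolved
    } finally {
        $client.Close()
    }
}

foreach ($check in @($Checks | Where-Object { $_.From -eq $Role })) {
    $target = $Hosts[$check.To]
    $open   = @($check.Ports | Where-Object { Test-TcpPort -ComputerName $target -Port $_ })
    $needed = if ($check.AnyOf) { 1 } else { $check.Ports.Count }
    $state  = if ($open.Count -ge $needed) { 'OK' } else { 'BLOCKED' }
    $seen   = if ($open.Count) { $open -join ',' } else { 'none' }
    '{0,-8} {1} -> {2}  open: {3}  ({4})' -f $state, $Role, $target, $seen, $check.Use
}
```

Run it once on the site server with `-Role SiteServer` and once on the System Health Validator point with `-Role ShvPoint`. A BLOCKED result can also mean that the service is not listening on the target, so check the target before changing firewall rules.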

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.