Export (0) Print
Expand All
8 out of 18 rated this helpful - Rate this topic

Technical Reference for Ports Used in Configuration Manager

Updated: December 1, 2013

Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 R2 Configuration Manager

System Center 2012 Configuration Manager is a distributed client/server system. The distributed nature of Configuration Manager means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not configurable, and some support custom ports you specify. You must verify that the required ports are available if you use any port filtering technology such as firewalls, routers, proxy servers, and IPsec.

noteNote
If you support Internet-based clients by using SSL bridging, in addition to port requirements, you might have to also allow some HTTP verbs and headers to traverse your firewall. For more information, see Prerequisites for Internet-Based Client Management in the Planning for Communications in Configuration Manager topic.

The port listings that follow are used by Configuration Manager and do not include information for standard Windows services, such as Group Policy settings for Active Directory Domain Services and Kerberos authentication. For information about Windows Server services and ports, see Service overview and network port requirements for the Windows Server system.

Configuration Manager allows you to configure the ports for the following types of communication:

  • Application Catalog Website point to Application Catalog web service point

  • Enrollment proxy point to enrollment point

  • Client to site systems that run IIS

  • Client to Internet (as proxy server settings)

  • Software update point to Internet (as proxy server settings)

  • Software update point to WSUS server

  • Site server to site database server

  • Reporting services points

    noteNote
    The ports in use for the reporting services point site system role are configured in SQL Server Reporting Services. These ports are then used by Configuration Manager during communications to the reporting services point. Be sure to review these ports defining the IP filter information for IPsec policies or for configuring firewalls.

By default, the HTTP port used for client to site system communication is port 80, and the default HTTPS port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during Setup or in the Site Properties for your Configuration Manager site.

The ports in use for the reporting services point site system role are configured in SQL Server Reporting Services. These ports are then used by Configuration Manager during communications to the reporting services point. Be sure to review these ports defining the IP filter information for IPsec policies or for configuring firewalls.

Configuration Manager does not allow you to configure ports for the following types of communication:

  • Site to site

  • Site server to site system

  • Configuration Manager console to SMS Provider

  • Configuration Manager console to the Internet

  • Connections to cloud services, such as Windows Intune and cloud-based distribution points

The following sections detail the ports used for communication in Configuration Manager. The arrows in the section title, between the computers, represent the direction of the communication:

  • -- > indicates one computer initiates communication and the other computer always responds

  • < -- > indicates that either computer can initiate communication

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

 

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

 

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

 

Description UDP TCP

Windows Remote Management over HTTPS

--

5986

 

Description UDP TCP

Windows Remote Management over HTTP

--

5985

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

In addition to the ports listed in the following table, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request messages from one client to another client when they are configured for wake-up proxy. This communication is used to confirm whether the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any host-based firewalls on these client computers or intervening network devices within the subnet must permit ICMP traffic for wake-up proxy communication to succeed.

 

Description UDP TCP

Wake on LAN

9 (See note 2, Alternate Port Available)

--

Wake-up proxy

25536 (See note 2, Alternate Port Available)

--

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

80

Secure Hypertext Transfer Protocol (HTTPS)

--

443

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

 

Description UDP TCP

Server Message Block (SMB)

--

445

Multicast Protocol

63000-64000

--

 

Description UDP TCP

Dynamic Host Configuration Protocol (DHCP)

67 and 68

--

Trivial File Transfer Protocol (TFTP)

69 (See note 4 Trivial FTP (TFTP) Daemon)

--

Boot Information Negotiation Layer (BINL)

4011

--

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for Internet-only communication.

 

Description UDP TCP

Global Catalog LDAP

--

3268

Global Catalog LDAP SSL

--

3269

 

Description UDP TCP

Client notification (default communication before falling back to HTTP or HTTPS)

--

10123 (See note 2, Alternate Port Available)

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 or 8530 (See note 3, Windows Server Update Services)

Secure Hypertext Transfer Protocol (HTTPS)

--

443 or 8531 (See note 3, Windows Server Update Services)

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

Server Message Block (SMB)

--

445

The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation. For help with configuring firewalls for IPsec, see How to Enable IPsec Traffic Through a Firewall.

 

Description UDP TCP

Remote Control (control)

--

2701

Remote Assistance (RDP and RTC)

--

3389

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80

 

Description

UDP

TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 2, Alternate Port Available)

Secure Hypertext Transfer Protocol (HTTPS)

--

443 (See note 2, Alternate Port Available)

 

Description UDP TCP

RPC (initial connection to WMI to locate provider system)

--

135

 

Description UDP TCP

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

 

Description UDP TCP

Lightweight Directory Access Protocol (LDAP)

--

389

LDAP (Secure Sockets Layer [SSL] connection)

636

636

Global Catalog LDAP

--

3268

Global Catalog LDAP SSL

--

3269

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

(See note 5, Communication between the site server and site systems)

 

Description UDP TCP

RPC Endpoint mapper

--

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

Server Message Block (SMB)

--

445

 

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

 

Description UDP TCP

Power control, provisioning, and discovery

--

16993

 

Description UDP TCP

General management tasks

--

16993

Serial over LAN and IDE redirection

--

16995

 

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Wake on LAN

9 (See note 2, Alternate Port Available)

--

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

(See note 5, Communication between the site server and site systems)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Lightweight Directory Access Protocol (LDAP)

--

389

LDAP (Secure Sockets Layer [SSL] connection)

636

636

Global Catalog LDAP

--

3268

Global Catalog LDAP SSL

--

3269

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

(See note 5, Communication between the site server and site systems)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 1, Proxy Server port)

This communication is used when you deploy certificate profiles by using the certificate registration point. The communication is not used for every site server in the hierarchy; it is used only for the site server at the top of the hierarchy.

 

Description UDP TCP

RPC Endpoint Mapper

135

135

RPC (DCOM)

--

DYNAMIC (See note 6, Dynamic ports)

(See note 5, Communication between the site server and site systems)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Server Message Block (SMB)

--

445

 

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)


During the installation of a site that will use a remote SQL Server to host the site database, you must open the following ports between the site server and the SQL Server:

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

(See note 5, Communication between the site server and site systems)

 

Description UDP TCP

Server Message Block (SMB)

--

445

Hypertext Transfer Protocol (HTTP)

--

80 or 8530 (See note 3, Windows Server Update Services)

Secure Hypertext Transfer Protocol (HTTPS)

--

443 or 8531 (See note 3, Windows Server Update Services)

(See note 5, Communication between the site server and site systems)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

(See note 5, Communication between the site server and site systems)

 

Description UDP TCP

Server Message Block (SMB)

--

445

RPC Endpoint Mapper

135

135

RPC

--

DYNAMIC (See note 6, Dynamic ports)

 

Description UDP TCP

SQL over TCP

--

1433 (See note 2, Alternate Port Available)

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 (See note 1, Proxy Server port)

 

Description UDP TCP

Hypertext Transfer Protocol (HTTP)

--

80 or 8530 (See note 3, Windows Server Update Services)

Secure Hypertext Transfer Protocol (HTTPS)

--

443 or 8531 (See note 3, Windows Server Update Services)

Intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server of its parent or child site.

 

Description UDP TCP

SQL Server Service

--

1433 (See note 2, Alternate Port Available)

SQL Server Service Broker

--

4022 (See note 2, Alternate Port Available)

TipTip
Configuration Manager does not require the SQL Server Browser, which uses port UDP 1434.

 

Description UDP TCP

Secure Hypertext Transfer Protocol (HTTPS)

--

443

  1. Proxy Server port: This port cannot be configured but can be routed through a configured proxy server.

  2. Alternate Port Available: An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls.

  3. Windows Server Update Services: WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530).

    After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy.

    • If the HTTP port is 80, the HTTPS port must be 443.

    • If the HTTP port is anything else, the HTTPS port must be 1 higher—for example, 8530 and 8531.

  4. Trivial FTP (TFTP) Daemon: The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs:

    • RFC 350—TFTP

    • RFC 2347—Option extension

    • RFC 2348—Block size option

    • RFC 2349—Time-out interval, and transfer size options

    Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69.

  5. Communication between the site server and site systems: By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send status information. Reporting service points and distribution points do not send status information. If you select Require the site server to initiate connections to this site system on the site system properties, after the site system is installed, it will not initiate communication to the site server. Instead, the site server initiates the connections and uses the Site System Installation Account for authentication to the site system server.

  6. Dynamic ports: Dynamic ports (also known as ephemeral ports) use a range of port numbers, which is defined by the operating system version. For more information about the default port ranges, see Service overview and network port requirements for Windows.

The following sections provide additional information about ports used by Configuration Manager.

Clients use Server Message Block (SMB) whenever they connect to UNC shares. For example:

  • Manual client installation that specifies the CCMSetup.exe /source: command line property.

  • Endpoint Protection clients that download definition files from a UNC path.

 

Description UDP TCP

Server Message Block (SMB)

--

445

For communication to the SQL Server database engine and for intersite replication, you can use the default SQL Server port or specify custom ports:

  • Intersite communications use:

    • SQL Server Service Broker, which defaults to port TCP 4022.

    • SQL Server Service, which defaults to port TCP 1433

  • Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles default to port TCP 1433.

WarningWarning
Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication.

The following site system roles communicate directly with the SQL Server database:

  • Application Catalog web service point

  • Certificate registration point role

  • Enrollment point role

  • Management point

  • Site server

  • Reporting services point

  • SMS Provider

  • SQL Server --> SQL Server

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports.

If you have a firewall enabled on the SQL Server computer, ensure that it is configured to allow the ports in use by your deployment, and at any locations on the network between computers that communicate with the SQL Server.

For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

Management points and distribution points that support internet-based clients, the software update point, and the fallback status point use the following ports for installation and repair:

  • Site server --> site system: RPC endpoint mapper using UDP and TCP port 135.

  • Site server --> site system: RPC dynamic TCP ports.

  • Site server < --> site system: Server message blocks (SMB) using TCP port 445.

Application and package installations on distribution points require the following RPC ports:

  • Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135.

  • Site server --> distribution point: RPC dynamic TCP ports

Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see How to configure RPC to use certain ports and how to help secure those ports by using IPsec.

ImportantImportant
Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have specified a Site System Installation Account if the site system is in a different Active Directory forest without a trust relationship.

The ports that are using during client installation depend on the client deployment method. See Ports Used During Configuration Manager Client Deployment in the Windows Firewall and Port Settings for Client Computers in Configuration Manager topic for a list of ports for each client deployment method. For information about how to configure Windows Firewall on the client for client installation and post-installation communication, see Windows Firewall and Port Settings for Client Computers in Configuration Manager.

The site server that runs Migration uses several ports to connect to applicable sites in the source hierarchy to gather data from the source sites SQL Server database, and to share distribution points.

For information these ports, see the Required Configurations for Migration section in the Prerequisites for Prerequisites for Migration in System Center 2012 Configuration Manager topic.

The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows Server services and network ports requirements, see Service overview and network port requirements for the Windows Server system.

 

Description UDP TCP

Domain Name System (DNS)

53

53

Dynamic Host Configuration Protocol (DHCP)

67 and 68

--

NetBIOS Name Resolution

137

--

NetBIOS Datagram Service

138

--

NetBIOS Session Service

--

139

-----
For additional resources, see Information and Support for Configuration Manager.

Tip: Use this query to find online documentation in the TechNet Library for System Center 2012 Configuration Manager. For instructions and examples, see Search the Configuration Manager Documentation Library.
-----
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.