Network Ports Used

Applies To: Windows Server 2008, Windows Server 2008 R2

Protocols

Windows Deployment Services uses the following protocols for installing images:

  • Dynamic Host Configuration Protocol (DHCP)

  • Pre-Boot Execution Environment (PXE)

  • Trivial File Transfer Protocol (TFTP)

  • Remote procedure call (RPC)

  • Server Message Block (SMB)

  • Multicasting

Ports

The following table outlines the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) network ports that are used during image deployment. You can modify the values that have an asterisk (*) by using the instructions in How to Manage Your Server.

UDP

  • 67

  • 68 if DHCP authorization is required on the server

  • 69

  • 4011

  • Random ports from 64001 through 65000*, to establish a session with the server for TFTP and multicasting

TCP

  • 135 for RPC

  • 5040* for RPC

  • 137–139 for SMB

The following steps explain the UDP and TCP ports that are used during image deployment:

  1. The client performs a network boot.

  2. PXE uses DHCP ports and TFTP to download the binary files. For TFTP and DHCP, you need to enable ports 67, 69, and 4011. The TFTP and multicast servers use ports in the range 64001 through 65000 by default. You can also use Network Address Translation (NAT) with the Routing and Remote Access network service to control these ports.

  3. In accordance with RFC 1783 (https://go.microsoft.com/fwlink/?LinkId=81027), the client chooses random UDP ports to establish the session with the server. If you are using a non-Microsoft firewall, you may need to use an application exception for TFTP on the Windows Deployment Services server.

  4. The client downloads Windows PE and boots to the Windows Deployment Services client. This download also uses the same TFTP ports as mentioned previously.

  5. The Windows Deployment Services client communicates with the Windows Deployment Services server to authenticate and obtain the list of available images. This conversation occurs over RPC because RPC has built-in authentication (it is one of the few completely available protocols in Windows PE). You need to allow the port for the Endpoint Mapper (TCP 135) and the port for the RPC listener for the Windows Deployment Services server (which is TCP 5040 by default).

  6. The Windows Deployment Services client installs the selected image and the image transfer occurs through SMB. You need all the file-sharing and printer-sharing ports — for example, TCP 137 through 139 — for installing the image.

Note

In addition, if DHCP authorization is required on the server, you need DHCP client port 68 to be open on the server. Note that DHCP authorization is not required by default, but you can turn it on manually.
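
The port requirements above can be checked against a firewall's inbound allow-rules before a deployment fails partway through. The following Python is an added example, not part of the original article or of any Microsoft tool; the `Rule` type, the function names, and the sample rules are assumptions made up for illustration, and the modifiable (asterisked) values are passed as parameters.

```python
from typing import NamedTuple

class Rule(NamedTuple):
    proto: str  # "udp" or "tcp"
    low: int    # first allowed port, inclusive
    high: int   # last allowed port, inclusive

def required_spans(dhcp_authorization=False, udp_range=(64001, 65000), rpc_port=5040):
    """Port spans from the table; udp_range and rpc_port are the asterisked values."""
    spans = [
        ("udp", 67, 67, "DHCP"),
        ("udp", 69, 69, "TFTP"),
        ("udp", 4011, 4011, "PXE"),
        ("udp", udp_range[0], udp_range[1], "TFTP and multicast sessions"),
        ("tcp", 135, 135, "RPC Endpoint Mapper"),
        ("tcp", rpc_port, rpc_port, "WDS RPC listener"),
        ("tcp", 137, 139, "SMB image transfer"),
    ]
    if dhcp_authorization:  # port 68 is needed only when DHCP authorization is on
        spans.insert(1, ("udp", 68, 68, "DHCP authorization"))
    return spans

def gaps(low, high, intervals):
    """Return the sub-ranges of [low, high] that no interval covers."""
    missing, cursor = [], low
    for start, end in sorted(intervals):
        if end < cursor:
            continue
        if start > high:
            break
        if start > cursor:
            missing.append((cursor, start - 1))
        cursor = end + 1
    if cursor <= high:
        missing.append((cursor, high))
    return missing

def audit(rules, **settings):
    """List (proto, low, high, purpose) for every required port the rules block."""
    report = []
    for proto, low, high, purpose in required_spans(**settings):
        allowed = [(r.low, r.high) for r in rules if r.proto == proto]
        report += [(proto, a, b, purpose) for a, b in gaps(low, high, allowed)]
    return report

# Constructed inbound allow-rules for a WDS server (not taken from a real host).
SAMPLE_RULES = [Rule("udp", 67, 69), Rule("udp", 4011, 4011),
                Rule("udp", 64001, 64500), Rule("tcp", 135, 139)]

if __name__ == "__main__":
    for proto, low, high, purpose in audit(SAMPLE_RULES):
        print(f"blocked: {proto} {low}-{high} ({purpose})")
```

An empty result from `audit` means every port the article lists is reachable under the given rules; pass `dhcp_authorization=True` or a changed `rpc_port` to match the server's actual settings.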