Secure Routers for Subnet-Directed Broadcasts for Wake On LAN
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
If you are using subnet-directed broadcast as the transmission method for sending wake-up packets, all intervening routers between the primary site server and client computers must allow IP-directed broadcasts. To help mitigate the security risks associated with this configuration, take these additional configuration steps:
Configure Wake On LAN in Configuration Manager 2007 to use a nondefault port number.
Configure routers to allow IP-directed broadcasts only from the site server, and only on the nondefault port number you configured in Configuration Manager 2007.
The security risk associated with subnet-directed broadcasts is that an attacker could send continuous streams of Internet Control Message Protocol (ICMP) echo requests from a falsified source address to the directed broadcast address, causing all the hosts to reply to that source address. This type of denial-of-service attack is commonly called a smurf attack and is typically mitigated by not allowing subnet-directed broadcasts.
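The two steps above amount to a router filter that forwards a directed broadcast only when it is UDP, comes from the site server, and targets the configured port. The following added example (not part of the original documentation) models that decision in Python over constructed packets; the site server address, port 40009, and client subnets are assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed values for illustration; none of these come from the original page.
SITE_SERVER = ipaddress.ip_address("192.0.2.10")
WOL_PORT = 40009  # hypothetical nondefault Wake On LAN port
CLIENT_SUBNETS = [ipaddress.ip_network("10.1.20.0/24"),
                  ipaddress.ip_network("10.1.30.0/23")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "udp", "icmp", ...
    dport: Optional[int] = None

def is_directed_broadcast(dst: str) -> bool:
    """True if dst is the broadcast address of a routed client subnet."""
    addr = ipaddress.ip_address(dst)
    return any(addr == net.broadcast_address for net in CLIENT_SUBNETS)

def router_decision(pkt: Packet) -> tuple:
    """Model of the filter: returns (action, reason) for one packet."""
    if not is_directed_broadcast(pkt.dst):
        return ("forward", "not a directed broadcast; normal routing applies")
    if ipaddress.ip_address(pkt.src) != SITE_SERVER:
        return ("drop", "directed broadcast not sourced from the site server")
    if pkt.proto != "udp" or pkt.dport != WOL_PORT:
        return ("drop", "directed broadcast is not UDP to the Wake On LAN port")
    return ("forward", "wake-up packet from the site server")

# Constructed sample traffic.
SAMPLE = [
    Packet("192.0.2.10", "10.1.20.255", "udp", WOL_PORT),  # wake-up packet
    Packet("203.0.113.5", "10.1.20.255", "icmp"),          # echo request, other source
    Packet("192.0.2.10", "10.1.20.255", "icmp"),           # echo request claiming site server
    Packet("192.0.2.10", "10.1.31.255", "udp", 9),         # right source, wrong port
    Packet("192.0.2.10", "10.1.30.255", "udp", WOL_PORT),  # host address inside the /23
]

def audit(packets):
    """Return the action taken for each packet, in order."""
    return [router_decision(p)[0] for p in packets]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p, "->", *router_decision(p))
```

The third packet shows why the protocol and port restriction matters: because a source address can be falsified, a source-only rule would still forward an ICMP echo request that claims to come from the site server.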
Tasks
How to Configure the Ports Used for Wake On LAN
How to Configure Wake On LAN for Unicast or Subnet-Directed Broadcast
Concepts
About Subnet-Directed Broadcast Wake-Up Packets for Wake On LAN
Choose Between Unicast and Subnet-Directed Broadcast for Wake On LAN
Other Resources
Wake On LAN in Configuration Manager
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.