In addition to the ports listed in the following table, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request messages from one client to another client when they are configured for wake-up proxy. This communication is used to confirm whether the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any host-based firewalls on these client computers or intervening network devices within the subnet must permit ICMP traffic for wake-up proxy communication to succeed.

A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for Internet-only communication.

The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation. For help with configuring firewalls for IPsec, see How to Enable IPsec Traffic Through a Firewall.

(See note 5, Communication between the site server and site systems)

(See note 5, Communication between the site server and site systems)

(See note 5, Communication between the site server and site systems)

(See note 5, Communication between the site server and site systems)

(See note 5, Communication between the site server and site systems)

(See note 5, Communication between the site server and site systems)

(See note 5, Communication between the site server and site systems)

Intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server of its parent or child site.

1. Proxy Server port: This port cannot be configured but can be routed through a configured proxy server.
   
   
2. Alternate Port Available: An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls.
   
   
3. Windows Server Update Services: WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530).
   
   After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy.
   
   
   • If the HTTP port is 80, the HTTPS port must be 443.
     
     
   • If the HTTP port is anything else, the HTTPS port must be 1 higher—for example, 8530 and 8531.
     
     
4. Trivial FTP (TFTP) Daemon: The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs:
   
   
   • RFC 350—TFTP
     
     
   • RFC 2347—Option extension
     
     
   • RFC 2348—Block size option
     
     
   • RFC 2349—Time-out interval, and transfer size options
     
     
   Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69.
   
   
5. Communication between the site server and site systems: By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send status information. Reporting service points and distribution points do not send status information. If you select Require the site server to initiate connections to this site system on the site system properties, after the site system is installed, it will not initiate communication to the site server. Instead, the site server initiates the connections and uses the Site System Installation Account for authentication to the site system server.
   
   

The following information lists the ports used by out of band management:

• Out of Band Service Point --> Enrollment Point
  
  
• Out of Band Service Point --> AMT Management Controller
  
  
• Out of Band Management Console --> AMT Management Controller
  
  

Clients use Server Message Block (SMB) whenever they connect to UNC shares. For example:

• Manual client installation that specifies the CCMSetup.exe /source: command line property.
  
  
• Endpoint Protection clients that download definition files from a UNC path.
  
  

For communication to the SQL Server database engine and for intersite replication, you can use the default SQL Server port or specify custom ports:

• Intersite communications use the SQL Server Service Broker, which defaults to port TCP 4022.
  
  
• Intrasite communication between the SQL Server database engine and various Configuration Manager site system roles default to port TCP 1433.
  
  

Warning
Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication.

The following site system roles communicate directly with the SQL Server database:

• Application Catalog web service point
  
  
• Enrollment point role
  
  
• Management point
  
  
• Site server
  
  
• Reporting services point
  
  
• SMS Provider
  
  
• SQL Server --> SQL Server
  
  

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports.

If you have a firewall enabled on the SQL Server computer, ensure that it is configured to allow the ports in use by your deployment, and at any locations on the network between computers that communicate with the SQL Server.

For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.

Configuration Manager clients or site systems can make the following external connections:

• Asset Intelligence Synchronization Point < -- > Microsoft
  
  
• Endpoint Protection Point -- > Internet
  
  
• Client -- > Global Catalog Domain Controller
  
  
• Configuration Manager Console -- > Internet
  
  
• Management Point -- > Domain Controller
  
  
• Site Server -- > Domain Controller
  
  
• Software Update Point -- > Internet
  
  
• Software Update Point -- > Upstream WSUS Server
  
  

Management points and distribution points that support internet-based clients, the software update point, and the fallback status point use the following ports for installation and repair:

• Site server --> site system: RPC endpoint mapper using UDP and TCP port 135.
  
  
• Site server --> site system: RPC dynamic TCP ports.
  
  
• Site server < --> site system: Server message blocks (SMB) using TCP port 445.
  
  

Application and package installations on distribution points require the following RPC ports:

• Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135.
  
  
• Site server --> distribution point: RPC dynamic TCP ports
  
  

Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see How to configure RPC to use certain ports and how to help secure those ports by using IPsec.

Important
Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have specified a Site System Installation Account if the site system is in a different Active Directory forest without a trust relationship.

The ports that are using during client installation depend on the client deployment method. See Ports Used During Configuration Manager Client Deployment in the Windows Firewall and Port Settings for Client Computers in Configuration Manager topic for a list of ports for each client deployment method. For information about how to configure Windows Firewall on the client for client installation and post-installation communication, see Windows Firewall and Port Settings for Client Computers in Configuration Manager.

The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows Server services and network ports requirements, see Service overview and network port requirements for the Windows Server system.