Windows Firewall and Port Settings for Clients in Configuration Manager 2012

Updated: March 15, 2011

Applies To: System Center Configuration Manager 2012

Client computers that run Windows Firewall might require exceptions to be defined to allow communications with Configuration Manager 2012 site systems. These exceptions vary depending on the features of Configuration Manager 2012 you intend to use.

The following sections list the features of Configuration Manager 2012 which require exceptions to be made on the Windows Firewall and provide a procedure for configuring these exceptions.

Modifying the Ports and Programs Permitted by Windows Firewall

To modify the ports and programs permitted by Windows Firewall:

  1. On the computer running Windows Firewall, open Control Panel.

  2. Right-click Windows Firewall and then click Open.

  3. Configure any required exceptions and any custom programs and ports you need.

Programs and Ports Required by Configuration Manager 2012

The following Configuration Manager 2012 features require exceptions to be made on the Windows Firewall:

Queries

If you are running the Configuration Manager console on a computer running Windows Firewall, queries will fail the first time they are run.

After failing to run the first time, the operating system displays a dialog box asking if you want to unblock statview.exe. If you unblock statview.exe, future queries will run without errors. You can also manually add statview.exe to the list of programs and services on the Exceptions tab of the Windows Firewall prior to running a query.

Client Push Installation

In order to successfully use client push to install the Configuration Manager 2012 client, you must add the following as exceptions to the Windows Firewall:

  • File and Printer Sharing

  • Windows Management Instrumentation (WMI)

Client Installation by using Group Policy

In order to successfully use Group Policy to install the Configuration Manager 2012 client, you must add File and Printer Sharing as an exception to the Windows Firewall.

Client Requests

In order for client computers to communicate with Configuration Manager 2012 site systems, you must add the following as exceptions to the Windows Firewall:

TCP Port 80 (for HTTP communication)

TCP Port 443 (for HTTPS communication)

Important
These are default port numbers which can be changed in Configuration Manager 2012. For more information, see How to Configure Request Ports for the Client. If these ports have been changed, you must also configure matching exceptions on the Windows Firewall.

Network Access Protection

In order for client computers to successfully communicate with the system health validator point, you need to allow the following ports:

  • UDP 67 and UDP 68 for DHCP

  • TCP 80/443 for IPsec

Remote Control

In order to use the remote tools features of Configuration Manager 2012, you need to allow the following ports:

  • TCP port 2701

  • TCP port 2702

  • TCP port 135

Remote Assistance and Remote Desktop

To enable Remote Assistance to be initiated from the SMS Administrator console, add both the custom program helpsvc.exe and the custom port TCP 135 to the list of permitted programs and services in Windows Firewall on the client computer. Also, Windows Firewall must be configured to permit Remote Assistance and Remote Desktop. If a user initiates a request for Remote Assistance from that computer, Windows Firewall will automatically be configured to permit Remote Assistance and Remote Desktop.

Windows Event Viewer, Windows Performance Monitor and Windows Diagnostics

To enable Windows event viewer, Windows performance monitor and Windows diagnostics to be accessed from the Configuration Manager console, you must enable File and Printer Sharing as an exception on the Windows Firewall.
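The following script is an added example and is not part of the original article or of Configuration Manager itself. It creates the exceptions listed in this section on a single client computer using netsh advfirewall, which is available on Windows Vista, Windows 7 and later. The rule names, the program paths in $programs, and the default client request ports (80/443, which you override with -HttpPort and -HttpsPort if they were changed as described under Client Requests) are assumptions.

```powershell
# Added example, not part of the original article: creates the Windows Firewall
# exceptions listed under "Programs and Ports Required by Configuration Manager 2012"
# with netsh advfirewall (Windows Vista/Windows 7 and later).
# Run it in an elevated PowerShell session on the client computer.
# Assumptions (placeholders): the rule names, the program paths in $programs, and the
# default client request ports 80/443 (pass -HttpPort/-HttpsPort if they were changed).
param(
    [int]$HttpPort  = 80,
    [int]$HttpsPort = 443
)

function Invoke-Netsh {
    # Runs one "netsh advfirewall firewall" command and stops on failure so that a
    # mistyped rule is not silently skipped.
    param([string[]]$Arguments)
    $output = & netsh advfirewall firewall @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh failed: $Arguments`n$output" }
}

# Built-in rule groups. Enabling a group enables every rule it contains.
$groups = @(
    'File and Printer Sharing'                  # client push, Group Policy install, Event Viewer/Performance Monitor
    'Windows Management Instrumentation (WMI)'  # client push
    'Remote Assistance'                         # Remote Assistance from the console
    'Remote Desktop'                            # Remote Desktop
)
foreach ($group in $groups) {
    Invoke-Netsh @('set', 'rule', "group=$group", 'new', 'enable=yes')
}

# Inbound TCP ports that the site server connects to on the client
# (remote tools and the RPC endpoint mapper).
$inboundPorts = @{
    'ConfigMgr Remote Control 2701' = 2701
    'ConfigMgr Remote Control 2702' = 2702
    'ConfigMgr RPC Endpoint Mapper' = 135
}
foreach ($name in $inboundPorts.Keys) {
    Invoke-Netsh @('add', 'rule', "name=$name", 'dir=in', 'action=allow', 'protocol=TCP', "localport=$($inboundPorts[$name])")
}

# Client request ports: the client initiates these connections to the site systems.
# Windows Firewall allows outbound traffic by default, so these rules only take effect
# where the outbound default has been changed to block.
$outboundPorts = @{
    'ConfigMgr Client HTTP'  = $HttpPort
    'ConfigMgr Client HTTPS' = $HttpsPort
}
foreach ($name in $outboundPorts.Keys) {
    Invoke-Netsh @('add', 'rule', "name=$name", 'dir=out', 'action=allow', 'protocol=TCP', "remoteport=$($outboundPorts[$name])")
}

# Program exceptions named in the article. The paths are placeholders: point them at
# the actual binaries on this computer before running the script.
$programs = @{
    'ConfigMgr statview.exe'        = 'C:\Path\To\Console\statview.exe'
    'Remote Assistance helpsvc.exe' = 'C:\Path\To\helpsvc.exe'
}
foreach ($name in $programs.Keys) {
    Invoke-Netsh @('add', 'rule', "name=$name", 'dir=in', 'action=allow', "program=$($programs[$name])", 'enable=yes')
}
```

Because the rules are given fixed names, you can later list or remove them with netsh advfirewall firewall show rule name="ConfigMgr Remote Control 2701" (and delete rule with the same name), which keeps the Configuration Manager exceptions distinguishable from rules added by other software.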

Ports Used During Configuration Manager Client Deployment

The following tables list the ports that are used during the client installation process.

Important
If there is a firewall between the site system servers and the client computer, confirm whether the firewall permits traffic for the ports that are required for the client installation method that you choose. For example, firewalls often prevent client push installation from succeeding because they block Server Message Block (SMB) and Remote Procedure Calls (RPC). In this scenario, use a different client installation method, such as manual installation (running CCMSetup.exe) or Group Policy-based client installation. These alternative client installation methods do not require SMB or RPC.

For information about how to configure Windows Firewall on the client computer, see Windows Firewall Settings for Configuration Manager Clients.

Ports that Are Used for all Installation Methods

  • Hypertext Transfer Protocol (HTTP) from the client to a server locator point. A server locator point is required in the following scenarios:
      • You have not extended the Active Directory schema for Configuration Manager 2012, or not all sites in the hierarchy are published to Active Directory Domain Services.
      • You are installing the client on a workgroup computer or a computer from another forest.
    For more information about whether a server locator point is required for client installation, see Determine If You Need a Server Locator Point for Configuration Manager Clients.
    UDP: --    TCP: 80 (See note 1, Alternate Port Available)

  • Hypertext Transfer Protocol (HTTP) from the client computer to a fallback status point, when a fallback status point is assigned to the client.
    UDP: --    TCP: 80 (See note 1, Alternate Port Available)

Ports that are Used with Client Push Installation

In addition to the ports listed in the following table, client push installation also uses Internet Control Message Protocol (ICMP) echo request messages from the site server to the client computer to confirm whether the client computer is available on the network. These are the messages sent by the TCP/IP ping command. ICMP does not have a UDP or TCP port number, and so it is not listed in the following table. However, any intervening network devices, such as firewalls, must permit ICMP traffic for client push installation to succeed.

  • Server Message Block (SMB) between the site server and client computer.
    UDP: --    TCP: 445

  • RPC endpoint mapper between the site server and the client computer.
    UDP: 135    TCP: 135

  • RPC dynamic ports between the site server and the client computer.
    UDP: --    TCP: DYNAMIC

  • Hypertext Transfer Protocol (HTTP) from the client computer to a mixed mode management point.
    UDP: --    TCP: 80 (See note 1, Alternate Port Available)

  • Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a native mode management point.
    UDP: --    TCP: 443 (See note 1, Alternate Port Available)

Ports that are Used with Software Update Point-Based Installation

  • Hypertext Transfer Protocol (HTTP) from the client computer to the software update point.
    UDP: --    TCP: 80 or 8530 (See note 2, Windows Server Update Services)

  • Secure Hypertext Transfer Protocol (HTTPS) from the client computer to the software update point.
    UDP: --    TCP: 443 or 8531 (See note 2, Windows Server Update Services)

  • Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>.
    UDP: --    TCP: 445

Ports that are Used with Group Policy-Based Installation

  • Hypertext Transfer Protocol (HTTP) from the client computer to a native mode management point.
    UDP: --    TCP: 80 (See note 1, Alternate Port Available)

  • Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a native mode management point.
    UDP: --    TCP: 443 (See note 1, Alternate Port Available)

  • Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>.
    UDP: --    TCP: 445

Ports that are Used with Manual Installation and Logon Script-Based Installation

  • Server Message Block (SMB) between the client computer and a network share from which you run CCMSetup.exe.
    Note: When you install Configuration Manager 2012, the client installation source files are copied and automatically shared from the <InstallationPath>\Client folder on management points. However, you can copy these files and create a new share on any computer on the network. Alternatively, you can eliminate this network traffic by running CCMSetup.exe locally, for example, by using removable media.
    UDP: --    TCP: 445

  • Hypertext Transfer Protocol (HTTP) from the client computer to a mixed mode management point, when you do not specify the CCMSetup command-line property /source:<Path>.
    UDP: --    TCP: 80 (See note 1, Alternate Port Available)

  • Secure Hypertext Transfer Protocol (HTTPS) from the client computer to a native mode management point, when you do not specify the CCMSetup command-line property /source:<Path>.
    UDP: --    TCP: 443 (See note 1, Alternate Port Available)

  • Server Message Block (SMB) between the source server and the client computer when you specify the CCMSetup command-line property /source:<Path>.
    UDP: --    TCP: 445

Ports that are Used with Software Distribution-Based Installation

  • Server Message Block (SMB) between the distribution point and the client computer.
    Note: For more information about when clients use SMB to distribution points, see Client Communication in Mixed Mode and Native Mode.
    UDP: --    TCP: 445

  • Hypertext Transfer Protocol (HTTP) from the client to a mixed mode distribution point.
    UDP: --    TCP: 80 (See note 1, Alternate Port Available)

  • Secure Hypertext Transfer Protocol (HTTPS) from the client to a native mode distribution point.
    UDP: --    TCP: 443 (See note 1, Alternate Port Available)

Notes

Note 1, Alternate Port Available: In Configuration Manager, you can define an alternate port for this value. If a custom port has been defined, substitute that custom port when you define the IP filter information for IPsec policies or for configuring firewalls.

Note 2, Windows Server Update Services: You can install WSUS either on the default Web site (port 80) or a custom Web site (port 8530).

After installation, you can change the port. You do not have to use the same port number throughout the site hierarchy.

If the HTTP port is 80, the HTTPS port must be 443.

If the HTTP port is anything else, the HTTPS port must be 1 higher, for example, 8530 and 8531.
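The Important note above asks you to confirm that any firewall between the site systems and the client permits the ports for the installation method you choose. The following script is an added example (not part of the original article and not Configuration Manager code) that runs on the client computer, builds the list of client-initiated TCP connections from the tables above for a chosen installation method, applies the WSUS port pairing from note 2, and tests each port with a plain TCP connect. It uses .NET sockets so it works on Windows PowerShell 2.0 and later. The hostnames and the custom WSUS port in the usage lines are placeholders; the function and parameter names are this example's own.

```powershell
# Added example, not part of the original article: from a client computer, checks
# whether the client-initiated TCP ports the tables above require for a chosen
# installation method are reachable through any intervening firewalls, and applies
# the WSUS port rule from note 2. Uses .NET sockets so it runs on Windows PowerShell
# 2.0 and later. Hostnames and the custom WSUS port in the usage lines are placeholders.

function Get-ExpectedHttpsPort {
    # Note 2: HTTP on 80 pairs with HTTPS 443; any other HTTP port pairs with port + 1.
    param([int]$HttpPort)
    if ($HttpPort -eq 80) { return 443 }
    return $HttpPort + 1
}

function Test-TcpPort {
    # $true when a TCP connection to $ComputerName:$Port completes within the timeout.
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-RequiredClientPorts {
    # Client-to-server TCP connections per installation method, as listed in the tables.
    # Connections the site server opens toward the client (SMB/RPC for client push) are
    # left out because they cannot be verified from the client side.
    param(
        [ValidateSet('SoftwareUpdatePoint', 'GroupPolicy', 'Manual', 'SoftwareDistribution')]
        [string]$Method,
        [string]$ManagementPoint,
        [string]$SoftwareUpdatePoint,
        [string]$SourceServer,          # /source:<Path> server or the CCMSetup share
        [string]$DistributionPoint,
        [int]$HttpPort = 80,            # note 1: substitute custom client request ports
        [int]$HttpsPort = 443,
        [int]$WsusHttpPort = 80         # note 2: 80 on the default Web site, 8530 on a custom one
    )
    $wsusHttpsPort = Get-ExpectedHttpsPort -HttpPort $WsusHttpPort
    $mp = @(
        @{ Target = $ManagementPoint; Port = $HttpPort;  Purpose = 'HTTP to mixed mode management point' }
        @{ Target = $ManagementPoint; Port = $HttpsPort; Purpose = 'HTTPS to native mode management point' }
    )
    $smb = @{ Target = $SourceServer; Port = 445; Purpose = 'SMB to the client source share' }
    switch ($Method) {
        'SoftwareUpdatePoint' {
            @{ Target = $SoftwareUpdatePoint; Port = $WsusHttpPort;  Purpose = 'HTTP to software update point' }
            @{ Target = $SoftwareUpdatePoint; Port = $wsusHttpsPort; Purpose = 'HTTPS to software update point' }
            $smb
        }
        'GroupPolicy'          { $mp; $smb }
        'Manual'               { $smb; $mp }
        'SoftwareDistribution' {
            @{ Target = $DistributionPoint; Port = 445;        Purpose = 'SMB to distribution point' }
            @{ Target = $DistributionPoint; Port = $HttpPort;  Purpose = 'HTTP to mixed mode distribution point' }
            @{ Target = $DistributionPoint; Port = $HttpsPort; Purpose = 'HTTPS to native mode distribution point' }
        }
    }
}

function Test-ClientInstallPorts {
    # Runs the checks and returns one object per port, with Open = $true or $false.
    param([hashtable[]]$Required)
    foreach ($r in $Required) {
        New-Object PSObject -Property @{
            Target  = $r.Target
            Port    = $r.Port
            Purpose = $r.Purpose
            Open    = Test-TcpPort -ComputerName $r.Target -Port $r.Port
        }
    }
}

# Usage with placeholder names: WSUS on a custom Web site on 8530, so HTTPS is expected on 8531.
$required = Get-RequiredClientPorts -Method SoftwareUpdatePoint `
    -SoftwareUpdatePoint 'SUP01.corp.example' -SourceServer 'FS01.corp.example' -WsusHttpPort 8530
Test-ClientInstallPorts -Required $required | Format-Table Target, Port, Purpose, Open -AutoSize
```

A port reported as not open does not by itself identify which device blocks it, but running the same check from a computer on the site server's own subnet and comparing results usually shows whether the intervening firewall or the server's local firewall is responsible.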

See Also