Protocols

Windows Deployment Services uses the following protocols for installing images:

  • Dynamic Host Configuration Protocol (DHCP)

  • Pre-Boot Execution Environment (PXE)

  • Trivial File Transfer Protocol (TFTP)

  • Remote procedure call (RPC)

  • Server Message Block (SMB)

  • Multicasting

Ports

The following table outlines the User Data Protocol (UDP) and Transmission Control Protocol (TCP) network ports that are used during image deployment. You can modify the values that have an asterisk (*) by using the instructions in How to Manage Your Server.

UDP TCP
  • 67

  • 68 if DHCP authorization is required on the server

  • 69

  • 4011

  • Random ports from 64001 through 65000*, to establish a session with the server for TFTP and multicasting (in accordance with RFC 1783 at http://go.microsoft.com/fwlink/?LinkId=81027).
  • 135 for RPC

  • 5040* for RPC

  • 137–139*
The following steps explain the UDP and TCP ports that are used during image deployment:

  1. The client performs a PXE boot.

  2. PXE uses DHCP ports and TFTP to download the binary files. For UDP and DHCP, you need to enable ports 67, 69, and 4011. In addition, TFTP endpoints are used; by default, these endpoints range from 64001 through 65000. For instructions on modifying these ranges, see How to Manage Your Server.You can also use the Network Address Translation (NAT) with the Routing and Remote Access network service to control these ports.

  3. In accordance with RFC 1783 (http://go.microsoft.com/fwlink/?LinkId=81027), the client chooses random UDP ports to establish the session with the server. You should use an application exception for TFTP if you have the Windows firewall enabled on the Windows Deployment Services server.

  4. The client downloads Windows PE and boots to the Windows Deployment Services client. This download also uses the same TFTP ports as mentioned previously.

  5. The Windows Deployment Services client communicates with the Windows Deployment Services server to authenticate and obtain the list of available images. This conversation occurs over RPC because RPC has built-in authentication (it is one of the few completely available protocols in Windows PE). You need to allow the port for the Endpoint Mapper (TCP 135) and the port for the RPC listener for the Windows Deployment Services server (which is TCP 5040 by default).

  6. The Windows Deployment Services client installs the selected image. Image transfer occurs through SMB. You need all the file-sharing and printer-sharing ports — for example, TCP 137 through 139 — for installing the image.

    Note

    In addition, if DHCP authorization is required on the server, you need DHCP client port 68 to be open on the server. Note that DHCP authorization is not required by default; but you can turn it on manually.