Configuring Configuration Manager 2007 for Internet-based client management often requires some network configuration to support the additional traffic from the Internet. Typically, this requires reconfiguration of firewalls between the Internet and your perimeter network (also known as DMZ, demilitarized zone, and screened subnet), and also between the perimeter network and your intranet. It might also include configuration of Web proxy servers between security boundaries.
Note: Firewalls placed between the Internet and perimeter networks are often referred to as "front-end firewalls," and firewalls placed between the perimeter network and the intranet are often referred to as "back-end firewalls."
Use the network diagrams that correspond to your chosen supported scenario for Internet-based client management to identify the protocols that cross security boundaries and will therefore need to be configured on firewalls. For a list of the supported scenarios, see Supported Scenarios for Internet-Based Client Management.
Additionally, make sure that any intervening firewalls support HTTP 1.1 and that they do not block traffic required by Configuration Manager 2007 Internet-based client management. For information about the external dependency for intervening firewalls or proxy servers, see Prerequisites for Internet-Based Client Management.
The list of possible protocols used in Internet-based client management scenarios is as follows:
- Remote procedure calls (RPC): RPCs are needed for site system installation and for installing packages onto distribution points. These connections typically use UDP and TCP port 135 and a dynamic TCP port range.
- Server message block (SMB): SMB is needed for site system installation and repair, and for sending site system status. These connections typically use TCP port 445.
- Microsoft SQL Server: By default, SQL Server connections use TCP port 1433, and Configuration Manager 2007 does not support changing this port number.
- HTTP: Clients on the Internet use HTTP to connect to their Internet-based fallback status point.
- HTTPS: Clients on the Internet use HTTPS to connect to their Internet-based management point, Internet-based distribution points, and Internet-based software update point.
The Internet-based software update point communicates with the active software update point by using HTTPS, and it can also use HTTP. To configure the Windows Server Update Services (WSUS) settings, the active software update point connects to the Internet-based software update point by using HTTPS. When Configuration Manager synchronizes the software updates metadata, the Internet-based software update point connects to the active software update point. Most connections will use HTTPS. However, when the software updates metadata has associated license terms (for example, if the software update is a service pack), the connection uses HTTP. To avoid these inbound connections from the perimeter network to the intranet, use the export and import method of synchronizing the software updates as described in How to Synchronize Updates Using Export and Import.
If your firewalls require the port numbers for HTTP and HTTPS protocols, by default, they are TCP 80 and TCP 443, respectively. However, you can change these port numbers for HTTP and HTTPS traffic in Configuration Manager 2007 to add some additional security if you are using Internet-based client management.
Use the following procedure to identify the port numbers configured for HTTP and HTTPS connections, so that you can configure this port information on firewalls that protect your networks from the Internet.
Note: Do not change the port numbers in Configuration Manager 2007 without understanding the consequences. For example, changing the port numbers for the client request services without following the correct procedure might result in all the clients in the site being unable to connect to their management point and, as such, unmanaged.
To view the port numbers for client requests that use HTTP and HTTPS connections
1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.
2. Right-click <site code> – <site name>, and then click Properties.
3. On the Ports tab in the site properties dialog box, view the Active ports section.
4. Locate the two services named Client Requests-HTTP (TCP). Identify the configured port number if the service is selected to be used by the site. If both services are selected, you might need to configure firewalls for both port numbers if some clients are still using the default port number.
5. Locate the two services named Client Requests-HTTPS (TCP). Identify the configured port number if the service is selected to be used by the site. If both services are selected, you might need to configure firewalls for both port numbers if some clients are still using the default port number.
To view the port numbers for software update points that use HTTP and HTTPS connections (client requests and synchronization to another software update point)
1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Component Configuration.
2. Right-click Software Update Point Component, and then click Properties.
3. On the Internet-Based tab, locate the section Specify the port settings used by this WSUS server, and then identify the configured port numbers for Port number (the HTTP port) and SSL Port number (the HTTPS port).
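The following added example (not part of the original page or of Configuration Manager itself) turns the protocol list above and the port numbers gathered by the two procedures into a front-end and back-end firewall rule set, so the rules can be reviewed before they are entered on the firewalls. It assumes the Internet-based site systems sit in the perimeter network and the site server and site database in the intranet; the `SitePorts`, `Rule` and `firewall_rules` names and the sample port values are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the real values come from the site's Ports tab and the
# Software Update Point Component properties described on this page.
@dataclass
class SitePorts:
    http: int = 80                       # Client Requests-HTTP (TCP), selected port
    https: int = 443                     # Client Requests-HTTPS (TCP), selected port
    legacy_http: Optional[int] = None    # second HTTP service if still selected
    legacy_https: Optional[int] = None   # second HTTPS service if still selected
    wsus_http: int = 80                  # WSUS "Port number" (Internet-Based tab)
    wsus_https: int = 443                # WSUS "SSL Port number" (Internet-Based tab)

@dataclass(frozen=True)
class Rule:
    src: str      # zone the connection originates in
    dst: str      # zone it terminates in
    proto: str
    port: str
    purpose: str

def firewall_rules(ports: SitePorts, sup_in_perimeter: bool = True,
                   sup_export_import: bool = False) -> List[Rule]:
    """Rules for the front-end (Internet/perimeter) and back-end
    (perimeter/intranet) firewalls. Assumes the Internet-based site systems
    sit in the perimeter network and the site server/SQL in the intranet."""
    rules = []
    # Front-end firewall: only client HTTP/HTTPS crosses in from the Internet.
    for p in sorted({ports.http, ports.legacy_http} - {None}):
        rules.append(Rule("Internet", "Perimeter", "TCP", str(p), "clients -> fallback status point (HTTP)"))
    for p in sorted({ports.https, ports.legacy_https} - {None}):
        rules.append(Rule("Internet", "Perimeter", "TCP", str(p), "clients -> MP/DP/SUP (HTTPS)"))
    # Back-end firewall: site server management of perimeter site systems.
    rules += [
        Rule("Intranet", "Perimeter", "UDP/TCP", "135", "RPC: site system install, package distribution"),
        Rule("Intranet", "Perimeter", "TCP", "dynamic RPC range", "RPC: site system install, package distribution"),
        Rule("Intranet", "Perimeter", "TCP", "445", "SMB: site system install and repair"),
        Rule("Perimeter", "Intranet", "TCP", "445", "SMB: site system status to site server"),
        Rule("Perimeter", "Intranet", "TCP", "1433", "SQL Server (port cannot be changed)"),
    ]
    if sup_in_perimeter:
        rules.append(Rule("Intranet", "Perimeter", "TCP", str(ports.wsus_https), "active SUP -> Internet SUP: WSUS settings (HTTPS)"))
        if not sup_export_import:   # export/import sync removes these inbound connections
            rules.append(Rule("Perimeter", "Intranet", "TCP", str(ports.wsus_https), "Internet SUP -> active SUP: metadata sync (HTTPS)"))
            rules.append(Rule("Perimeter", "Intranet", "TCP", str(ports.wsus_http), "Internet SUP -> active SUP: license terms (HTTP)"))
    return rules
```

When a second Client Requests service is still selected, pass its port as `legacy_http` or `legacy_https` and the front-end rules cover both ports, as the procedure above advises.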