Topic last updated—March 2008

In addition to standard Configuration Manager 2007 traffic, Network Access Protection (NAP) in Configuration Manager 2007 generates the following traffic with associated ports. If you have firewalls or network perimeter devices that block this traffic, they must be reconfigured for Network Access Protection to work with Configuration Manager 2007.

Use the following table to identify the ports used by Network Access Protection in Configuration Manager 2007. For a list of all ports used in Configuration Manager 2007, see Ports used by Configuration Manager.

Additionally, you will need to identify the ports used between the client and the System Health Validator point. These ports are not used directly by Configuration Manager but are established by Windows Network Access Protection and depend on the enforcement client being used. For example, DHCP enforcement uses ports UDP 67 and 68. IPsec enforcement uses ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation, and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation, and for help with configuring firewalls for IPsec, see

| Function | Ports | Description |
|---|---|---|
| Configuration Manager 2007 site server publishing the Configuration Manager health state reference to Active Directory Domain Services | TCP 389 (LDAP) or TCP 636 (LDAPS) | Writing to Active Directory Domain Services |
| System Health Validator point querying Active Directory Domain Services for the Configuration Manager health state reference | TCP 3268 (global catalog lookup) or TCP 3269 (secure global catalog lookup) | Reading from a global catalog server |
| Installing the System Health Validator point and ongoing configuration | TCP 445; TCP 135 | Server message blocks (SMB) to install; remote procedure calls (RPCs) for configuration |
| Status messages from the System Health Validator point to the site server | TCP 445 | Server message blocks (SMB) |
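The following script is an added example, not part of the Configuration Manager documentation, that audits a set of perimeter allow rules against the NAP flows in the table above. The role names, the rule-set format and the sample rules are all constructed for the example; the point it demonstrates is that the LDAP/LDAPS and global catalog rows are satisfied by either alternative, while the SHV point installation row needs both SMB and RPC.

```python
# Added example (not from the Configuration Manager documentation): audit a
# firewall rule set against the NAP port requirements listed in the table.
# A requirement is (source role, destination role, alternatives); any one
# (protocol, port) alternative satisfies it. Role names are constructed.
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, Tuple[Tuple[str, int], ...]]

# Flows taken from the table above. SHV point installation needs SMB *and*
# RPC, so that row is modelled as two separate requirements.
NAP_FLOWS: List[Flow] = [
    ("site server", "domain controller", (("tcp", 389), ("tcp", 636))),
    ("SHV point", "global catalog", (("tcp", 3268), ("tcp", 3269))),
    ("site server", "SHV point", (("tcp", 445),)),
    ("site server", "SHV point", (("tcp", 135),)),
    ("SHV point", "site server", (("tcp", 445),)),
]


def check_nap_flows(allowed: Dict[Tuple[str, str], Set[Tuple[str, int]]]) -> List[str]:
    """Return one finding per required flow that no allow rule permits.

    `allowed` maps (source role, destination role) to the set of
    (protocol, port) pairs the perimeter devices permit in that direction.
    """
    findings = []
    for src, dst, alternatives in NAP_FLOWS:
        permitted = allowed.get((src, dst), set())
        if not any(alt in permitted for alt in alternatives):
            wanted = " or ".join(f"{p.upper()} {port}" for p, port in alternatives)
            findings.append(f"{src} -> {dst}: needs {wanted}")
    return findings


# Constructed sample rule set: LDAPS rather than LDAP is open (which is fine),
# but SMB from the SHV point back to the site server (status messages) is not.
SAMPLE_RULES: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("site server", "domain controller"): {("tcp", 636)},
    ("SHV point", "global catalog"): {("tcp", 3268)},
    ("site server", "SHV point"): {("tcp", 445), ("tcp", 135)},
}

if __name__ == "__main__":
    for finding in check_nap_flows(SAMPLE_RULES):
        print("BLOCKED:", finding)
```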
