
Ports Used by Configuration Manager

Updated: July 1, 2009


Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2,
System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Microsoft System Center Configuration Manager 2007 is a distributed client/server system. The
distributed nature of Configuration Manager 2007 means that connections can be established between
site servers, site systems, and clients. Some connections use ports that are not configurable, and some
use ports that can be customized. You must verify that the required ports are available if you use any
port filtering technology such as firewalls, routers, proxy servers, and IPsec.
Note
To plan your firewall configuration, if you are supporting Internet-based clients, use the following port
information together with the information in Supported Scenarios for Internet-Based Client Management.
In addition to port requirements, if you have Internet-based clients, you must also allow certain HTTP
verbs and headers to traverse your firewall. For more information, see Prerequisites for Internet-Based Client Management.

Configurable Ports
Configuration Manager 2007 allows you to configure the ports for the following types of communication:
Client to site system

Client to Internet (as proxy server settings)

Software update point to Internet (as proxy server settings)

Software update point to WSUS server

Client to reporting point

By default, the HTTP port used for client to site system communication is port 80 and the default HTTPS
port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during
Setup or in the Site Properties for your Configuration Manager site.
Reporting point site system roles have configurable port settings for HTTP and HTTPS communication
defined on the reporting point site system role property page. By default, users connect to the reporting
point using the HTTP port 80 and HTTPS port 443. These ports are defined during installation only. To
redefine the reporting point communication port, the reporting point site system must be deleted and
then reinstalled.

Non-Configurable Ports
Configuration Manager does not allow you to configure ports for the following types of communication:
Site to site (primary-to-primary or primary-to-secondary)

Site server to site system

Site server to site database server

Site system to site database server

Configuration Manager 2007 console to SMS Provider

Configuration Manager 2007 console to the Internet

Port Details
The port listings that follow are used by Configuration Manager 2007 and do not include information for
standard Windows services, such as Group Policy settings for Active Directory and Kerberos
authentication. For information about Windows Server services and ports,
see http://go.microsoft.com/fwlink/?LinkID=123652.
The following diagram indicates connections between Configuration Manager 2007 computers. The
number for the link corresponds to the table that lists the ports for that link. The arrows between the
computers represent the direction of the communication.
-- > indicates one computer initiates and the other computer always responds

< -- > indicates that either computer can initiate

1. Site Server < -- > Site Server

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
Point to Point Tunneling Protocol (PPTP) | -- | 1723 (See note 3, RAS Sender)

2. Primary Site Server -- > Domain Controller

Description | UDP | TCP
Lightweight Directory Access Protocol (LDAP) | -- | 389
LDAP (Secure Sockets Layer [SSL] connection) | 636 | 636
Global Catalog LDAP | -- | 3268
Global Catalog LDAP SSL | -- | 3269
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

3. Site Server < -- > Software Update Point
(See note 6, Communication between the site server and site systems)

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
Hypertext Transfer Protocol (HTTP) | -- | 80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 or 8531 (See note 4, Windows Server Update Services)

4. Software Update Point -- > Internet

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 1, Proxy Server port)

5. Site Server < -- > State Migration Point
(See note 6, Communication between the site server and site systems)

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135

6. Client -- > Software Update Point

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 or 8531 (See note 4, Windows Server Update Services)

7. Client -- > State Migration Point

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available)
Server Message Block (SMB) | -- | 445

8. Client -- > PXE Service Point

Description | UDP | TCP
Dynamic Host Configuration Protocol (DHCP) | 67 and 68 | --
Trivial File Transfer Protocol (TFTP) | 69 (See note 5, Trivial FTP (TFTP) Daemon) | --
Boot Information Negotiation Layer (BINL) | 4011 | --

9. Site Server < -- > PXE Service Point
(See note 6, Communication between the site server and site systems)

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

10. Site Server < -- > System Health Validator
(See note 6, Communication between the site server and site systems)

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

11. Client -- > System Health Validator

The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation. For help with configuring firewalls for IPsec, see http://go.microsoft.com/fwlink/?LinkId=109499.

12. Site Server < -- > Fallback Status Point
(See note 6, Communication between the site server and site systems)

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

13. Client -- > Fallback Status Point

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available)

14. Site Server -- > Distribution Point

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

15. Client -- > Distribution Point

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available)
Server Message Block (SMB) | -- | 445
Multicast Protocol | 63000-64000 | --

16. Client -- > Branch Distribution Point

Description | UDP | TCP
Server Message Block (SMB) | -- | 445

17. Client -- > Management Point

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available)

18. Client -- > Server Locator Point

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available)

19. Branch Distribution Point -- > Distribution Point

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available)

20. Site Server -- > Provider

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

21. Server Locator Point -- > Microsoft SQL Server

Description | UDP | TCP
SQL over TCP | -- | 1433

22. Management Point -- > SQL Server

Description | UDP | TCP
SQL over TCP | -- | 1433

23. Provider -- > SQL Server

Description | UDP | TCP
SQL over TCP | -- | 1433

24. Reporting Point -- > SQL Server / Reporting Services Point -- > SQL Server
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is applicable to Configuration Manager 2007 R2 only.

Description | UDP | TCP
SQL over TCP | -- | 1433

25. Configuration Manager Console -- > Reporting Point

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available)

26. Configuration Manager Console -- > Provider

Description | UDP | TCP
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

27. Configuration Manager Console -- > Internet

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80

28. Primary Site Server -- > SQL Server

Description | UDP | TCP
SQL over TCP | -- | 1433

29. Management Point -- > Domain Controller

Description | UDP | TCP
Lightweight Directory Access Protocol (LDAP) | -- | 389
LDAP (Secure Sockets Layer [SSL] connection) | 636 | 636
Global Catalog LDAP | -- | 3268
Global Catalog LDAP SSL | -- | 3269
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

30. Site Server -- > Reporting Point / Site Server -- > Reporting Services Point
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is in Configuration Manager 2007 R2 only.

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

31. Site Server -- > Server Locator Point
(See note 6, Communication between the site server and site systems)

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

32. Configuration Manager Console -- > Site Server

Description | UDP | TCP
RPC (initial connection to WMI to locate provider system) | -- | 135

33. Software Update Point -- > WSUS Synchronization Server

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 or 8530 (See note 4, Windows Server Update Services)
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 or 8531 (See note 4, Windows Server Update Services)

34. Configuration Manager Console -- > Client

Description | UDP | TCP
Remote Control (control) | 2701 | 2701
Remote Control (data) | 2702 | 2702
Remote Control (RPC Endpoint Mapper) | -- | 135
Remote Assistance (RDP and RTC) | -- | 3389

35. Management Point < -- > Site Server
(See note 6, Communication between the site server and site systems)

Description | UDP | TCP
RPC Endpoint Mapper | -- | 135
RPC | -- | DYNAMIC
Server Message Block (SMB) | -- | 445

36. Site Server -- > Client

Description | UDP | TCP
Wake on LAN | 9 (See note 2, Alternate Port Available) | --

37. Configuration Manager Client -- > Global Catalog Domain Controller

A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for Internet-only communication.

Description | UDP | TCP
Global Catalog LDAP | -- | 3268
Global Catalog LDAP SSL | -- | 3269

38. PXE Service Point -- > SQL Server

Description | UDP | TCP
SQL over TCP | -- | 1433

39. Site Server < -- > Asset Intelligence Synchronization Point (Configuration Manager 2007 SP1)

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

40. Asset Intelligence Synchronization Point < -- > System Center Online (Configuration Manager 2007 SP1)

Description | UDP | TCP
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443

41. Multicast Distribution Point -- > SQL Server (Configuration Manager 2007 R2)

Description | UDP | TCP
SQL over TCP | -- | 1433

42. Client status reporting host --> Client (Configuration Manager 2007 R2)

Description | UDP | TCP
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC
ICMPv4 Type 8 (Echo) or ICMPv6 Type 128 (Echo Request) | n/a | n/a

43. Client status reporting host --> Management Point (Configuration Manager 2007 R2)

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
NetBIOS Session Service | -- | 139

44. Client status reporting host --> SQL Server (Configuration Manager 2007 R2)

Description | UDP | TCP
SQL over TCP | -- | 1433

45. Site Server < -- > Reporting Services Point (Configuration Manager 2007 R2)
(See note 6, Communication between the site server and site systems)

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

46. Configuration Manager Console -- > Reporting Services Point (Configuration Manager 2007 R2)

Description | UDP | TCP
Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available)
Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available)

47. Reporting Services Point -- > SQL Server (Configuration Manager 2007 R2)

Description | UDP | TCP
SQL over TCP | -- | 1433

Notes
1 Proxy Server port: This port cannot be configured but can be routed through a configured proxy server.
2 Alternate Port Available: An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for the IPsec policies.
3 RAS Sender: Configuration Manager 2007 can also use the RAS Sender with Point to Point Tunneling Protocol (PPTP) to send and receive Configuration Manager 2007 site, client, and administrative information through a firewall. Under these circumstances, the PPTP TCP 1723 port is used.
4 Windows Server Update Services: WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530). After installation, the port can be changed. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is anything else, the HTTPS port must be 1 higher, for example 8530 and 8531.
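The following is an added example, not code from the TechNet page: it turns links 3, 4, 6 and 33 and notes 4 and 6 into a rule list for a software update point host and refuses an HTTP/HTTPS pair that breaks the note 4 rule. The function names, the rule tuple layout and the peer labels are this example's own assumptions; the port numbers are the page's.

```python
# Added example (not from the TechNet page): derive the firewall rules a
# Software Update Point host needs from links 3, 4, 6 and 33 and notes 4
# and 6 above. Function names, tuple layout and peer labels are constructed
# for this example; the port numbers and the pairing rule are the page's.


def wsus_https_port(http_port):
    """Note 4: HTTPS is 443 when HTTP is 80, otherwise HTTP port + 1."""
    if not 1 <= http_port <= 65535:
        raise ValueError("port out of range")
    return 443 if http_port == 80 else http_port + 1


def wsus_pair_is_valid(http_port, https_port):
    """True when the HTTP/HTTPS pair obeys note 4."""
    return https_port == wsus_https_port(http_port)


def sup_rules(http_port=80, https_port=None, site_server_initiated_only=False,
              upstream_wsus_http=None):
    """Return (direction, protocol, port, peer) tuples for the SUP host.

    direction is seen from the SUP host: 'in' is traffic it accepts,
    'out' is traffic it originates.
    """
    if https_port is None:
        https_port = wsus_https_port(http_port)
    if not wsus_pair_is_valid(http_port, https_port):
        raise ValueError(
            f"HTTPS {https_port} does not pair with HTTP {http_port} (note 4)")
    rules = [
        # Link 3: the site server initiates SMB and WSUS HTTP(S) to the SUP.
        ("in", "tcp", 445, "site server"),
        ("in", "tcp", http_port, "site server"),
        ("in", "tcp", https_port, "site server"),
        # Link 6: clients scan against WSUS on the SUP.
        ("in", "tcp", http_port, "clients"),
        ("in", "tcp", https_port, "clients"),
        # Link 4: synchronization with the Internet, via the proxy (note 1).
        ("out", "tcp", 80, "Internet or proxy"),
    ]
    if upstream_wsus_http is not None:
        # Link 33: when the SUP syncs from a WSUS synchronization server,
        # that server's HTTPS port follows the same note 4 rule.
        rules.append(("out", "tcp", upstream_wsus_http, "upstream WSUS"))
        rules.append(("out", "tcp", wsus_https_port(upstream_wsus_http),
                      "upstream WSUS"))
    if not site_server_initiated_only:
        # Note 6: unless "Allow only site server initiated data transfers" is
        # set, the site system connects back to the site server to send status.
        rules.append(("out", "tcp", 445, "site server"))
    return rules
```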
5 Trivial FTP (TFTP) Daemon: The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs:
RFC 350: TFTP
RFC 2347: Option extension
RFC 2348: Block size option
RFC 2349: Time-out interval, and transfer size options

Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69.
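The following is an added example, not code from the TechNet page: a constructed, minimal TFTP-style exchange on the loopback interface that reproduces the behaviour note 5 describes, so you can observe that the DATA reply arrives from a port other than the one the read request was sent to. The listening socket uses an unprivileged ephemeral port in place of UDP 69, and the request and payload are made up for the example.

```python
import socket
import struct
import threading

# Added example (not from the TechNet page): a constructed TFTP-style
# exchange over loopback. The server accepts the read request on one UDP
# port but answers from a freshly bound high port, which is why a filter
# that only admits inbound UDP 69 and does not track the session never
# lets the reply through (note 5).
OP_RRQ, OP_DATA = 1, 3


def build_rrq(filename, mode=b"octet"):
    """Encode a TFTP read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", OP_RRQ) + filename + b"\0" + mode + b"\0"


def parse_rrq(packet):
    """Return (filename, mode) from a read request, rejecting other opcodes."""
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != OP_RRQ:
        raise ValueError(f"expected RRQ, got opcode {opcode}")
    filename, mode, _rest = packet[2:].split(b"\0", 2)
    return filename, mode


def serve_one_request(listen_sock, payload):
    """Answer one RRQ the way the TFTP daemon does: from a new ephemeral port."""
    packet, client = listen_sock.recvfrom(516)
    parse_rrq(packet)
    reply_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    reply_sock.bind(("127.0.0.1", 0))   # dynamically allocated high port
    reply_sock.sendto(struct.pack("!HH", OP_DATA, 1) + payload, client)
    reply_sock.close()


def tftp_reply_ports():
    """Run one exchange; return (port the RRQ went to, port DATA came from, block)."""
    server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    server.bind(("127.0.0.1", 0))       # stands in for UDP 69; no privileges needed
    listen_port = server.getsockname()[1]
    worker = threading.Thread(target=serve_one_request,
                              args=(server, b"constructed boot image bytes"),
                              daemon=True)
    worker.start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(5)
    try:
        client.sendto(build_rrq(b"pxeboot.com"), ("127.0.0.1", listen_port))
        data, (_addr, reply_port) = client.recvfrom(516)
    finally:
        worker.join(5)
        server.close()
        client.close()
    _opcode, block = struct.unpack("!HH", data[:4])
    return listen_port, reply_port, block
```

A stateful firewall that tracks the outbound request as a UDP "connection" is what makes the reply admissible; a static allow on port 69 alone is not enough.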
6 Communication between the site server and site systems: By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send back status information. Reporting points and distribution points do not send back status information. If you select Allow only site server initiated data transfers from this site system on the site system properties, the site system will never initiate communication back to the site server.
7 Ports used by distribution points for application virtualization streaming: A distribution point enabled to support application virtualization can be configured to use either HTTP or HTTPS. This feature is available in Configuration Manager 2007 R2 only.
Configuration Manager Remote Control Ports
When you use NetBIOS over TCP/IP for Configuration Manager 2007 Remote Control, the ports described in the following table are used.

Description | UDP | TCP
RPC Endpoint Mapping | -- | 135
Name resolution | 137 | --
Messaging | 138 | --
Client Sessions | -- | 139

AMT Out of Band Management Ports (Configuration Manager 2007 SP1)

When you use the out of band management feature in Configuration Manager 2007 SP1, the following ports are used.

A. Site Server <--> Out of Band Service Point

Description | UDP | TCP
Server Message Block (SMB) | -- | 445
RPC Endpoint Mapper | 135 | 135
RPC | -- | DYNAMIC

B. AMT Management Controller --> Out of Band Service Point

Description | UDP | TCP
Provisioning out of band (not applicable to in-band provisioning) | -- | 9971 (configurable)

C. Out of Band Service Point --> AMT Management Controller

Description | UDP | TCP
Discovery | -- | 16992
Power control, provisioning, and discovery | -- | 16993

D. Out of Band Management Console --> AMT Management Controller

Description | UDP | TCP
General management tasks | -- | 16993
Serial over LAN and IDE redirection | -- | 16995

Ports Used by Windows Server

The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows Server services and network ports requirements, see http://go.microsoft.com/fwlink/?LinkID=123652.

Description | UDP | TCP
Domain Name System (DNS) | 53 | --
Dynamic Host Configuration Protocol (DHCP) | 67 and 68 | --
NetBIOS Name Resolution | 137 | --
NetBIOS Datagram Service | 138 | --
NetBIOS Session Service | -- | 139

Connecting with Microsoft SQL Server


If you use the TCP/IP Net-Library, enable port 1433 on the firewall. Use the Hosts file or an advanced
connection string for host name resolution.
If you use named pipes over TCP/IP, enable port 139 for NetBIOS functions. NetBIOS should be used
only for troubleshooting Kerberos issues.
Note
TCP/IP is required for network communications to allow Kerberos authentication. Named pipes
communication is not required for Configuration Manager 2007 site database operations and should be
used only to troubleshoot Kerberos authentication issues.
By default, SQL Server uses TCP (not UDP) port 1433 to listen on TCP/IP. To change the port, run SQL
Server Setup on the server, and then click Change Network Support. If SQL Server uses port 1433,
the client Net-Library works. If SQL Server uses a custom port number, the client must specify that port
in the Data Source Name (DSN).
Microsoft does not recommend that you enable UDP ports 137 and 138 for NetBIOS name resolution by
using B-node broadcasts. Instead, you can use a WINS server or an LMHOSTS file for name resolution.
Installation Requirements for Internet-Based Site Systems
The Internet-based management point, software update point, and fallback status point use the
following ports for installation and repair:
Site server --> site system: RPC endpoint mapper using UDP and TCP port 135.

Site server --> site system: RPC dynamic TCP ports.

Site server < --> site system: Server message blocks (SMB) using TCP port 445.

Distribution points do not install until the first package is targeted to them. Package installations on
distribution points require the following RPC ports:
Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135.

Site server --> distribution point: RPC dynamic TCP ports.

Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the
dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to
configure a limited range of ports for these RPC packets. For more information about the RPC
configuration tool, see http://go.microsoft.com/fwlink/?LinkId=124096.

Important
Before you install these site systems, ensure that the remote registry service is running on the site
system server and that you have specified a site system installation account if the site system is in a
different Active Directory forest without a trust relationship. For more information, see How to Configure
the Site System Installation Account.

Pasted from <http://technet.microsoft.com/en-us/library/bb632618.aspx>
