Configurable Ports
Configuration Manager 2007 allows you to configure the ports for the following types of communication:
Client to site system
By default, the HTTP port used for client to site system communication is port 80 and the default HTTPS
port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during
Setup or in the Site Properties for your Configuration Manager site.
Reporting point site system roles have configurable port settings for HTTP and HTTPS communication
defined on the reporting point site system role property page. By default, users connect to the reporting
point using the HTTP port 80 and HTTPS port 443. These ports are defined during installation only. To
redefine the reporting point communication port, the reporting point site system must be deleted and
then reinstalled.
Non-Configurable Ports
Configuration Manager does not allow you to configure ports for the following types of communication:
Site to site (primary-to-primary or primary-to-secondary)
Port Details
The port listings that follow are used by Configuration Manager 2007 and do not include information for
standard Windows services, such as Group Policy settings for Active Directory and Kerberos
authentication. For information about Windows Server services and ports,
see http://go.microsoft.com/fwlink/?LinkID=123652.
The following diagram indicates connections between Configuration Manager 2007 computers. The
number for the link corresponds to the table that lists the ports for that link. The arrows between the
computers represent the direction of the communication.
-- > indicates one computer initiates and the other computer always responds
UDP
TCP
--
445
--
UDP
TCP
--
389
636
636
--
3268
--
3269
135
135
RPC
--
DYNAMIC
UDP
TCP
--
445
--
--
UDP
TCP
--
UDP
TCP
--
445
135
135
UDP
TCP
--
--
UDP
TCP
--
--
--
445
UDP
TCP
67 and 68
--
--
4011
--
UDP
TCP
--
445
135
135
RPC
--
DYNAMIC
UDP
TCP
--
445
135
135
RPC
--
DYNAMIC
UDP
TCP
--
445
135
135
RPC
--
DYNAMIC
UDP
TCP
--
UDP
TCP
--
445
135
135
RPC
--
DYNAMIC
Description
UDP
TCP
--
--
--
445
Multicast Protocol
63000-64000
--
UDP
TCP
--
445
UDP
TCP
--
--
UDP
TCP
--
UDP
TCP
--
--
UDP
TCP
--
445
135
135
RPC
--
DYNAMIC
UDP
TCP
--
1433
UDP
TCP
--
1433
UDP
TCP
--
1433
24. Reporting Point -- > SQL Server / Reporting Services Point -- > SQL Server
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is
applicable to Configuration Manager 2007 R2 only.
Description    UDP    TCP
               --     1433
UDP
TCP
--
--
UDP
TCP
135
135
RPC
--
DYNAMIC
UDP
TCP
--
80
UDP
TCP
--
1433
UDP
TCP
--
389
636
636
--
3268
--
3269
135
135
RPC
--
DYNAMIC
30. Site Server -- > Reporting Point / Site Server -- > Reporting Services Point
The reporting point and the Reporting Services point use the same ports. The Reporting Services point is
in Configuration Manager 2007 R2 only.
Description    UDP    TCP
               --     445
               135    135
RPC            --     DYNAMIC
UDP
TCP
--
445
135
135
RPC
--
DYNAMIC
UDP
TCP
135
UDP
TCP
--
--
UDP
TCP
2701
2701
2702
2702
--
135
--
3389
UDP
TCP
--
135
RPC
--
DYNAMIC
--
445
UDP
TCP
Wake on LAN
--
UDP
TCP
--
3268
--
3269
UDP
TCP
--
1433
39. Site Server < -- > Asset Intelligence Synchronization Point (Configuration Manager
2007 SP1)
Description    UDP    TCP
               --     445
               135    135
RPC            --     DYNAMIC
40. Asset Intelligence Synchronization Point < -- > System Center Online (Configuration
Manager 2007 SP1)
Description    UDP    TCP
               --     443
41. Multicast Distribution Point -- > SQL Server (Configuration Manager 2007 R2)
Description    UDP    TCP
               --     1433
42. Client status reporting host --> Client (Configuration Manager 2007 R2)
Description    UDP    TCP
               135    135
RPC            --     DYNAMIC
               n/a    n/a
43. Client status reporting host --> Management Point (Configuration Manager 2007 R2)
Description    UDP    TCP
               --     445
               --     139
44. Client status reporting host --> SQL Server (Configuration Manager 2007 R2)
Description    UDP    TCP
               --     1433
45. Site Server < -- > Reporting Services Point (Configuration Manager 2007 R2)
(See note 6, Communication between the site server and site systems)
Description    UDP    TCP
               --     445
               135    135
RPC            --     DYNAMIC
46. Configuration Manager Console -- > Reporting Services Point (Configuration Manager
2007 R2)
Description
UDP
TCP
--
--
47. Reporting Services Point -- > SQL Server (Configuration Manager 2007 R2)
Description    UDP    TCP
               --     1433
Notes
1 Proxy Server port This port cannot be configured but can be routed through a configured proxy
server.
2 Alternate Port Available An alternate port can be defined within Configuration Manager for this
value. If a custom port has been defined, substitute that custom port when defining the IP filter
information for the IPsec policies.
3 RAS Sender Configuration Manager 2007 can also use the RAS Sender with Point to Point Tunneling
Protocol (PPTP) to send and receive Configuration Manager 2007 site, client, and administrative
information through a firewall. Under these circumstances, the PPTP TCP 1723 port is used.
4 Windows Server Update Services WSUS can be installed either on the default Web site (port 80)
or a custom Web site (port 8530).
After installation, the port can be changed.
If the HTTP port is 80, the HTTPS port must be 443.
If the HTTP port is anything else, the HTTPS port must be 1 higher, for example 8530 and 8531.
5 Trivial FTP (TFTP) Daemon The Trivial FTP (TFTP) Daemon system service does not require a user
name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP
Daemon service implements support for the TFTP protocol defined by the following RFCs:
RFC 350 - TFTP
Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on
UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow
the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to
those requests. Allowing the selected server to respond to inbound TFTP requests cannot be
accomplished unless the TFTP server is configured to respond from port 69.
6 Communication between the site server and site systems By default, communication between
the site server and site systems is bi-directional. The site server initiates communication to configure the
site system, and then most site systems connect back to the site server to send back status information.
Reporting points and distribution points do not send back status information. If you select Allow only
site server initiated data transfers from this site system on the site system properties, the site
system will never initiate communication back to the site server.
7 Ports used by distribution points for application virtualization streaming A distribution point
enabled to support application virtualization can be configured to use either HTTP or HTTPS. This feature
is available in Configuration Manager 2007 R2 only.
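Note 5 in practice, as an added example that is not part of the original documentation: a minimal TFTP-like responder on loopback receives a read request on its listening port and, by default, answers from a newly bound dynamic port, so a filter that only permits the listening port drops the reply. The loopback address, the OS-assigned listening port standing in for UDP 69, the file name and the function names are assumptions.

```python
import socket
import struct
import threading

LOOPBACK = "127.0.0.1"   # assumption: the demo runs entirely on loopback

def serve_one_read(listener, reply_from_listener):
    """Answer one read request, by default from a freshly bound dynamic port."""
    request, client = listener.recvfrom(516)
    if struct.unpack("!H", request[:2])[0] != 1:      # opcode 1 = RRQ
        return
    data = struct.pack("!HH", 3, 1) + b"constructed boot file"  # DATA, block 1
    if reply_from_listener:
        listener.sendto(data, client)                 # reply from the listening port
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as transfer:
            transfer.bind((LOOPBACK, 0))              # OS assigns a dynamic port
            transfer.sendto(data, client)

def tftp_exchange(reply_from_listener=False):
    """Run one exchange; return (listening port, source port of the reply)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as client:
        listener.bind((LOOPBACK, 0))                  # stand-in for UDP 69
        listener.settimeout(5)
        client.settimeout(5)
        listen_port = listener.getsockname()[1]
        server = threading.Thread(target=serve_one_read,
                                  args=(listener, reply_from_listener))
        server.start()
        rrq = struct.pack("!H", 1) + b"boot.img\0octet\0"   # constructed request
        client.sendto(rrq, (LOOPBACK, listen_port))
        _, (_, reply_port) = client.recvfrom(516)
        server.join()
        return listen_port, reply_port

def port_filter_allows(reply_port, permitted_port):
    """Stateless rule: only datagrams sourced from the permitted port pass."""
    return reply_port == permitted_port

if __name__ == "__main__":
    for from_listener in (False, True):
        listen_port, reply_port = tftp_exchange(from_listener)
        print(f"listen={listen_port} reply_from={reply_port} "
              f"passes={port_filter_allows(reply_port, listen_port)}")
```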
Configuration Manager Remote Control Ports
When you use NetBIOS over TCP/IP for Configuration Manager 2007 Remote Control, the ports
described in the following table are used.
Description        UDP    TCP
                   --     135
Name resolution    137    --
Messaging          138    --
Client Sessions    --     139
UDP
TCP
--
445
135
135
RPC
--
DYNAMIC
UDP
TCP
--
9971 (configurable)
Description
UDP
TCP
Discovery
--
16992
--
16993
UDP
TCP
--
16993
--
16995
UDP
TCP
53
--
67 and 68
--
137
--
138
--
--
139
Site server < --> site system: Server message blocks (SMB) using TCP port 445.
Distribution points do not install until the first package is targeted to them. Package installations on
distribution points require the following RPC ports:
Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135.
Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the
dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to
configure a limited range of ports for these RPC packets. For more information about the RPC
configuration tool, see http://go.microsoft.com/fwlink/?LinkId=124096.
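One way to check firewall or flow logs against the site server to site system ports listed above, including the option from note 6, as an added example that is not part of the original documentation. The host names, the restricted RPC range of TCP 5000-5100, the sample flows and the assumption that RPC is only expected from the site server are constructed for illustration.

```python
from dataclasses import dataclass

SITE_SERVER = "site-server"        # hypothetical host name
RPC_DYNAMIC = range(5000, 5101)    # assumed restricted RPC range, TCP 5000-5100

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def check(flow, server_initiated_only, rpc_range=RPC_DYNAMIC):
    """Return None if the flow matches the documented ports, else a reason."""
    from_server = flow.src == SITE_SERVER
    # Note 6: with "Allow only site server initiated data transfers" selected,
    # the site system never initiates communication back to the site server.
    if flow.dst == SITE_SERVER and flow.src in server_initiated_only:
        return "site system initiated a connection to the site server"
    if (flow.proto, flow.dport) == ("tcp", 445):
        return None                                   # SMB, either direction
    if from_server and flow.dport == 135 and flow.proto in ("tcp", "udp"):
        return None                                   # RPC endpoint mapper
    if from_server and flow.proto == "tcp" and flow.dport in rpc_range:
        return None                                   # restricted dynamic RPC
    return "port not in the documented set"

def audit(flows, server_initiated_only=frozenset()):
    """Return (flow, reason) for every flow that fails the check."""
    return [(f, r) for f in flows if (r := check(f, server_initiated_only))]

# Constructed sample flows (not real log data).
SAMPLE = [
    Flow(SITE_SERVER, "dp01", "tcp", 445),
    Flow(SITE_SERVER, "dp01", "udp", 135),
    Flow(SITE_SERVER, "dp01", "tcp", 5050),
    Flow(SITE_SERVER, "dp01", "tcp", 49152),      # outside the restricted range
    Flow("mp01", SITE_SERVER, "tcp", 445),        # status sent back, default mode
    Flow("dmz-sys01", SITE_SERVER, "tcp", 445),   # violates server-initiated-only
    Flow(SITE_SERVER, "dmz-sys01", "tcp", 3389),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE, server_initiated_only={"dmz-sys01"}):
        print(f"{flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```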
Important
Before you install these site systems, ensure that the remote registry service is running on the site
system server and that you have specified a site system installation account if the site system is in a
different Active Directory forest without a trust relationship. For more information, see How to Configure
the Site System Installation Account.