Technical Reference for Ports Used in Configuration Manager
Updated: September 19, 2017
Applies To: System Center 2012 Configuration Manager, System Center 2012 Configuration Manager SP1, System Center 2012 Configuration Manager SP2, System Center 2012 R2 Configuration Manager, System Center 2012 R2 Configuration Manager SP1
Note
This topic appears in the Site Administration for System Center 2012 Configuration Manager guide and in the Security and Privacy for System Center 2012 Configuration Manager guide.
System Center 2012 Configuration Manager is a distributed client/server system. The distributed nature of Configuration Manager means that connections can be established between site servers, site systems, and clients. Some connections use ports that are not configurable, and some support custom ports you specify. You must verify that the required ports are available if you use any port filtering technology such as firewalls, routers, proxy servers, and IPsec.
Note
If you support Internet-based clients by using SSL bridging, in addition to port requirements, you might have to also allow some HTTP verbs and headers to traverse your firewall. For more information, see Prerequisites for Internet-Based Client Management in the Planning for Communications in Configuration Manager topic.
The port listings that follow are used by Configuration Manager and do not include information for standard Windows services, such as Group Policy settings for Active Directory Domain Services and Kerberos authentication. For information about Windows Server services and ports, see Service overview and network port requirements for the Windows Server system.
Configurable Ports
Non-Configurable Ports
Ports Used by Configuration Manager Clients and Site Systems
Additional Lists of Ports
AMT Out of Band Management Ports
Client to Server Shares
Connections to Microsoft SQL Server
External Connections made by Configuration Manager
Installation Requirements for Site Systems that Support Internet-Based Clients
Ports Used by Configuration Manager Client Installation
Ports Used by Migration
Ports Used by Windows Server
Configurable Ports
Configuration Manager allows you to configure the ports for the following types of communication:
Application Catalog Website point to Application Catalog web service point
Enrollment proxy point to enrollment point
Client to site systems that run IIS
Client to Internet (as proxy server settings)
Software update point to Internet (as proxy server settings)
Software update point to WSUS server
Site server to site database server
Reporting services points
Note
The ports in use for the reporting services point site system role are configured in SQL Server Reporting Services. These ports are then used by Configuration Manager during communications to the reporting services point. Be sure to review these ports when defining the IP filter information for IPsec policies or for configuring firewalls.
By default, the HTTP port used for client to site system communication is port 80, and the default HTTPS port is 443. Ports for client-to-site system communication over HTTP or HTTPS can be changed during Setup or in the Site Properties for your Configuration Manager site.
Non-Configurable Ports
Configuration Manager does not allow you to configure ports for the following types of communication:
Site to site
Site server to site system
Configuration Manager console to SMS Provider
Configuration Manager console to the Internet
Connections to cloud services, such as Microsoft Intune and cloud-based distribution points
Ports Used by Configuration Manager Clients and Site Systems
The following sections detail the ports used for communication in Configuration Manager. The arrows in the section title, between the computers, represent the direction of the communication:
--> indicates that one computer initiates communication and the other computer always responds
<--> indicates that either computer can initiate communication
Asset Intelligence Synchronization Point --> Microsoft
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 |
Asset Intelligence Synchronization Point --> SQL Server
| Description | UDP | TCP |
|---|---|---|
| SQL over TCP | -- | 1433 (See note 2, Alternate Port Available) |
Application Catalog Web Service Point --> SQL Server
| Description | UDP | TCP |
|---|---|---|
| SQL over TCP | -- | 1433 (See note 2, Alternate Port Available) |
Application Catalog Website Point --> Application Catalog Web Service Point
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available) |
Client --> Application Catalog Website Point
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available) |
Client --> Client
In addition to the ports listed in the following table, wake-up proxy also uses Internet Control Message Protocol (ICMP) echo request messages from one client to another client when they are configured for wake-up proxy. This communication is used to confirm whether the other client computer is awake on the network. ICMP is sometimes referred to as TCP/IP ping commands. ICMP does not have a UDP or TCP protocol number, and so it is not listed in the following table. However, any host-based firewalls on these client computers or intervening network devices within the subnet must permit ICMP traffic for wake-up proxy communication to succeed.
| Description | UDP | TCP |
|---|---|---|
| Wake on LAN | 9 (See note 2, Alternate Port Available) | -- |
| Wake-up proxy | 25536 (See note 2, Alternate Port Available) | -- |
Client --> Configuration Manager Policy Module (Network Device Enrollment Service)
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 |
Client --> Cloud-Based Distribution Point
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 |
Client --> Distribution Point
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available) |
Client --> Distribution Point Configured for Multicast
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| Multicast Protocol | 63000-64000 | -- |
Client --> Distribution Point Configured for PXE
| Description | UDP | TCP |
|---|---|---|
| Dynamic Host Configuration Protocol (DHCP) | 67 and 68 | -- |
| Trivial File Transfer Protocol (TFTP) | 69 (See note 4, Trivial FTP (TFTP) Daemon) | -- |
| Boot Information Negotiation Layer (BINL) | 4011 | -- |
Client --> Fallback Status Point
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available) |
Client --> Global Catalog Domain Controller
A Configuration Manager client does not contact a global catalog server when it is a workgroup computer or when it is configured for Internet-only communication.
| Description | UDP | TCP |
|---|---|---|
| Global Catalog LDAP | -- | 3268 |
Client --> Management Point
| Description | UDP | TCP |
|---|---|---|
| Client notification (default communication before falling back to HTTP or HTTPS) | -- | 10123 (See note 2, Alternate Port Available) |
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available) |
Client --> Software Update Point
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 or 8530 (See note 3, Windows Server Update Services) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 or 8531 (See note 3, Windows Server Update Services) |
Client --> State Migration Point
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available) |
| Server Message Block (SMB) | -- | 445 |
Client --> System Health Validator
The client requires the ports established by the Windows Network Access Protection client, which is dependent upon the enforcement client being used. For example, DHCP enforcement will use ports UDP 67 and 68. IPsec enforcement will use ports TCP 80 or 443 to the Health Registration Authority, port UDP 500 for IPsec negotiation and the additional ports needed for the IPsec filters. For more information, see the Windows Network Access Protection documentation. For help with configuring firewalls for IPsec, see How to Enable IPsec Traffic Through a Firewall.
Configuration Manager Console --> Client
| Description | UDP | TCP |
|---|---|---|
| Remote Control (control) | -- | 2701 |
| Remote Assistance (RDP and RTC) | -- | 3389 |
Configuration Manager Console --> Internet
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 |
Configuration Manager Console --> Reporting Services Point
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available) |
Configuration Manager Console --> Site Server
| Description | UDP | TCP |
|---|---|---|
| RPC (initial connection to WMI to locate provider system) | -- | 135 |
Configuration Manager Console --> SMS Provider
| Description | UDP | TCP |
|---|---|---|
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Configuration Manager Policy Module (Network Device Enrollment Service) --> Certificate Registration Point
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available) |
Distribution Point --> Management Point
A distribution point communicates to the management point in the following scenarios:
To report status of prestaged content
To report usage summary data
To report content validation
A pull distribution point reports package download status
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 2, Alternate Port Available) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available) |
Endpoint Protection Point --> Internet
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 |
Endpoint Protection Point --> SQL Server
| Description | UDP | TCP |
|---|---|---|
| SQL over TCP | -- | 1433 (See note 2, Alternate Port Available) |
Enrollment Proxy Point --> Enrollment Point
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 (See note 2, Alternate Port Available) |
Enrollment Point --> SQL Server
| Description | UDP | TCP |
|---|---|---|
| SQL over TCP | -- | 1433 (See note 2, Alternate Port Available) |
Exchange Server Connector --> Exchange Online
| Description | UDP | TCP |
|---|---|---|
| Windows Remote Management over HTTPS | -- | 5986 |
Exchange Server Connector --> On Premises Exchange Server
| Description | UDP | TCP |
|---|---|---|
| Windows Remote Management over HTTP | -- | 5985 |
Mac Computer --> Enrollment Proxy Point
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 |
Management Point --> Domain Controller
| Description | UDP | TCP |
|---|---|---|
| Lightweight Directory Access Protocol (LDAP) | -- | 389 |
| Global Catalog LDAP | -- | 3268 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Management Point <--> Site Server
(See note 5, Communication between the site server and site systems)
| Description | UDP | TCP |
|---|---|---|
| RPC Endpoint Mapper | -- | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
| Server Message Block (SMB) | -- | 445 |
Management Point --> SQL Server
| Description | UDP | TCP |
|---|---|---|
| SQL over TCP | -- | 1433 (See note 2, Alternate Port Available) |
Mobile Device --> Enrollment Proxy Point
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 |
Mobile Device --> Microsoft Intune
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 |
Out of Band Service Point --> Enrollment Point
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 |
Out of Band Service Point --> AMT Management Controller
| Description | UDP | TCP |
|---|---|---|
| Power control, provisioning, and discovery | -- | 16993 |
Out of Band Management Console --> AMT Management Controller
| Description | UDP | TCP |
|---|---|---|
| General management tasks | -- | 16993 |
| Serial over LAN and IDE redirection | -- | 16995 |
Reporting Services Point --> SQL Server
| Description | UDP | TCP |
|---|---|---|
| SQL over TCP | -- | 1433 (See note 2, Alternate Port Available) |
Site Server <--> Application Catalog Web Service Point
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Application Catalog Website Point
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Asset Intelligence Synchronization Point
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server --> Client
| Description | UDP | TCP |
|---|---|---|
| Wake on LAN | 9 (See note 2, Alternate Port Available) | -- |
Site Server --> Cloud-Based Distribution Point
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 |
Site Server --> Distribution Point
(See note 5, Communication between the site server and site systems)
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server --> Domain Controller
| Description | UDP | TCP |
|---|---|---|
| Lightweight Directory Access Protocol (LDAP) | -- | 389 |
| Global Catalog LDAP | -- | 3268 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Certificate Registration Point
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Endpoint Protection Point
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Enrollment Point
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Enrollment Proxy Point
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Fallback Status Point
(See note 5, Communication between the site server and site systems)
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server --> Internet
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 1, Proxy Server port) |
Site Server <--> Issuing Certification Authority (CA)
This communication is used when you deploy certificate profiles by using the certificate registration point. The communication is not used for every site server in the hierarchy; it is used only for the site server at the top of the hierarchy.
| Description | UDP | TCP |
|---|---|---|
| RPC Endpoint Mapper | 135 | 135 |
| RPC (DCOM) | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Reporting Services Point
(See note 5, Communication between the site server and site systems)
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Site Server
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
Site Server --> SQL Server
| Description | UDP | TCP |
|---|---|---|
| SQL over TCP | -- | 1433 (See note 2, Alternate Port Available) |
During the installation of a site that will use a remote SQL Server to host the site database, you must open the following ports between the site server and the SQL Server:
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server --> SMS Provider
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
Site Server <--> Software Update Point
(See note 5, Communication between the site server and site systems)
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| Hypertext Transfer Protocol (HTTP) | -- | 80 or 8530 (See note 3, Windows Server Update Services) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 or 8531 (See note 3, Windows Server Update Services) |
Site Server <--> State Migration Point
(See note 5, Communication between the site server and site systems)
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
Site Server <--> System Health Validator
(See note 5, Communication between the site server and site systems)
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | -- | DYNAMIC (See note 6, Dynamic ports) |
SMS Provider --> SQL Server
| Description | UDP | TCP |
|---|---|---|
| SQL over TCP | -- | 1433 (See note 2, Alternate Port Available) |
Software Update Point --> Internet
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 (See note 1, Proxy Server port) |
Software Update Point --> Upstream WSUS Server
| Description | UDP | TCP |
|---|---|---|
| Hypertext Transfer Protocol (HTTP) | -- | 80 or 8530 (See note 3, Windows Server Update Services) |
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 or 8531 (See note 3, Windows Server Update Services) |
SQL Server --> SQL Server
Intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server of its parent or child site.
| Description | UDP | TCP |
|---|---|---|
| SQL Server Service | -- | 1433 (See note 2, Alternate Port Available) |
| SQL Server Service Broker | -- | 4022 (See note 2, Alternate Port Available) |
Tip
Configuration Manager does not require the SQL Server Browser, which uses port UDP 1434.
State Migration Point --> SQL Server
| Description | UDP | TCP |
|---|---|---|
| SQL over TCP | -- | 1433 (See note 2, Alternate Port Available) |
Microsoft Intune Connector --> Microsoft Intune
| Description | UDP | TCP |
|---|---|---|
| Secure Hypertext Transfer Protocol (HTTPS) | -- | 443 |
Notes for Ports Used by Configuration Manager Clients and Site Systems
1. Proxy Server port: This port cannot be configured but can be routed through a configured proxy server.
2. Alternate Port Available: An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for IPsec policies or for configuring firewalls.
3. Windows Server Update Services: WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530). After installation, the port can be changed. You do not have to use the same port number throughout the site hierarchy.
   - If the HTTP port is 80, the HTTPS port must be 443.
   - If the HTTP port is anything else, the HTTPS port must be 1 higher; for example, 8530 and 8531.
   Note: When you configure the software update point to use HTTPS, the HTTP port must also be open. Unencrypted data, such as the EULA for specific updates, uses the HTTP port.
4. Trivial FTP (TFTP) Daemon: The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs:
   - RFC 350: TFTP
   - RFC 2347: Option extension
   - RFC 2348: Block size option
   - RFC 2349: Time-out interval, and transfer size options
   Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69 but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69.
5. Communication between the site server and site systems: By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send status information. Reporting services points and distribution points do not send status information. If you select Require the site server to initiate connections to this site system on the site system properties, after the site system is installed, it will not initiate communication to the site server. Instead, the site server initiates the connections and uses the Site System Installation Account for authentication to the site system server.
6. Dynamic ports: Dynamic ports (also known as ephemeral ports) use a range of port numbers, which is defined by the operating system version. For more information about the default port ranges, see Service overview and network port requirements for Windows.
Additional Lists of Ports
The following sections provide additional information about ports used by Configuration Manager.
AMT Out of Band Management Ports
The following information lists the ports used by out of band management:
Out of Band Service Point --> Enrollment Point
Out of Band Service Point --> AMT Management Controller
Out of Band Management Console --> AMT Management Controller
Client to Server Shares
Clients use Server Message Block (SMB) whenever they connect to UNC shares. For example:
Manual client installation that specifies the CCMSetup.exe /source: command line property.
Endpoint Protection clients that download definition files from a UNC path.
| Description | UDP | TCP |
|---|---|---|
| Server Message Block (SMB) | -- | 445 |
Connections to Microsoft SQL Server
For communication to the SQL Server database engine and for intersite replication, you can use the default SQL Server port or specify custom ports:
Intersite communications use:
SQL Server Service Broker, which defaults to port TCP 4022.
SQL Server Service, which defaults to port TCP 1433.
Intrasite communication between the SQL Server database engine and the various Configuration Manager site system roles defaults to port TCP 1433.
Warning
Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication.
The following site system roles communicate directly with the SQL Server database:
Application Catalog web service point
Certificate registration point role
Enrollment point role
Management point
Site server
Reporting services point
SMS Provider
SQL Server --> SQL Server
When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured with a unique set of ports.
If you have a firewall enabled on the SQL Server computer, ensure that it is configured to allow the ports in use by your deployment, and at any locations on the network between computers that communicate with the SQL Server.
For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.
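The warning above (no dynamic ports) and the one-port-set-per-instance rule can be checked rather than assumed. The following PowerShell is an added example, not from this page or from Microsoft: run on the site database server, it reads the standard SQL Server network-configuration registry keys and reports which instances listen on a static TCP port and whether two instances share one; it assumes the default "Listen All" TCP setting, under which the IPAll key governs the port.

```powershell
# Added example (not from the page or from Microsoft): report whether each SQL
# Server instance on this computer listens on a static TCP port, as the warning
# above requires for named instances, and whether two instances share a port,
# which the SQL Server --> SQL Server section forbids. Read-only; changes nothing.
# Assumes the default "Listen All = Yes" TCP setting, so the IPAll key applies.

function Get-SqlInstanceTcpConfig {
    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'

    # "Instance Names\SQL" maps each instance name (MSSQLSERVER for the default
    # instance) to its instance ID, which names the per-instance registry tree.
    $map = Get-ItemProperty -Path "$root\Instance Names\SQL" -ErrorAction Stop

    foreach ($entry in $map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
        $tcpKey = "$root\$($entry.Value)\MSSQLServer\SuperSocketNetLib\Tcp"
        $tcp    = Get-ItemProperty -Path $tcpKey
        $ipAll  = Get-ItemProperty -Path "$tcpKey\IPAll"

        # Static means TcpPort is set and TcpDynamicPorts is empty; a non-empty
        # TcpDynamicPorts means the engine picks a port at every start-up.
        $isStatic = -not [string]::IsNullOrEmpty($ipAll.TcpPort) -and
                    [string]::IsNullOrEmpty($ipAll.TcpDynamicPorts)

        [pscustomobject]@{
            Instance        = $entry.Name
            InstanceId      = $entry.Value
            TcpEnabled      = [bool]$tcp.Enabled
            TcpPort         = $ipAll.TcpPort
            TcpDynamicPorts = $ipAll.TcpDynamicPorts
            StaticPort      = $isStatic
        }
    }
}

function Test-SqlInstancePorts {
    $instances = @(Get-SqlInstanceTcpConfig)
    $instances | Format-Table Instance, TcpEnabled, TcpPort, TcpDynamicPorts, StaticPort -AutoSize

    $problems = @()
    foreach ($i in $instances | Where-Object { -not $_.StaticPort }) {
        $problems += "$($i.Instance): dynamic port in use; set a static TcpPort and clear TcpDynamicPorts, then restart the instance"
    }
    # Each site database instance must have its own ports (SQL Server --> SQL Server).
    $shared = $instances | Where-Object { $_.TcpPort } | Group-Object TcpPort | Where-Object { $_.Count -gt 1 }
    foreach ($dup in $shared) {
        $problems += "TCP $($dup.Name) is shared by: $($dup.Group.Instance -join ', ')"
    }

    if ($problems.Count -eq 0) {
        Write-Output 'All instances listen on unique static TCP ports.'
    } else {
        $problems | ForEach-Object { Write-Warning $_ }
    }
}

Test-SqlInstancePorts
```

The TcpPort values it prints are the ones to substitute for 1433 in the tables above when writing firewall or IPsec filters.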
External Connections made by Configuration Manager
Configuration Manager clients or site systems can make the following external connections:
Asset Intelligence Synchronization Point --> Microsoft
Endpoint Protection Point --> Internet
Client --> Global Catalog Domain Controller
Configuration Manager Console --> Internet
Management Point --> Domain Controller
Site Server --> Domain Controller
Site Server <--> Issuing Certification Authority (CA)
Software Update Point --> Internet
Software Update Point --> Upstream WSUS Server
Microsoft Intune Connector --> Microsoft Intune
Installation Requirements for Site Systems that Support Internet-Based Clients
Management points and distribution points that support internet-based clients, the software update point, and the fallback status point use the following ports for installation and repair:
Site server --> site system: RPC endpoint mapper using UDP and TCP port 135.
Site server --> site system: RPC dynamic TCP ports.
Site server <--> site system: Server message blocks (SMB) using TCP port 445.
Application and package installations on distribution points require the following RPC ports:
Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135.
Site server --> distribution point: RPC dynamic TCP ports.
Use IPsec to help secure the traffic between the site server and site systems. If you must restrict the dynamic ports that are used with RPC, you can use the Microsoft RPC configuration tool (rpccfg.exe) to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see How to configure RPC to use certain ports and how to help secure those ports by using IPsec.
Important
Before you install these site systems, ensure that the remote registry service is running on the site system server and that you have specified a Site System Installation Account if the site system is in a different Active Directory forest without a trust relationship.
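The installation ports listed above are the ones that must be open inbound on a remote site system, and limiting them to the site server's address is the least-privilege way to do it. The following PowerShell is an added example, not from this page or from Microsoft: run on a remote distribution point, it creates Windows Firewall rules for RPC endpoint mapper 135, SMB 445 and a restricted RPC dynamic range, scoped to the site server; the site server address (10.0.0.10), the rule group name and the range 50000-50099 are assumed placeholders, and the range must match the one you set with rpccfg.exe.

```powershell
# Added example (not from the page or from Microsoft): inbound Windows Firewall
# rules on a remote distribution point for the site-server-initiated installation
# traffic listed above (RPC endpoint mapper 135, SMB 445, restricted RPC dynamic
# range), limited to the site server's address so no other host can reach them.
# The site server address, rule group and RPC range are assumed placeholders.
#Requires -RunAsAdministrator

param(
    # Site server that initiates the connections (placeholder address).
    [string]$SiteServer = '10.0.0.10',
    # Restricted RPC dynamic range; must match the range configured with rpccfg.exe.
    [int]$RpcRangeStart = 50000,
    [int]$RpcRangeEnd   = 50099,
    [string]$RuleGroup  = 'ConfigMgr site system installation (added example)'
)

$rpcRange = "$RpcRangeStart-$RpcRangeEnd"

# One entry per row of the "Site Server --> Distribution Point" table.
$rules = @(
    @{ Name = 'ConfigMgr RPC Endpoint Mapper (TCP 135)'; Protocol = 'TCP'; Port = '135' },
    @{ Name = 'ConfigMgr RPC Endpoint Mapper (UDP 135)'; Protocol = 'UDP'; Port = '135' },
    @{ Name = 'ConfigMgr SMB (TCP 445)';                 Protocol = 'TCP'; Port = '445' },
    @{ Name = "ConfigMgr RPC dynamic (TCP $rpcRange)";   Protocol = 'TCP'; Port = $rpcRange }
)

foreach ($r in $rules) {
    # Remove a stale rule of the same name so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    $params = @{
        DisplayName   = $r.Name
        Group         = $RuleGroup
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = $r.Protocol
        LocalPort     = $r.Port
        RemoteAddress = $SiteServer   # only the site server may initiate
        Profile       = 'Domain'
    }
    New-NetFirewallRule @params | Out-Null
}

# Show the resulting rules so they can be compared against the port table.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $portFilter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Protocol  = $portFilter.Protocol
        LocalPort = $portFilter.LocalPort
        Remote    = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    }
} | Format-Table -AutoSize
```

Where the site system is also a management point or fallback status point that connects back to the site server, the corresponding outbound traffic (see note 5) still needs to be permitted separately.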
Ports Used by Configuration Manager Client Installation
The ports that are used during client installation depend on the client deployment method. See Ports Used During Configuration Manager Client Deployment in the Windows Firewall and Port Settings for Client Computers in Configuration Manager topic for a list of ports for each client deployment method. For information about how to configure Windows Firewall on the client for client installation and post-installation communication, see Windows Firewall and Port Settings for Client Computers in Configuration Manager.
Ports Used by Migration
The site server that runs Migration uses several ports to connect to applicable sites in the source hierarchy, to gather data from the source sites' SQL Server database, and to share distribution points.
For information about these ports, see the Required Configurations for Migration section in the Prerequisites for Migration in System Center 2012 Configuration Manager topic.
Ports Used by Windows Server
The following table lists some of the key ports that Windows Server uses and their respective functions. For a more complete list of Windows Server services and network ports requirements, see Service overview and network port requirements for the Windows Server system.
| Description | UDP | TCP |
|---|---|---|
| Domain Name System (DNS) | 53 | 53 |
| Dynamic Host Configuration Protocol (DHCP) | 67 and 68 | -- |
| NetBIOS Name Resolution | 137 | -- |
| NetBIOS Datagram Service | 138 | -- |
| NetBIOS Session Service | -- | 139 |