ConfigMgr 2007, Client Push Installation and (a) Firewall(s)

One of the most common problems with Client Push Installation is a firewall, whether the Windows Firewall or another one. As I had some questions about this (again) lately, I will post here all the open ports and firewall exceptions needed for a Client Push Installation.

Exceptions for the Windows Firewall

To be able to do a Client Push Installation you need the following exceptions in the Windows Firewall:

  • File and Printer Sharing
  • Windows Management Instrumentation (WMI)
  • TCP Port 80 (for HTTP from the client computer to a MP (Mixed Mode))
  • TCP Port 443 (for HTTPS from the client computer to a MP (Native Mode))

Specific ports for other Firewalls

To be able to do a Client Push Installation you need to open the following ports in the Firewall:

Description                                                            UDP   TCP
SMB between the Site Server and client computer.                       -     445
RPC endpoint mapper between the Site Server and the client computer.   135   135
RPC dynamic ports between the Site Server and the client computer.     -     Dynamic*
HTTP from the client computer to a MP (Mixed Mode).                    -     80
HTTPS from the client computer to a MP (Native Mode).                  -     443

*The dynamic RPC port range is 1025-5000 up to and including Windows XP and Windows Server 2003 (R2), and 49152-65535 from Windows Vista and Windows Server 2008 onward.
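
To verify the fixed TCP ports from the table before attempting a push, the following PowerShell check can be run on the site server or on a client. It is an added example, not part of the original post or of ConfigMgr itself; the function names and the host names CLIENT01 and MP01 are placeholders. It does not probe UDP 135 or the dynamic RPC range, because a dynamic port only answers once a service has registered on it.

```powershell
# Added example: TCP reachability check for the fixed Client Push ports.
# Uses only System.Net.Sockets.TcpClient, so it also runs on PowerShell 2.0.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A dropped packet (typical firewall block) shows up as a timeout.
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-ClientPushPorts {
    param(
        [Parameter(Mandatory=$true)][ValidateSet('SiteServer','Client')][string]$RunFrom,
        [Parameter(Mandatory=$true)][string]$Target,
        [switch]$NativeMode
    )
    if ($RunFrom -eq 'SiteServer') {
        # Site server -> client: SMB and the RPC endpoint mapper.
        $checks = @(
            @{ Port = 445; Description = 'SMB to client' },
            @{ Port = 135; Description = 'RPC endpoint mapper to client' }
        )
    } elseif ($NativeMode) {
        $checks = @(@{ Port = 443; Description = 'HTTPS to MP (Native Mode)' })
    } else {
        $checks = @(@{ Port = 80; Description = 'HTTP to MP (Mixed Mode)' })
    }
    foreach ($c in $checks) {
        New-Object PSObject -Property @{
            Target = $Target; Port = $c.Port; Description = $c.Description
            Reachable = (Test-TcpPort -ComputerName $Target -Port $c.Port)
        }
    }
}

# On the site server, against a client (placeholder host name):
Test-ClientPushPorts -RunFrom SiteServer -Target 'CLIENT01' |
    Format-Table Target, Port, Reachable, Description -AutoSize
# On a client, against the management point (placeholder host name):
# Test-ClientPushPorts -RunFrom Client -Target 'MP01' -NativeMode
```

A result of False for 445 or 135 points at a missing File and Printer Sharing or WMI exception on the client, or at a firewall in between.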

More information about the Windows Firewall Settings for ConfigMgr Clients:
http://technet.microsoft.com/en-us/library/bb694088.aspx
More information about the Ports used during ConfigMgr Client Deployment:
http://technet.microsoft.com/en-us/library/ff189805.aspx
More information about the Dynamic Port Ranges:
http://support.microsoft.com/kb/929851/nl


3 thoughts on “ConfigMgr 2007, Client Push Installation and (a) Firewall(s)”

  1. Is just about to start using SCCM at work, and stumbled across your website.
    Great Stuff! just keep posting! :)

    Learned a lot already

  2. Thanks for the information, very useful indeed.

    Quick question…. We intend to push the SCCM client from a Windows 2008 Site server to an XP SP3 client. Which Dynamic RPC port range will I need to open on the check point firewall that runs on our client machines? 1025-5000 or 49152-65535?
