One of the most common problems with Client Push Installation is (are) the (Windows) Firewall(s). As I had some questions about this (again) lately, I will post here all the open ports/ firewall exceptions needed for a Client Push Installation.
Exceptions for the Windows Firewall
To be able to do a Client Push Installation you need the following exceptions in the Windows Firewall:
- File and Printer Sharing
- Windows Management Instrumentation (WMI)
- TCP Port 80 (for HTTP from the client computer to a MP (Mixed Mode))
- TCP Port 443 (for HTTPS from the client computer to a MP (Native Mode))
Specific ports for other Firewalls
To be able to do a Client Push Installation you need to open the following ports in the Firewall:
| Description | UDP | TCP |
| SMB between the Site Server and client computer. | – | 445 |
| RPC endpoint mapper between the Site Server and the client computer. | 135 | 135 |
| RPC dynamic ports between the Site Server and the client computer. | – | Dynamic* |
| HTTP from the client computer to a MP (Mixed Mode). | – | 80 |
| HTTPS from the client computer to a MP (Native Mode). | 443 |
*The dynamic RPC ports are until Windows XP and Windows Server 2003 (R2) 1025-5000 and from Vista and Windows Server 2008 (and later) 49152-65535.
More information about the Windows Firewall Settings for ConfigMgr Clients:
http://technet.microsoft.com/en-us/library/bb694088.aspx
More information about the Ports used during ConfigMgr Client Deployment:
http://technet.microsoft.com/en-us/library/ff189805.aspx
More information about the Dynamic Port Ranges:
http://support.microsoft.com/kb/929851/nl
Is just about to start using SCCM at work, and stumbled across your website.
Great Stuff! just keep posting! 🙂
Learned alot already
Thanks for the information, very uselful indeed.
Quick question…. We intend to push the SCCM client from a Windows 2008 Site server to an XP SP3 client. Which Dynamic RPC port range will I need to open on the check point firewall that runs on our client machines? 1025-5000 or 49152-65535
Hi Bootch,
As it’s about the XP Clients you would need the lower range opened on those clients.
Peter