Firewall ports and proxy exceptions are not something you can drop from your checklist when implementing any new infrastructure component.
Co-management is no different. The SCCM co-management-related components in your on-prem infrastructure need to communicate with the cloud components.
Hence firewall port and proxy exception planning and documentation are essential.
Co-Management Related Posts
- Overview Windows 10 Co-Management with Intune and SCCM
- Custom Report to Identify Machines Connected via SCCM CMG
- How to Setup Co-Management - Introduction - Prerequisites Part 1
- How to Setup Co-Management - Firewall Ports Proxy Requirements Part 2 (This Post)
- Setup Co-Management - AAD Connect UPN Suffix Part 3
- Setup Co-Management - CA PKI & Certificates Part 4
- Setup Co-Management Cloud DP Azure Blob Storage Part 5
- Setup Co-Management Azure Cloud Services CMG Part 6
- SCCM Configure Settings for Client PKI certificates Part 7
- How to Setup SCCM Co-Management to Offload Workloads to Intune - Part 8
- How to Deploy SCCM Client from Intune - Co-Management - Part 9
- End User Experience of Windows 10 Co-Management - Part 10
Firewall Ports Required for Co-Management, CMG, and CDP
You do not need to open any inbound ports to your on-premises network. The SCCM service connection point and the CMG connection point initiate all communication with Azure and the CMG. These two site system roles must be able to create outbound connections to the Microsoft cloud.
1. The service connection point connects to Azure over HTTPS port 443.
2. The CMG connection point connects to the CMG in Azure over TCP-TLS or HTTPS. It holds the connection open and builds the channel for future two-way communication.
3. The client connects to the CMG over HTTPS port 443.
4. The CMG forwards the client communication over the existing connection to the on-premises CMG connection point. You don’t need to open any inbound firewall ports.
5. The CMG connection point forwards the client communication to the on-premises management point and software update point.
Some Additional Notes from a Real-World Scenario
Ports 10140-10155 – The CMG connection point connects to the first CMG VM instance on port 10140 via TCP-TLS. The second VM instance uses port 10141, and so on up to the sixteenth (16th) instance on port 10155.
Port 443 – If the CMG connection point can’t connect to the CMG via TCP-TLS, it connects to the Azure network load balancer over HTTPS 443; this works only for a single VM instance.
Ports 10124-10139 – More than one CMG VM with HTTPS connection: CMG_VM#1 = 10124, CMG_VM#2 = 10125, CMG_VM#3 = 10126, and so on.
CMG VMs with TCP-TLS connection: CMG_VM#1 = 10140, CMG_VM#2 = 10141, CMG_VM#3 = 10142, and so on.
Only one CMG VM with HTTPS (443) connection: CMG_VM#1 = 443.
The following table should help you get a better understanding of the firewall port details for Co-Management, CMG, and CDP.

| Source | Destination | Port | Protocol | Direction |
|---|---|---|---|---|
| Client | Cloud DP (Azure) | 443 | HTTPS | Unidirectional |
| Client | Azure Cloud Management Gateway (CMG) | 443 | HTTPS Communication | Unidirectional |
| Site System – CMG connection point | Software Update Point (SUP) | 80 or 443 / 8530 or 8531 | HTTPS Communication | Unidirectional |
| Site System – CMG connection point | Management Point (MP) | 443 | HTTPS Communication | Unidirectional |
| Site System – CMG connection point #1 | Azure Cloud Management Gateway (CMG) VM#1 = 10124 | 10124 | HTTPS Communication | Unidirectional |
| Site System – CMG connection point #2 | Azure Cloud Management Gateway (CMG) VM#2 = 10125 | 10125 | HTTPS Communication | Unidirectional |
| Site System – CMG connection point #1 | Azure Cloud Management Gateway (CMG) VM#1 = 10140 | 10140 | TCP-TLS Communication | Unidirectional |
| Site System – CMG connection point #2 | Azure Cloud Management Gateway (CMG) VM#2 = 10141 | 10141 | TCP-TLS Communication | Unidirectional |
| Site System – CMG connection point | Azure Cloud Management Gateway (CMG) – ONLY one CMG VM with HTTPS 443 | 443 | HTTPS | Unidirectional |
| Site Server | Cloud DP | 443 | HTTP | Unidirectional |
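The port mapping above follows a simple pattern (10140 + instance index for TCP-TLS, 10124 + instance index for HTTPS when there is more than one VM, plain 443 when there is only one), so it is easy to generate the full outbound rule list for any CMG size and then verify it from the CMG connection point itself. The script below is an added example and is not part of the original post; the CMG service name `cmg-placeholder.cloudapp.net` is a placeholder you replace with your own, and the `Test-NetConnection` checks only prove that a TCP session can be opened through the firewall, not that the TLS handshake or the CMG authentication succeeds.

```powershell
# Added example (not from the original post). Generates the outbound ports a
# CMG connection point needs for a given number of CMG VM instances, using the
# mapping described in the post, and tests each one with Test-NetConnection.
function Get-CmgConnectionPointPorts {
    param(
        # The post documents up to 16 VM instances (10140-10155 / 10124-10139).
        [Parameter(Mandatory)][ValidateRange(1, 16)][int]$VmInstanceCount,
        [Parameter(Mandatory)][ValidateSet('TCP-TLS', 'HTTPS')][string]$Transport
    )
    if ($Transport -eq 'TCP-TLS') {
        $base = 10140
    }
    elseif ($VmInstanceCount -eq 1) {
        # Single HTTPS instance: fallback goes to the Azure load balancer on 443.
        return @([pscustomobject]@{ Instance = 1; Port = 443; Transport = 'HTTPS (Azure load balancer)' })
    }
    else {
        $base = 10124
    }
    1..$VmInstanceCount | ForEach-Object {
        [pscustomobject]@{ Instance = $_; Port = $base + ($_ - 1); Transport = $Transport }
    }
}

function Test-CmgOutboundPorts {
    param(
        # Placeholder: replace with your CMG service FQDN.
        [string]$CmgFqdn = 'cmg-placeholder.cloudapp.net',
        [int]$VmInstanceCount = 2
    )
    foreach ($transport in 'TCP-TLS', 'HTTPS') {
        foreach ($p in Get-CmgConnectionPointPorts -VmInstanceCount $VmInstanceCount -Transport $transport) {
            # WarningAction suppresses the noisy "TCP connect failed" warning;
            # the result object still records the outcome.
            $tnc = Test-NetConnection -ComputerName $CmgFqdn -Port $p.Port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Transport = $p.Transport
                Instance  = $p.Instance
                Port      = $p.Port
                Reachable = $tnc.TcpTestSucceeded
            }
        }
    }
}

# Print the expected rule set first (useful for the firewall change request),
# then run the live checks from the CMG connection point server.
Get-CmgConnectionPointPorts -VmInstanceCount 3 -Transport 'TCP-TLS' | Format-Table
Get-CmgConnectionPointPorts -VmInstanceCount 3 -Transport 'HTTPS'   | Format-Table
Test-CmgOutboundPorts -VmInstanceCount 3 | Format-Table
```

Run it on the CMG connection point server, since that is the host whose outbound path matters; a `Reachable = False` on the 1014x ports with `True` on 443 is the symptom of the TCP-TLS path being blocked and the connection point silently falling back to the single-instance HTTPS path.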
SCCM and Intune Custom Port Options?
Most Intune communication uses standard HTTP/HTTPS (ports 80 and 443), and there is no option to customize that communication. SCCM, on the other hand, allows custom ports for many of its communications, but CMG, CDP, and Intune communications are NOT possible via custom ports.
Some SCCM communication is likewise possible only via predefined ports. SCCM does not allow you to configure ports for the following types of communication:
- SCCM CAS/Standalone Primary Site to Primary/Secondary site
- SCCM CAS/Primary Site server to site system (MP/SUP/DP..)
- SCCM console to SMS Provider
- SCCM console to the Internet
- Connections to cloud services, such as Microsoft Intune and CDPs
Internet Proxy Exceptions for Co-Management, CDP, and CMG
The SCCM service connection point and CMG connection point site system roles require an internet connection. Most organizations do not have direct connectivity to the internet from their servers, so all of that communication has to go through internet proxy servers.
The TCP-TLS connection between the CMG connection point site system and the Azure CMG service doesn’t support an internet proxy. The SCCM CMG connection point does, however, support an internet proxy over the HTTPS TCP ports listed in the table above.
Co-managed devices connect either to the corporate network (LAN) or to the internet to get policies and deployments from both Intune and SCCM. When co-managed devices connect to the corporate LAN, you may need proxy exceptions so they can reach the internet.
Co-managed devices require Intune connectivity. They are Intune-managed devices and need firewall/proxy configuration that lets all users reach the Intune services. The following table lists the URLs that the Intune client accesses.
| Proxy Exception URLs | Description |
|---|---|
| *.akamaiedge.net | SCCM Updates and servicing |
| *.akamaitechnologies.com | SCCM Updates and servicing |
| *.manage.microsoft.com | SCCM Updates and servicing |
| go.microsoft.com | SCCM Updates and servicing |
| blob.core.windows.net | SCCM Updates and servicing |
| download.microsoft.com | SCCM Updates and servicing |
| download.windowsupdate.com | SCCM Updates and servicing |
| sccmconnected.a01.cloudapp.net | SCCM Updates and servicing |
| download.microsoft.com | Windows 10 servicing |
| https://go.microsoft.com/fwlink/?LinkID=619849 | Windows 10 servicing |
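A common failure after this step is a proxy bypass list that covers some of the hosts above but not all of them, which shows up as a co-managed device that enrolls in Intune but never downloads content from the CDP. The script below is an added example, not part of the original post: it takes the required host list from the table above, compares it against a proxy bypass string in the semicolon-separated form printed by `netsh winhttp show proxy`, and reports which entries are not covered. The bypass string in the usage call is a constructed sample that deliberately omits two hosts.

```powershell
# Added example (not from the original post). Compares the co-management proxy
# exception list against a WinHTTP-style bypass list and reports gaps.
function Get-HostFromEntry {
    param([Parameter(Mandatory)][string]$Entry)
    # Accept either a bare host/wildcard or a full URL; keep only the host part.
    (($Entry -replace '^https?://', '') -split '/')[0].Trim().ToLowerInvariant()
}

function Test-ProxyBypassCoverage {
    param(
        [Parameter(Mandatory)][string[]]$RequiredHosts,
        # Semicolon-separated bypass list, as shown by 'netsh winhttp show proxy'.
        [Parameter(Mandatory)][string]$BypassList
    )
    $patterns = $BypassList -split ';' |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -and $_ -ne '<local>' }   # '<local>' is a WinHTTP keyword, not a pattern

    foreach ($entry in ($RequiredHosts | Select-Object -Unique)) {
        $hostName = Get-HostFromEntry -Entry $entry
        # -like performs wildcard matching, so '*.microsoft.com' covers
        # 'download.microsoft.com' and also the literal '*.manage.microsoft.com'.
        $match = $patterns | Where-Object { $hostName -like $_ } | Select-Object -First 1
        [pscustomobject]@{
            Required       = $entry
            Host           = $hostName
            Covered        = [bool]$match
            MatchedPattern = $match
        }
    }
}

# Hosts taken from the proxy exception table in the post.
$requiredHosts = @(
    '*.akamaiedge.net',
    '*.akamaitechnologies.com',
    '*.manage.microsoft.com',
    'go.microsoft.com',
    'blob.core.windows.net',
    'download.microsoft.com',
    'download.windowsupdate.com',
    'sccmconnected.a01.cloudapp.net',
    'https://go.microsoft.com/fwlink/?LinkID=619849'
)

# Constructed sample bypass list: covers Microsoft and Akamai hosts but leaves
# blob.core.windows.net and sccmconnected.a01.cloudapp.net unlisted.
$sampleBypass = '<local>;*.microsoft.com;*.akamaiedge.net;*.akamaitechnologies.com;download.windowsupdate.com'

$report = Test-ProxyBypassCoverage -RequiredHosts $requiredHosts -BypassList $sampleBypass
$report | Format-Table -AutoSize
"Missing from bypass list: " + (($report | Where-Object { -not $_.Covered }).Host -join ', ')
```

To run it against a live server, capture the `Bypass List` line from `netsh winhttp show proxy` and pass it as `-BypassList`; the same function works for a browser PAC exception list as long as you join its entries with semicolons. Note that a match here only means the proxy will be skipped for that host, so the firewall rules from the previous table still have to allow the direct outbound connection.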
Download Firewall & Proxy Exception Cheat Sheet Excel Spreadsheet
I have uploaded the co-management spreadsheet. Download the SCCM CB Co-management, CDP, and CMG firewall/proxy Excel sheet. This spreadsheet can help you fill in your organization’s firewall and proxy exception rules.
- Proxy server support for SCCM
- Intune Proxy Settings and Firewall settings
- Intune & SCCM Internet Access Requirements