SCCM Firewall Ports Download the List of ConfigMgr Firewall Ports

SCCM Firewall Ports and communications between Current Branch Site servers, Site Systems, Domain Controllers, and Clients are important when performing SCCM CB architecture and design

In this post, I’ll share the spreadsheet that contains the details of the SCCM Firewall Ports requirement. The latest SCCM communication port details are available “Ports used in System Center Configuration Manager.”

Do you know RPC Dynamic Ports? TCP 49152-65535

Patch My PC

In general, we can segregate the Firewall ports into two categories 1. Configurable ports (custom ports) and 2. Non Configurable ports.

I cover only the default recommended ports documented. Also, the additional custom communication ports mentioned are not covered in the list below and spreadsheet.

When you have an SCCM CB hierarchy with CAS and primary servers, you need to be more conscious about the SCCM Firewall ports requirement.

1E Nomad

I have a post related to this topic which talks about SCCM Firewall ports Requirements here (there is not much change between SCCM Firewall ports).

Update: Internet access requirement or proxy exception list for SCCM CB is also very important when you deploy SCCM current branch within organizations.

Download List of SCCM Firewall Ports here

SCCM Firewall Ports
FromTOUDPTCPDescriptionDirection
Asset Intelligence Synchronization PointMicrosoft 443HTTPUnidirectional
Asset Intelligence Synchronization PointSQL Server 1433SQL Over TCPUnidirectional
App Catalog Web Service PointSQL Server 1433SQL Over TCPUnidirectional
App Catalog Website PointApp Catalog Web Service Point 80/443HTTP/HTTPSUnidirectional
ClientApp Catalog Website Point 80/443HTTP/HTTPSUnidirectional
ClientClient (wol) 9/25536WOL/WUPUnidirection
ClientNDES 80/443http/httpsUnidirection
ClientCloud DP 443httpsUnidirection
ClientDP 80/443http/httpsUnidirection
ClientDP with Multi Cast63000-64000445Multi Cast/SMBUnidirection
ClientDP with PXE67/68/69/4011 DHCP/TFTP/BINLUnidirection
ClientFSP 80httpUnidirection
ClientDomain 3268/3269LDAP/LDAP SSLUnidirection
ClientMP 10123/80/443Client Notification/http/httpsUnidirection
ClientSUP 80/8530/443/8531http/httpsUnidirection
ClientSMP 80/443/445http/https/SMBUnidirection
ConsoleClient 2701/3389RC/RDP/RTCUnidirection
ConsoleInternet 80httpUnidirection
ConsoleReporting Service Point 80/443http/httpsUnidirection
ConsoleSite Server 135RPC Endpoint MapperUnidirection
ConsoleSMS Provider135RPC Dy/135RPC endpoint Mapper/RPC DynamicsUnidirection
NDES Policy ModuleCertificate Registration Point 443httpsUnidirection
DPMP 80/443http/httpsUnidirection
Endpoint ProtectionInternet 80httpUnidirection
Endpoint ProtectionSQL Server 1433SQL Over TCPUnidirection
Enrollment Proxy PointEnrollment Point 443httpsUnidirection
Enrollment PointSQL Server 1433SQL Over TCPUnidirection
Exchange Server ConnectorExchange Online 5986WRM with httpsUnidirection
Exchange Server ConnectorOn Prem Exchange Server 5985WRM with httpUnidirection
Mac ComputerEnrollment Proxy Point 443httpsUnidirection
MPDOMAIN135/636389/636/3268/3269/135/RPC DyLDAP/GC LDAP/RPC EPM/RPC DynamicUnidirection
MPSite Server 135/RPC Dyn/445RPC EPM/RPC Dynamic/SMBBidirection
MPSQL Server 1433SQL Over TCPUnidirection
Mobile DeviceEnrollment Proxy Point 443httpsUnidirection
Mobile DeviceIntune 443httpsUnidirection
Reporting pointSQL Server 1433SQL Over TCPUnidirection
Site ServerApp Catalog Web Service point135445/135/RPC DynRPC EPM/RPC Dynamic/SMBBidirection
Site ServerApp Catalog Website Point135445/135/RPC DynRPC EPM/RPC Dynamic/SMBBidirection
Site ServerAsset Intelligence Synchronization Point135445/135/RPC DynRPC EPM/RPC Dynamic/SMBBidirection
Site ServerClient (WOL)9 WOLUnidirection
Site ServerCloud DP 443httpsUnidirection
Site ServerDP135445/135/RPC DynRPC EPM/RPC Dynamic/SMBUnidirection
Site ServerDOMAIN135/636389/636/3268/3269/135/RPC DyLDAP/GC LDAP/RPC EPM/RPC DynamicUnidirection
Site ServerCertificate Registration Point135445/135/Dyn RPCRPC EPM/RPC Dynamic/SMBBidirection
Site ServerEnd Point Protection135445/135/Dyn RPCRPC EPM/RPC Dynamic/SMBBidirection
Site ServerEnrollment Point135445/135/Dyn RPCRPC EPM/RPC Dynamic/SMBBidirection
Site ServerEnrollment Proxy Point135445/135/Dyn RPCRPC EPM/RPC Dynamic/SMBBidirection
Site ServerFSP135445/135/RPC DynRPC EPM/RPC Dynamic/SMBBidirection
Site ServerInternet 80httpUnidirection
Site ServerIssuing CA135135/Dyn RPCRPC EPM/RPC DynamicBidirection
Site ServerReporting Service Point135445/135/RPC DynRPC EPM/RPC Dynamic/SMBBidirection
Site ServerSite Server 445SMBBidirection
Site ServerSQL Server 1433SQL Over TCPUnidirection
Site ServerSQL Server135445/135/RPC DynRPC EPM/RPC Dynamic/SMBUnidirection
Site ServerSMS Provider135445/135/RPC DynRPC EPM/RPC Dynamic/SMBUnidirection
Site ServerSUP 445/80/8530/443/8531http/https/SMBBidirection
Site ServerSMP135445/135RPC EPM/SMBBidirection
SMS ProviderSQL Server 1433SQL Over TCPUnidirection
SUPInternet 80httpUnidirection
SUPUpstream WSUS Server 80-8530/443-8531http/httpsUnidirection
SQL ServerSQL Server 4022/1433SQL Over TCP/SQL SSBUnidirection
SMPSQL Server 1433SQL Over TCPUnidirection
Service Connection PointIntune 443httpsUnidirection
Site ServerSite System135135/RPC DynRPC EPM/RPC DynamicUnidirection
Site ServerDomain/DNS53/67/68/137/138139/53DHCP/DNS/NetBIOSUnidirection

Author

About Author -> Anoop is Microsoft’s Most Valuable Professional Award winner from 2015 on the technologies! He is a Solution Architect on enterprise device management solutions with more than 20 years of experience (calculation done in 2021) in IT. He is Blogger, Speaker, and Local User Group Community leader. His main focus is on Device Management technologies like Configuration Manager, Windows 365 Cloud PC, Intune, Azure Virtual Desktop, Windows 10, and Windows 11.

9 thoughts on “SCCM Firewall Ports Download the List of ConfigMgr Firewall Ports”

  1. First , thank you for all your great articles. Now my question is, is there any specific port / firewall rule for running powershell scripts directly from the SCCM console ? it has been bugging me for a while why i still can’t run it given that i have full admin permission and also have that role too.

    Reply
  2. Hi Anoop,

    I want to give the below requirement to network team to open the port.
    Console Client 2701/3389 RC/RDP/RTC

    Here Console means Do I need provide the Primary Site server name?
    Please suggest.

    Thanks and Regards,
    Surendra

    Reply
      • Thanks for your reply.

        Yes. I am taking the remote from primary server console.
        Network team confirmed that, they have configured the ports.
        But I am able to take RDP from server not from console.

        Please suggest.

  3. Hi Anoop! Do you have recommendations for the firewall profile type? Since most of us are home we only used to manage the domain firewall configs. We do not manage private or public. However, we see some communication issues that some can be resolved if we just temp disable the firewall for testing purposes. I am wondering do we have to manage public and private now as well….if so which port configs that you mean are required?

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.