SCCM firewall ports, and the communication paths between Current Branch site servers, site systems, domain controllers, and clients, are important inputs when you do SCCM CB architecture and design.
In this post, I share a spreadsheet with the details of the SCCM firewall port requirements. The authoritative list of communication ports is Microsoft's "Ports used in System Center Configuration Manager."
Do you know the RPC dynamic ports? After the RPC endpoint mapper (TCP/UDP 135) answers, the actual RPC connection uses a port from the dynamic range, which is TCP 49152-65535 by default on Windows Vista / Server 2008 and later (older versions used 1025-5000). Most site server to site system rows below depend on this range.
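Because the dynamic range can be narrowed with `netsh` or restricted through the legacy `HKLM\SOFTWARE\Microsoft\Rpc\Internet` key, the firewall rule on a site system has to match what RPC actually listens on. The following PowerShell is an added example, not code from the original post or from Microsoft: it reads the effective range on the local Windows host and builds the inbound rules for the endpoint mapper and the dynamic range, scoped to the site server address. The site server address in the usage lines is an assumption; the `netsh` parsing assumes English-locale output.

```powershell
# Added example (not from the original post). Reads the effective RPC dynamic
# port range on the local host and builds the inbound firewall rules that the
# "RPC Dyn" entries in the port table imply. Needs the NetSecurity module
# (Windows 8 / Server 2012 or later) for New-NetFirewallRule.

function Get-RpcDynamicPortRange {
    # netsh prints (English locale):
    #   Start Port      : 49152
    #   Number of Ports : 16384
    $out   = netsh int ipv4 show dynamicport tcp
    $start = [int](($out | Select-String 'Start Port\s*:\s*(\d+)').Matches[0].Groups[1].Value)
    $count = [int](($out | Select-String 'Number of Ports\s*:\s*(\d+)').Matches[0].Groups[1].Value)

    # Legacy RPC restriction: when UseInternetPorts is 'Y', RPC listens only on
    # the ports named in 'Ports', so the rule must use that list, not the range.
    $rpcKey     = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet' -ErrorAction SilentlyContinue
    $restricted = ($null -ne $rpcKey) -and ($rpcKey.UseInternetPorts -eq 'Y')

    [pscustomobject]@{
        StartPort            = $start
        EndPort              = $start + $count - 1
        IsWindowsDefault     = ($start -eq 49152 -and $count -eq 16384)
        RestrictedByRegistry = $restricted
        RestrictedPorts      = $(if ($restricted) { $rpcKey.Ports } else { $null })
    }
}

function New-CMRpcInboundRule {
    param(
        # Address or subnet of the site server that initiates RPC to this box.
        [Parameter(Mandatory)] [string] $SiteServerAddress,
        [switch] $Apply     # without -Apply the rules are only returned, not created
    )
    $range = Get-RpcDynamicPortRange
    $ports = if ($range.RestrictedByRegistry) {
        $range.RestrictedPorts
    } else {
        "$($range.StartPort)-$($range.EndPort)"
    }
    # Endpoint mapper (135) plus the dynamic range, scoped to the site server
    # rather than 'Any' so the RPC surface is not exposed to the whole LAN.
    $rules = @(
        @{ DisplayName = 'ConfigMgr RPC endpoint mapper TCP (from site server)'; Protocol = 'TCP'; LocalPort = 135 }
        @{ DisplayName = 'ConfigMgr RPC endpoint mapper UDP (from site server)'; Protocol = 'UDP'; LocalPort = 135 }
        @{ DisplayName = 'ConfigMgr RPC dynamic range (from site server)';       Protocol = 'TCP'; LocalPort = $ports }
    )
    foreach ($r in $rules) {
        $r.Direction     = 'Inbound'
        $r.Action        = 'Allow'
        $r.Profile       = 'Domain'
        $r.RemoteAddress = $SiteServerAddress
        if ($Apply) { New-NetFirewallRule @r } else { [pscustomobject]$r }
    }
}

# Usage (site server address is an assumed value):
# Get-RpcDynamicPortRange
# New-CMRpcInboundRule -SiteServerAddress '10.10.1.5'          # preview only
# New-CMRpcInboundRule -SiteServerAddress '10.10.1.5' -Apply   # from an elevated prompt
```

Run `Get-RpcDynamicPortRange` on each site system before you hand a port list to the network team; if `IsWindowsDefault` is false or `RestrictedByRegistry` is true, the generic 49152-65535 entry in the spreadsheet is wrong for that host.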
In general, the firewall ports fall into two categories: 1. configurable ports (custom ports, for example the HTTP/HTTPS ports used by the management point, distribution point and WSUS) and 2. non-configurable ports.
I cover only the default ports that Microsoft documents. Custom communication ports that you configure yourself are not covered in the list below or in the spreadsheet.
When you have an SCCM CB hierarchy with a CAS and primary sites, you need to be more careful about the firewall port requirements, because site-to-site and SQL-to-SQL traffic (including SQL Service Broker on TCP 4022) is added.
I have an earlier post on SCCM firewall port requirements here (the port requirements have changed little between versions).
Update: the Internet access requirement (proxy exception list) for SCCM CB is also very important when you deploy SCCM Current Branch within an organization.
Download the List of SCCM Firewall Ports here
From | To | UDP | TCP | Description | Direction
---|---|---|---|---|---
Asset Intelligence Synchronization Point | Microsoft | - | 443 | HTTPS | Unidirectional
Asset Intelligence Synchronization Point | SQL Server | - | 1433 | SQL over TCP | Unidirectional
Application Catalog Web Service Point | SQL Server | - | 1433 | SQL over TCP | Unidirectional
Application Catalog Website Point | Application Catalog Web Service Point | - | 80/443 | HTTP/HTTPS | Unidirectional
Client | Application Catalog Website Point | - | 80/443 | HTTP/HTTPS | Unidirectional
Client | Client (wake-up) | 9/25536 | - | Wake On LAN/wake-up proxy | Unidirectional
Client | NDES | - | 80/443 | HTTP/HTTPS | Unidirectional
Client | Cloud DP | - | 443 | HTTPS | Unidirectional
Client | DP | - | 80/443 | HTTP/HTTPS | Unidirectional
Client | DP (multicast) | 63000-64000 | 445 | Multicast/SMB | Unidirectional
Client | DP (PXE) | 67/68/69/4011 | - | DHCP/TFTP/BINL | Unidirectional
Client | FSP | - | 80 | HTTP (FSP is HTTP only) | Unidirectional
Client | Domain (Global Catalog) | - | 3268/3269 | GC LDAP/GC LDAP SSL | Unidirectional
Client | MP | - | 10123/80/443 | Client notification/HTTP/HTTPS | Unidirectional
Client | SUP | - | 80 or 8530/443 or 8531 | HTTP/HTTPS | Unidirectional
Client | SMP | - | 80/443/445 | HTTP/HTTPS/SMB | Unidirectional
Console | Client | - | 2701/3389 | Remote Control/RDP and RTC (Remote Assistance) | Unidirectional
Console | Internet | - | 80 | HTTP | Unidirectional
Console | Reporting Services Point | - | 80/443 | HTTP/HTTPS | Unidirectional
Console | Site Server | - | 135 | RPC Endpoint Mapper | Unidirectional
Console | SMS Provider | 135 | 135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic | Unidirectional
NDES Policy Module | Certificate Registration Point | - | 443 | HTTPS | Unidirectional
DP | MP | - | 80/443 | HTTP/HTTPS | Unidirectional
Endpoint Protection Point | Internet | - | 80 | HTTP | Unidirectional
Endpoint Protection Point | SQL Server | - | 1433 | SQL over TCP | Unidirectional
Enrollment Proxy Point | Enrollment Point | - | 443 | HTTPS | Unidirectional
Enrollment Point | SQL Server | - | 1433 | SQL over TCP | Unidirectional
Exchange Server Connector | Exchange Online | - | 5986 | WinRM over HTTPS | Unidirectional
Exchange Server Connector | On-premises Exchange Server | - | 5985 | WinRM over HTTP | Unidirectional
Mac computer | Enrollment Proxy Point | - | 443 | HTTPS | Unidirectional
MP | Domain Controller | 135 | 389/636/3268/3269/135/RPC dynamic | LDAP/LDAP SSL/GC LDAP/GC LDAP SSL/RPC Endpoint Mapper/RPC dynamic | Unidirectional
MP | Site Server | 135 | 135/RPC dynamic/445 | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
MP | SQL Server | - | 1433 | SQL over TCP | Unidirectional
Mobile device | Enrollment Proxy Point | - | 443 | HTTPS | Unidirectional
Mobile device | Intune | - | 443 | HTTPS | Unidirectional
Reporting Services Point | SQL Server | - | 1433 | SQL over TCP | Unidirectional
Site Server | Application Catalog Web Service Point | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
Site Server | Application Catalog Website Point | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
Site Server | Asset Intelligence Synchronization Point | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
Site Server | Client (Wake On LAN) | 9 | - | Wake On LAN | Unidirectional
Site Server | Cloud DP | - | 443 | HTTPS | Unidirectional
Site Server | DP | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Unidirectional
Site Server | Domain Controller | 135 | 389/636/3268/3269/135/RPC dynamic | LDAP/LDAP SSL/GC LDAP/GC LDAP SSL/RPC Endpoint Mapper/RPC dynamic | Unidirectional
Site Server | Certificate Registration Point | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
Site Server | Endpoint Protection Point | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
Site Server | Enrollment Point | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
Site Server | Enrollment Proxy Point | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
Site Server | FSP | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
Site Server | Internet | - | 80 | HTTP | Unidirectional
Site Server | Issuing CA | 135 | 135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic | Bidirectional
Site Server | Reporting Services Point | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Bidirectional
Site Server | Site Server | - | 445 | SMB | Bidirectional
Site Server | SQL Server | 135 | 1433/445/135/RPC dynamic | SQL over TCP/SMB/RPC Endpoint Mapper/RPC dynamic | Unidirectional
Site Server | SMS Provider | 135 | 445/135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic/SMB | Unidirectional
Site Server | SUP | - | 445/80 or 8530/443 or 8531 | SMB/HTTP/HTTPS | Bidirectional
Site Server | SMP | 135 | 445/135 | RPC Endpoint Mapper/SMB | Bidirectional
SMS Provider | SQL Server | - | 1433 | SQL over TCP | Unidirectional
SUP | Internet | - | 80 | HTTP | Unidirectional
SUP | Upstream WSUS Server | - | 80 or 8530/443 or 8531 | HTTP/HTTPS | Unidirectional
SQL Server | SQL Server | - | 1433/4022 | SQL over TCP/SQL Service Broker | Unidirectional
SMP | SQL Server | - | 1433 | SQL over TCP | Unidirectional
Service Connection Point | Intune | - | 443 | HTTPS | Unidirectional
Site Server | Site System (generic) | 135 | 135/RPC dynamic | RPC Endpoint Mapper/RPC dynamic | Unidirectional
Site Server | Domain/DNS | 53/67/68/137/138 | 53/139 | DNS/DHCP/NetBIOS | Unidirectional
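The client rows of the table are the ones most often verified by hand after a firewall change. The following PowerShell is an added example (not part of the original post) that encodes those rows and probes the TCP ports from a Windows client with `Test-NetConnection`. The server names are assumptions for illustration; swap in your own. The HTTP/HTTPS ports are the configurable category from the introduction, so the function takes a switch for an HTTPS-only site. UDP rows (WOL 9, PXE 67/68/69/4011, multicast 63000-64000) cannot be probed by a TCP connect and are reported as skipped rather than silently passed.

```powershell
# Added example (not from the original post). Probes the Client --> site system
# TCP ports listed in the table above from a Windows client. Host names below
# are assumed values; replace them with your own site systems.

function Test-CMClientPorts {
    param(
        [string] $ManagementPoint     = 'cm-mp01.contoso.local',   # assumed name
        [string] $DistributionPoint   = 'cm-dp01.contoso.local',   # assumed name
        [string] $SoftwareUpdatePoint = 'cm-sup01.contoso.local',  # assumed name
        [string] $FallbackStatusPoint = 'cm-fsp01.contoso.local',  # assumed name
        [string] $GlobalCatalog       = 'dc01.contoso.local',      # assumed name
        [switch] $UseHttps            # site systems configured for HTTPS
    )

    # Configurable (HTTP/HTTPS) ports depend on the site configuration;
    # the rest are fixed values from the table.
    $web = if ($UseHttps) { 443 } else { 80 }
    $sup = if ($UseHttps) { 8531 } else { 8530 }

    $checks = @(
        @{ Role = 'MP';  Target = $ManagementPoint;     Port = $web;  Proto = 'TCP'; Purpose = 'policy/inventory/state' }
        @{ Role = 'MP';  Target = $ManagementPoint;     Port = 10123; Proto = 'TCP'; Purpose = 'client notification' }
        @{ Role = 'DP';  Target = $DistributionPoint;   Port = $web;  Proto = 'TCP'; Purpose = 'content download' }
        @{ Role = 'DP';  Target = $DistributionPoint;   Port = 445;   Proto = 'TCP'; Purpose = 'SMB (multicast/OSD)' }
        @{ Role = 'SUP'; Target = $SoftwareUpdatePoint; Port = $sup;  Proto = 'TCP'; Purpose = 'WSUS custom website' }
        @{ Role = 'FSP'; Target = $FallbackStatusPoint; Port = 80;    Proto = 'TCP'; Purpose = 'fallback status (HTTP only)' }
        @{ Role = 'GC';  Target = $GlobalCatalog;       Port = 3268;  Proto = 'TCP'; Purpose = 'global catalog LDAP' }
        @{ Role = 'DP';  Target = $DistributionPoint;   Port = 69;    Proto = 'UDP'; Purpose = 'TFTP (PXE)' }
        @{ Role = 'DP';  Target = $DistributionPoint;   Port = 4011;  Proto = 'UDP'; Purpose = 'BINL (PXE)' }
    )

    foreach ($c in $checks) {
        if ($c.Proto -ne 'TCP') {
            # Test-NetConnection only does TCP connects; UDP has to be
            # confirmed on the firewall itself or with a packet capture.
            $state = 'skipped (UDP)'
        } else {
            $r = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
            $state = if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        }
        [pscustomobject]@{
            Role     = $c.Role
            Target   = $c.Target
            Port     = $c.Port
            Protocol = $c.Proto
            State    = $state
            Purpose  = $c.Purpose
        }
    }
}

# Usage (assumes the names above resolve in your domain):
# Test-CMClientPorts -UseHttps | Format-Table -AutoSize
# Test-CMClientPorts | Where-Object State -eq 'BLOCKED'
```

An `open` result only proves the firewall passes the TCP handshake; it does not prove the role answers correctly. For the management point, follow up with a request to `http://<MP>/sms_mp/.sms_aut?mplist` (or the HTTPS equivalent), which returns the MP list when IIS and the MP role are healthy.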
Author
Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with over 17 years of experience (as of 2018). He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
Hi, for the Asset Intelligence Synchronization Point, you mean port 443, right?
Yes, thank you … Corrected it 🙂
Great Excel file.
Thanks!!
First, thank you for all your great articles. Now my question is: is there any specific port / firewall rule for running PowerShell scripts directly from the SCCM console? It has been bugging me for a while why I still can't run them, given that I have full admin permission and also have that role.
Hi Anoop,
I want to give the below requirement to the network team to open the port.
Console | Client | 2701/3389 | RC/RDP/RTC
Here, does "Console" mean I need to provide the Primary Site server name?
Please suggest.
Thanks and regards,
Surendra
Are you using the Primary server console to take remote control of the client machine? If so, the answer is YES.
Thanks for your reply.
Yes, I am taking remote control from the primary server console.
The network team confirmed that they have configured the ports.
But I am able to take RDP from the server, not from the console.
Please suggest.
Hi Anoop! Do you have recommendations for the firewall profile type? Since most of us are at home, we only used to manage the domain firewall configs. We do not manage private or public. However, we see some communication issues, some of which can be resolved if we just temporarily disable the firewall for testing purposes. I am wondering whether we have to manage public and private now as well, and if so, which port configs you mean are required?
Hello Julie, is this related to the Windows firewall on the Windows 10 device, or to Symantec firewall rules? If so, these are the exceptions you need to put in: https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/windows-firewall-and-port-settings-for-clients#programs-and-ports-that-configuration-manager-requires
Are any specific ports required between SCCM client machines and the PKI/CRL server?
It's all via HTTPS (443) in normal scenarios.
Hi Anoop,
I have downloaded all the patches to the patch repository (a dedicated file server). Kindly let me know the port requirements (ports and traffic flow) from the DP to the patch repository and vice versa.