ConfigMgr 2007, Client Push Installation and (a) Firewall(s)

One of the most common problems with Client Push Installation is (are) the (Windows) Firewall(s). As I had some questions about this (again) lately, I will post here all the open ports/ firewall exceptions needed for a Client Push Installation.

Exceptions for the Windows Firewall

To be able to do a Client Push Installation you need the following exceptions in the Windows Firewall:

  • File and Printer Sharing
  • Windows Management Instrumentation (WMI)
  • TCP Port 80 (for HTTP from the client computer to a MP (Mixed Mode))
  • TCP Port 443 (for HTTPS from the client computer to a MP (Native Mode))

Specific ports for other Firewalls

To be able to do a Client Push Installation you need to open the following ports in the Firewall:

Description UDP TCP
SMB between the Site Server and client computer. 445
RPC endpoint mapper between the Site Server and the client computer. 135 135
RPC dynamic ports between the Site Server and the client computer. Dynamic*
HTTP from the client computer to a MP (Mixed Mode). 80
HTTPS from the client computer to a MP (Native Mode).   443

*The dynamic RPC ports are until Windows XP and Windows Server 2003 (R2) 1025-5000 and from Vista and Windows Server 2008 (and later) 49152-65535.

More information about the Windows Firewall Settings for ConfigMgr Clients:
http://technet.microsoft.com/en-us/library/bb694088.aspx
More information about the Ports used during ConfigMgr Client Deployment:
http://technet.microsoft.com/en-us/library/ff189805.aspx
More information about the Dynamic Port Ranges:
http://support.microsoft.com/kb/929851/nl


Discover more from All about Microsoft Intune

Subscribe to get the latest posts sent to your email.

3 thoughts on “ConfigMgr 2007, Client Push Installation and (a) Firewall(s)”

  1. Is just about to start using SCCM at work, and stumbled across your website.
    Great Stuff! just keep posting! 🙂

    Learned alot already

    Reply
  2. Thanks for the information, very uselful indeed.

    Quick question…. We intend to push the SCCM client from a Windows 2008 Site server to an XP SP3 client. Which Dynamic RPC port range will I need to open on the check point firewall that runs on our client machines? 1025-5000 or 49152-65535

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.