One of the most common problems with Client Push Installation is the firewall, whether that is the Windows Firewall or another one. As I had some questions about this (again) lately, I will post here all the open ports/firewall exceptions needed for a Client Push Installation.
Exceptions for the Windows Firewall
To be able to do a Client Push Installation you need the following exceptions in the Windows Firewall:
- File and Printer Sharing
- Windows Management Instrumentation (WMI)
- TCP Port 80 (for HTTP from the client computer to a MP (Mixed Mode))
- TCP Port 443 (for HTTPS from the client computer to a MP (Native Mode))
Specific ports for other Firewalls
To be able to do a Client Push Installation you need to open the following ports in the Firewall:
Description | UDP | TCP |
SMB between the Site Server and client computer. | – | 445 |
RPC endpoint mapper between the Site Server and the client computer. | 135 | 135 |
RPC dynamic ports between the Site Server and the client computer. | – | Dynamic* |
HTTP from the client computer to a MP (Mixed Mode). | – | 80 |
HTTPS from the client computer to a MP (Native Mode). | – | 443 |
*The dynamic RPC ports are 1025-5000 up to and including Windows XP and Windows Server 2003 (R2), and 49152-65535 from Windows Vista and Windows Server 2008 onwards.
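A pre-flight check for the fixed TCP ports in the table above, as an added PowerShell example that is not part of the original post. It assumes it is run on the Site Server against the client that will receive the push; the function names `Test-TcpPort` and `Test-ClientPushPorts` and the client name `PC001` are hypothetical.

```powershell
# Added example, not from the original post. Run on the Site Server.
function Test-TcpPort {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false              # no answer in time: usually dropped by a firewall
        }
        $client.EndConnect($async)     # throws if the connection was refused
        return $true
    }
    catch { return $false }
    finally { $client.Close() }
}

function Test-ClientPushPorts {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        # $true for Windows XP / Server 2003 (R2) clients, $false for Vista / 2008 and later
        [bool]$LegacyClient = $false
    )
    # Fixed TCP ports from the table: SMB and the RPC endpoint mapper.
    $checks = @(
        @{ Port = 445; Description = 'SMB (File and Printer Sharing)' },
        @{ Port = 135; Description = 'RPC endpoint mapper' }
    )
    foreach ($check in $checks) {
        New-Object PSObject -Property @{
            Computer    = $ComputerName
            Port        = $check.Port
            Description = $check.Description
            Reachable   = Test-TcpPort -ComputerName $ComputerName -Port $check.Port
        }
    }
    # A dynamic RPC port is only assigned at call time, so it cannot be probed
    # in advance. Report the range that depends on the client's OS instead.
    $range = if ($LegacyClient) { '1025-5000' } else { '49152-65535' }
    Write-Warning "Dynamic RPC range TCP $range must also be open towards $ComputerName."
}

# 'PC001' is a placeholder client name.
Test-ClientPushPorts -ComputerName 'PC001' -LegacyClient $true
```

A `Reachable` value of `False` on 445 or 135 points at the File and Printer Sharing or WMI exception on the client, or at a firewall in between. The client-to-MP ports (80 or 443) have to be checked from the client side, for example by calling `Test-TcpPort` there with the MP's name.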
More information about the Windows Firewall Settings for ConfigMgr Clients:
http://technet.microsoft.com/en-us/library/bb694088.aspx
More information about the Ports used during ConfigMgr Client Deployment:
http://technet.microsoft.com/en-us/library/ff189805.aspx
More information about the Dynamic Port Ranges:
http://support.microsoft.com/kb/929851/nl
I'm just about to start using SCCM at work, and stumbled across your website.
Great stuff! Just keep posting! 🙂
Learned a lot already
Thanks for the information, very useful indeed.
Quick question…. We intend to push the SCCM client from a Windows 2008 Site server to an XP SP3 client. Which Dynamic RPC port range will I need to open on the Check Point firewall that runs on our client machines? 1025-5000 or 49152-65535?
Hi Bootch,
As it’s about the XP Clients you would need the lower range opened on those clients.
Peter