SCCM client registration necessary ports?

Question

Hi Anoop,

another doubt for which I was not yet able to get a clear answer and would like to see if you could help me.

I’m planning to set up the primary site server in one VLAN and install the roles of MP, DP and SUP in a stand-alone server in another VLAN.

From the perspective of the clients, the idea is that those clients on the second VLAN will communicate with their MP on their own VLAN, avoiding in this way that all of them will have to talk with the primary site server. Communication from there will take place one to one, from the MP to the Primary site server.

I thought that in this way I would be able to isolate all communication between the clients on the second VLAN and the MP there, avoiding having to request for an FW rule to allow all clients on that VLAN to reach my Primary Site Server. However, I found documentation and forums on the internet, on which they state that for the right installation of the client it’s necessary an initial connection from the client to the Primary Site Server.

Is this right or not? And if this is the case what would be the port that I would need to open just to allow client registration?

thanks and best regards,

Guillermo Vélez

solved 0
Guillermo Vélez 2020-04-30T13:56:16+05:30 5 Answers 1315 views Beginner
1

Answers ( 5 )

  2. Deepak Rai
    1
    2020-04-30T14:26:00+05:30
    Reply

    Adding to answer there was one old blog written by Anoop explaining all about ports 6 years ago and i am still following that only if i have to set up new infrastructure.

    https://www.anoopcnair.com/domain-controller-firewall-ports-details-direction-communication-sccm-2012-r2-cas-primary-servers/

    Please read and let us know if any questions.

  4. Anoop C Nair
    2
    2020-04-30T14:20:36+05:30
    Reply

    Well, this is a great topic and question

    The Selection of client Installation method is very important here:

    I don’t recommend using CLIENT PUSH method … that might require additional porta opening with Primary server … Following are requirements for client push … but all the other client installation methods can be done without additional porta opening between VLAN 1 and 2 in your scenarios..

    Server Message Block (SMB) between the site server and client computer. — 445
    RPC endpoint mapper between the site server and the client computer. 135 135
    RPC dynamic ports between the site server and the client computer. — DYNAMIC
    client computer to a management point when the connection is over HTTP. — 80 (See note 1, Alternate Port Available)
    client computer to a management point when the connection is over HTTPS. — 443 (See note 1, Alternate Port Available)

    https://docs.microsoft.com/en-us/mem/configmgr/core/clients/deploy/windows-firewall-and-port-settings-for-clients#ports-that-are-used-with-client-push-installation

    Best answer
    • Guillermo Vélez
      1
      2020-04-30T14:25:13+05:30
      Reply

      Ok I think I understand now. So the problem just arises when installing the client using the client push method. Again great answer!!
      Thank you so much for your help!!

  6. Guru Vaidya
    1
    2020-04-30T14:11:59+05:30
    Reply

Leave an answer

Sorry, you do not have permission to answer to this question .