Jay Paloma's Tech and Music Blog

Sometimes, this writer can no longer distinguish between the two.

Summary of Ports Used in Configuration Manager

leave a comment »


If you’re implementing Configuration Manager in an enterprise network environment, you probably would have had the need to take a look at the Technical Reference for Ports Used in Configuration Manager. That is a very concise source of all the ports that you need. However, in my personal experience one still tends to miss out on the details of the ports needed. Also there are things that one may overlook. Allow me to summarize the more important ports needed.

Active Directory

Remember that all your CM servers, whether they are site servers, database servers, etc., are domain members. Therefore you need to ensure their connectivity with your Active Directory services. These include DNS, Kerberos, LDAP, Global Catalog, etc. Details in this post Active Directory and Active Directory Domain Services Port Requirements.

CAS to External WSUS

  • CAS > WSUS TCP 8530, TCP 8530 (TCP 80, TCP 443 if this option is selected)

If you are using a WSUS server which is not installed with Configuration Manager, your CAS should have TCP8530, TCP8531 connectivity. Needless to say your WSUS should be connected to the Internet.

Databases

  • Site Servers > Database Servers: TCP 1433
  • Database Servers < > Database Servers: TCP 1433, TCP 4022

Your Site Servers and your Management Points should connect to your SQL Server database servers using TCP 1433. If you’re using CAS, all your Site Servers should be able to connect to the CAS database.

All your database servers need to replicate with each other,

Between Site Servers

  • SIte Servers < > Site Servers: TCP 445, TCP and UDP 135, UDP137-138, Dynamic Ports

I emphasize that these are bi-directional.

Between Site Servers and Site Systems

  • SIte Servers > Site Systems: TCP 445, TCP and UDP 135, UDP137-138, Dynamic Ports

Note that all your server roles are Site Systems (database, MP, DP, FSP, etc.) During the Site System role installation, there is an option to Require the site server to initiate connections to this site server, which is enabled by default. If you prefer this option, then  the traffic is one way from Site Server to Site System. My take is that your site servers/site systems within your datacenter should be bi-directional. If you do have DPs that are not within your central datacenter (i.e., remote DP), make this uni-directional to avoid the Configuration Management Console from working from an external source.

Client to Site Server

  • Client > Site Server: TCP 80, TCP 443, TCP 10123, TCP 8530, TCP 8531

Do note that all your Configuration Manager servers may have been installed with CM client, maybe for patching.

Configuration Management Console

  • CM Console > SMS Provider: TCP and UDP 135, Dynamic Ports
  • CM Console > Application File Share: TCP 445

To my personal experience, these FW ports are overlooked a lot of times because admins usually administer from the CM console while connected to a Site Server either physically or via RDP. However if you implemented a CM Console on another machine which is not running any other CM role, then these ports are required.

The second bullet point is one gotcha! that I discovered  because it is not included in the Microsoft list of ports. It is always assumed that the console is running on a site server, and that the file share source is on one of the Site Servers, probably the CAS.  If in case the CM Console being used or the file share is not on a SIte Server, and if TCP 445 is not available from the Console to the file share where the application bits are stored, then our software library will be empty because we won’t be able to create anything (applications, packages, OS, software updates), since they require to be saved to a file share.

Advertisements

Written by jpaloma

January 1, 2015 at 10:16 AM

Posted in Microsoft

Tagged with ,

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: