SCCM Firewall ports required by clients

SCCM firewall ports and network ports must be defined if you want to manage clients across multiple networks. Configuration Manager cannot properly manage clients if the required ports have not been defined and opened to let traffic flow. Typical symptoms of failed network connectivity are clients stuck with an old Configuration Manager client and trouble patching and deploying software. Here is a copy of the cheat-sheet that I use (or send to the network technicians) to make sure all required traffic is let through.

Required SCCM Firewall Ports

These firewall ports are required for SCCM to properly manage clients. You need to specify these in your network / firewall to allow the traffic to pass, and they must be open on the SCCM servers' internal firewall as well.

Firewall Ports Client Network -> Configuration Manager Roles

  • 67 UDP. PXE Distribution Point
  • 68 UDP. PXE Distribution Point
  • 69 UDP. PXE Distribution Point
  • 80 TCP. Distribution Point, Fallback Status Point, Management Point
  • 443 TCP. Distribution Point, Management point (secure)
  • 4011 UDP. PXE Distribution Point
  • 8530 TCP. Software Update Point.
  • 8531 TCP. Software Update Point (secure).
  • 10123 TCP. Management Point.

Firewall Ports Configuration Manager Roles -> Client Network

  • 9 UDP. Site Server, required by Wake On Lan.
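
To confirm that the required TCP ports in the Client Network -> Configuration Manager Roles list are actually open, the following check can be run from a machine on the client network. This is an added example, not part of the original cheat-sheet; the server names are placeholders and `Test-TcpPort` is a hypothetical helper defined here.

```powershell
# Added example: run from a machine on the client network.
# Server names are placeholders (assumptions); replace them with your own role servers.
$Roles = @(
    @{ Role = 'Management Point';      Server = 'mp01.example.com';  Ports = 80, 443, 10123 }
    @{ Role = 'Distribution Point';    Server = 'dp01.example.com';  Ports = 80, 443 }
    @{ Role = 'Fallback Status Point'; Server = 'fsp01.example.com'; Ports = 80 }
    @{ Role = 'Software Update Point'; Server = 'sup01.example.com'; Ports = 8530, 8531 }
)

# Hypothetical helper: TCP connect with a timeout, returns $true or $false.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Server, $Port)
        # Wait() returns $false on timeout; a refused or unresolved
        # connection throws and is handled by the catch block.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    }
    catch { return $false }
    finally { $client.Close() }
}

$results = foreach ($r in $Roles) {
    foreach ($port in $r.Ports) {
        [pscustomobject]@{
            Role      = $r.Role
            Server    = $r.Server
            Port      = $port
            Reachable = Test-TcpPort -Server $r.Server -Port $port
        }
    }
}
$results | Format-Table -AutoSize

# UDP 67, 68, 69 and 4011 (PXE) and UDP 9 (Wake On Lan) are connectionless, so a
# TCP connect cannot verify them; check those with a PXE boot test or a packet capture.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("{0} required TCP port(s) unreachable from this network." -f $blocked.Count)
}
```

A `False` result means the port is either filtered on the path or not listening on the server, so the secure ports (443, 8531) only answer when the role is configured for them.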

Optional SCCM Firewall Ports, nice to have.

These ports are optional and not required for Configuration Manager to manage clients. I still recommend opening them, as they make the daily life of the SCCM administrator much easier.

Firewall Ports Client Network -> Configuration Manager Roles

  • 445 TCP. Windows File Share. Required if you use ccmsetup /source: to specify client source.

Firewall Ports Configuration Manager Console -> Client Network

  • 135 TCP. Windows Management Instrumentation
  • 445 TCP. Windows File Share. This together with Right Click Tools makes it very easy to connect to a client computer's local hard drive when you troubleshoot a client.
  • 2701 TCP. Enable remote control from Configuration Manager Console.
  • 3389 TCP. Enable Remote Assistance and Remote Desktop.
  • ICMP Echo Request.

Reference: Microsoft Technet Firewall Ports

Anders Rødland

Anders Rødland started his IT career in 2006. My main focus is MS Configuration Manager and client management, and I have passed 17 Microsoft certifications since then. My main expertise is on client management with Microsoft Endpoint Manager: Intune and Configuration Manager. I also do a lot of work on the security side with Microsoft Defender for Endpoint. In addition to my Microsoft certifications, I also have an ITIL v3 Foundation certification. This is my private blog and does not represent my employer. I use this to share information that I find useful. Sharing is caring.
