SCCM Firewall ports required by clients

SCCM Firewall ports and network ports must be defined if you want manage clients across multiple networks. Configuration Manager to properly manage clients if some ports are not been defined and opened to allow for traffic to flow properly. Typical symptoms of failed network connectivity can be clients stuck with old configuration manager client, trouble to patch and deploy software. Here is a copy of my cheat-sheet that I use (or send to the network technicians) to make sure all required traffic is let through.

Required SCCM Firewall Ports

These firewall ports are required for SCCM to properly manage clients. You need to specify these in your network / firewall to allow the traffic pass, and they must be open on sccm servers internal firewall as well.

Firewall Ports Client Network -> Configuration Manager Roles

  • 67 UDP. PXE Distribution Point
  • 68 UDP. PXE Distribution Point
  • 69 UDP. PXE Distribution Point
  • 80 TCP. Distribution Point, Fallback Status Point, Management point,
  • 443 TCP. Distribution Point, Management point (secure)
  • 4011 UDP. PXE Distribution Point
  • 8530 TCP. Software Update Point.
  • 8531 TCP.  Software Update Point (secure).
  • 10123 TCP. Management Point.

Firewall Ports Configuration Manager Roles -> Client Network

  • 9 UDP. Site Server, required by Wake On Lan.

Optional SCCM Firewall Ports, nice to have.

These ports are optional and not required for Configuration Manager to manage clients. I still recommend to open them as they make the daily life of the SCCM administrator much easier.

Firewall Ports Client Network -> Configuration Manager Roles

  • 445 TCP. Windows File Share.  Required if you use ccmsetup /source: to specify client source.

Firewall Ports Configuration Manager Console -> Client Network

  • 135 TCP. Windows Management Instrumentation
  • 445 TCP.  Windows File Share. This together with Right Click Tools makes it very easy for you to connect to client computers local hard drive when you troubleshoot a client.
  • 2701 TCP. Enable remote control from Configuration Manager Console.
  • 3389 TCP. Enable Remote Assistance and Remote Desktop.
  • ICMP Echo Request.

Reference: Microsoft Technet Firewall Ports

About the Author

Anders Rodland
Anders Rødland started his carrer as an IT consultant in 2006 and now works as a Senior IT-Specialist and Service Owner for Atea, one of the major IT companies in Scandinavia. My main focus is on Microsoft System Center, and I currently have more than 13 Microsoft certifications. Certified on Windows Server, Windows Client, SQL, Exchange and System Center Configuration Manager. Anders Rodland also holds an ITIL Foundation certification. This is my private blog and do not represent my employer. I use this to share information that I find useful. Sharing is caring.