Configure windows firewall setting for sccm client

#1 ericlaiys

Posted 27 July 2009 - 05:52 AM

In order to deploy the SCCM client, you need to open Windows Firewall ports. Rather than configure the ports on each workstation, I will use Group Policy to configure the Windows Firewall.

Below are the recommended ports to open, as suggested by Microsoft:

a) Client Push Installation:
- File and Printer Sharing
- Windows Management Instrumentation (WMI): TCP & UDP 1024-5000

b) Client request:
- Port 80 for HTTP communication
- Port 443 for HTTPS communication

c) NAP:
- UDP 67 and UDP 68 for DHCP
- TCP 80/443 for IPsec

d) Remote Control:
- TCP 2701
- TCP 2702
- TCP 135

e) Remote Assistance and Remote Desktop:
- Exception program helpsvc.exe and TCP 135
- Remote Assistance and Remote Desktop (TCP 3389)

f) Windows Event Viewer, Windows Performance Monitor and Windows Diagnostics:
- Exception: File and Printer Sharing.

Based on the above ports, here is the configuration I've performed in Group Policy.

a) Go to the Group Policy Management snap-in.
b) Expand Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile

c) Configure Windows Firewall: Allow inbound file and printer sharing exception
- Set Enabled
- IP: 192.168.10.47 (SCCM server IP address)

(Attached screenshot: fire1.JPG)

d) Configure Windows Firewall: Define inbound port exceptions
- Set Enabled
(Attached screenshot: fire2.JPG)

- Click Show
- Add the configuration below

Format for Define inbound port exceptions:
Port:Transport(TCP/UDP):Scope:Status(enabled/disabled):Name

135:TCP:192.168.10.47:enabled:TCP135
80:TCP:192.168.10.47:enabled:Port80
443:TCP:192.168.10.47:enabled:Port443
67:UDP:192.168.10.47:enabled:NAPDHCP
68:UDP:192.168.10.47:enabled:NAPDHCP
2701:TCP:192.168.10.47:enabled:RemoteControl
2702:TCP:192.168.10.47:enabled:RemoteControl

(Attached screenshot: fire3.JPG)

Invalid configuration:
1024-5000:TCP:192.168.10.47:enabled:WMI
1024-5000:UDP:192.168.10.47:enabled:WMI
*.TCP:192.168.10.47:enabled:All

WMI uses a random port from 1024-5000.

Note:
You cannot define a range of Windows Firewall ports to open. Each port needs to be defined individually.

If you still insist on opening a range of ports, you can write a script to run the following command:
for /L %i in (1024,1,5000) do netsh firewall add portopening TCP %i "Port-range %i"

The script will execute and create a rule for each port from 1024 to 5000.
For the WMI ports, let's ignore them for now.

e) Configure Windows Firewall: Allow inbound remote administration exception
- Set Enabled
- IP: 192.168.10.47

(Attached screenshot: fire4.JPG)

f) Configure Windows Firewall: Allow inbound Remote Desktop exceptions
- Set Enabled
- IP: 192.168.10.47

(Attached screenshot: fire5.JPG)

g) Configure Windows Firewall: Define inbound program exceptions
- Set Enabled
- Click Show and add the settings below

(Attached screenshot: fire6.JPG)

Format for Define inbound program exceptions:
Path:Scope:Status:Name
%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe
%systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe:*:enabled:helpsvc.exe

(Attached screenshot: fire7.JPG)

The above configuration was tested on workstations running Windows Vista and Windows XP.
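The two "Show..." list formats in the post (Port:Transport:Scope:Status:Name for port exceptions, Path:Scope:Status:Name for program exceptions) are easy to get wrong, and the policy editor gives little feedback, so the following added example (my own code, not the poster's) checks entries before they go into the GPO. It rejects exactly the three entries the post lists as invalid (port ranges and a wildcard), keeps a drive letter inside a program path intact, and turns a port range into the one-entry-per-port list the post says you otherwise have to script with netsh. The accepted Scope grammar ('*', 'localsubnet', or a comma-separated list of IPv4 addresses and address/mask subnets) is an assumption about the policy UI, not something the post states.

```python
# Added example, not code from the forum post. Assumes the two GPO list
# formats described there and (assumption) a Scope of '*', 'localsubnet',
# or a comma-separated list of IPv4 addresses and address/mask subnets.
import ipaddress


def parse_scope(scope):
    """Normalise a Scope field; raises ValueError for anything unexpected."""
    scope = scope.strip()
    if scope == "*":
        return "*"
    if scope.lower() == "localsubnet":
        return "localsubnet"
    parts = []
    for item in scope.split(","):
        item = item.strip()
        if "/" in item:  # 192.168.10.0/24 or 192.168.10.0/255.255.255.0
            parts.append(str(ipaddress.ip_network(item, strict=False)))
        else:
            parts.append(str(ipaddress.ip_address(item)))
    return ",".join(parts)


def parse_port_exception(entry):
    """Parse one 'Define inbound port exceptions' entry into a dict."""
    fields = entry.split(":")
    if len(fields) != 5:
        raise ValueError("expected Port:Transport:Scope:Status:Name, got %r" % entry)
    port, transport, scope, status, name = (f.strip() for f in fields)
    # One port number per entry: this is what rejects '1024-5000' and '*'.
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError("port must be one number 1-65535, got %r" % port)
    if transport.upper() not in ("TCP", "UDP"):
        raise ValueError("transport must be TCP or UDP, got %r" % transport)
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("status must be enabled or disabled, got %r" % status)
    if not name:
        raise ValueError("name must not be empty")
    return {"port": int(port), "transport": transport.upper(),
            "scope": parse_scope(scope), "enabled": status.lower() == "enabled",
            "name": name}


def parse_program_exception(entry):
    """Parse one 'Define inbound program exceptions' entry into a dict."""
    # Split from the right so a drive letter inside Path (C:\...) survives.
    fields = entry.rsplit(":", 3)
    if len(fields) != 4:
        raise ValueError("expected Path:Scope:Status:Name, got %r" % entry)
    path, scope, status, name = (f.strip() for f in fields)
    if not path.lower().endswith(".exe"):
        raise ValueError("path should point at an executable, got %r" % path)
    if status.lower() not in ("enabled", "disabled"):
        raise ValueError("status must be enabled or disabled, got %r" % status)
    if not name:
        raise ValueError("name must not be empty")
    return {"path": path, "scope": parse_scope(scope),
            "enabled": status.lower() == "enabled", "name": name}


def expand_port_range(first, last, transport, scope, name_prefix):
    """One GPO entry per port: the policy-list equivalent of the post's netsh loop."""
    if not 1 <= first <= last <= 65535:
        raise ValueError("bad range %d-%d" % (first, last))
    return ["%d:%s:%s:enabled:%s-%d" % (p, transport, scope, name_prefix, p)
            for p in range(first, last + 1)]


def validate(entries, parser):
    """Return (parsed_ok, [(entry, reason), ...]) for a list of raw entries."""
    parsed, errors = [], []
    for entry in entries:
        try:
            parsed.append(parser(entry))
        except ValueError as exc:
            errors.append((entry, str(exc)))
    return parsed, errors


# Constructed sample input, mirroring the values quoted in the post.
PORT_ENTRIES = [
    "135:TCP:192.168.10.47:enabled:TCP135", "80:TCP:192.168.10.47:enabled:Port80",
    "443:TCP:192.168.10.47:enabled:Port443", "67:UDP:192.168.10.47:enabled:NAPDHCP",
    "68:UDP:192.168.10.47:enabled:NAPDHCP", "2701:TCP:192.168.10.47:enabled:RemoteControl",
    "2702:TCP:192.168.10.47:enabled:RemoteControl",
]
BAD_PORT_ENTRIES = [
    "1024-5000:TCP:192.168.10.47:enabled:WMI",
    "1024-5000:UDP:192.168.10.47:enabled:WMI",
    "*.TCP:192.168.10.47:enabled:All",
]
PROGRAM_ENTRIES = [
    r"%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe",
    r"%systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe:*:enabled:helpsvc.exe",
]

if __name__ == "__main__":
    for label, entries, parser in (("port", PORT_ENTRIES, parse_port_exception),
                                   ("port", BAD_PORT_ENTRIES, parse_port_exception),
                                   ("program", PROGRAM_ENTRIES, parse_program_exception)):
        ok, bad = validate(entries, parser)
        print("%s entries: %d valid, %d rejected" % (label, len(ok), len(bad)))
        for entry, reason in bad:
            print("  rejected %s -> %s" % (entry, reason))
    # Three per-port entries stand in for a range the GPO list cannot take.
    print(expand_port_range(1024, 1026, "TCP", "192.168.10.47", "WMI"))
```

Run it as a script to see the seven port entries and both program entries accepted and the three invalid ones rejected with a reason each. The scope is normalised with the standard library's ipaddress module, so a typo in the server address fails loudly instead of silently producing a rule that matches nothing.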

#2 rahulnigam

Posted 08 September 2009 - 01:55 AM

Also, SMB, RPC and NetBIOS ports are used by SCCM.