SCCM 2012 R2 - Ports Required through Firewall

Hi all,
Currently working on the list of ports which I'll need to wing over to the network guys to open on the firewalls. Here is what I've come up with from my various readings:
Name                  Port    TCP/UDP   Purpose
ICMP                  -       -         Echo request messages go from site server to clients
RPC                   135     TCP       Site Server > Client | Console > Site Server
NetBIOS               139     TCP       Client < > Site Server
HTTP                  80      TCP       Client < > Site Server
HTTPS                 443     TCP       Client < > Site Server
SMB                   445     TCP       Site Server > Client Computer
LDAP                  389     TCP       Site Server > Domain Controllers
RemoteControl         2701    TCP       Site Server > Client
WSUS                  8530    TCP       Client > Site Server
WSUS                  8531    TCP       Client > Site Server
MSSQL                 1433    TCP       Site Server > SQL Server
SQLBroker             4022    TCP       Site Server > SQL Broker Service
Client Notification   10123   TCP       Site Server > Client
WakeUpProxy           9       UDP       Client > Site Server
WakeUpProxy           25536   UDP       Client > Site Server
Is there anything glaringly obvious that I've missed? Or anything I've included unnecessarily? There was a good illustration diagram of how the ports worked in 2007 (http://technet.microsoft.com/en-gb/library/bb632618.aspx) but couldn't seem to find an equivalent for 2012 R2.
Thanks for the help

Hi,
To add to that, the ports for PXE are missing as well if you are going to use it. Have a look at this great Excel spreadsheet where you can add a server name and roles in Excel and it will give you which ports need to be opened. Great help.
https://sccmguru.wordpress.com/2012/11/09/configuration-manager-2012-port-information-and-spreadsheet/
Regards,
Jörgen
-- My System Center blog ccmexec.com -- Twitter
@ccmexec
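
Once the firewall change is in place, the TCP rows of the port list above can be verified from each side. The PowerShell script below is an added example, not part of the original thread: the host names are placeholders, the directions follow the poster's table as written, and the UDP and ICMP rows are not tested.

```powershell
# Added example, not from the thread. Host names are placeholders (assumptions).
$Role      = 'Client'   # role of the machine this runs on: SiteServer, Client or Console
$TimeoutMs = 2000
$Targets   = @{
    SiteServer       = 'cm01.example.local'
    Client           = 'pc01.example.local'
    DomainController = 'dc01.example.local'
    SqlServer        = 'sql01.example.local'
}

# TCP rows of the poster's table, one line per direction (From initiates the connection).
$rows = @'
Name,Port,From,To
RPC,135,SiteServer,Client
RPC,135,Console,SiteServer
NetBIOS,139,Client,SiteServer
NetBIOS,139,SiteServer,Client
HTTP,80,Client,SiteServer
HTTP,80,SiteServer,Client
HTTPS,443,Client,SiteServer
HTTPS,443,SiteServer,Client
SMB,445,SiteServer,Client
LDAP,389,SiteServer,DomainController
RemoteControl,2701,SiteServer,Client
WSUS,8530,Client,SiteServer
WSUS,8531,Client,SiteServer
MSSQL,1433,SiteServer,SqlServer
SQLBroker,4022,SiteServer,SqlServer
ClientNotification,10123,SiteServer,Client
'@ | ConvertFrom-Csv

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            # No answer at all: the packet is most likely dropped on the path.
            return 'Timeout (filtered?)'
        }
        $client.EndConnect($pending)   # throws if the target refused the connection
        return 'Open'
    } catch {
        # Path is open but nothing is listening, or the name did not resolve.
        return 'Refused or error'
    } finally {
        $client.Close()
    }
}

# Test only the rows where this machine's role is the initiator.
$rows | Where-Object { $_.From -eq $Role } |
    Select-Object Name, Port, To,
        @{ n = 'Target'; e = { $Targets[$_.To] } },
        @{ n = 'Result'; e = {
            Test-TcpPort -ComputerName ($Targets[$_.To]) -Port ([int]$_.Port) -TimeoutMs $TimeoutMs
        } } |
    Format-Table -AutoSize
```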

Similar Messages

  • SCCM 2012 What Ports Do I need to open so DMZ servers can communicate with my SCCM Server?

    Hi,
    What ports do I need to open in the firewall so my DMZ servers can talk to my SCCM server on the network?
    Here are my steps before to make my DMZ servers talk to my SCCM server:
    1.  On my SCCM 2012 SP1 CU2 I have boundaries installed --> I install SCCM Client on my DMZ server with the appropriate switches --> I go back to my SCCM server to approve the server --> Works
    But now my DMZ servers stopped getting definition updates from my SCCM server and it was suggested to me that it is much easier to open ports in DMZ.
    Now, could you please tell me what ports should we open to ensure two way communication among servers?
    Thanks!

    Yes and no. It's a bit muddy at times.
    For Internet based clients, putting an Internet-enabled MP in the DMZ is perfectly acceptable because Internet clients will only choose MPs enabled for Internet communication.
    For systems in the DMZ, that's where it really gets muddy. There's no perfect way to accomplish this. IMO, DMZ clients should be allowed to go back to the MP/DP in the Intranet with a targeted opening in the DMZ firewall rules that allows them to only go to the internal MP. That's a security policy question though for your organization.
    Another option is to treat the clients in the DMZ as Internet only clients. This way, they will only go to the Internet MP in the DMZ. You do lose some functionality though like Remote Control.
    A final way is to actually put an MP/DP in the DMZ and deal with the timeouts that happen when clients try to talk to the MP in the Intranet. Clients will try 5 times to contact that MP before giving up. They try to find a new MP at the following times (which are not configurable):
    - Every 25 hours
    - When the client detects a network change
    - When the client agent starts
    Jason | http://blog.configmgrftw.com

  • Why do some Security Updates get flagged by SCCM 2012 as "Not Required" when the Bulletin ID states they are?

    Hiya
    We've just pushed all updates from the March patch Tuesday Security Bulletin to our test Workstations/Servers (using SCCM 2012 R2)
    One of the patches (MS14-013 - KB2929961) hasn't applied to a selection of 2008 R2 and 2012 Servers, but according to the Bulletin notes for this it is applicable to both. It has applied to my Windows 8 boxes.
    The servers don't already have this applied, it's not a superseded update and SCCM has flagged this as "Required" for x64 versions of Windows 7, Windows 8, Windows 8.1 but "Not required" for any servers.
    Bulletin ID states its applicable to all except Itanium based editions - https://technet.microsoft.com/en-us/security/bulletin/ms14-013
    If I download the update and try to run it manually on the servers I get "The update is not applicable to your computer"
    So it looks as though the WUAgent and SCCM compliance are reporting correctly, but that the Bulletin ID isn't entirely correct??
    Has anyone else found this? We use the Bulletin IDs for monthly meetings on what we're patching and what system it will affect so causes a lot of confusion with system owners when a patch doesn't apply that they're expecting to get applied.
    Thanks!

    Hi,
    Without any in-depth investigation, if I am not mistaken the update is for DirectShow and that component is installed with the Desktop Experience on the server OSes, and therefore the update is not applicable on the servers.
    Could that be the case?
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Open port 5223 through firewall

    I was hoping to get a little assistance in opening a port through our ASA 5510. I need to allow a tcp connection for IP 65.74.157.196 on port 5223 through our firewall to the subnet 10.1.12.0/24.
    In the GUI, I created an access rule on our Outside interface with the source of 65.74.157.196 and the destination of 10.1.12.0/24 with the Service set to tcp 5223 and the Action is Permit.
    Is there anything else I need to configure?

    We are running 8.2.
    This is what I have:
    ACL
    access-list Outside-ISP1_access_in extended permit tcp host RemoteServerIP any 5223
    NAT
    static (Inside,Outside-ISP1) tcp interface 5223 10.1.12.55 5223 netmask 255.255.255.255
    10.1.12.55 is the inside address the remote server needs to communicate with on 5223
    I attached an image of the Packet Tracer results.

  • Is there Java API available for third-party integrations with SCCM 2012? I went through the "Developer's Survival Guide", and it seems that SCCM 2012 SDKs only support C# and PowerShell

    Hi All,
    My team and I are developing a software using Java that works closely with IT management software such as SCCM. Our software will be highly dependent on data stored in SCCM. Basically our software will talk to SCCM to get information about a system managed by SCCM. To be able to do that, our software needs to use a Java API that talks to SCCM. Is there a Java API for SCCM 2012 that we can use? If there is not, what is the workaround to this issue (integrate a Java project with SCCM SDKs)? Any help is appreciated! Thanks!

    Hi,
    As you mentioned, it seems that there is no available Java API for SCCM.
    Just curious, what information do you want to get from SCCM?
    Based on my experience, you could query the SCCM site database to get almost all the information.
    Otherwise, your question seems to be related to SCCM 2012. You may also choose to post there to get more effective help.

  • Report or request for SCCM 2012 computers that require a reboot.

    Hello all. Has anyone done any reports (queries) in SCCM 2012 to identify computers that need a reboot? A similar request (http://social.technet.microsoft.com/Forums/en-US/configmgrsum/thread/3aa49005-9437-4a47-ad39-c2ec7b60c60c/)
    for SCCM 2007 to SCCM 2012 does not work.

    Hi, below is the SQL query to identify the computer name that needs a reboot due to patching.
    -- SCCM 2012
    SELECT TOP 10 *
    FROM v_AssignmentState_Combined
    JOIN v_R_System vrs
        ON vrs.ResourceID = v_AssignmentState_Combined.ResourceID
    WHERE StateID = '5'
    BR// Praveen Sharma B.Tech (E&C), MCSE,MCTS (Exchange)

  • Webmin Port Access through firewall

    OSX 10.8.5
    I just finished installing the latest version of Webmin.
    Everything is working fine but I can not figure out how to allow access through the firewall GUI.
    I need to open port 10000. Any suggestions?

    Thanks, I posted there a few months ago, without luck. I think I've finally found something when Googling the versions of each. iChat on Leopard doesn't use newer authentication protocols and Psi would need recompiled to be compatible. If anyone is curious in the modification here you go:
    http://forum.psi-im.org/thread/5091
    For now I'm looking for an alternative Jabber server to use.

  • Scdpm 2012 r2 port requirement

     
    Dear all,
    We have some servers in the DMZ and need to back up those servers. Can I know which ports need to be open for DPM agent install, backing up, restore, etc.?
    I got to know from some forum that the ports below need to be open. Am I missing anything?
    135/TCP
    Dynamic
    5718/TCP
    5719/TCP
    53/UDP
    88/UDP 88/TCP
    389/TCP
    389/UDP
    137/UDP
    138/UDP
    139/TCP
    445/TCP

    Hello !
    That's right.
    You can refer to this official link : http://technet.microsoft.com/en-us/library/hh757794.aspx
    Hope this helps.

  • Required Ports to connect remote SQL named Instance for SCCM 2012 R2

    Hi,
    I have allowed TCP 1433, 1434, 135 and 80 but am still unable to connect to the remote SQL named instance DB for SCCM 2012 R2, and I am getting the error below. Can you please suggest if any other port is required for this? I have turned off the Windows firewall and the RPC service is running on the remote SQL and SCCM 2012 R2 servers.
    CCMsetuplog
    Shailendra Dev

    During the installation you need more ports. You would also need the (dynamic) RPC ports. See for a complete list (section Site Server --> SQL Server):
    https://technet.microsoft.com/en-us/library/hh427328.aspx
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • IBCM SCCM 2012 r2 DO WE HAVE TO OPEN PORT 8531 IN EXTERNAL firewall

    Hi All
    IBCM SCCM 2012 r2 DO WE HAVE TO OPEN PORT 8531 IN EXTERNAL firewall for our site system in DMZ with role MP, SUP & DP

    I agree, for IBCM you need SSL.
    But as far as I know your Update Point isn't forced to run on SSL (8531) unless you tick your Update point with "Require SSL" within your update point configuration - which of course is the ideal configuration.
    And if that's the case it's running 8530.
    That's true, but for IBCM, as Peter pointed out HTTPS is required. Thus, if you don't configure your WSUS instance to run using SSL, I doubt that it will work simply because the client agent will be "smart" enough to see that you don't have an SSL capable WSUS instance and thus won't configure the WUA to use the non-SSL WSUS instance. I can't say I've tested this though, so it's possible that it works, but I doubt it.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Sccm 2012 R2 - Windows 7 not listening on Port 80

    Hello,
    In looking through smsts.log and IIS logs I saw a lot of errors communicating on Port 80. When I tried to telnet from a PC to our SCCM 2012 server using port 80, it goes through fine. But when I tried it the other way around, it fails. When I ran netstat -an |find /i "listening" on my PC and others around me, I discovered port 80 isn't listening. The firewall is off on both the PCs and SCCM primary server. Port 80 isn't blocked on the network.
      TCP     0.0.0.0:135            0.0.0.0:0              LISTENING
      TCP     0.0.0.0:445            0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1025           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1026           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1027           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1028           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1036           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1041           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:1057           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:3389           0.0.0.0:0              LISTENING
      TCP     0.0.0.0:5357           0.0.0.0:0              LISTENING
      TCP     127.0.0.1:5020         0.0.0.0:0              LISTENING
      TCP     127.0.0.1:5354         0.0.0.0:0              LISTENING
      TCP     127.0.0.1:27015        0.0.0.0:0              LISTENING
      TCP     127.0.0.1:62522        0.0.0.0:0              LISTENING
      TCP     172.24.94.131:139      0.0.0.0:0              LISTENING
      TCP     172.24.102.23:139      0.0.0.0:0              LISTENING
      TCP     [::]:135               [::]:0                 LISTENING
      TCP     [::]:445               [::]:0                 LISTENING
      TCP     [::]:1025              [::]:0                 LISTENING
      TCP     [::]:1026              [::]:0                 LISTENING
      TCP     [::]:1027              [::]:0                 LISTENING
      TCP     [::]:1028              [::]:0                 LISTENING
      TCP     [::]:1036              [::]:0                 LISTENING
      TCP     [::]:1042              [::]:0                 LISTENING
      TCP     [::]:1057              [::]:0                 LISTENING
      TCP     [::]:3389              [::]:0                 LISTENING
      TCP     [::]:5357              [::]:0                 LISTENING
    I was told something has to initiate port 80 being open on win7.  Is this true? If so, any idea why sccm isn't doing this? I could switch to port 8530 (have to do this for wsus too), but would think networking would have to open this port and then again, would the pc listen for it?
    PS, The sccm position before this one,  dealt with Servers, that must have had port 80 listening.

    After installing SCCM client via Task Sequence, and rebooting, the Self-signed certificate never comes down so the other Action items in Configuration Manager Properties never come down. The only way I can get the Certificate to come down (seen in MMC) is to give full permission (No one had rights initially) to rsa keys folder, delete smscfg.ini file and restart the sms host service. But if you go into configuration manager properties the client certificate is still shown as None. The locationServices.log shows: failed to send management point list location request message to Primary Server/MP. If I try http://PrimaryServer it fails to connect from a pc. But if I try it from the primary server sccm01 it works fine. Port 80 is open on the network.
    smsts shows:
     Sending with winhttp Failed; 80072ee2  and also socket connect failed; 8007274c
    Is there any other logs I can send you to help resolve this?
    Again, Thanks so much for all of your help!!!
    Mark

  • MS Office Pro 2013 Deployment through SCCM 2012 R2

    Hi Friends,
    I have deployed MS Office Pro 2013 through SCCM 2012. But from Windows 7 Client Machines It's not Installing. Noticed following error in Software Center.
    I'm testing two deployments before bring into production.
    Test Machine 1 :  Purpose = Available 
    From Software Center I have found Test Machine 1 is Status failed.
    Test Machine 2 : Purpose = Required
    From Software Center I have found Test Machine 2 is Status post due-will be retried
    The following Error code is same for both Machines.
    ====================================================
    The software change returned error code 0x87D00607(-2016410105).
    ====================================================
    Any idea please .
    Regards,Ali

    Hi,
    Check out this great guide from Ronni on how to deploy Office 2013 using Configuration Manager 2012, a good read. https://gallery.technet.microsoft.com/office/How-to-Deploying-Office-0f954e7f
    Is the content successfully deployed to all DPs?
    Regards,
    Jörgen
    -- My System Center blog ccmexec.com -- Twitter
    @ccmexec

  • Windows 8.1 clients are not detecting updates deployed to them through SCCM 2012 R2

    Hello, 
    We are using SCCM 2012 R2 to deploy software updates. 
    On Windows 8.1 SCCM does not show certain updates as being needed and isn't deploying them to the clients even though Windows Update will show them as high importance. These same updates are being detected and deployed to Windows 8 clients successfully.
    I believe that the update catalog that WSUS uses may have some incorrect detection rules for the following updates:  
    2917933
    2913320
    2913270
    2913152
    2909569
    2904440
    2904266
    2903939
    2899189 
    2893984
    2893294
    2892074
    2916626
    2898785
    My automatic deployment rules include Windows 8.1 in the product category. I have even created a standalone rule for Windows 8.1 that builds a new package and the behavior is the same. 
    We only have a handful of Windows 8+ clients so this hasn't been a big issue but others may want to keep an eye out. 

    I am also running into this issue.  After "checking online for updates" on one of my machines in office I found that there were 21 important updates for my 8.1 box.  When I cross reference them in SCCM under All Software Updates, it appears these 8.1 updates are not listed.  They are however listed for all other OS.
    10 seconds after typing this, I went in to verify my WSUS ->  Products and Classifications settings and come to find 8.1 and 2012 R2 weren't selected, even though it's an option in SCCM.  Go figure!  This wasn't the end though.  After running a Synchronization, my issue still wasn't resolved.  Went back to check my settings and they again were changed back to having these OS unchecked.  Finally, a solution!  I found that in SCCM, under Administration tab, Site Configuration > Sites > ABC - Mysitename, right click and scroll down to "Configure Site Components" > Software Update Point.  This setting (although the same as is in WSUS) takes precedence, thus was rolling my settings back to the original configuration in WSUS.
    So long story short, even though my automatic deployment rules stated approve all windows 7/8/8.1 criticals/importants, 8.1 was getting skipped for the most part because my WSUS server wasn't syncing with Microsoft for all of the updates I required.  I did have a couple of updates that squeezed through because they were categorized as "Security Updates for Windows 8, 8.1".
    Not sure if this is the solution you were looking for, but your thread got me started in the right direction, hopefully this response helps in the same way!
    Thanks!

  • Add site system role through automation, SCCM 2012 Sp1

    hi
    Trying to add a reporting point through powershell or the SDK with no luck.
    Does anyone out there have any idea how to do this? We are trying to automate the process of everything.
    When adding through PowerShell it's a success with the role itself, but when accessing the reporting node the console crashes and the links are missing.
    Any ideas or tips?
    Regards
    Lasse
    shaggys

    This was finally fixed in CU3 for SCCM 2012 R2 and I can confirm that it does work with CU4 for SCCM 2012 R2.
    One note is that the cmdlet documentation is not 100% accurate.  For example, the example listed in get-help excludes required parameters.  Also, the parameter descriptions are not descriptive enough without knowing additional information about the role/point.  Here is what worked for me:
    Add-CMReportingServicePoint -SiteCode $SiteCode -SiteSystemServerName $SCCMpriFQDN -DatabaseServerName $SCCMpriFQDN -DatabaseName "CM_$SiteCode" -ReportServerInstance $SCCMsqlDatabaseInstanceName -FolderName "ConfigMgr_$SiteCode" -UserName $CMAaccountConfiguredAsSSRSexecutionAccount

  • CRM2013 Silent deployment through SCCM 2012 R2

    Hello.
    First of all I'm sorry if I'm posting in the wrong forum - but this seemed like the correct one.
    I want to deploy CRM 2013 Outlook Client through Software Center - but I can't seem to get it working.
    I can't seem to find a way to disable / accept the License Agreement automatically, so that our Domain Users can enjoy a completely silent CRM deployment.
    I have tried several guides, and I have also tried with SetupClient.exe /A - and the "guide" completes, but the CrmClient_32.msi doesn't work.
    I would really appreciate it if some of you guys would help me out :)
    We are using SCCM 2012 R2
    Datatechnician

    Looks like you need the /Q switch for this
    http://msdn.microsoft.com/en-us/library/hh699665.aspx
    /Q              
    Quiet mode installation. This parameter requires a configuration file in XML format. The /i parameter contains the name of the XML configuration file. No dialog boxes or error messages will appear on the display screen. To capture error message information,
    include the log file parameter (/L or /LV).
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Hello.
    I've found the solution myself :)
    SetupClient.exe /quiet /passive /norestart
    I didn't think that you could have a /q and /p at the same time
    Datatechnician
