This guide includes a list of all the firewall ports used in Configuration Manager. To make it easier to understand, I have grouped the SCCM firewall ports according to the components, roles, and the direction in which they must be opened.
When you plan to install Configuration Manager, you need to be aware of the network ports that every component and role requires or uses. The roles such as management point, software update points, distribution points require certain pre-defined ports to be allowed on the firewall.
For example, SCCM client push firewall ports are different from the ones required by the Configuration Manager console. Therefore you should only permit specific ports and programs required by these roles on a firewall. Turning off the firewall or disabling it on clients or site servers is not recommended, as opening all ports creates potential entry points for attackers.
Over the years, Microsoft has removed and deprecated features for Configuration Manager. Some of them include site system roles for on-premises MDM and macOS clients, enrollment proxy and enrollment point, asset intelligence, and so on. You don’t have to open the ports for these roles as they are not used anymore.
Configurable vs Non-Configurable ports
Configuration Manager clients and site systems make use of a number of network ports, some of which are configurable while some of them are not configurable. Some connections allow you to specify custom ports but there are very few.
Microsoft advises you to check if these ports can be configured if your organization uses any port filtering technology. Some examples of these port filtering technologies include firewalls, routers, proxy servers, or IPsec.
| Ports that you can configure | Ports that cannot be configured |
|---|---|
| Client-to-site systems that run IIS | Site to site |
| Client to internet (as proxy server settings) | Site server to site system |
| Software update points to internet and WSUS | Configuration Manager console to SMS Provider |
| Site server to site database server & WSUS database server | Configuration Manager console to the internet |
| Reporting services points | Connections to cloud services, such as Microsoft Azure |
Firewall Ports used by SCCM Clients
The table below lists all the ports used by clients for communicating with other ConfigMgr components, along with the port number, protocol and the direction of the communication.
The direction of communication is represented using an arrow icon:
Indicates one-way communication, which means the communication starts from source and the destination computer responds.
Indicates that communication can start from either source or destination.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| Client | Client | UDP 25536 | Wake-up-proxy | Client Client |
| Client | Client | UDP 9 | Wake on LAN | Client Client |
| Client | Client | UDP 8004 | Windows PE Peer cache broadcast | Client Client |
| Client | Client | TCP 8003 | Windows PE Peer cache download | Client Client |
| Client | Cloud Distribution Point | TCP 443 | HTTPS | Client Cloud DP |
| Client | Network Device Enrollment Service | TCP 80 TCP 443 | HTTP HTTPS | Client NDES |
| Client | Cloud Management Gateway | TCP 443 | HTTPS | Client CMG |
| Client | Distribution Point and Pull DP | TCP 80 TCP 443 TCP 8005 | HTTP HTTPS Express Updates | Client DP, Pull DP |
| Client | Distribution Point with Multicast and Pull DP | TCP 445 UDP 63000 – 64000 | SMB Multicast Protocol | Client DP, Pull DP |
| Client | Distribution Point with PXE | UDP 67, 68 UDP 69 UDP 4011 UDP 547 | DHCP TFTP BINL DHCPv6 | Client DP, Pull DP |
| Client | Fallback Status Point | TCP 80 | HTTPS | Client FSP |
| Client | Global Domain Controller | TCP 3268 | Global catalog LDAP | Client DC |
| Client | Management Point | TCP 10123 TCP 80 TCP 443 | Client Notification HTTP HTTPS | Client MP |
| Client | Software Update Point | TCP 80 or 8530 TCP 443 or 8531 | HTTP HTTPS | Client SUP |
| Client | State Migration Point | TCP 80 TCP 443 TCP 445 | HTTP HTTPS SMB | Client SMP |
SCCM Client Push Firewall Ports
The below table lists all the ports that are used with client push installation.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| SCCM Server | Client | TCP 445 | SMB | SCCM Server Client |
| SCCM Server | Client | TCP 135 UDP 135 | RPC Endpoint Mapper | SCCM Server Client |
| SCCM Server | Client | TCP Dynamic | RPC Dynamic Ports | SCCM Server Client |
| Client | Management Point | TCP 80 TCP 443 | HTTP HTTPS | Client Management Point |
Firewall Ports used by Site Server
The table below lists all the SCCM firewall ports used by site servers for communicating with other ConfigMgr components, along with the port number, protocol and the direction of the communication.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| Site Server | Client | UDP 9 | Wake on LAN | Site Server Client |
| Site Server | Cloud DP | TCP 443 | HTTPS | Site Server Cloud DP |
| Site Server | Distribution Point | TCP 445 TCP, UDP 135 RPC Dynamic | SMB RPC Endpoint Ephemeral port | Site Server SCCM DP |
| Site Server | Domain Controller | TCP, UDP 389 TCP, UDP 636 TCP 3268 RPC 135 RPC Dynamic | LDAP Secure LDAP GC LDAP RPC Endpoint RPC Ephemeral | Site Server DC |
| Site Server | CMG connection point | TCP 445 TCP, UDP 135 RPC Dynamic | SMB RPC Endpoint RPC Ephemeral | Site Server CMG |
| Site Server | Endpoint Protection Point | TCP 445 TCP, UDP 135 RPC Dynamic | SMB RPC Endpoint RPC Ephemeral | Site Server EPP |
| Site Server | Fallback Status Point | TCP 445 TCP, UDP 135 RPC Dynamic | SMB RPC Endpoint RPC Ephemeral | Site Server FSP |
| Site Server | Internet | TCP 80 TCP 443 | HTTP HTTPS | Site Server Internet |
| Site Server | Issuing CA | TCP, UDP 135 RPC Dynamic | RPC Endpoint RPC Ephemeral | Site Server CA |
| Site Server | Content Library Share | TCP 445 | SMB | Site Server Content Library |
| Site Server | Service Connection Point | TCP 445 TCP, UDP 135 RPC Dynamic | SMB RPC Endpoint RPC Ephemeral | Site Server SCP |
| Site Server | Reporting Services Point | TCP 445 TCP, UDP 135 RPC Dynamic | SMB RPC Endpoint RPC Ephemeral | Site Server RSP |
| Site Server | Site Server | TCP 445 | SMB | Site Server Site Server |
| Site Server | SQL Server | TCP 1433 | SQL over TCP | Site Server SQL Server |
| Site Server | SQL Server for WSUS | TCP 1433 | SQL over TCP | Site Server SQL WSUS Server |
| Site Server | SMS Provider | TCP 445 TCP, UDP 135 RPC Dynamic | SMB RPC Endpoint RPC Ephemeral | Site Server SMS Provider |
| Site Server | Software Update Point | TCP 445 TCP, UDP 135 RPC Dynamic TCP 80 or 8530 TCP 443 or 8531 | SMB RPC Endpoint RPC Ephemeral HTTP HTTPS | Site Server SUP Server |
| Site Server | State Migration Point | TCP 445 TCP, UDP 135 | SMB RPC Endpoint Mapper | Site Server State Migration Point Server |
Management Point Network Ports
Here is a list of network ports that the Management Point server requires for communication with other components. Make sure your firewall allows these ports.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| Management Point | Domain Controller | TCP, UDP 389 TCP, UDP 636 TCP 3268 TCP 135 | LDAP Secure LDAP GC LDAP RPC Endpoint Mapper | Management Point Domain Controller |
| Management Point | Site Server | TCP 135 TCP 445 RPC | RPC Endpoint SMB Dynamic | Management Point Site Server |
| Management Point | SQL Server | TCP 1433 | SQL over TCP | Management Point SQL Server |
Software Update Point Firewall Ports
The table below lists all the SCCM firewall ports used by the software update point role.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| Software Update Point | Internet | TCP 80 | HTTP | SUP Internet |
| Software Update Point | WSUS Server | TCP 80 or 8530 TCP 443 or 8531 | HTTP HTTPS | SUP WSUS |
Ports used by Configuration Manager console
The table below lists all the firewall ports used by the Configuration Manager console for communicating with other components, along with the port number, protocol and the direction of the communication.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| ConfigMgr Console | Client | TCP 2701 TCP 3389 | Remote Control Remote Assistance | Console Client |
| SCCM Console | Internet | TCP 80 or 8530 TCP 443 or 8531 | HTTP HTTPS | Console Internet |
| SCCM Console | Reporting Services Point | TCP 80 TCP 443 | HTTP HTTPS | Console RSP |
| ConfigMgr Console | Site Server | TCP 135 | RPC | Console Site Server |
| ConfigMgr Console | SMS Provider | TCP, UDP 135 RPC Dynamic TCP 443 | RPC EP Mapper RPC HTTPS | Console SMS Provider |
Ports used by Service Connection Point
The table below lists all the firewall ports used by the Service Connection Point for communicating with other components.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| Service Connection Point | Azure CMG | TCP 443 | HTTPS | Service Connection Point CMG |
| Service Connection Point | Azure Logic App | TCP 443 | HTTPS | Service Connection Point Azure Logic App |
| Service Connection Point | SQL Server | TCP 1433 | SQL over TCP | Service Connection Point SQL Server |
CMG Connection Point Ports
The table below lists all the firewall ports used by the CMG Connection Point in Configuration Manager.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| CMG Connection Point | CMG virtual machine scale set | TCP 443 TCP 10124-10139 | HTTPS (1 VM) HTTPS (2+ VMs) | CMG Connection Point CMG virtual machine scale set |
| CMG Connection Point | CMG classic cloud service | TCP 10140-10155 TCP 443 TCP 10124-10139 | TCP-TLS HTTPS fallback (1 VM) HTTPS fallback (more than 1 VM) | CMG Connection Point CMG classic cloud service |
| CMG Connection Point | Management point | TCP 80 TCP 443 | HTTP HTTPS | CMG Connection Point Management point |
| CMG Connection Point | Software update point | TCP 80/8530 TCP 443/8531 | HTTP HTTPS | CMG Connection Point SUP |
SCCM Distribution Point Firewall Ports
A distribution point requires the following network ports to be opened in the firewall.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| Distribution Point | Management Point | TCP 80 TCP 443 | HTTP HTTPS | Distribution Point Management Point |
| Pull DP | Source DP | TCP 80 TCP 443 | HTTP HTTPS | Pull DP Source DP |
Endpoint Protection Role Ports
If you have set up the Endpoint Protection role in SCCM, this role uses the following firewall ports.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| Endpoint Protection Role | Internet | TCP 80 | HTTP | Endpoint Protection Role Internet |
| Endpoint Protection Role | SQL Server | TCP 1433 | SQL over TCP | Endpoint Protection Role SQL Server |
SQL Server Firewall Ports
The SQL server for Configuration Manager does require a few network ports to operate. For example, the Intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server at its parent or child site.
| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
|---|---|---|---|---|
| SQL Server | SQL Server | TCP 1433 | SQL Server Service | SQL Server SQL Server |
| SQL Server | SQL Server | TCP 4022 | SQL Service Broker | SQL Server SQL Server |
| Reporting Services Point | SQL Server | TCP 1433 | SQL over TCP | Reporting Service Point SQL Server |
| SMS Provider | SQL Server | TCP 1433 | SQL over TCP | SMS Provider SQL Server |
| State Migration Point | SQL Server | TCP 1433 | SQL over TCP | State Migration Point SQL Server |
Ports used by Discovery Methods in SCCM
The following Configuration Manager firewall ports are used for the discovery and publishing of site information:
| Protocol Name | Port Number |
|---|---|
| Lightweight Directory Access Protocol (LDAP) | 389 |
| Global Catalog LDAP | 3268 |
| Secure LDAP | 636 |
| RPC Endpoint Mapper | 135 |
| RPC Dynamic Ports | 1024:5000 and 49152: 65535 |
