This guide includes a list of all the firewall ports used in Configuration Manager. To make it easier to understand, I have grouped the SCCM firewall ports according to the components, roles, and the direction in which they must be opened.
When you plan to install Configuration Manager, you need to be aware of the network ports that every component and role requires or uses. Roles such as the management point, software update point, and distribution point require certain pre-defined ports to be allowed on the firewall.
For example, SCCM client push firewall ports are different from the ones required by the Configuration Manager console. Therefore, you should only permit the specific ports and programs required by these roles on a firewall. Turning off the firewall or disabling it on clients or site servers is not recommended, as opening all ports creates potential entry points for attackers.

Over the years, Microsoft has removed and deprecated features for Configuration Manager. Some of them include site system roles for on-premises MDM and macOS clients, enrollment proxy and enrollment point, asset intelligence, and so on. You don’t have to open the ports for these roles as they are not used anymore.
Configurable vs Non-Configurable ports
Configuration Manager clients and site systems use a number of network ports, some of which are configurable and some of which are not. Only a few connections allow you to specify custom ports.
If your organization uses any port filtering technology, Microsoft advises you to check whether these ports can be configured. Examples of port filtering technologies include firewalls, routers, proxy servers, and IPsec.
Ports that you can configure | Ports that cannot be configured |
---|---|
Client-to-site systems that run IIS | Site to site |
Client to internet (as proxy server settings) | Site server to site system |
Software update points to internet and WSUS | Configuration Manager console to SMS Provider |
Site server to site database server & WSUS database server | Configuration Manager console to the internet |
Reporting services points | Connections to cloud services, such as Microsoft Azure |
Firewall Ports used by SCCM Clients
The table below lists all the ports used by clients for communicating with other ConfigMgr components, along with the port number, protocol and the direction of the communication.
The direction of communication is represented using an arrow icon:
One-way arrow: indicates one-way communication, which means the communication starts from the source and the destination computer responds.
Two-way arrow: indicates that communication can start from either the source or the destination.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
Client | Client | UDP 25536 | Wake-up-proxy | Client |
Client | Client | UDP 9 | Wake on LAN | Client |
Client | Client | UDP 8004 | Windows PE Peer cache broadcast | Client |
Client | Client | TCP 8003 | Windows PE Peer cache download | Client |
Client | Cloud Distribution Point | TCP 443 | HTTPS | Client |
Client | Network Device Enrollment Service | TCP 80; TCP 443 | HTTP; HTTPS | Client |
Client | Cloud Management Gateway | TCP 443 | HTTPS | Client |
Client | Distribution Point and Pull DP | TCP 80; TCP 443; TCP 8005 | HTTP; HTTPS; Express Updates | Client |
Client | Distribution Point with Multicast and Pull DP | TCP 445; UDP 63000-64000 | SMB; Multicast Protocol | Client |
Client | Distribution Point with PXE | UDP 67, 68; UDP 69; UDP 4011; UDP 547 | DHCP; TFTP; BINL; DHCPv6 | Client |
Client | Fallback Status Point | TCP 80 | HTTPS | Client |
Client | Global Domain Controller | TCP 3268 | Global catalog LDAP | Client |
Client | Management Point | TCP 10123; TCP 80; TCP 443 | Client Notification; HTTP; HTTPS | Client |
Client | Software Update Point | TCP 80 or 8530; TCP 443 or 8531 | HTTP; HTTPS | Client |
Client | State Migration Point | TCP 80; TCP 443; TCP 445 | HTTP; HTTPS; SMB | Client |
SCCM Client Push Firewall Ports
The table below lists all the ports that are used with client push installation.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
SCCM Server | Client | TCP 445 | SMB | SCCM Server |
SCCM Server | Client | TCP 135; UDP 135 | RPC Endpoint Mapper | SCCM Server |
SCCM Server | Client | TCP Dynamic | RPC Dynamic Ports | SCCM Server |
Client | Management Point | TCP 80; TCP 443 | HTTP; HTTPS | Client |
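As an added example (not from the original article or from Microsoft's documentation), the following PowerShell creates the inbound client push rules from the table above on a client and restricts them to the site server instead of allowing any remote address. The address 10.0.0.10 and the rule group name are placeholders assumed for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: scope the client push ports from the table above to the site server only.
# Assumptions (not from the article): the site server address and the rule group name.

$SiteServer = '10.0.0.10'                        # constructed placeholder: your site server's IP
$Group      = 'ConfigMgr Client Push (example)'  # hypothetical group name for these rules

# Inbound ports a client needs for client push, taken from the table above.
# 'RPCEPMap' and 'RPC' are Windows Firewall keywords for the RPC endpoint mapper
# (TCP 135) and the dynamically assigned RPC ports; they apply to inbound TCP rules.
$rules = @(
    @{ Name = 'SMB';                       Protocol = 'TCP'; Port = '445' }
    @{ Name = 'RPC Endpoint Mapper (TCP)'; Protocol = 'TCP'; Port = 'RPCEPMap' }
    @{ Name = 'RPC Endpoint Mapper (UDP)'; Protocol = 'UDP'; Port = '135' }
    @{ Name = 'RPC Dynamic Ports';         Protocol = 'TCP'; Port = 'RPC' }
)

# Idempotent: remove rules left by an earlier run before recreating them.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

foreach ($r in $rules) {
    # -RemoteAddress limits who may connect; leaving it out would default to 'Any'.
    New-NetFirewallRule -DisplayName "$Group - $($r.Name)" -Group $Group `
        -Direction Inbound -Action Allow -Profile Domain `
        -Protocol $r.Protocol -LocalPort $r.Port `
        -RemoteAddress $SiteServer | Out-Null
}

# Verify: list each rule with its port and remote scope, and flag any rule open to 'Any'.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
        Scoped        = ($addr.RemoteAddress -notcontains 'Any')
    }
} | Format-Table -AutoSize
```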
Firewall Ports used by Site Server
The table below lists all the SCCM firewall ports used by site servers for communicating with other ConfigMgr components, along with the port number, protocol and the direction of the communication.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
Site Server | Client | UDP 9 | Wake on LAN | Site Server |
Site Server | Cloud DP | TCP 443 | HTTPS | Site Server |
Site Server | Distribution Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; Ephemeral port | Site Server |
Site Server | Domain Controller | TCP, UDP 389; TCP, UDP 636; TCP 3268; RPC 135; RPC Dynamic | LDAP; Secure LDAP; GC LDAP; RPC Endpoint; RPC Ephemeral | Site Server |
Site Server | CMG connection point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server |
Site Server | Endpoint Protection Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server |
Site Server | Fallback Status Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server |
Site Server | Internet | TCP 80; TCP 443 | HTTP; HTTPS | Site Server |
Site Server | Issuing CA | TCP, UDP 135; RPC Dynamic | RPC Endpoint; RPC Ephemeral | Site Server |
Site Server | Content Library Share | TCP 445 | SMB | Site Server |
Site Server | Service Connection Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server |
Site Server | Reporting Services Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server |
Site Server | Site Server | TCP 445 | SMB | Site Server |
Site Server | SQL Server | TCP 1433 | SQL over TCP | Site Server |
Site Server | SQL Server for WSUS | TCP 1433 | SQL over TCP | Site Server |
Site Server | SMS Provider | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server |
Site Server | Software Update Point | TCP 445; TCP, UDP 135; RPC Dynamic; TCP 80 or 8530; TCP 443 or 8531 | SMB; RPC Endpoint; RPC Ephemeral; HTTP; HTTPS | Site Server |
Site Server | State Migration Point | TCP 445; TCP, UDP 135 | SMB; RPC Endpoint Mapper | Site Server |
Management Point Network Ports
Here is a list of network ports that the Management Point server requires for communication with other components. Make sure your firewall allows these ports.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
Management Point | Domain Controller | TCP, UDP 389; TCP, UDP 636; TCP 3268; TCP 135 | LDAP; Secure LDAP; GC LDAP; RPC Endpoint Mapper | Management Point |
Management Point | Site Server | TCP 135; TCP 445; RPC | RPC Endpoint; SMB; Dynamic | Management Point |
Management Point | SQL Server | TCP 1433 | SQL over TCP | Management Point |
Software Update Point Firewall Ports
The table below lists all the SCCM firewall ports used by the software update point role.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
Software Update Point | Internet | TCP 80 | HTTP | SUP |
Software Update Point | WSUS Server | TCP 80 or 8530; TCP 443 or 8531 | HTTP; HTTPS | SUP |
Ports used by Configuration Manager console
The table below lists all the firewall ports used by the Configuration Manager console for communicating with other components, along with the port number, protocol and the direction of the communication.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
ConfigMgr Console | Client | TCP 2701; TCP 3389 | Remote Control; Remote Assistance | Console |
SCCM Console | Internet | TCP 80 or 8530; TCP 443 or 8531 | HTTP; HTTPS | Console |
SCCM Console | Reporting Services Point | TCP 80; TCP 443 | HTTP; HTTPS | Console |
ConfigMgr Console | Site Server | TCP 135 | RPC | Console |
ConfigMgr Console | SMS Provider | TCP, UDP 135; RPC Dynamic; TCP 443 | RPC EP Mapper; RPC; HTTPS | Console |
Ports used by Service Connection Point
The table below lists all the firewall ports used by the Service Connection Point for communicating with other components.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
Service Connection Point | Azure CMG | TCP 443 | HTTPS | Service Connection Point |
Service Connection Point | Azure Logic App | TCP 443 | HTTPS | Service Connection Point |
Service Connection Point | SQL Server | TCP 1433 | SQL over TCP | Service Connection Point |
CMG Connection Point Ports
The table below lists all the firewall ports used by the CMG Connection Point in Configuration Manager.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
CMG Connection Point | CMG virtual machine scale set | TCP 443; TCP 10124-10139 | HTTPS (1 VM); HTTPS (2+ VMs) | CMG Connection Point |
CMG Connection Point | CMG classic cloud service | TCP 10140-10155; TCP 443; TCP 10124-10139 | TCP-TLS; HTTPS fallback (1 VM); HTTPS fallback (more than 1 VM) | CMG Connection Point |
CMG Connection Point | Management point | TCP 80; TCP 443 | HTTP; HTTPS | CMG Connection Point |
CMG Connection Point | Software update point | TCP 80/8530; TCP 443/8531 | HTTP; HTTPS | CMG Connection Point |
SCCM Distribution Point Firewall Ports
A distribution point requires the following network ports to be opened in the firewall.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
Distribution Point | Management Point | TCP 80; TCP 443 | HTTP; HTTPS | Distribution Point |
Pull DP | Source DP | TCP 80; TCP 443 | HTTP; HTTPS | Pull DP |
Endpoint Protection Role Ports
If you have set up the Endpoint Protection role in SCCM, this role uses the following firewall ports.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
Endpoint Protection Role | Internet | TCP 80 | HTTP | Endpoint Protection Role |
Endpoint Protection Role | SQL Server | TCP 1433 | SQL over TCP | Endpoint Protection Role |
SQL Server Firewall Ports
The SQL Server for Configuration Manager requires a few network ports to operate. For example, intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server at its parent or child site.
Source | Destination | Protocol and Port Number | Description | Direction of Communication |
---|---|---|---|---|
SQL Server | SQL Server | TCP 1433 | SQL Server Service | SQL Server |
SQL Server | SQL Server | TCP 4022 | SQL Service Broker | SQL Server |
Reporting Services Point | SQL Server | TCP 1433 | SQL over TCP | Reporting Services Point |
SMS Provider | SQL Server | TCP 1433 | SQL over TCP | SMS Provider |
State Migration Point | SQL Server | TCP 1433 | SQL over TCP | State Migration Point |
Ports used by Discovery Methods in SCCM
The following Configuration Manager firewall ports are used for the discovery and publishing of site information:
Protocol Name | Port Number |
---|---|
Lightweight Directory Access Protocol (LDAP) | 389 |
Global Catalog LDAP | 3268 |
Secure LDAP | 636 |
RPC Endpoint Mapper | 135 |
RPC Dynamic Ports | 1024:5000 and 49152:65535 |