This guide includes a list of all the firewall ports used in Configuration Manager. To make it easier to understand, I have grouped the SCCM firewall ports according to the components, roles, and the direction in which they must be opened.

When you plan to install Configuration Manager, you need to be aware of the network ports that every component and role requires or uses. Roles such as the management point, software update point, and distribution point require certain pre-defined ports to be allowed on the firewall.

For example, SCCM client push firewall ports are different from the ones required by the Configuration Manager console. Therefore you should only permit specific ports and programs required by these roles on a firewall. Turning off the firewall or disabling it on clients or site servers is not recommended, as opening all ports creates potential entry points for attackers.


Over the years, Microsoft has removed and deprecated features for Configuration Manager. Some of them include site system roles for on-premises MDM and macOS clients, enrollment proxy and enrollment point, asset intelligence, and so on. You don’t have to open the ports for these roles as they are not used anymore.

Configurable vs Non-Configurable ports

Configuration Manager clients and site systems use a number of network ports. Some of these ports are configurable and some are not. Only a few connections allow you to specify custom ports.

Microsoft advises you to check if these ports can be configured if your organization uses any port filtering technology. Some examples of these port filtering technologies include firewalls, routers, proxy servers, or IPsec.

| Ports that you can configure | Ports that cannot be configured |
| --- | --- |
| Client-to-site systems that run IIS | Site to site |
| Client to internet (as proxy server settings) | Site server to site system |
| Software update points to internet and WSUS | Configuration Manager console to SMS Provider |
| Site server to site database server & WSUS database server | Configuration Manager console to the internet |
| Reporting services points | Connections to cloud services, such as Microsoft Azure |

Firewall Ports used by SCCM Clients

The table below lists all the ports used by clients for communicating with other ConfigMgr components, along with the port number, protocol and the direction of the communication.

The direction of communication is represented using an arrow:

→ (unidirectional): Indicates one-way communication, which means the communication starts from the source and the destination computer responds.

↔ (bidirectional): Indicates that communication can start from either the source or the destination.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| Client | Client | UDP 25536 | Wake-up-proxy | Client → Client (unidirectional) |
| Client | Client | UDP 9 | Wake on LAN | Client → Client (unidirectional) |
| Client | Client | UDP 8004 | Windows PE Peer cache broadcast | Client → Client (unidirectional) |
| Client | Client | TCP 8003 | Windows PE Peer cache download | Client → Client (unidirectional) |
| Client | Cloud Distribution Point | TCP 443 | HTTPS | Client → Cloud DP (unidirectional) |
| Client | Network Device Enrollment Service | TCP 80; TCP 443 | HTTP; HTTPS | Client → NDES (unidirectional) |
| Client | Cloud Management Gateway | TCP 443 | HTTPS | Client → CMG (unidirectional) |
| Client | Distribution Point and Pull DP | TCP 80; TCP 443; TCP 8005 | HTTP; HTTPS; Express Updates | Client → DP, Pull DP (unidirectional) |
| Client | Distribution Point with Multicast and Pull DP | TCP 445; UDP 63000 – 64000 | SMB; Multicast Protocol | Client → DP, Pull DP (unidirectional) |
| Client | Distribution Point with PXE | UDP 67, 68; UDP 69; UDP 4011; UDP 547 | DHCP; TFTP; BINL; DHCPv6 | Client → DP, Pull DP (unidirectional) |
| Client | Fallback Status Point | TCP 80 | HTTPS | Client → FSP (unidirectional) |
| Client | Global Domain Controller | TCP 3268 | Global catalog LDAP | Client → DC (unidirectional) |
| Client | Management Point | TCP 10123; TCP 80; TCP 443 | Client Notification; HTTP; HTTPS | Client → MP (unidirectional) |
| Client | Software Update Point | TCP 80 or 8530; TCP 443 or 8531 | HTTP; HTTPS | Client → SUP (unidirectional) |
| Client | State Migration Point | TCP 80; TCP 443; TCP 445 | HTTP; HTTPS; SMB | Client → SMP (unidirectional) |

SCCM Client Push Firewall Ports

The table below lists all the ports that are used with client push installation.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| SCCM Server | Client | TCP 445 | SMB | SCCM Server → Client (unidirectional) |
| SCCM Server | Client | TCP 135; UDP 135 | RPC Endpoint Mapper | SCCM Server → Client (unidirectional) |
| SCCM Server | Client | TCP Dynamic | RPC Dynamic Ports | SCCM Server → Client (unidirectional) |
| Client | Management Point | TCP 80; TCP 443 | HTTP; HTTPS | Client → Management Point (unidirectional) |
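
The following is an added example, not part of the original article or of Microsoft's tooling: it creates the inbound client push rules from the table above on a client and limits them to a single site server address instead of opening the ports to every source. The address `192.0.2.10` and the rule group name are placeholders chosen for illustration.

```powershell
# Added example: inbound Windows Firewall rules on a client for client push,
# scoped to the site server only. Run in an elevated PowerShell session.
# $SiteServerIp and $Group are placeholders; replace them with your own values.
$SiteServerIp = '192.0.2.10'
$Group        = 'ConfigMgr Client Push (example)'

# Server-to-client ports from the client push table.
# 'RPCEPMap' and 'RPC' are New-NetFirewallRule keywords for the RPC endpoint
# mapper (TCP 135) and the dynamically assigned RPC ports, so no fixed
# ephemeral range has to be opened.
$rules = @(
    @{ Name = 'SMB';                       Protocol = 'TCP'; Port = '445'      }
    @{ Name = 'RPC Endpoint Mapper (TCP)'; Protocol = 'TCP'; Port = 'RPCEPMap' }
    @{ Name = 'RPC Endpoint Mapper (UDP)'; Protocol = 'UDP'; Port = '135'      }
    @{ Name = 'RPC Dynamic Ports';         Protocol = 'TCP'; Port = 'RPC'      }
)

foreach ($r in $rules) {
    $displayName = "ConfigMgr client push - $($r.Name)"

    # Skip rules that already exist so the script can be re-run safely.
    if (Get-NetFirewallRule -DisplayName $displayName -ErrorAction SilentlyContinue) {
        continue
    }

    $params = @{
        DisplayName   = $displayName
        Group         = $Group
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = 'Domain'          # only while on the domain network
        Protocol      = $r.Protocol
        LocalPort     = $r.Port
        RemoteAddress = $SiteServerIp     # only the site server may connect
    }
    New-NetFirewallRule @params | Out-Null
}

# Review what was created: each rule with its port and remote-address scope.
Get-NetFirewallRule -Group $Group | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}
```

The client to management point row (TCP 80 and 443) is outbound from the client, so it needs no inbound rule on the client.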

Firewall Ports used by Site Server

The table below lists all the SCCM firewall ports used by site servers for communicating with other ConfigMgr components, along with the port number, protocol and the direction of the communication.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| Site Server | Client | UDP 9 | Wake on LAN | Site Server → Client (unidirectional) |
| Site Server | Cloud DP | TCP 443 | HTTPS | Site Server → Cloud DP (unidirectional) |
| Site Server | Distribution Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint Ephemeral port | Site Server → SCCM DP (unidirectional) |
| Site Server | Domain Controller | TCP, UDP 389; TCP, UDP 636; TCP 3268; RPC 135; RPC Dynamic | LDAP; Secure LDAP; GC LDAP; RPC Endpoint; RPC Ephemeral | Site Server → DC (unidirectional) |
| Site Server | CMG connection point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server ↔ CMG (bidirectional) |
| Site Server | Endpoint Protection Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server ↔ EPP (bidirectional) |
| Site Server | Fallback Status Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server ↔ FSP (bidirectional) |
| Site Server | Internet | TCP 80; TCP 443 | HTTP; HTTPS | Site Server → Internet (unidirectional) |
| Site Server | Issuing CA | TCP, UDP 135; RPC Dynamic | RPC Endpoint; RPC Ephemeral | Site Server ↔ CA (bidirectional) |
| Site Server | Content Library Share | TCP 445 | SMB | Site Server → Content Library (unidirectional) |
| Site Server | Service Connection Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server ↔ SCP (bidirectional) |
| Site Server | Reporting Services Point | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server ↔ RSP (bidirectional) |
| Site Server | Site Server | TCP 445 | SMB | Site Server ↔ Site Server (bidirectional) |
| Site Server | SQL Server | TCP 1433 | SQL over TCP | Site Server → SQL Server (unidirectional) |
| Site Server | SQL Server for WSUS | TCP 1433 | SQL over TCP | Site Server → SQL WSUS Server (unidirectional) |
| Site Server | SMS Provider | TCP 445; TCP, UDP 135; RPC Dynamic | SMB; RPC Endpoint; RPC Ephemeral | Site Server → SMS Provider (unidirectional) |
| Site Server | Software Update Point | TCP 445; TCP, UDP 135; RPC Dynamic; TCP 80 or 8530; TCP 443 or 8531 | SMB; RPC Endpoint; RPC Ephemeral; HTTP; HTTPS | Site Server ↔ SUP Server (bidirectional) |
| Site Server | State Migration Point | TCP 445; TCP, UDP 135 | SMB; RPC Endpoint Mapper | Site Server ↔ State Migration Point Server (bidirectional) |

Management Point Network Ports

Here is a list of network ports that the Management Point server requires for communication with other components. Make sure your firewall allows these ports.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| Management Point | Domain Controller | TCP, UDP 389; TCP, UDP 636; TCP 3268; TCP 135 | LDAP; Secure LDAP; GC LDAP; RPC Endpoint Mapper | Management Point → Domain Controller (unidirectional) |
| Management Point | Site Server | TCP 135; TCP 445; RPC | RPC Endpoint; SMB; Dynamic | Management Point ↔ Site Server (bidirectional) |
| Management Point | SQL Server | TCP 1433 | SQL over TCP | Management Point → SQL Server (unidirectional) |

Software Update Point Firewall Ports

The table below lists all the SCCM firewall ports used by the software update point role.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| Software Update Point | Internet | TCP 80 | HTTP | SUP → Internet (unidirectional) |
| Software Update Point | WSUS Server | TCP 80 or 8530; TCP 443 or 8531 | HTTP; HTTPS | SUP → WSUS (unidirectional) |

Ports used by Configuration Manager console

The table below lists all the firewall ports used by the Configuration Manager console for communicating with other components, along with the port number, protocol and the direction of the communication.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| ConfigMgr Console | Client | TCP 2701; TCP 3389 | Remote Control; Remote Assistance | Console → Client (unidirectional) |
| SCCM Console | Internet | TCP 80 or 8530; TCP 443 or 8531 | HTTP; HTTPS | Console → Internet (unidirectional) |
| SCCM Console | Reporting Services Point | TCP 80; TCP 443 | HTTP; HTTPS | Console → RSP (unidirectional) |
| ConfigMgr Console | Site Server | TCP 135 | RPC | Console → Site Server (unidirectional) |
| ConfigMgr Console | SMS Provider | TCP, UDP 135; RPC Dynamic; TCP 443 | RPC EP Mapper; RPC; HTTPS | Console → SMS Provider (unidirectional) |

Ports used by Service Connection Point

The table below lists all the firewall ports used by the Service Connection Point for communicating with other components.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| Service Connection Point | Azure CMG | TCP 443 | HTTPS | Service Connection Point → CMG (unidirectional) |
| Service Connection Point | Azure Logic App | TCP 443 | HTTPS | Service Connection Point → Azure Logic App (unidirectional) |
| Service Connection Point | SQL Server | TCP 1433 | SQL over TCP | Service Connection Point → SQL Server (unidirectional) |

CMG Connection Point Ports

The table below lists all the firewall ports used by the CMG Connection Point in Configuration Manager.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| CMG Connection Point | CMG virtual machine scale set | TCP 443; TCP 10124-10139 | HTTPS (1 VM); HTTPS (2+ VMs) | CMG Connection Point → CMG virtual machine scale set (unidirectional) |
| CMG Connection Point | CMG classic cloud service | TCP 10140-10155; TCP 443; TCP 10124-10139 | TCP-TLS; HTTPS fallback (1 VM); HTTPS fallback (more than 1 VM) | CMG Connection Point → CMG classic cloud service (unidirectional) |
| CMG Connection Point | Management point | TCP 80; TCP 443 | HTTP; HTTPS | CMG Connection Point → Management point (unidirectional) |
| CMG Connection Point | Software update point | TCP 80/8530; TCP 443/8531 | HTTP; HTTPS | CMG Connection Point → SUP (unidirectional) |

SCCM Distribution Point Firewall Ports

A distribution point requires the following network ports to be opened in the firewall.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| Distribution Point | Management Point | TCP 80; TCP 443 | HTTP; HTTPS | Distribution Point → Management Point (unidirectional) |
| Pull DP | Source DP | TCP 80; TCP 443 | HTTP; HTTPS | Pull DP → Source DP (unidirectional) |

Endpoint Protection Role Ports

If you have set up the Endpoint Protection role in SCCM, this role uses the following firewall ports.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| Endpoint Protection Role | Internet | TCP 80 | HTTP | Endpoint Protection Role → Internet (unidirectional) |
| Endpoint Protection Role | SQL Server | TCP 1433 | SQL over TCP | Endpoint Protection Role → SQL Server (unidirectional) |

SQL Server Firewall Ports

The SQL Server for Configuration Manager requires a few network ports to operate. For example, intersite database replication requires the SQL Server at one site to communicate directly with the SQL Server at its parent or child site.

| Source | Destination | Protocol and Port Number | Description | Direction of Communication |
| --- | --- | --- | --- | --- |
| SQL Server | SQL Server | TCP 1433 | SQL Server Service | SQL Server → SQL Server (unidirectional) |
| SQL Server | SQL Server | TCP 4022 | SQL Service Broker | SQL Server → SQL Server (unidirectional) |
| Reporting Services Point | SQL Server | TCP 1433 | SQL over TCP | Reporting Service Point → SQL Server (unidirectional) |
| SMS Provider | SQL Server | TCP 1433 | SQL over TCP | SMS Provider → SQL Server (unidirectional) |
| State Migration Point | SQL Server | TCP 1433 | SQL over TCP | State Migration Point → SQL Server (unidirectional) |

Ports used by Discovery Methods in SCCM

The following Configuration Manager firewall ports are used for the discovery and publishing of site information:

| Protocol Name | Port Number |
| --- | --- |
| Lightweight Directory Access Protocol (LDAP) | 389 |
| Global Catalog LDAP | 3268 |
| Secure LDAP | 636 |
| RPC Endpoint Mapper | 135 |
| RPC Dynamic Ports | 1024:5000 and 49152:65535 |


Prajwal Desai

Prajwal Desai is a technology expert and 10-time Dual Microsoft MVP (Most Valuable Professional) with a strong focus on Microsoft Intune, SCCM, Windows 365, Enterprise Mobility, and Windows. He is a renowned author, speaker, and community leader, known for sharing his expertise and knowledge through his blog, YouTube, conferences, webinars, etc.