SCCM Client Push Firewall Ports
We intend to push the SCCM client from a Windows 2008 Site server to an XP SP3 client. Which Dynamic RPC port range will I need to open on the Check Point firewall that runs on our client machines? 1025-5000 or 49152-65535?

I performed a packet capture and one of the events reads as follows:

Transmission Control Protocol, SRC Port: 54164 (54175), Dst Port : nfa (1155), Seq: 1698, Ack: 312, Len: 0

The above seems to reference both Dynamic port ranges. I just need to clarify which range we need to open on the client firewall.

Cheers, Bootch
January 9th, 2012 10:13am
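
Sorting capture lines like the one quoted in the question into the two ranges it names can be done mechanically. The following is an added example, not part of the original thread: it parses Wireshark-style TCP summary lines and tallies which range each side's port falls in. The function names and every sample line except the first are constructed for illustration.

```python
import re
from collections import Counter

# The two dynamic port ranges named in the question.
RANGES = {
    "legacy 1025-5000": range(1025, 5001),
    "new 49152-65535": range(49152, 65536),
}

# Wireshark prints "Src Port: name (number)" when it resolves a port name,
# or a bare number otherwise; the number in parentheses wins when present.
PORT_RE = re.compile(r"(Src|Dst) Port\s*:\s*(?:[\w-]+ \((\d+)\)|(\d+))", re.I)

SAMPLE = [
    # Line quoted in the question:
    "Transmission Control Protocol, SRC Port: 54164 (54175), Dst Port : nfa (1155), Seq: 1698, Ack: 312, Len: 0",
    # Constructed lines:
    "Transmission Control Protocol, Src Port: 54180, Dst Port: epmap (135), Seq: 0, Len: 0",
    "Transmission Control Protocol, Src Port: 1155, Dst Port: 54175, Seq: 312, Ack: 1698, Len: 0",
    "Internet Protocol Version 4, Src: 10.0.0.5, Dst: 10.0.0.9",
]

def parse_ports(line):
    """Return {'src': int, 'dst': int} for a TCP summary line, else None."""
    ports = {}
    for side, resolved, bare in PORT_RE.findall(line):
        ports[side.lower()] = int(resolved or bare)
    return ports if {"src", "dst"} <= ports.keys() else None

def classify(port):
    """Name the dynamic range a port belongs to, if any."""
    for label, port_range in RANGES.items():
        if port in port_range:
            return label
    return "well-known/other"

def summarize(lines):
    """Count, per side of the connection, which range the port fell in."""
    counts = Counter()
    for line in lines:
        ports = parse_ports(line)
        if ports is None:
            continue  # not a TCP summary line
        for side in ("src", "dst"):
            counts[(side, classify(ports[side]))] += 1
    return counts

if __name__ == "__main__":
    for (side, label), n in sorted(summarize(SAMPLE).items()):
        print(f"{side:3} {label:18} {n}")
```

Run over a full capture export, the tally shows which range the ports on each side of the push traffic actually come from, which can then be matched to the hosts in the capture.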

It uses RPC, which will be a random high port. However, we use a Check Point firewall and we didn't have to make any exceptions for client push.

John Marcum | http://myitforum.com/cs2/blogs/jmarcum/
January 9th, 2012 10:16am

Hi,

For XP it is 1024 - 65535, which are used by RPC. I normally like to use a Client Startup script instead of using Client Push, for instance this great one by Jason Sandys: http://blogs.catapultsystems.com/jsandys/archive/2010/12/30/updated-configmgr-startup-script.aspx

Then you don't have to open the RPC ports for client push.

Regards, Jörgen -- My System Center blog ccmexec.com -- Twitter @ccmexec
January 9th, 2012 10:24am

Thanks for the prompt replies, guys.

Jorgen - so you're implying that both of the dynamic RPC port ranges would need opening in this scenario? Thanks for the link to the startup script; that could be very useful indeed. The only issue I see here is that our clients in question will all be connecting over VPN and will therefore not be connected to the network when machine policies are processed on the client.
January 9th, 2012 10:44am

I use client push and Check Point is being used for our firewall, and I am not aware that we had to open specific ports on it. We may just have an exception for WMI, I'm really not sure. Also, I think the ports mentioned above are incorrect. It seems to me that it was 50000 - 65000, but this article says Start port: 49152, End port: 65535: http://support.microsoft.com/kb/832017

John Marcum | http://myitforum.com/cs2/blogs/jmarcum/
January 9th, 2012 11:36am

OK, I've just run a capture on the NIC on a test machine, so I'll check through the report to see what ports were used for the client push.
January 9th, 2012 11:42am

Hi,

You will be pushing the client to a Windows XP computer, right?

"This article contains several references to the default dynamic port range. In Windows Server 2008 and in Windows Vista, the default dynamic port range is changed to the following range: Start port: 49152 End port: 65535"

For Windows XP, Server 2003, etc. it is 1024 - 65535. That's how I read the same article, but I could be wrong.

Regards, Jörgen -- My System Center blog ccmexec.com -- Twitter @ccmexec
January 9th, 2012 2:41pm

Hi Bootch_1980,

You don't need to open any port in your firewall if you don't want to use any remote tools. The only two things you have to allow through the firewall are File and Printer Sharing and WMI. This is a Microsoft recommendation.

Brgds. Tamas
January 12th, 2012 5:29am

In my mixed environment with Windows XP SP3 and 7, I had to apply the following firewall changes for remote install / push of the SCCM Client and the SC2012EP program.

Changes made through Group Policy:

XP: to install SCCM Client remotely
1. Policies --> Windows Settings --> Security Settings --> Windows Firewall and Advanced Security --> Global Settings --> Firewall State On
2. Policies --> Administrative Templates --> Network/Network Connections/Windows Firewall/(Domain Profile) --> Windows Firewall: Allow inbound file and printer sharing exception - enabled

7: to install SCCM Client
XP/7: to install SC2010EP (FEP2010)
1. Policies --> Administrative Templates --> Network/Network Connections/Windows Firewall/(Domain Profile) --> Windows Firewall: Allow inbound remote administration exception
2. Windows Firewall: Protect all network connections

Only after I made these changes to both the XP and 7 machines did the remote installation (push) of SCCM Client and SC2010EP work. It took at least 12 hours for the profiles to get pushed out as well. I never did figure out how to do it on demand.
July 24th, 2012 3:02pm
