SCCM Workgroup Client in DMZ
We are looking at upgrading from SMS 2003 to SCCM SP1. We will NOT be able to use Native mode. We are currently supporting about a dozen servers in our DMZ. We're using LMHOST files to point to MPs, SLPs, etc, and everything has been working fine.
We've been reviewing the SCCM documentation, and one thing hasn't been made very clear. What ports do we need to open between the SCCM server and the DMZ servers? Do we only need port 80, or do we need to open 8530 (WSUS), 445 (SMB), or various other ports?
All we care about is hardware/software inventory and software updates on these machines.
Please clarify. A solid answer would be appreciated. A pointer to documentation would NOT be helpful, as we've already examined it and it's been less than clear.
Thanks!
January 24th, 2009 9:15pm
Yes, there's a lot of information to wade through on port requirements in the documentation, because there are a lot of different communication connections possible with Configuration Manager. I know you're looking for a simple answer, but unfortunately this type of question doesn't fall into that category. You could get away with just port 80, but there are complications, especially for the software updates piece.
To recap, I think your requirements are the following (correct me if I'm wrong):
Your DMZ servers are running the Configuration Manager client (already installed, so you're only worrying about operational ports and not installation ports).
All your site system roles are on a single server (the SCCM server).
The only features you're using on these clients are inventory and software updates.
Your site is in mixed mode.
If this is the case, here are the operational ports that are required by Configuration Manager:
Policy going down to the client and inventory information back uses HTTP port 80 (client to MP).
Location services to find the default MP and complete site assignment also uses HTTP port 80 (client to the server locator point).
Downloading software update packages uses HTTP port 80 (client to DP).
Scanning for software updates (client to the software update point) is a little trickier because it depends on your WSUS configuration, and note that SSL is possible even in mixed mode:
If you're using the default Web site for WSUS without SSL, this uses port 80
If you're using the custom Web site for WSUS without SSL, this uses 6530
If you're using the default Web site for WSUS with SSL, this uses port 443
If you're using the custom Web site for WSUS with SSL, this uses 6531
These are the default port numbers, and many can be changed:
The HTTP port number for the client-to-MP and client-to-DP can be changed in Configuration Manager (How to Configure Request Ports for the Configuration Manager Client).
The port number for the server locator point cannot be changed.
The port numbers for the software update point can be changed as follows (if WSUS is already installed, see How to Determine the Port Settings Used by WSUS):
WSUS can be installed either on the default Web site (port 80) or a custom Web site (port 8530). After installation, the port can be changed.
If the HTTP port is 80, the HTTPS port must be 443.
If the HTTP port is anything else, the HTTPS port must be 1 higher; for example, 8530 and 8531.
Hope this helps!
- Carol
This posting is provided AS IS with no warranties and confers no rights.
January 25th, 2009 9:43pm
Thanks Carol!
That was exactly the answer I was looking for. We are planning on using port 80 for SCCM and 8530 for WSUS
One more question: We're doing manual installs, with the SCCM source placed on the DMZ server, and using the command line install (also LMHOST) to point to SLP and MPs. Are there any additional installation ports required for the manual install?
Thanks!
January 26th, 2009 1:31am
The /source option uses SMB (port 445), but if you've got all the client installation files already copied onto the DMZ servers, then the installation will run locally without copying any files over the network. You will need to copy onto the DMZ servers all the files from the <InstallationPath>\Client folder, and all subfolders. Alternatively, specify /mp with your SCCM server and the client installation files will download over HTTP port 80.
No other ports required with manual CCMSetup installation.
- Carol
This posting is provided AS IS with no warranties and confers no rights.
January 26th, 2009 4:53am
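The two answers above give the port rules in prose (HTTP 80 from the client to the MP, DP and SLP; the WSUS port, with the HTTPS port being 443 for port 80 and otherwise HTTP+1; and SMB 445 only if CCMSetup /source pulls files over the network). The following PowerShell script is an added example, not code from the thread or from Microsoft: run it on a DMZ host as a pre-flight check before opening the firewall change, and it reports which of the required ports are actually reachable on the site server. The hostname `sccm01.corp.example`, the default port values and the `-SourceInstall` switch are assumptions; substitute your own. It uses .NET `TcpClient` rather than `Test-NetConnection` so it runs on the PowerShell 2.0 hosts of that era. The `Get-WsusPortFromRegistry` helper is meant to be run on the site server itself (it reads the `PortNumber` and `UsingSSL` values WSUS writes under its Setup key) so you can confirm which WSUS port to feed into the check.

```powershell
# Added example (not from the thread): pre-flight TCP reachability check from a DMZ
# ConfigMgr client to the site server, built from the port rules given above.
# Names and default values are assumptions; adjust them for your environment.
param(
    [string]$SiteServer   = 'sccm01.corp.example',  # assumed name; thread resolves it via LMHOSTS
    [int]   $HttpPort     = 80,      # client -> MP / DP (changeable) and -> SLP (fixed at 80)
    [int]   $WsusHttpPort = 8530,    # WSUS HTTP port (80 = default Web site, 8530 = custom site)
    [bool]  $WsusUsesSsl  = $false,  # if $true the client scans over HTTPS: 443 when HTTP is 80, else HTTP+1
    [switch]$SourceInstall           # set when CCMSetup /source points at a share on the site server (SMB 445)
)

# Returns $true if a TCP handshake to $ComputerName:$Port completes within $TimeoutMs.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered/dropped
        $client.EndConnect($async)   # throws on RST (refused)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Run this one ON the site server: reads the port WSUS is configured on and whether SSL is required.
function Get-WsusPortFromRegistry {
    $key = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    $setup = Get-ItemProperty -Path $key -ErrorAction Stop
    New-Object PSObject -Property @{
        HttpPort  = [int]$setup.PortNumber
        UsesSsl   = ([int]$setup.UsingSSL -eq 1)
        HttpsPort = if ([int]$setup.PortNumber -eq 80) { 443 } else { [int]$setup.PortNumber + 1 }
    }
}

# Build the list of ports the client needs, following the rules in the answers above.
$required = @()
$required += @{ Role = 'MP / DP / SLP (HTTP)'; Port = $HttpPort }

if ($WsusUsesSsl) {
    $sslPort = 443
    if ($WsusHttpPort -ne 80) { $sslPort = $WsusHttpPort + 1 }   # e.g. 8530 -> 8531
    $required += @{ Role = 'SUP scan (WSUS HTTPS)'; Port = $sslPort }
} else {
    $required += @{ Role = 'SUP scan (WSUS HTTP)'; Port = $WsusHttpPort }
}

if ($SourceInstall) {
    $required += @{ Role = 'CCMSetup /source (SMB)'; Port = 445 }
}

$results = foreach ($r in $required) {
    $status = 'BLOCKED'
    if (Test-TcpPort -ComputerName $SiteServer -Port $r.Port) { $status = 'open' }
    New-Object PSObject -Property @{ Role = $r.Role; Port = $r.Port; Status = $status }
}

$results | Format-Table Role, Port, Status -AutoSize

# Non-zero exit if anything is blocked, so the script can gate a change ticket or a scheduled check.
if (@($results | Where-Object { $_.Status -ne 'open' }).Count -gt 0) { exit 1 }
```

Usage: `.\Test-SccmDmzPorts.ps1 -SiteServer sccm01.corp.example -WsusHttpPort 8530` matches the poster's chosen configuration (80 for SCCM, 8530 for WSUS); add `-SourceInstall` only for the one-time manual install if the files are not already staged locally, and drop that rule from the firewall afterwards. A port that shows `BLOCKED` on a TCP check is filtered or closed regardless of what the documentation says is required, so this tells you which rule is missing before a client shows up as inactive in the console.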
No idea if this will get any attention since the original post is so old, but here it goes....
We have a similar situation and what I'm wondering is what are the security implications here? If someone gets into a DMZ host, they'll have access to port 80 and/or 443 on our internal SCCM server. Is that considered high-risk? I think the plan of the last guy that was here was to have (and I'm sure I get the terminology wrong) an SCCM distribution server in the DMZ. So our internal host would push updates to the DMZ SCCM server and the DMZ clients would get their updates from the DMZ SCCM server. Is this a plausible option?
thanks
May 3rd, 2011 4:45pm