本文根据个人理解整理而成,原文地址: http://technet.microsoft.com/en-us/library/bb632618.aspx。整理人:许乃明,MSN:xnming21◎hotmail.com,E-mail: simpleman.xu◎gmail.com
SCCM 2007 是一个分布式的 Client/Server 系统,也就是说Site Server、Site System 和 Client 之间可以建立连接,其中一些连接的的端口是可以配置的,一些端口是固定不可配置的。
注:
如果需要配置成支持 Internet-based clients,参考 Supported Scenarios for Internet-Based Client Management 配置防火墙策略。对于 Internet-based clients 出了需要考虑端口方面的设置,同时需要考虑允许一些 HTTP verbs 和 headers 通过防火墙,具体参考 Prerequisites for Internet-Based Client Management。
可以配置的端口:
- Configuration Manager 2007 allows you to configure the ports for the following types of communication:
- Client to site system
- Client to internet (as proxy server settings)
- Software update point to internet (as proxy server settings)
- Software update point to WSUS server
- Client to reporting point
默认情况下,client-to-site system 之间的连接如果通过 HTTP 使用 80 端口,通过 HTTPS 则使用 443 端口,client-to-site system 使用的端口是可以在初始安装 Configuration Manager site 的时候配置的。
不可配置的端口:
- Configuration Manager does not allow you to configure ports for the following types of communication:
- Site to site (primary-to-primary or primary-to-secondary)
- Site server to site system
- Site server to site database server
- Site system to site database server
- Configuration Manager 2007 console to SMS Provider
- Configuration Manager 2007 console to the Internet
About RPC connections and Configuration Manager
Configuration Manager 2007 uses RPC extensively in its communications. RPC initially connects using port 135, then negotiates a port above 1024 for subsequent communication. This port number is dynamic, and cannot be changed within Configuration Manager 2007. To limit the available “random” ports used by RPC to a pre-defined range of ports, Microsoft offers a free RPC configuration tool. You can use the RPC configuration tool to establish a limited range of ports for use by RPC, then configure your IPsec filter to include the port range. For more information about the RPC configuration tool, see http://go.microsoft.com/fwlink/?linkid=93102
-LinkId=93102.
详细的端口使用情况
– > indicates one computer initiates and the other computer always responds
< -- > indicates that either computer can initiate
1. Site Server < -- > Site Server
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
| Point to Point Tunneling Protocol (PPTP) | – | 1723 (See note 3) |
2. Primary Site Server — > Domain Controller
| Description | UDP | TCP |
| Lightweight Directory Access Protocol (LDAP) | – | 389 |
| LDAP (Secure Sockets Layer [SSL] connection) | 636 | 636 |
| Global Catalog LDAP | – | 3268 |
| Global Catalog LDAP SSL | – | 3269 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
| Kerberos | 88 | – |
3. Site Server < -- > Software Update Point(see note 6)
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
| Hypertext Transfer Protocol (HTTP) | – | 80 or 8530 (See note 4) |
| Secure Hypertext Transfer Protocol (HTTPS) | – | 443 or 8531 (See note 4) |
4. Software Update Point — > Internet
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 (See note 1) |
5. Site Server < -- > State Migration Point(see note 6)
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
| RPC Endpoint Mapper | 135 | 135 |
6. Client — > Software Update Point
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 or 8530 (See note 4) |
| Secure Hypertext Transfer Protocol (HTTPS) | – | 443 or 8531 (See note 4) |
7. Client — > State Migration Point
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 (See note 2) |
| Secure Hypertext Transfer Protocol (HTTPS) | – | 443 (See note 2) |
| Server Message Block (SMB) | – | 445 |
8. Client — > PXE Service Point
| Description | UDP | TCP |
| Dynamic Host Configuration Protocol (DHCP) | 67 and 68 | – |
| Trivial File Transfer Protocol (TFTP) | 69 (See note 5) | – |
| Boot Information Negotiation Layer (BINL) | 4011 | – |
9. Site Server < -- > PXE Service Point(see note 6)
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
10. Site Server < -- > System Health Validator(see note 6)
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 446 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
11. Client — > System Health Validator
The client requires the ports established with the Network Access Protection server such as DHCP and IPsec. No port is required for 802.1X.
| Description | UDP | TCP |
| DHCP | 67 and 68 | – |
| IPsec | – | 80 or 443 |
12. Site Server < -- > Fallback Status Point(see note 6)
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
13. Client — > Fallback Status Point
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 (See note 2) |
14. Site Server — > Distribution Point
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
15. Client — > Distribution Point
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 (See note 2) |
| Secure Hypertext Transfer Protocol (HTTPS) | – | 443 (See note 2) |
| Server Message Block (SMB) | – | 445 |
16. Client — > Branch Distribution Point
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
17. Client — > Management Point
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 (See note 2) |
| Secure Hypertext Transfer Protocol (HTTPS) | – | 443 (See note 2) |
18. Client — > Server Locator Point
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 (See note 2) |
19. Branch Distribution Point — > Distribution Point
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 (See note 2) |
| Secure Hypertext Transfer Protocol (HTTPS) | – | 443 (See note 2) |
20. Site Server to Provider
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
21. Server Locator Point — > Microsoft SQL Server
| Description | UDP | TCP |
| SQL over TCP | – | 1433 |
22. Management Point — > Microsoft SQL Server
| Description | UDP | TCP |
| SQL over TCP | – | 1433 |
23. Provider — > SQL Server
| Description | UDP | TCP |
| SQL over TCP | – | 1433 |
24. Reporting Point — > SQL Server
| Description | UDP | TCP |
| SQL over TCP | – | 1433 |
25. Configuration Manager Console — > Reporting Point
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 (See note 2) |
| Secure Hypertext Transfer Protocol (HTTPS) | – | 443 (See note 2) |
26. Configuration Manager Console — > Provider
| Description | UDP | TCP |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
27. Configuration Manager Console — > Internet
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 |
28. Primary Site Server — > Microsoft SQL Server
| Description | UDP | TCP |
| SQL over TCP | – | 1433 |
29. Management Point — > Domain Controller
| Description | UDP | TCP |
| Lightweight Directory Access Protocol (LDAP) | – | 389 |
| LDAP (Secure Sockets Layer [SSL] connection) | 636 | 636 |
| Global Catalog LDAP | – | 3268 |
| Global Catalog LDAP SSL | – | 3269 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
| Kerberos | 88 | – |
30. Site Server — > Reporting Point
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
31. Site Server < -- > Server Locator Point(see note 6)
| Description | UDP | TCP |
| Server Message Block (SMB) | – | 445 |
| RPC Endpoint Mapper | 135 | 135 |
| RPC | – | DYNAMIC |
32. Configuration Manager Console — > Site Server
| Description | UDP | TCP |
| RPC (initial connection to WMI to locate provider system) | – | 135 |
33. Software Update Point — > WSUS Synchronization Server
| Description | UDP | TCP |
| Hypertext Transfer Protocol (HTTP) | – | 80 or 8530(See note 4) |
| Secure Hypertext Transfer Protocol (HTTPS) | – | 443 or 8531 (See note 4) |
34. Configuration Manager Console — > Client
| Description | UDP | TCP |
| Remote Control (control) | 2701 | 2701 |
| Remote Control (data) | 2702 | 2702 |
| Remote Assistance (RDP and RTC) | – | 3389 |
35. Management Point < -- > Site Server(see note 6)
| Description | UDP | TCP |
| RPC Endpoint mapper | – | 135 |
| RPC | – | DYNAMIC |
36. Site Server — > Client
| Description | UDP | TCP |
| Wake on LAN | 9 (See note 2) | – |
Note:
- 1. Proxy Server port This port cannot be configured, but can be routed through a configured proxy server.
- 2 Alternate Port Available An alternate port can be defined within Configuration Manager for this value. If a custom port has been defined, substitute that custom port when defining the IP filter information for the IPsec policies.
- 3 RAS Sender Configuration Manager 2007 can also use the RAS Sender with Point to Point Tunneling Protocol (PPTP) to send and receive Configuration Manager 2007 site, client, and administrative information through a firewall. Under these circumstances, the PPTP TCP 1723 port is used.
- 4 Windows Server Update Services WSUS can be installed either on the default web site (port 80) or a custom web site (port 8530).
After installation, the port can be changed.
If the HTTP port is 80, then the HTTPS port must be 443.
If the HTTP port is anything else, then the HTTPS port must be 1 higher, for example 8530 and 8531. - 5 Trivial FTP (TFTP) Daemon The Trivial FTP (TFTP) Daemon system service does not require a user name or password and is an integral part of the Windows Deployment Services (WDS). The Trivial FTP Daemon service implements support for the TFTP protocol defined by the following RFCs:
- RFC 350 — TFTP
- RFC 2347 — Option extension
- RFC 2348 — Block size option
- RFC 2349 — Timeout interval, and transfer size options
Trivial File Transfer Protocol is designed to support diskless boot environments. TFTP Daemons listen on UDP port 69, but respond from a dynamically allocated high port. Therefore, enabling this port will allow the TFTP service to receive incoming TFTP requests, but will not allow the selected server to respond to those requests. Allowing the selected server to respond to inbound TFTP requests cannot be accomplished unless the TFTP server is configured to respond from port 69.
- 6 Communication between the site server and site systems By default, communication between the site server and site systems is bi-directional. The site server initiates communication to configure the site system, and then most site systems connect back to the site server to send back status information. Reporting points and distribution points do not send back status information. If you select Allow only site server initiated data transfers from this site system on the site system properties, then the site system will never initiate communication back to the site server.
Configuration Manager Remote Control Ports
When you use NetBIOS over TCP/IP for Configuration Manager 2007 Remote Control, the following ports are used.
Description UDP TCP Name resolution – 137 Messaging – 138 Client Sessions – 139
Ports Used by Windows Server 2003
The following table list lists the core UDP and TCP ports that Windows Server 2003 uses, and their respective functions.
Description UDP TCP Domain Name System (DNS) 53 – Dynamic Host Configuration Protocol (DHCP) 67 and 68 – Windows Internet Name Service (WINS) 138 – NetBIOS datagrams 138 – NetBIOS datagrams – 139
Connecting with Microsoft SQL Server
If you use the TCP/IP Net-Library, enable port 1433 on the firewall. Use the Hosts file or an advanced connection string for host name resolution.
If you use named pipes over TCP/IP, enable port 139 for NetBIOS functions. NetBIOS should be used only for troubleshooting Kerberos issue.
Note
TCP/IP is required for network communications to allow Kerberos authentication. Named pipes communication is not required for Configuration Manager 2007 site database operations and should only be used to troubleshoot Kerberos authentication issues.
By default, SQL Server uses TCP (not UDP) port 1433 to listen on TCP/IP. To change the port, run SQL Server Setup on the server, and then click Change Network Support. If SQL Server uses port 1433, the client Net-Library works. If SQL Server uses a custom port number, the client must specify that port in the Data Source Name (DSN).
Microsoft does not recommend that you enable UDP ports 137 and 138 for NetBIOS name resolution by using B-node broadcasts. Instead, you can use a WINS server or an LMHOSTS file for name resolution.