SCCM2012 Firewall issues

Today we share 2 things about communication between site systems in a 2012 site.

  1. SCCM Client push

In order to perform a successful client push, a number of ports need to be open. See the SCCM help file.

Now there are alternative methods, like group policy or script installation, that do not need RPC and SMB, but the ability to deploy and redeploy from the SCCM console is very useful.

Now I had some doubt about whether the RPC and SMB communication needed to be bi-directional or not. So I tested using the local Windows firewall.
There was no firewall restriction on the server OSE; the goal was to find out if traffic was bidirectional, so all outbound communication from the client was blocked.

Performed client push. The first part was OK and the service started, but there was an error while trying to download the client sources.

So I added only HTTP communication to the firewall from client to Site Server.

And success: client deployment works.

So communication is one way, from site server to client. Only HTTP (TCP 80) is required from client to site server for client push.

Update: in a production environment this has proven to be wrong; RPC communication is bi-directional between site server and client.

  2. RPC communication between site server and site components

By default, communication between the site server and site components (SUP, SMP, DP) uses RPC over dynamic ports. Now we have the option of setting the communication one way, from site server to site component, by using the option “Require the site server to initiate connections to this site system”, but it might be useful to limit the number of RPC ports being used.
Here’s how:
First, in order to find out how many dynamic ports are in use now, you can use rpcdump.exe (part of the 2003 Resource Kit Tools). On my system this was 152 ports.

Now let’s check the default range on our system using netsh.

Now the plan was to create a port range of 255 (minimum allowed) from 5001 to 5256.
Use the following command: netsh int ipv4 set dynamicport tcp start=5001 num=255

Restart the server.
Verify the result.


Update: in a production environment this has led to not enough RPC ports being available on the site server. Numerous issues occurred, like losing AD connectivity. After setting the RPC to default the issues no longer occurred.
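
A pre-change check for the port exhaustion described in the update above, as an added example that is not part of the original post: it counts the distinct local ports in use inside the current dynamic range and compares that count with the size of the proposed range. The function name, its parameters and the 50% utilization threshold are assumptions; the sample netstat lines are constructed to mirror the 152 ports reported in the post.

```powershell
# Added example (not from the original post). Function and parameter names are hypothetical.
function Test-DynamicPortHeadroom {
    param(
        [Parameter(Mandatory)] [string[]] $NetstatLines,  # output of: netstat -an -p tcp
        [Parameter(Mandatory)] [int] $CurrentStart,       # from: netsh int ipv4 show dynamicport tcp
        [Parameter(Mandatory)] [int] $CurrentCount,
        [Parameter(Mandatory)] [int] $ProposedCount,
        [double] $MaxUtilization = 0.5                    # assumed safety margin, tune per site
    )
    $currentEnd = $CurrentStart + $CurrentCount - 1
    $ports = foreach ($line in $NetstatLines) {
        # Second column is the local endpoint, e.g. "TCP  10.0.0.5:49155  10.0.0.9:445  ESTABLISHED"
        if ($line -match '^\s*TCP\s+\S+:(\d+)\s') {
            $port = [int]$Matches[1]
            # Only ports handed out from the dynamic range count against the new range
            if ($port -ge $CurrentStart -and $port -le $currentEnd) { $port }
        }
    }
    # A port is consumed once, no matter how many rows (listener, TIME_WAIT) mention it
    $inUse = @($ports | Sort-Object -Unique).Count
    $utilization = [math]::Round($inUse / $ProposedCount, 2)
    [pscustomobject]@{
        DynamicPortsInUse = $inUse
        ProposedCount     = $ProposedCount
        Utilization       = $utilization
        SafeToNarrow      = ($utilization -le $MaxUtilization)
    }
}

# Constructed sample: two rows whose local port is outside the dynamic range (must not be
# counted), followed by 152 listeners inside it. On a real server use: netstat -an -p tcp
$sample = @(
    '  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING'
    '  TCP    10.0.0.5:445           10.0.0.21:50112        ESTABLISHED'
) + (49152..49303 | ForEach-Object { "  TCP    0.0.0.0:$_          0.0.0.0:0              LISTENING" })

# Windows default dynamic range (start 49152, 16384 ports) versus the proposed 255-port range
Test-DynamicPortHeadroom -NetstatLines $sample -CurrentStart 49152 -CurrentCount 16384 -ProposedCount 255
```

A single netstat snapshot understates peak usage, so sample it several times under normal load before relying on the result.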


