In a moment, you will see how the different roles and clients communicate with each other. This information will be useful when setting up or planning firewall rules between servers and clients, and roles that can be load balanced.
Network communication flow is described in the following table:
| Description | Protocol | Client/Server | Ports |
|---|---|---|---|
| Client DHCP to PXE point | UDP | Distribution point with PXE | 67, 68, 69 (TFTP) |
| Client to Distribution point | TCP | Distribution point | 80 or 443 |
| Client to Fallback Status point | TCP | Fallback Status point | 80 |
| Client to Management point | TCP | Management point | 80 or 443, 10123 (Client Notification) |
| Client to Software Update point | TCP | Software Update point | 80 and 8530, or 443 and 8531 |
| Client to Cloud Distribution point | TCP | Azure Distribution point | 443 |
| Client to State Migration point | TCP | State Migration point | 80 or 443, and 445 |
| Client to Application Catalog | TCP | Application Catalog | 80 or 443 |
| Client to Global Catalog Domain Controller | TCP | Domain Controller / Active Directory | 3268 or 3269 |
| Configuration Manager Console to Client (Remote tools) | TCP | Clients | 2701 for Remote Control and 3389 for Remote Assistance |
| Management point to Site Server | TCP | Management point to Site Server | 135, 445 and dynamic ports in the RPC range |
| Management point to Global Catalog Domain Controller | TCP | Active Directory | 3268 or 3269, 135, 445 and dynamic ports in the RPC range |
| Management point to SQL Server | TCP | SQL Server | 1433 |
| Site Server to SQL Server | TCP | SQL Server | 1433 |
| SQL Server to SQL Server | TCP | SQL Server | 1433 and 4022 (SQL Service Broker) |
| Application Catalog Web Service point to SQL Server | TCP | SQL Server | 1433 |
| Application Catalog Website point to Application Catalog Web Service point | TCP | Catalog website to Catalog Web Service point | 80 or 443 |
| Site Server to server roles | TCP/UDP | Site Server connects to another server role | 445 (TCP), 135 (TCP/UDP) and dynamic ports in the RPC range |
| Software Update point to Internet | TCP | Software Update point connects to Microsoft | 80 |
| Software Update point to Upstream WSUS Server | TCP | Software Update point to internal WSUS server | 80 and 8530, or 443 and 8531 |
| Exchange Server Connector to Exchange Online | TCP | Site Server to Exchange Online, for instance Office 365 | 5986 |
| Exchange Server Connector to Exchange on-premises | TCP | Site Server to Exchange server | 5985 |
Some important factors regarding port usage within Configuration Manager are as follows:

- Most of the traffic is based on either HTTP (port 80) or HTTPS (port 443), depending on whether or not you have deployed a PKI infrastructure.
- Some roles require port 445 for SMB traffic (the regular Windows file-transfer protocol).
- Some roles also require a dynamic range of ports for the RPC protocol. The dynamic RPC range is port 49152 to 65535. RPC also uses port 135 (the endpoint mapper).
- Most SQL connections use port 1433, the standard SQL Server port, which is also used for SQL-to-SQL connections. SQL Server additionally uses port 4022 for the Service Broker, which replicates data between parent and child SQL Servers.
- Different client installation methods use different ports: manual installation can use HTTP/HTTPS (80 or 443) and SMB (445), whereas client push installation uses a combination of those ports plus the dynamic RPC range.
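The table and the port notes above are what you feed into firewall planning, so here is an added PowerShell example (written for this page, not taken from the book or from Microsoft's tooling) that encodes a subset of the communication matrix once and uses it two ways: to create, or preview with `-WhatIf`, inbound Windows Firewall rules on a machine holding a given role, and to check from a client or server which TCP ports toward a role are actually reachable. The host name `mp01.contoso.local`, the subnet `10.0.1.0/24` and the `$CmFlows` subset are placeholders and assumptions for illustration; `New-NetFirewallRule` and `Test-NetConnection` are the standard cmdlets from the NetSecurity and NetTCPIP modules shipped with Windows.

```powershell
# Added example: encode the Configuration Manager communication matrix once and
# reuse it for firewall rules and connectivity checks. Hosts/subnets are placeholders.
# Ports are strings because New-NetFirewallRule -LocalPort accepts both single
# ports and 'start-end' ranges, which lets the dynamic RPC range be expressed directly.
$CmFlows = @(
    @{ Source = 'Client';           Target = 'Distribution point';    Protocol = 'TCP'; Ports = @('80', '443') }
    @{ Source = 'Client';           Target = 'Distribution point';    Protocol = 'UDP'; Ports = @('67', '68', '69') }  # PXE / TFTP
    @{ Source = 'Client';           Target = 'Management point';      Protocol = 'TCP'; Ports = @('80', '443', '10123') }
    @{ Source = 'Client';           Target = 'Software Update point'; Protocol = 'TCP'; Ports = @('80', '8530', '443', '8531') }
    @{ Source = 'Client';           Target = 'State Migration point'; Protocol = 'TCP'; Ports = @('80', '443', '445') }
    @{ Source = 'Management point'; Target = 'Site Server';           Protocol = 'TCP'; Ports = @('135', '445', '49152-65535') }
    @{ Source = 'Management point'; Target = 'SQL Server';            Protocol = 'TCP'; Ports = @('1433') }
    @{ Source = 'Site Server';      Target = 'SQL Server';            Protocol = 'TCP'; Ports = @('1433') }
    @{ Source = 'SQL Server';       Target = 'SQL Server';            Protocol = 'TCP'; Ports = @('1433', '4022') }
)

function New-CmRoleFirewallRule {
    <#
    .SYNOPSIS
    Creates (or previews with -WhatIf) inbound Windows Firewall rules on the local
    machine for every flow whose target is the given role. Scope the rule to the
    subnets that actually host the source role instead of the default 'Any'.
    #>
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $Role,
        [string[]] $RemoteAddress = @('Any')
    )
    foreach ($flow in ($CmFlows | Where-Object { $_.Target -eq $Role })) {
        $name = "ConfigMgr $($flow.Source) -> $($flow.Target) ($($flow.Protocol))"
        if ($PSCmdlet.ShouldProcess($name, 'New-NetFirewallRule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Allow `
                -Protocol $flow.Protocol -LocalPort $flow.Ports `
                -RemoteAddress $RemoteAddress -Profile Domain | Out-Null
        }
    }
}

function Test-CmRoleConnectivity {
    <#
    .SYNOPSIS
    From the machine acting as $Source, checks each TCP port that the $Target role
    on $ComputerName needs. UDP flows and dynamic ranges cannot be probed with
    Test-NetConnection, so they are reported explicitly rather than skipped.
    #>
    param(
        [Parameter(Mandatory)] [string] $Source,
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [string] $ComputerName
    )
    foreach ($flow in ($CmFlows | Where-Object { $_.Source -eq $Source -and $_.Target -eq $Target })) {
        foreach ($port in $flow.Ports) {
            if ($flow.Protocol -ne 'TCP' -or $port -like '*-*') {
                $state = 'not testable with Test-NetConnection'
            }
            else {
                $r = Test-NetConnection -ComputerName $ComputerName -Port ([int]$port) -WarningAction SilentlyContinue
                $state = if ($r.TcpTestSucceeded) { 'open' } else { 'blocked or closed' }
            }
            [pscustomobject]@{ ComputerName = $ComputerName; Protocol = $flow.Protocol; Port = $port; Result = $state }
        }
    }
}

# Usage (placeholder names and subnet):
# New-CmRoleFirewallRule -Role 'Site Server' -RemoteAddress '10.0.1.0/24' -WhatIf
# Test-CmRoleConnectivity -Source 'Client' -Target 'Management point' -ComputerName 'mp01.contoso.local' | Format-Table
```

Run `New-CmRoleFirewallRule` with `-WhatIf` first on a site server; the preview shows that, in line with the port notes above, the rule for management point traffic opens 135, 445 and the full 49152-65535 dynamic RPC range inbound, which is why you should pass `-RemoteAddress` with the management point subnet rather than leaving it at `Any`. The connectivity test only proves that a TCP listener answers; a result of `open` on port 10123 or 8531 does not tell you whether the role is configured for HTTP or HTTPS, so read it together with the site's client communication settings.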