Below are the recommended ports to open as suggested by Microsoft:-
a) Client Push Installation:-
-File and Printer Sharing
-Windows Management Instrumentation (WMI) - TCP & UDP 1024-5000
b) Client request:-
-Port 80 - for http communication
-Port 443 -for https communication
c) NAP:-
-UDP 67 and UDP 68 for DHCP
-TCP 80/443 for IPSEC
d) Remote Control:-
-TCP 2701
-TCP 2702
-TCP 135
e) Remote Assistance and Remote Desktop:-
-Program exception for helpsvc.exe and TCP 135
-Remote Assistance and Remote Desktop (TCP 3389)
f) Windows Event Viewer, Windows Performance Monitor and Windows Diagnostics:-
-File and Printer Sharing exception.
Based on the above ports, here is the configuration I've performed in Group Policy.
a) Go to the Group Policy Management snap-in.
b) Expand Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall > Domain Profile
c) Configure Windows Firewall: Allow inbound file and printer sharing exception
-IP: 192.168.10.47 (SCCM Server IP Address)
d) Configure Windows Firewall: Define inbound port exceptions
-Click Show
-Add below configuration
Format for Define inbound port exceptions:-
Port:Transport(TCP/UDP):Scope:Status(enabled/disabled):Name
135:TCP:192.168.10.47:enabled:TCP135
80:TCP:192.168.10.47:enabled:Port80
443:TCP:192.168.10.47:enabled:Port443
67:UDP:192.168.10.47:enabled:NAPDHCP
68:UDP:192.168.10.47:enabled:NAPDHCP
2701:TCP:192.168.10.47:enabled:RemoteControl
2702:TCP:192.168.10.47:enabled:RemoteControl
Invalid configuration:-
1024-5000:TCP:192.168.10.47:enabled:WMI
1024-5000:UDP:192.168.10.47:enabled:WMI
*.TCP:192.168.10.47:enabled:All
WMI uses a random port in the range 1024 to 5000.
Note:
You cannot define a range of ports in this Windows Firewall policy setting. Each port needs to be defined individually.
If you still want to open a range of ports, you can write a script that runs the following command (inside a .bat or .cmd file, write %%i instead of %i):-
for /L %i in (1024,1,5000) do netsh firewall add portopening TCP %i "Port-range %i"
The script will create one rule for every port from 1024 to 5000.
For the WMI port range, let's ignore it for now.
e) Configure Windows Firewall: Allow inbound remote administration exception
-IP: 192.168.10.47
f) Configure Windows Firewall: Allow inbound Remote Desktop exceptions
-IP: 192.168.10.47
g) Configure Windows Firewall: Define inbound program exceptions
-Click Show and add the below settings
Format for Define inbound program exceptions:-
Path:Scope:Status:Name
%systemroot%\system32\sessmgr.exe:*:enabled:sessmgr.exe
%systemroot%\PCHEALTH\HELPCTR\Binaries\helpsvc.exe:*:enabled:helpsvc.exe
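The same inbound exceptions as steps d) and g), plus the 1024-5000 WMI range that the GPO setting cannot express (see the note above), written as an added PowerShell example; this is not the post's own configuration. It uses the NetSecurity cmdlets, which exist on Windows 8 / Server 2012 and later only, so it does not apply to the Windows XP and Vista clients the post was tested on. The rule names, the $SccmServer variable, the Add-ScopedRule helper and the choice to scope the program exceptions to the SCCM server (the post leaves them at '*') are assumptions of this example; the ports and paths come from the post.

```powershell
# Added example, not configuration from the original post.
# Creates the post's inbound exceptions with New-NetFirewallRule
# (Windows 8 / Server 2012 and later), each scoped to the SCCM server.
# Run from an elevated PowerShell session.

$SccmServer = '192.168.10.47'   # SCCM server address from the post

# Step d) port exceptions, plus TCP 3389 from section e) and the WMI
# dynamic range from section a). A range is a single rule here, where
# the GPO "Define inbound port exceptions" setting needs one entry per port.
$PortRules = @(
    @{ Name = 'SCCM-TCP135';             Protocol = 'TCP'; LocalPort = '135' }
    @{ Name = 'SCCM-Port80';             Protocol = 'TCP'; LocalPort = '80' }
    @{ Name = 'SCCM-Port443';            Protocol = 'TCP'; LocalPort = '443' }
    @{ Name = 'SCCM-NAPDHCP-67';         Protocol = 'UDP'; LocalPort = '67' }
    @{ Name = 'SCCM-NAPDHCP-68';         Protocol = 'UDP'; LocalPort = '68' }
    @{ Name = 'SCCM-RemoteControl-2701'; Protocol = 'TCP'; LocalPort = '2701' }
    @{ Name = 'SCCM-RemoteControl-2702'; Protocol = 'TCP'; LocalPort = '2702' }
    @{ Name = 'SCCM-RemoteDesktop';      Protocol = 'TCP'; LocalPort = '3389' }
    @{ Name = 'SCCM-WMI-Dynamic-TCP';    Protocol = 'TCP'; LocalPort = '1024-5000' }
    @{ Name = 'SCCM-WMI-Dynamic-UDP';    Protocol = 'UDP'; LocalPort = '1024-5000' }
)

# Step g) program exceptions. The post scopes these to '*'; this example
# restricts them to the SCCM server like the port rules (an assumption).
$ProgramRules = @(
    @{ Name = 'SCCM-sessmgr'; Program = "$env:SystemRoot\system32\sessmgr.exe" }
    @{ Name = 'SCCM-helpsvc'; Program = "$env:SystemRoot\PCHEALTH\HELPCTR\Binaries\helpsvc.exe" }
)

function Add-ScopedRule {
    # Creates one inbound allow rule in the Domain profile, limited to the
    # SCCM server, unless a rule with that display name already exists
    # (so the script can be re-run safely).
    param([hashtable]$Spec)
    if (Get-NetFirewallRule -DisplayName $Spec.Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$($Spec.Name)' already present, skipping"
        return
    }
    $common = @{
        DisplayName   = $Spec.Name
        Direction     = 'Inbound'
        Action        = 'Allow'
        Profile       = 'Domain'
        RemoteAddress = $SccmServer
    }
    if ($Spec.ContainsKey('Program')) {
        New-NetFirewallRule @common -Program $Spec.Program | Out-Null
    } else {
        New-NetFirewallRule @common -Protocol $Spec.Protocol -LocalPort $Spec.LocalPort | Out-Null
    }
}

foreach ($r in $PortRules + $ProgramRules) { Add-ScopedRule -Spec $r }

# Show what was created, with its address scope, for a quick visual check.
Get-NetFirewallRule -DisplayName 'SCCM-*' |
    ForEach-Object {
        $a = $_ | Get-NetFirewallAddressFilter
        '{0,-28} remote={1}' -f $_.DisplayName, (@($a.RemoteAddress) -join ',')
    }
```

The point of the scope is the same one the post makes with the 192.168.10.47 entries: every exception is answered only from the SCCM server, and the range rule avoids the thousands of unscoped per-port rules the netsh loop in the note would produce.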
The above configuration was tested on workstations running Windows Vista and Windows XP.
As I've mentioned previously, you need to install BITS version 2.5 on Windows XP and Windows Server 2003.
Stay tuned for Part 110: Verifying SCCM client installation.
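As an added example, not part of the original post, a quick audit a defender can run on a client with the NetSecurity cmdlets (Windows 8 / Server 2012 and later) to list every enabled inbound allow rule that covers one of the ports above and flag the ones open to any remote address rather than only the SCCM server. $SccmServer, $ExpectedPorts and the Test-PortInEntry helper are this example's own names; the port list and server address are taken from the post.

```powershell
# Added example, not part of the original post. Audits a client's enabled
# inbound allow rules and flags any that expose one of the post's SCCM ports
# to every remote address instead of only the SCCM server.
# Requires the NetSecurity cmdlets (Windows 8 / Server 2012 and later).

$SccmServer = '192.168.10.47'             # from the post
$ExpectedPorts = @{                       # ports from the post, by protocol
    TCP = @(80, 135, 443, 2701, 2702, 3389)
    UDP = @(67, 68)
}

function Test-PortInEntry {
    # $true when $Port is covered by a LocalPort entry such as '135',
    # '1024-5000' or 'Any'. Keyword entries like 'RPC' are treated as no match.
    param([int]$Port, [string]$Entry)
    if ($Entry -eq 'Any') { return $true }
    if ($Entry -match '^(\d+)-(\d+)$') {
        return ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2])
    }
    return ($Entry -eq [string]$Port)
}

$Findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf = $rule | Get-NetFirewallPortFilter
    $proto = [string]$pf.Protocol
    if (-not $ExpectedPorts.ContainsKey($proto)) { continue }
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress) -join ','
    foreach ($entry in @($pf.LocalPort)) {
        $hit = @($ExpectedPorts[$proto] | Where-Object { Test-PortInEntry -Port $_ -Entry $entry })
        if ($hit.Count -eq 0) { continue }
        [pscustomobject]@{
            Rule         = $rule.DisplayName
            Protocol     = $proto
            LocalPort    = $entry
            RemoteAddr   = $remote
            SccmPorts    = $hit -join ','
            # A single host may be stored as '192.168.10.47' or '192.168.10.47/32'.
            ScopedToSccm = $remote -like "$SccmServer*"
        }
    }
}

$Findings | Format-Table -AutoSize
$open = @($Findings | Where-Object { -not $_.ScopedToSccm })
'{0} rule(s) expose SCCM ports beyond {1}' -f $open.Count, $SccmServer
```

A rule whose LocalPort is '1024-5000' or 'Any' will show up once per expected port it covers, which is the quickest way to spot a broad range rule that was never scoped to the SCCM server.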