Firewall Settings for Configuration Manager Clients

Client Push Installation

In order to successfully use client push to install the Configuration Manager 2007 client, you must add the following as exceptions to the Windows Firewall:

• File and Printer Sharing
• Windows Management Instrumentation (WMI)

Client Requests

In order for client computers to communicate with Configuration Manager 2007 site systems, you must add the following as exceptions to the Windows Firewall:

TCP Port 80 (for HTTP communication)

TCP Port 443 (for HTTPS communication)

Network Access Protection

In order for client computers to successfully communicate with the system health validator point, you need to allow the following ports:

• UDP 67 and UDP 68 for DHCP
• TCP 80/443 for IPSec

Remote Control

In order to use the remote tools features of Configuration Manager 2007, you need to allow the following ports:

• TCP port 2701
• TCP port 2702

Remote Assistance and Remote Desktop

To enable Remote Assistance to be initiated from the SMS Administrator console, add both the custom program helpsvc.exe and the custom port TCP 135 to the list of permitted programs and services in Windows Firewall on the client computer. Also, Windows Firewall must be configured to permit Remote Assistance and Remote Desktop. If a user initiates a request for Remote Assistance from that computer, Windows Firewall will automatically be configured to permit Remote Assistance and Remote Desktop.

Windows Event Viewer, Windows Performance Monitor and Windows Diagnostics

To enable Windows event viewer, Windows performance monitor and Windows diagnostics to be accessed from the Configuration Manager console, you must enable File and Printer Sharing as an exception on the Windows Firewall.