![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 4%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EL%3C/text%3E%3C/svg%3E)
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
82 questions
Do I only need to give site server access to database only?
That depends on which roles are hosted on any additional site systems. The primary site server itself definitely needs access.
Do I need give All SCCM servers (e.g. DP, MP) to database
No. As noted, it's about roles. If you review the port documentation (at https://learn.microsoft.com/en-us/mem/configmgr/core/plan-design/hierarchy/ports), it lists all roles that need access to site's DB:
- Datawarehouse service point
- Endpoint Protection point
- Management point
- Reporting Service point
- SMS Provider
- State migration point
Note that there are two additional roles that require access, but they are for deprecated functionality (AI Sync point and Enrollment point). Also note that your SUP instances require access to the WSUS DB whever that may sit as this may be separate from the site's DB.
Do client also need access to database?
No.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(137.6, 9%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAS%3C/text%3E%3C/svg%3E)