แก้ไข

แชร์ผ่าน


Internet access requirements

Some Configuration Manager features rely on internet connectivity for full functionality. If your organization restricts network communication with the internet using a firewall or proxy device, make sure to allow these endpoints.

Configuration Manager uses the following Microsoft URL forwarding services throughout the product:

  • https://aka.ms
  • https://go.microsoft.com

Even if they're not explicitly listed in the sections below, you should always allow these endpoints.

Service connection point

For more information, see About the service connection point.

These configurations apply to the server that hosts the service connection point and any firewalls between that server and the internet. Allow communication through outgoing HTTPS port TCP 443 to the internet locations.

The service connection point supports using a web proxy with or without authentication to use these locations. For more information, see Proxy server support.

If the Configuration Manager site fails to connect to required endpoints for a cloud service, it raises a critical status message ID 11488. When it can't connect to the service, the SMS_SERVICE_CONNECTOR component status changes to critical. View detailed status in the Component Status node of the Configuration Manager console.

Starting in version 2010, the service connection point validates important internet endpoints for tenant attach. These checks help make sure that the cloud-connected services are available. It also helps you troubleshoot issues by quickly determining if network connectivity is a problem. For more information, see Validate internet access.

The specific URLs required by the service connection point vary by Configuration Manager feature:

Tip

The service connection point uses the Microsoft Intune service when it connects to go.microsoft.com or manage.microsoft.com. There's a known issue in which the Intune connector experiences connectivity issues if the Baltimore CyberTrust Root Certificate isn't installed, is expired, or is corrupted on the service connection point. For more information, see Service connection point doesn't download updates.

Updates and servicing

For more information, see Updates and servicing.

Tip

Enable these endpoints for the management insight rule, Connect the site to the Microsoft cloud for Configuration Manager updates.

  • *.akamaiedge.net

  • *.akamaitechnologies.com

  • *.manage.microsoft.com

  • go.microsoft.com

  • download.microsoft.com

  • download.windowsupdate.com

  • download.visualstudio.microsoft.com

  • sccmconnected-a01.cloudapp.net

  • definitionupdates.microsoft.com

  • configmgrbits.azureedge.net

    Important

    This Azure endpoint only supports TLS 1.2 with specific cipher suites. Make sure your environment supports these Azure configurations. For more information, see Azure Front Door: TLS configuration FAQ.

  • cmbitsstore.blob.core.windows.net

  • ceuswatcab01.blob.core.windows.net

  • ceuswatcab02.blob.core.windows.net

  • eaus2watcab01.blob.core.windows.net

  • eaus2watcab02.blob.core.windows.net

  • weus2watcab01.blob.core.windows.net

  • weus2watcab02.blob.core.windows.net

  • cmbitsstore.blob.core.windows.net

  • umwatsonc.events.data.microsoft.com

  • *-umwatsonc.events.data.microsoft.com

Windows servicing

For more information, see Manage Windows as a service.

  • download.microsoft.com

  • https://go.microsoft.com/fwlink/?LinkID=619849

  • dl.delivery.mp.microsoft.com

Azure services

For more information, see Configure Azure services for use with Configuration Manager.

  • management.azure.com (Azure public cloud)
  • management.usgovcloudapi.net (Azure US Government cloud)

Co-management

If you enroll Windows devices to Microsoft Intune for co-management, make sure those devices can access the endpoints required by Intune. For more information, see Network endpoints for Microsoft Intune.

Microsoft Store for Business

If you integrate Configuration Manager with the Microsoft Store for Business, make sure the service connection point and targeted devices can access the cloud service. For more information, see Microsoft Store for Business proxy configuration.

Delivery optimization

If you use delivery optimization, clients need to communicate with its cloud service: *.do.dsp.mp.microsoft.com

Distribution points that support Microsoft Connected Cache also require these endpoints.

For more information, see the following articles:

Cloud services

For more information on the cloud management gateway (CMG), see Plan for CMG.

This section covers the following features:

  • Cloud management gateway (CMG)

  • Microsoft Entra integration

  • Microsoft Entra ID-based discovery

  • Cloud distribution point (CDP)

    Note

    The cloud-based distribution point (CDP) is deprecated. Starting in version 2107, you can't create new CDP instances. To provide content to internet-based devices, enable the CMG to distribute content.

The following sections list the endpoints by role. Some endpoints refer to a service by <prefix>, which is the prefix name of the CMG. For example, if your CMG is GraniteFalls.WestUS.CloudApp.Azure.Com, then the actual storage endpoint is GraniteFalls.blob.core.windows.net.

Tip

To clarify some terminology:

  • CMG service name: The common name (CN) of the CMG server authentication certificate. Clients and the CMG connection point site system role communicate with this service name. For example, GraniteFalls.contoso.com or GraniteFalls.WestUS.CloudApp.Azure.Com.

  • CMG deployment name: The first part of the service name plus the Azure location for the cloud service deployment. The cloud service manager component of the service connection point uses this name when it deploys the CMG in Azure. The deployment name is always in an Azure domain. The Azure location depends upon the deployment method, for example:

    • Virtual machine scale set: GraniteFalls.WestUS.CloudApp.Azure.Com
    • Classic deployment: GraniteFalls.CloudApp.Net

This article uses examples with a virtual machine scale set as the recommended deployment method in version 2107 and later. If you use a classic deployment, note the difference as you read this article and configure internet access.

Service connection point for cloud services

For Configuration Manager to deploy the CMG service in Azure, the service connection point needs access to:

  • Specific Azure endpoints, which are different per environment depending upon the configuration. Configuration Manager stores these endpoints in the site database. Query the AzureEnvironments table in SQL Server for the list of Azure endpoints.

  • Azure services:

    • management.azure.com (Azure public cloud)
    • management.usgovcloudapi.net (Azure US Government cloud)
  • For Microsoft Entra user discovery: Microsoft Graph endpoint https://graph.microsoft.com/

CMG connection point for cloud services

The CMG connection point needs access to the following endpoints:

Type Azure public cloud Azure US Government cloud
Service name <prefix>.<region>.cloudapp.azure.com <prefix>.usgovcloudapp.net
Storage endpoint 1 <prefix>.blob.core.windows.net <prefix>.blob.core.usgovcloudapi.net
Storage endpoint 2 <prefix>.table.core.windows.net <prefix>.table.core.usgovcloudapi.net
Key vault <prefix>.vault.azure.net <prefix>.vault.usgovcloudapi.net

The CMG connection point site system supports using a web proxy. For more information on configuring this role for a proxy, see Proxy server support.

The CMG connection point only needs to connect to the CMG service endpoints. It doesn't need access to other Azure endpoints.

Configuration Manager client for cloud services

Any Configuration Manager client that needs to communicate with a CMG needs access to the following endpoints:

Type Azure public cloud Azure US Government cloud
Deployment name <prefix>.<region>.cloudapp.azure.com <prefix>.usgovcloudapp.net
Storage endpoint <prefix>.blob.core.windows.net <prefix>.blob.core.usgovcloudapi.net
Microsoft Entra endpoint login.microsoftonline.com login.microsoftonline.us

Configuration Manager console for cloud services

Any device with the Configuration Manager console needs access to the following endpoints:

Type Azure public cloud Azure US Government cloud
Microsoft Entra endpoints login.microsoftonline.com
aadcdn.msauth.net
aadcdn.msftauth.net
login.microsoftonline.us

Software updates

Allow the active software update point to access the following endpoints so that WSUS and Automatic Updates can communicate with the Microsoft Update cloud service:

  • http://windowsupdate.microsoft.com

  • http://*.windowsupdate.microsoft.com

  • https://*.windowsupdate.microsoft.com

  • http://*.update.microsoft.com

  • https://*.update.microsoft.com

  • http://*.windowsupdate.com

  • http://download.windowsupdate.com

  • http://download.microsoft.com

  • http://*.download.windowsupdate.com

  • http://ntservicepack.microsoft.com

For more information on software updates, see Plan for software updates.

Intranet firewall

You might need to add endpoints to a firewall that's between two site systems in the following cases:

  • If child sites have a software update point
  • If there's a remote active internet-based software update point at a site

Software update point on the child site

  • http://<FQDN for software update point on child site>

  • https://<FQDN for software update point on child site>

  • http://<FQDN for software update point on parent site>

  • https://<FQDN for software update point on parent site>

Manage Microsoft 365 Apps

Note

Starting on April 21, 2020, Office 365 ProPlus is being renamed to Microsoft 365 Apps for enterprise. For more information, see Name change for Office 365 ProPlus. You may still see references to the old name in the Configuration Manager console and supporting documentation while the console is being updated.

If you use Configuration Manager to deploy and update Microsoft 365 Apps for enterprise, allow the following endpoints:

  • officecdn.microsoft.com to synchronize the software update point for Microsoft 365 Apps for enterprise client updates

  • config.office.com to create custom configurations for Microsoft 365 Apps for enterprise deployments

  • https://clients.config.office.net and https://go.microsoft.com/fwlink/?linkid=2190568 to support deploying updates for Microsoft 365 Apps for enterprise

  • contentstorage.osi.office.net to support the evaluation of Office add-in readiness

Your top-level site server needs access to the following endpoint to download the Microsoft Apps 365 readiness file:

  • Starting March 2, 2021: https://omex.cdn.office.net/mirrored/sccmreadiness/SOT_SCCM_AddinReadiness.CAB
    • Location prior to March 2, 2021: https://contentstorage.osi.office.net/sccmreadinessppe/sot_sccm_addinreadiness.cab

Note

The location of this file is changing March 2, 2021 . For more information, see Download location change for Microsoft 365 Apps readiness file.

Configuration Manager console

Computers with the Configuration Manager console require access to the following internet endpoints for specific features:

Note

For push notifications from Microsoft to show in the console, the service connection point needs access to configmgrbits.azureedge.net. It also needs access to this endpoint for updates and servicing, so you may have already allowed it.

In-console feedback

On the computer where you run the console, allow it to access the following internet endpoints to send diagnostic data to Microsoft:

  • petrol.office.microsoft.com

  • ceuswatcab01.blob.core.windows.net

  • ceuswatcab02.blob.core.windows.net

  • eaus2watcab01.blob.core.windows.net

  • eaus2watcab02.blob.core.windows.net

  • weus2watcab01.blob.core.windows.net

  • weus2watcab02.blob.core.windows.net

  • umwatsonc.events.data.microsoft.com

  • *-umwatsonc.events.data.microsoft.com

For more information on this feature, see Product feedback.

Community workspace

Documentation node

For more information on this console node, see Using the Configuration Manager console.

  • https://aka.ms

  • https://raw.githubusercontent.com

Community hub

For more information on this feature, see Community hub.

  • https://github.com

  • https://communityhub.microsoft.com

Tenant attach

For more information, see Enable tenant attach.

  • https://aka.ms/configmgrgateway

  • https://*.manage.microsoft.com for Azure public cloud customers

  • https://*.manage.microsoft.us for US Government cloud customers on version 2107 or later

  • https://dc.services.visualstudio.com

The service connection point makes a long standing outgoing connection to the notification service hosted on https://*.manage.microsoft.com. Verify the proxy used for the service connection point doesn't time out outgoing connections too quickly. We recommend 3 minutes for outgoing connections to this internet endpoint.

If your environment has proxy rules to allow only specific certificate revocation lists (CRLs) or online certificate status protocol (OCSP) verification locations, also allow the following CRL and OCSP URLs:

  • http://crl3.digicert.com
  • http://crl4.digicert.com
  • http://ocsp.digicert.com
  • http://www.d-trust.net
  • http://root-c3-ca2-2009.ocsp.d-trust.net
  • http://crl.microsoft.com
  • http://oneocsp.microsoft.com
  • http://ocsp.msocsp.com
  • http://www.microsoft.com/pkiops

Endpoint analytics

For more information, see Endpoint analytics proxy configuration.

Endpoints required for Configuration Manager-managed devices

Configuration Manager-managed devices send data to Intune via the connector on the Configuration Manager role and they don't need directly access to the Microsoft public cloud.

Endpoint Function
https://graph.windows.net Used to automatically retrieve settings when attaching your hierarchy to Endpoint analytics on Configuration Manager server role. For more information, see Configure the proxy for a site system server.
https://*.manage.microsoft.com Used to synch device collection and devices with Endpoint analytics on Configuration Manager server role only. For more information, see Configure the proxy for a site system server.

Endpoints required for Intune-managed devices

To enroll devices to Endpoint analytics, they need to send required functional data to Microsoft public cloud. Endpoint Analytics uses the Windows client and Windows Server Connected User Experiences and Telemetry component (DiagTrack) to collect the data from Intune-managed devices. Make sure that the Connected User Experiences and Telemetry service on the device is running.

Endpoint Function
https://*.events.data.microsoft.com Used by Intune-managed devices to send required functional data to the Intune data collection endpoint.

Asset intelligence

If you use asset intelligence, allow the following endpoints for the service to synchronize:

  • https://sc.microsoft.com
  • https://ssu2.manage.microsoft.com

Deploy Microsoft Edge

The device running the Configuration Manager console needs access to the following endpoints for deploying Microsoft Edge:

Location Use
https://aka.ms/cmedgeapi Information about releases of Microsoft Edge
https://edgeupdates.microsoft.com/api/products?view=enterprise Information about releases of Microsoft Edge
http://dl.delivery.mp.microsoft.com Content for Microsoft Edge releases

External notifications

For more information, see External notifications.

The service connection point needs to communicate with the notification service, for example Azure Logic Apps. The access endpoint for the logic app typically has the following format: https://*.<RegionName>.logic.azure.com:443. For example: https://prod1.westus2.logic.azure.com:443

To get the access endpoint for the logic app, as well as the associated IP addresses, use the following process:

  1. In the Azure portal, under Logic Apps, select the logic app for your notification. For more information, see Manage logic apps in the Azure portal.
  2. In the app's menu, in the Settings section, select Properties.
  3. View or copy the values for the Access endpoint and the Access endpoint IP addresses.

Microsoft public IP addresses

For more information on the Microsoft IP address ranges, see Microsoft Public IP Space. These addresses update regularly. There's no granularity by service, any IP address in these ranges could be used.

Next steps