

Determine the Ports Required for Internet-Based Client Management

Configuring Configuration Manager 2007 for Internet-based client management often requires some network configuration to support the additional traffic from the Internet. Typically, this requires reconfiguration of firewalls between the Internet and your perimeter network (a perimeter network is also known as a screened subnet or a DMZ), and also between the perimeter network and your intranet. It might also include configuration of Web proxy servers between security boundaries.

Note

Firewalls placed between the Internet and perimeter networks are often referred to as "front-end firewalls," and firewalls placed between the perimeter network and the intranet are often referred to as "back-end firewalls."

Use the network diagrams that correspond to your chosen supported scenario for Internet-based client management to identify the protocols that cross security boundaries and will therefore need to be configured on firewalls. For a list of the supported scenarios, see Supported Scenarios for Internet-Based Client Management.

Additionally, make sure that any intervening firewalls support HTTP 1.1, and that they do not block traffic required by Configuration Manager 2007 Internet-based client management. For the external dependency for intervening firewalls or proxy servers, see Prerequisites for Internet-Based Client Management.

The list of possible protocols used in Internet-based client management scenarios is as follows:

  • RPC

  • SMB

  • Microsoft SQL Server

  • HTTP

  • HTTPS

Remote procedure call (RPC) is needed for site system installation, and for installing packages onto distribution points. These connections typically use UDP and TCP port 135 and a dynamic TCP port range.

Server message block (SMB) is needed for site system installation and repair, and for sending site system status. These connections typically use TCP port 445.

SQL Server connections typically use port TCP 1433.

Clients on the Internet will use HTTP to connect to their Internet-based fallback status point. Clients on the Internet will use HTTPS to connect to their Internet-based management point, Internet-based distribution points, and Internet-based software update point. Software update points can synchronize to another software update point using HTTPS. If your firewalls require the port numbers for HTTP and HTTPS protocols, by default they are TCP 80 and TCP 443, respectively. However, you can change these port numbers for HTTP and HTTPS traffic in Configuration Manager 2007, and this offers some additional security if you are using Internet-based client management.

Use the following procedure to identify the port numbers configured for HTTP and HTTPS connections, so that you can configure this port information on firewalls that protect your networks from the Internet.

Important

Do not change the port numbers in Configuration Manager 2007 without understanding the consequences. For example, changing the port numbers for the client request services without following the correct procedure might result in all the clients in the site being unable to connect to their management point and, as such, unmanaged.

Procedures

To view the port numbers for client requests that use HTTP and HTTPS connections

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management.

  2. Right-click <site code> – <site name>, and then click Properties.

  3. On the Ports tab in the site properties dialog box, view the Active Ports section.

  4. Locate the two services Client Requests-HTTP (TCP). Identify the configured port number if the service is selected to be used by the site. If both services are selected, you might need to configure firewalls for both port numbers if some clients are still using the default port number.

  5. Locate the service Client Requests-HTTPS (TCP). Identify the configured port number if the service is selected to be used by the site. If both services are selected, you might need to configure firewalls for both port numbers if some clients are still using the default port number.

  6. Click OK.

To view the port number for software update points that use HTTPS connections (client requests and synchronization to another software update point)

  1. In the Configuration Manager console, navigate to System Center Configuration Manager / Site Database / Site Management / <site code> – <site name> / Site Settings / Component Configuration.

  2. Right-click Software Update Point Component, and then click Properties.

  3. On the Internet-Based tab, locate the section Specify the port settings used by this WSUS server and then identify the configured port number for SSL port number.

  4. Click OK.
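Once the port numbers are known, the front-end firewall's inbound rules can be compared against them. The following Python check is an added example, not part of the original documentation: the rule tuples, the custom port 8443 and the software update point port 8531 are constructed values, and the code assumes that only the HTTP and HTTPS ports identified above should be reachable from the Internet.

```python
# Added example: audit a front-end firewall's inbound allow list against the
# ports read from the Ports tab and the software update point properties.
# Every rule and port value below is constructed for illustration.

# Assumption: Internet clients use only HTTP/HTTPS, so the server-to-server
# protocols the page lists should not be allowed in from the Internet.
# (The dynamic TCP range that RPC also uses is not modelled here.)
BACKEND_ONLY = {("tcp", 135): "RPC", ("udp", 135): "RPC",
                ("tcp", 445): "SMB", ("tcp", 1433): "SQL Server"}


def required_front_end(http_ports, https_ports, sup_ssl_port):
    """Map each (protocol, port) Internet clients need to its service name."""
    need = {("tcp", p): "Client Requests-HTTP (TCP)" for p in http_ports}
    for p in https_ports:
        need.setdefault(("tcp", p), "Client Requests-HTTPS (TCP)")
    need.setdefault(("tcp", sup_ssl_port), "Software update point SSL port")
    return need


def audit(rules, need):
    """rules: (protocol, port, action) tuples for traffic from the Internet."""
    allowed = {(proto, port) for proto, port, action in rules
               if action == "allow"}
    findings = [("MISSING", k, need[k]) for k in sorted(set(need) - allowed)]
    findings += [("EXPOSED", k, BACKEND_ONLY[k])
                 for k in sorted(allowed & set(BACKEND_ONLY))]
    findings += [("UNEXPECTED", k, "not a port this site uses")
                 for k in sorted(allowed - set(need) - set(BACKEND_ONLY))]
    return findings


# Constructed site: HTTP on the default port, HTTPS on the default and a
# custom port (both services selected), software update point SSL on 8531.
SITE_NEED = required_front_end([80], [443, 8443], 8531)

# Constructed front-end firewall rules, as exported to tuples.
SAMPLE_RULES = [("tcp", 80, "allow"), ("tcp", 443, "allow"),
                ("tcp", 445, "allow"), ("tcp", 1433, "deny"),
                ("tcp", 8531, "allow")]

if __name__ == "__main__":
    for severity, (proto, port), detail in audit(SAMPLE_RULES, SITE_NEED):
        print(f"{severity:<10} {proto.upper()} {port:<5} {detail}")
```

With the sample data, the check reports the custom HTTPS port as missing from the firewall and SMB as exposed to the Internet.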

See Also

Tasks

How to Configure Request Ports for the Configuration Manager Client

Concepts

Supported Scenarios for Internet-Based Client Management
Ports Used by Configuration Manager
Implementing IPsec in Configuration Manager 2007