System Center Configuration Manager 2007 : Configuration Manager Network Communications (part 2) - Client-to-Server Communications

9/25/2012 9:02:14 PM

Client-to-Server Communications

Configuration Manager is designed to use Internet standard protocols for most client communications. In addition, most of the client communication ports are configurable. Configuration Manager supports both mixed and native mode sites. In mixed mode sites, most client communications are over HTTP, whereas native mode sites use HTTPS. 

Customizing Client Communications

Data sent across the network using the TCP or UDP protocol is transmitted in discrete units of data called packets. Each packet includes the following:

  • A body that contains the actual data

  • A header with addressing and other control information

The header includes the IP addresses of the source and destination machines as well as the port numbers of the source and destination services or applications. A port number is a number from 1 to 65535 used to identify the application. An application or service “listens” on a specific port if it has registered with the operating system to receive packets addressed to that port. Like many services, Configuration Manager services have standard ports on which they listen by default.

Table 1 lists the communications protocols and ports used by various applications and services. You can also find information regarding the communication protocols and ports used by ConfigMgr at http://technet.microsoft.com/en-us/library/bb632618.aspx.

Table 1. Communication Paths and Ports
From ComponentDirectionTo ComponentDescriptionUDP PortTCP Port
Site server<->Site serverSMB445
Site server<->Site serverPoint-to-Point Tunneling Protocol (PPTP)1723[1]
Primary site server->Domain controllerLightweight Directory Access Protocol (LDAP)389
Primary site server->Domain controllerLDAP (Secure Sockets Layer [SSL] connection)636636
Primary site server->Domain controllerGlobal Catalog LDAP3268
Primary site server->Domain controllerGlobal Catalog LDAP SSL3269
Primary site server->Domain controllerRPC Endpoint Mapper135135
Primary site server->Domain controllerRPCDYNAMIC
Primary site server->Domain controllerKerberos88
Site server<->[2]Software update pointSMB445
Site server<->[2]Software update pointHTTP80 or 8530[3]
Site server<->[2]Software update pointHTTPS443 or 8531[3]
Software update point->InternetHTTP80[3]
Site server<->[2]State migration pointSMB445
Site server<->[2]State migration pointRPC Endpoint Mapper135135
Site server->ClientClient Push Installation135
Client->Software update pointHTTP80 or 8530[3]
Client->Software update pointHTTPS443 or 8531[3]
Client->State migration pointHTTP80[5]
Client->State migration pointHTTPS443[5]
Client->State migration pointSMB445
Client->PXE service pointDynamic Host Configuration Protocol (DHCP)67, 68
Client->PXE service pointTrivial File Transfer Protocol (TFTP)69[6]
Client->PXE service pointBoot Information Negotiation Layer (BINL)4011
Site server<->[2]PXE service pointSMB445
Site server<->[2]PXE service pointRPC Endpoint Mapper135135
Site server<->[2]PXE service pointRPCDYNAMIC
Site server<->[2]System Health ValidatorSMB445
Site server<->[2]System Health ValidatorRPC Endpoint Mapper135135
Site server<->[2]System Health ValidatorRPCDYNAMIC
Client->[7]System Heath ValidatorDHCP67, 68
Client->[7]System Heath ValidatorIPSec50080, 443
Site server<->[2]Fallback status pointSMB445
Site server<->[2]Fallback status pointRPC Endpoint Mapper135135
Site server<->[2]Fallback status pointRPCDYNAMIC
Client->Fallback status pointHTTP80[5]
Site server->Distribution pointSMB445
Site server->Distribution pointRPC Endpoint Mapper135135
Site server->Distribution pointRPCDYNAMIC
Client->Distribution pointHTTP80[5]
Client->Distribution pointHTTPS443[5]
Client->Distribution pointSMB445
Client->Distribution pointMulticast Protocol63000-64000
Client->Branch distribution pointSMB445
Client->Management pointHTTP80[5]
Client->Management pointHTTPS443[5]
Client->Server locator pointHTTP80[5]
Branch distribution point->Distribution pointHTTPS443[5]
Branch distribution point->Distribution pointHTTP80[5]
Site server->ProviderSMB445
Site server->ProviderRPC Endpoint Mapper135135
Site server->ProviderRPCDYNAMIC
Server locator point->SQL ServerSQL over TCP1434 (for named instances only)1433 for default instance; DYNAMIC for named instances
Management point->SQL ServerSQL over TCP1434 (for named instances only)1433 for default instance; DYNAMIC for named instances
Provider->SQL ServerSQL over TCP1434 (for named instances only)1433 for default instance; DYNAMIC for named instances
Reporting point->Reporting Services point, SQL ServerSQL over TCP1434 (for named instances only)1433 for default instance; DYNAMIC for named instances
Configuration Manager console->Reporting pointHTTP80[5]
Configuration Manager console->Reporting pointHTTPS443[5]
Configuration Manager console->ProviderRPC Endpoint Mapper135135
Configuration Manager console->ProviderRPCDYNAMIC
Configuration Manager console->InternetHTTP80
Primary site server->SQL ServerSQL over TCP1434 (for named instances only)1433 for default instance; DYNAMIC for named instances
Management point->Domain controllerLDAP389
Management point->Domain controllerLDAP SSL connection636636
Management point->Domain controllerGlobal Catalog LDAP3268
Management point->Domain controllerGlobal Catalog LDAP SSL3269
Management point->Domain controllerRPC Endpoint Mapper135135
Management point->Domain controllerRPCDYNAMIC
Management point->Domain controllerKerberos88
Site server->Reporting point, Reporting Services pointSMB445
Site server->Reporting point, Reporting Services pointRPC Endpoint Mapper135135
Site server->Reporting point, Reporting Services pointRPCDYNAMIC
Site server<->[2]Server locator pointSMB445
Site server<->[2]Server locator pointRPC Endpoint Mapper135135
Site server<->[2]Server locator pointRPCDYNAMIC
Configuration Manager console->Site serverRPC (initial connection to WMI to locate provider system)135
Software update point->Windows Software Update Services (WSUS) synchronization serverHTTP80 or 8530[3]
Software update point->WSUS synchronization serverHTTPS443 or 8531[3]
Configuration Manager Console->ClientRemote Control (control)27012701
Configuration Manager console->ClientRemote Control (data)27022702
Configuration Manager console->ClientRemote Assistance RDP (Remote Desktop Protocol) and Real-Time Communications (RTC)3389
Configuration Manager console->ClientRPC Endpoint Mapper135
Management point<->[2]Site serverRPC Endpoint Mapper135
Management point<->[2]Site serverRPCDYNAMIC
Site server->ClientWake On LAN9[5]
PXE service point->SQL ServerSQL over TCP1434 (for named instances only)1433 for default instance; DYNAMIC for named instances
Site server<->Asset Intelligence synchronization pointSMB445
Site server<->Asset Intelligence synchronization pointRPC Endpoint Mapper135135
Site server<->Asset Intelligence synchronization pointRPCDYNAMIC
Asset Intelligence synchronization point<->System Center OnlineHTTPS443
Multicast distribution point->SQL ServerSQL over TCP1433 for default instance; DYNAMIC for named instances
Client status reporting host->ClientRPC Endpoint Mapper135135
Client status reporting host->ClientRPCDYNAMIC
Client status reporting host->ClientICMPV4 Type 8 (echo) or ICMPV6 Type 128 (echo request)n/an/a
Client status reporting host->Management pointNetBIOS Session Service139
Client status reporting host->Management pointSMB445
Client status reporting host->SQL ServerSQL over TCP1433 for default instance; DYNAMIC for named instances
Site server<->[2]Reporting Services pointSMB445
Site server<->[2]Reporting Services pointRPC Endpoint Mapper135135
Site server<->[2]Reporting Services pointRPCDYNAMIC
Configuration Manager console->Reporting Services pointHTTP80[5]
Configuration Manager console->Reporting Services pointHTTPS443[5]
Reporting Services point->SQL ServerSQL over TCP1433 for default instance; DYNAMIC for named instances
Site server<->Out of Band service pointSMB445
Site server<->Out of Band service pointRPC Endpoint Mapper135135
Site server<->Out of Band service pointRPCDYNAMIC
AMT management controller->Out of Band service pointProvisioning9971 (configurable)
Out of Band service point->AMT management controllerDiscovery16992
Out of Band service point->AMT management controllerPower control, provisioning, discovery16993
Out of Band management console->AMT management controllerGeneral management tasks16993
Out of Band management console->AMT management controllerSerial over LAN and IDE redirection16995

[1] ConfigMgr 2007 can use the RAS sender with PPTP to send and receive site, client, and administrative information through a firewall using PPTP TCP port 1723.

[2] Communication between a site server and site systems is bidirectional by default. The site server initiates communication to configure the site system, and then most site systems will connect back to the site server to return status information (although reporting points and distribution points do not send back status information). Selecting “Allow only site server initiated data transfers from this site system” on the site system properties page keeps the site system from initiating communication to the site server.

[3] You can install WSUS on the default website (port 80) or on a custom website (port 8530). You can change this port after installation. If the HTTP port is 80, the HTTPS port must be 443. If the HTTP port is something other than 80, then the HTTPS port must be 1 higher (for example 8530 and 8531).

[5] You can define an alternate port in ConfigMgr for this value. If you define a custom port, substitute that port when defining the IP filter information for your IPSec policies.

[6] The TFTP Daemon system service does not require a username or password and is an integral part of Windows Deployment Services (WDS). TFTP is designed to support diskless boot environments. The daemons listen on UDP port 69, but they respond from a dynamically allocated high port. Enabling this port allows the TFTP service to receive incoming requests but does not allow the server to respond to the requests. (Allowing a response requires configuring the TFTP server to respond from port 69.)

[7] The client requires the ports established with NAP, such as DHCP and IPSec. No port is required for 802.1x.

[4] You cannot configure the proxy server port, but you can route it through a configured proxy server.

In addition to standard ConfigMgr 2007 traffic, Network Access Protection (NAP) generates the traffic described in Table 2. If you use firewalls that block this traffic, you must reconfigure them for NAP to work with ConfigMgr 2007. You will also need to identify ports used by the client to communicate with the System Health Validator point (SHV). The NAP enforcement client you are using determines the ports for system health validation.

Table 2. TCP Ports Required by Firewalls to Support NAP
FunctionTCP PortDescription
Site server publishing health state reference to AD domain services389 (LDAP) or 636 (LDAPS)Writing to AD domain services
System Health Validator point querying AD for ConfigMgr health state reference3268 (Global Catalog lookup) or 3269 (secure Global Catalog lookup)Reading from a global catalog server
Installing System Health Validator point and ongoing configuration445, 135SMBs to install; RPCs for configuration
Status messages from System Health Validator point to site server445SMBs

Information online regarding ports for NAP in Configuration Manager 2007 is located at http://technet.microsoft.com/en-us/library/bb694170.aspx.

Reasons for Changing Ports

You may choose to use custom rather than standard ports for client-to-server communications for the following reasons:

  • Custom ports may be necessary for Configuration Manager to work with your network firewall policies.

  • You may also need to use a custom website for ConfigMgr instead of the default site on your Internet Information Services (IIS) servers. Although this is not a best practice, it may be necessary if ConfigMgr is sharing IIS servers with other applications that depend on the default site.

Specifying Ports

You may specify custom ports for client communications during either Configuration Manager setup or later using the ConfigMgr console:

  • During setup, you can specify a custom HTTP port for mixed mode sites or a custom HTTPS port for native mode sites in the Port Settings dialog box, displayed in Figure 4.

    Figure 4. Specifying an alternate TCP port for client-to-server communications during setup

    The port specified in Figure 4 is used for client-to-server communications by all site systems.

  • After setup, you can change your selection and add alternate ports on the Ports tab of the Site Properties sheet in the ConfigMgr console. Perform the following steps:

    Navigate to System Center Configuration Manager -> Site Database -> Site Management -> <Site Code> <Site Name>.

    Right-click the site name, choose Properties, and then select the Ports tab. As shown in Figure 5, you can specify both default ports and alternate ports for client communications.

    Figure 5. Specifying the TCP ports clients will use from the ConfigMgr console
    To enable a port, modify an enabled port or change the default port and then double-click the entry to bring up the Port Detail dialog box shown in Figure 6.

    Figure 6. The Port Detail dialog box

Tip: Specifying Different Ports

If you utilize custom ports or custom websites, you should use them consistently throughout your hierarchy. Using different ports or websites at different sites can cause problems as clients roam from one site to another.

Regardless of whether you change the default HTTP and HTTPS ports, it is always a good idea to specify alternate ports to increase the availability of these services.

Initial Communication

The initial communication between the client and the ConfigMgr hierarchy occurs during client installation. The sequence of network calls depends on the client installation method used.  For purposes of this discussion, there are two general types of client installation methods:

  • Server initiated (client push)

  • Client initiated (all other methods)

Client push installation includes a preinstallation phase in which the site server connects to the client to initiate installation:

  • In the client push installation method, the server makes an initial connection to the admin$ share on the prospective client computer using Windows file sharing protocols.

  • The server also establishes a WMI connection to the client using the Distributed Component Object Model (DCOM) through TCP port 135.

    DCOM is a Microsoft standard for communication between software components, either on a local computer or across a network. This approach differs from SMS 2003, which used a remote Registry connection rather than WMI.

  • The site server uses these connections to copy the required setup files to the client and then installs and starts the ccmsetup service. 

Once the preinstallation phase is complete, the installation proceeds in a manner similar to other installation methods.

Regardless of the client installation method used, the first network-related task for the new client is to locate and contact a management point (MP) for its assigned site. From this point onward, the MP will be the primary point of contact between the client and its site. Unless the client installation source files are staged locally, the setup process uses BITS to pull the files from the CCM_CLIENT website on the MP. Once the client is installed, it continues to communicate with the management point using HTTP or HTTPS, and generally uses BITS to download policy and component updates and to send client information, including inventory, metering data, state messages, and status messages, to the site.

Identifying the Client’s Assigned Site

There are three general ways for the client to determine the site it is assigned to as well as to locate the management point for that site:

  • Depending on the installation method used, the site code and management point may have been supplied as command-line arguments. The management point may be specified using an IP address, a Fully Qualified Domain Name (FQDN), or a simple name.

  • If the information is not provided via the command line, clients in the same Active Directory forest with the site server can generally retrieve this information by querying AD (assuming the schema is extended and the appropriate information is published in AD).

  • If the required information is not available in AD, the client must contact a server locator point for site and management point information:

    • The SLP may be specified in the command line.

    • If the SLP is not provided through the command line, it must be resolved through NetBIOS name resolution.

      • If you are using WINS server for NetBIOS name resolution, you must manually add the SLP entry to WINS following the procedure found at http://technet.microsoft.com/en-us/library/bb632567.aspx:

        Open a command prompt (Start -> Run, and then type cmd), type netsh, and then press Enter.

        Type wins and then press Enter.

        Type server and then press Enter.

        Type the appropriate command to add the name. Here’s an example:

        add name Name=SMS_SLP endchar=1A rectype=0 ip=<server locator point IP
      • If a WINS server is not available, you can supply the SLP information using an LMHosts file. The SLP information in LMHosts is as follows:

        <SLP IP address > "SMS_SLP        \0x1a" #PRE.

About HTTP Communications for Native Mode Clients

Server locator points support only HTTP communications; they do not support HTTPS. By default, intranet clients assigned to native mode sites require HTTPS for all web-based communications. If a native mode intranet client needs to contact an SLP, enable the option Allow HTTP communication for roaming and site assignment. This option can be enabled by supplying the /native:FALLBACK switch or the /native:CRLANDFALLBACK switch in the ccmsetup command line.

Enabling HTTP also allows the client to download content from mixed mode sites when roaming within the boundaries of the site. You can apply this option on a sitewide basis, allowing clients already assigned to the native mode site to use downloads from mixed mode sites. The Allow HTTP communication for roaming and site assignment option is located on the Site Mode tab of the Site Properties sheet, displayed in Figure 7. To access the property sheet, open the Configuration Manager console and navigate to System Center Configuration Manager -> Site Database -> Site Management -> <Site Code> <Site Name>, then right-click the site name and choose Properties and select the Site Mode tab.

Figure 7. Enabling native mode clients to use HTTP

If your installation requires server locator points for site assignment, enable HTTP for native mode clients. HTTP traffic is not encrypted and therefore less secure than HTTPS. If you are considering enabling HTTP for client roaming functionality, you will need to evaluate the tradeoff between security and network functionality.

Client Protocols

The Configuration Manager client uses the HTTP or HTTPS protocol exclusively to communicate with the management point and the software update point. These two roles are among the systems having the highest volume and frequency of communication with ConfigMgr clients. Clients communicate with the management point more frequently than with any of the other Configuration Manager site systems.

  • Client systems poll the management point regularly for policy updates. The default polling interval is every hour.

  • Clients send state, status, inventory, metering, and discovery data to the management point. State information is sent every 5 minutes by default. Inventory, metering, and heartbeat discovery data is sent every 7 days by default.

  • You can configure the schedules for clients to pull policy and send state, inventory, metering, and heartbeat discovery data . Choosing a simple schedule for inventory causes the network load to spread over time, because not all clients will send inventory at the same time. A custom schedule provides more control over the timing of inventory collection, but may have considerable impact when inventory runs.

  • Initial inventory on new clients is considerably larger than regular inventory updates, which only send a delta (only the files that have changed since the previous version) over the network.

The frequency and size of client downloads of software updates from the SUP depends on how you configure software updates and the client configuration. Many individual software updates are relatively small (a few megabytes or smaller). Some can be quite large, however, including service packs, which can be hundreds of megabytes or even larger.

Tip: More about Software Updates

Microsoft generally releases critical security updates for its products monthly on the second Tuesday of the month, known as “Patch Tuesday.” Typically, once you evaluate and approve the Patch Tuesday updates for your environment, you will make them available as a group for distribution to your clients.

Some new features of Configuration Manager 2007 decrease the network impact of software updates. The Software Updates agent uses selective download technology to download only the individual files that the client requires from a software updates package. In addition, supersedence information is provided to help administrators avoid deploying updates superseded by a newer update. Even with these enhancements, software updates can require significant network bandwidth. You will want to consider this requirement when planning your software updates strategy.

Clients use HTTP/HTTPS or the SMB protocol to pull data from distribution points and state migration points:

  • Clients downloading a package to their local cache from a BITS-enabled distribution point use BITS over HTTP or HTTPS.

  • Clients running the package directly from the distribution point use SMB.

  • Clients retrieving packages from branch distribution points use only the SMB protocol.

Depending on the size of the software package, downloads from distribution points can be quite large. Clients do not use either binary differential replication or delta replication; therefore, changes to a package the client has cached will trigger a full download to the client.

Clients use state migration points less frequently, generally during operating system upgrades or hardware replacement. The amount of traffic sent to and from the state migration point depends on the amount of user data to be preserved. 

The remaining site systems handle relatively little client traffic, but use a variety of protocols:

  • The PXE service point responds to PXE boot requests and initiates boot image downloads. The PXE boot process is an extension of the DHCP protocol. DHCP is widely used for assigning IP addresses and TCP/IP configurations.

  • If you enable Configuration Manager for NAP, clients will pass a statement of health (SoH) to the System Health Validator when making a new DHCP request or a new IPSec (Internet Protocol Security) connection to the network. Once connected, the client will periodically submit a new SoH to the System Health Validator. The default interval for system health to be reevaluated is 24 hours.

  • The fallback status point, like the server locator point, responds to client requests using HTTP communications only.

  • The site server connects to the client when Wake On LAN functionality is required for patch deployment or other activities. The default port for Wake On LAN is UDP port 9; however, you can configure this using the dialog box shown previously in Figure 5.6.

  • If administrators use the Configuration Manager Remote Tools, the machine on which the console is running contacts the client directly. Remote tools use the SMS/Configuration Manager Remote Control protocol (UDP and TCP ports 2701 and 2702) to connect to Windows 2000 computers, and RDP (which uses TCP port 3389) to connect to computers running Windows XP or later.

Most View
Microsoft SharePoint 2010 Web Applications : Presentation Layer Overview - Ribbon (part 1)
The Cyber-athletic Revolution – E-sports’ Era (Part 1)
Windows Server 2003 : Implementing Software Restriction Policies (part 4) - Implementing Software Restriction Policies - Creating a Path Rule, Designating File Types
Sql Server 2012 : Hierarchical Data and the Relational Database - Populating the Hierarchy (part 1)
Two Is Better Than One - WD My Cloud Mirror
Programming ASP.NET 3.5 : Data Source-Based Data Binding (part 3) - List Controls
Windows 8 : Configuring networking (part 5) - Managing network settings - Understanding the dual TCP/IP stack in Windows 8, Configuring name resolution
Nikon Coolpix A – An Appealing Camera For Sharp Images (Part 2)
Canon PowerShot SX240 HS - A Powerful Perfection
LG Intuition Review - Skirts The Line Between Smartphone And Tablet (Part 2)
Popular Tags
Microsoft Access Microsoft Excel Microsoft OneNote Microsoft PowerPoint Microsoft Project Microsoft Visio Microsoft Word Active Directory Biztalk Exchange Server Microsoft LynC Server Microsoft Dynamic Sharepoint Sql Server Windows Server 2008 Windows Server 2012 Windows 7 Windows 8 Adobe Indesign Adobe Flash Professional Dreamweaver Adobe Illustrator Adobe After Effects Adobe Photoshop Adobe Fireworks Adobe Flash Catalyst Corel Painter X CorelDRAW X5 CorelDraw 10 QuarkXPress 8 windows Phone 7 windows Phone 8 BlackBerry Android Ipad Iphone iOS
Top 10
Review : Acer Aspire R13
Review : Microsoft Lumia 535
Review : Olympus OM-D E-M5 Mark II
TomTom Runner + MultiSport Cardio
Timex Ironman Run Trainer 2.0
Suunto Ambit3 Peak Sapphire HR
Polar M400
Garmin Forerunner 920XT
Sharepoint 2013 : Content Model and Managed Metadata - Publishing, Un-publishing, and Republishing
Sharepoint 2013 : Content Model and Managed Metadata - Content Type Hubs