Client-to-Server Communications
Configuration Manager is designed to use Internet standard protocols for most client communications, and most of the client communication ports are configurable. Configuration Manager supports both mixed mode and native mode sites. In mixed mode sites, most client communications are over HTTP, whereas native mode sites use HTTPS backed by PKI certificates.
Customizing Client Communications
Data sent across the network using the TCP or UDP protocol is transmitted in discrete units called packets. Each packet carries a header and a payload. The header includes the IP addresses of the source and destination machines as well as the port numbers of the source and destination services or applications. A port number is a 16-bit value (0 to 65535; port 0 is reserved, so usable ports run from 1 to 65535) used to identify the application. An application or service "listens" on a specific port if it has registered with the operating system to receive packets addressed to that port. Like many services, Configuration Manager services have standard ports on which they listen by default.
Table 1 lists the communications protocols and ports used by the various ConfigMgr applications and services. You can also find information regarding the communication protocols and ports used by ConfigMgr at http://technet.microsoft.com/en-us/library/bb632618.aspx.
Table 1. Communication Paths and Ports
From Component | Direction | To Component | Description | UDP Port | TCP Port |
---|---|---|---|---|---|
Site server | <-> | Site server | SMB | — | 445 |
Site server | <-> | Site server | Point-to-Point Tunneling Protocol (PPTP) | — | 1723 |
Primary site server | -> | Domain controller | Lightweight Directory Access Protocol (LDAP) | — | 389 |
Primary site server | -> | Domain controller | LDAP (Secure Sockets Layer [SSL] connection) | 636 | 636 |
Primary site server | -> | Domain controller | Global Catalog LDAP | — | 3268 |
Primary site server | -> | Domain controller | Global Catalog LDAP SSL | — | 3269 |
Primary site server | -> | Domain controller | RPC Endpoint Mapper | 135 | 135 |
Primary site server | -> | Domain controller | RPC | — | DYNAMIC |
Primary site server | -> | Domain controller | Kerberos | 88 | — |
Site server | <-> | Software update point | SMB | — | 445 |
Site server | <-> | Software update point | HTTP | — | 80 or 8530 |
Site server | <-> | Software update point | HTTPS | — | 443 or 8531 |
Software update point | -> | Internet | HTTP | — | 80 |
Site server | <-> | State migration point | SMB | — | 445 |
Site server | <-> | State migration point | RPC Endpoint Mapper | 135 | 135 |
Site server | -> | Client | Client Push Installation | — | 135 |
Client | -> | Software update point | HTTP | — | 80 or 8530 |
Client | -> | Software update point | HTTPS | — | 443 or 8531 |
Client | -> | State migration point | HTTP | — | 80 |
Client | -> | State migration point | HTTPS | — | 443 |
Client | -> | State migration point | SMB | — | 445 |
Client | -> | PXE service point | Dynamic Host Configuration Protocol (DHCP) | 67, 68 | — |
Client | -> | PXE service point | Trivial File Transfer Protocol (TFTP) | 69 | — |
Client | -> | PXE service point | Boot Information Negotiation Layer (BINL) | 4011 | — |
Site server | <-> | PXE service point | SMB | — | 445 |
Site server | <-> | PXE service point | RPC Endpoint Mapper | 135 | 135 |
Site server | <-> | PXE service point | RPC | — | DYNAMIC |
Site server | <-> | System Health Validator | SMB | — | 445 |
Site server | <-> | System Health Validator | RPC Endpoint Mapper | 135 | 135 |
Site server | <-> | System Health Validator | RPC | — | DYNAMIC |
Client | -> | System Health Validator | DHCP | 67, 68 | — |
Client | -> | System Health Validator | IPSec | 500 | 80, 443 |
Site server | <-> | Fallback status point | SMB | — | 445 |
Site server | <-> | Fallback status point | RPC Endpoint Mapper | 135 | 135 |
Site server | <-> | Fallback status point | RPC | — | DYNAMIC |
Client | -> | Fallback status point | HTTP | — | 80 |
Site server | -> | Distribution point | SMB | — | 445 |
Site server | -> | Distribution point | RPC Endpoint Mapper | 135 | 135 |
Site server | -> | Distribution point | RPC | — | DYNAMIC |
Client | -> | Distribution point | HTTP | — | 80 |
Client | -> | Distribution point | HTTPS | — | 443 |
Client | -> | Distribution point | SMB | — | 445 |
Client | -> | Distribution point | Multicast Protocol | 63000-64000 | — |
Client | -> | Branch distribution point | SMB | — | 445 |
Client | -> | Management point | HTTP | — | 80 |
Client | -> | Management point | HTTPS | — | 443 |
Client | -> | Server locator point | HTTP | — | 80 |
Branch distribution point | -> | Distribution point | HTTPS | — | 443 |
Branch distribution point | -> | Distribution point | HTTP | — | 80 |
Site server | -> | Provider | SMB | — | 445 |
Site server | -> | Provider | RPC Endpoint Mapper | 135 | 135 |
Site server | -> | Provider | RPC | — | DYNAMIC |
Server locator point | -> | SQL Server | SQL over TCP | 1434 (for named instances only) | 1433 for default instance; DYNAMIC for named instances |
Management point | -> | SQL Server | SQL over TCP | 1434 (for named instances only) | 1433 for default instance; DYNAMIC for named instances |
Provider | -> | SQL Server | SQL over TCP | 1434 (for named instances only) | 1433 for default instance; DYNAMIC for named instances |
Reporting point | -> | Reporting Services point, SQL Server | SQL over TCP | 1434 (for named instances only) | 1433 for default instance; DYNAMIC for named instances |
Configuration Manager console | -> | Reporting point | HTTP | — | 80 |
Configuration Manager console | -> | Reporting point | HTTPS | — | 443 |
Configuration Manager console | -> | Provider | RPC Endpoint Mapper | 135 | 135 |
Configuration Manager console | -> | Provider | RPC | — | DYNAMIC |
Configuration Manager console | -> | Internet | HTTP | — | 80 |
Primary site server | -> | SQL Server | SQL over TCP | 1434 (for named instances only) | 1433 for default instance; DYNAMIC for named instances |
Management point | -> | Domain controller | LDAP | — | 389 |
Management point | -> | Domain controller | LDAP SSL connection | 636 | 636 |
Management point | -> | Domain controller | Global Catalog LDAP | — | 3268 |
Management point | -> | Domain controller | Global Catalog LDAP SSL | — | 3269 |
Management point | -> | Domain controller | RPC Endpoint Mapper | 135 | 135 |
Management point | -> | Domain controller | RPC | — | DYNAMIC |
Management point | -> | Domain controller | Kerberos | 88 | — |
Site server | -> | Reporting point, Reporting Services point | SMB | — | 445 |
Site server | -> | Reporting point, Reporting Services point | RPC Endpoint Mapper | 135 | 135 |
Site server | -> | Reporting point, Reporting Services point | RPC | — | DYNAMIC |
Site server | <-> | Server locator point | SMB | — | 445 |
Site server | <-> | Server locator point | RPC Endpoint Mapper | 135 | 135 |
Site server | <-> | Server locator point | RPC | — | DYNAMIC |
Configuration Manager console | -> | Site server | RPC (initial connection to WMI to locate provider system) | — | 135 |
Software update point | -> | Windows Software Update Services (WSUS) synchronization server | HTTP | — | 80 or 8530 |
Software update point | -> | WSUS synchronization server | HTTPS | — | 443 or 8531 |
Configuration Manager Console | -> | Client | Remote Control (control) | 2701 | 2701 |
Configuration Manager console | -> | Client | Remote Control (data) | 2702 | 2702 |
Configuration Manager console | -> | Client | Remote Assistance RDP (Remote Desktop Protocol) and Real-Time Communications (RTC) | — | 3389 |
Configuration Manager console | -> | Client | RPC Endpoint Mapper | — | 135 |
Management point | <-> | Site server | RPC Endpoint Mapper | — | 135 |
Management point | <-> | Site server | RPC | — | DYNAMIC |
Site server | -> | Client | Wake On LAN | 9 | — |
PXE service point | -> | SQL Server | SQL over TCP | 1434 (for named instances only) | 1433 for default instance; DYNAMIC for named instances |
Site server | <-> | Asset Intelligence synchronization point | SMB | — | 445 |
Site server | <-> | Asset Intelligence synchronization point | RPC Endpoint Mapper | 135 | 135 |
Site server | <-> | Asset Intelligence synchronization point | RPC | — | DYNAMIC |
Asset Intelligence synchronization point | <-> | System Center Online | HTTPS | — | 443 |
Multicast distribution point | -> | SQL Server | SQL over TCP | — | 1433 for default instance; DYNAMIC for named instances |
Client status reporting host | -> | Client | RPC Endpoint Mapper | 135 | 135 |
Client status reporting host | -> | Client | RPC | — | DYNAMIC |
Client status reporting host | -> | Client | ICMPV4 Type 8 (echo) or ICMPV6 Type 128 (echo request) | n/a | n/a |
Client status reporting host | -> | Management point | NetBIOS Session Service | — | 139 |
Client status reporting host | -> | Management point | SMB | — | 445 |
Client status reporting host | -> | SQL Server | SQL over TCP | — | 1433 for default instance; DYNAMIC for named instances |
Site server | <-> | Reporting Services point | SMB | — | 445 |
Site server | <-> | Reporting Services point | RPC Endpoint Mapper | 135 | 135 |
Site server | <-> | Reporting Services point | RPC | — | DYNAMIC |
Configuration Manager console | -> | Reporting Services point | HTTP | — | 80 |
Configuration Manager console | -> | Reporting Services point | HTTPS | — | 443 |
Reporting Services point | -> | SQL Server | SQL over TCP | — | 1433 for default instance; DYNAMIC for named instances |
Site server | <-> | Out of Band service point | SMB | — | 445 |
Site server | <-> | Out of Band service point | RPC Endpoint Mapper | 135 | 135 |
Site server | <-> | Out of Band service point | RPC | — | DYNAMIC |
AMT management controller | -> | Out of Band service point | Provisioning | — | 9971 (configurable) |
Out of Band service point | -> | AMT management controller | Discovery | — | 16992 |
Out of Band service point | -> | AMT management controller | Power control, provisioning, discovery | — | 16993 |
Out of Band management console | -> | AMT management controller | General management tasks | — | 16993 |
Out of Band management console | -> | AMT management controller | Serial over LAN and IDE redirection | — | 16995 |
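Before reconfiguring a firewall for the paths in Table 1, it is worth confirming from a client which TCP ports are actually reachable. The following PowerShell script is an added example written for this page; it is not code from Microsoft or from the original text. The hostnames (mp01, dp01, sup01 and fsp01 under corp.example), the two-second timeout and the function name Test-TcpPort are assumptions; the port list encodes only the Client -> site system TCP rows from Table 1. UDP paths (PXE, multicast, Wake On LAN) and DYNAMIC RPC ports cannot be verified by a plain TCP connect and are deliberately left out.

```powershell
# Added example (not from the original page): test the client-side TCP paths
# from Table 1. Hostnames, the port list and the timeout are assumptions.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 2000
    )
    # TcpClient is used directly so the check also runs on hosts that
    # predate Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false            # no SYN/ACK within the timeout: filtered or down
        }
        $client.EndConnect($async)   # throws on an active refusal (RST)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Client -> site system rows from Table 1, expressed as data. Mixed mode sites
# use the HTTP ports, native mode sites the HTTPS ports; edit to match yours.
$paths = @(
    @{ To = 'mp01.corp.example';  Port = 80;   Desc = 'Management point (HTTP)' },
    @{ To = 'mp01.corp.example';  Port = 443;  Desc = 'Management point (HTTPS)' },
    @{ To = 'dp01.corp.example';  Port = 80;   Desc = 'Distribution point (HTTP/BITS)' },
    @{ To = 'dp01.corp.example';  Port = 445;  Desc = 'Distribution point (SMB, run from DP)' },
    @{ To = 'sup01.corp.example'; Port = 8530; Desc = 'Software update point (HTTP)' },
    @{ To = 'sup01.corp.example'; Port = 8531; Desc = 'Software update point (HTTPS)' },
    @{ To = 'fsp01.corp.example'; Port = 80;   Desc = 'Fallback status point (HTTP only)' }
)

$results = foreach ($p in $paths) {
    [pscustomobject]@{
        To          = $p.To
        Port        = $p.Port
        Description = $p.Desc
        Open        = Test-TcpPort -ComputerName $p.To -Port $p.Port
    }
}

$results | Format-Table -AutoSize

# A closed port is only a finding if that path is used in your site: a
# native mode site is expected to fail the port 80 rows above.
$results | Where-Object { -not $_.Open } | ForEach-Object {
    Write-Warning ("Blocked: {0} -> {1}:{2} ({3})" -f $env:COMPUTERNAME, $_.To, $_.Port, $_.Description)
}
```

Run it from a representative client in each boundary. A port that connects but returns an HTTP error is a web server or certificate problem, not a firewall problem; this script only proves that the TCP path exists.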
In addition to standard ConfigMgr 2007 traffic, Network Access Protection (NAP) generates the traffic described in Table 2. If you use firewalls that block this traffic, you must reconfigure them for NAP to work with ConfigMgr 2007. You will also need to identify the ports used by the client to communicate with the System Health Validator point (SHV point). The NAP enforcement client you are using determines the ports for system health validation.
Table 2. TCP Ports Required by Firewalls to Support NAP
Function | TCP Port | Description |
---|---|---|
Site server publishing health state reference to AD domain services | 389 (LDAP) or 636 (LDAPS) | Writing to AD domain services |
System Health Validator point querying AD for ConfigMgr health state reference | 3268 (Global Catalog lookup) or 3269 (secure Global Catalog lookup) | Reading from a global catalog server |
Installing System Health Validator point and ongoing configuration | 445, 135 | SMBs to install; RPCs for configuration |
Status messages from System Health Validator point to site server | 445 | SMBs |
Information online regarding ports for NAP in Configuration Manager 2007 is located at http://technet.microsoft.com/en-us/library/bb694170.aspx.
Reasons for Changing Ports
You may choose to use custom rather than standard ports for client-to-server communications for the following reasons:
Custom ports may be necessary for Configuration Manager to work with your network firewall policies.
You may also need to use a custom website for ConfigMgr instead of the default site on your Internet Information Services (IIS) servers. Although this is not a best practice, it may be necessary if ConfigMgr is sharing IIS servers with other applications that depend on the default site.
Specifying Ports
You may specify custom ports for client communications either during Configuration Manager setup or later using the ConfigMgr console. During setup, you can specify a custom HTTP port for mixed mode sites or a custom HTTPS port for native mode sites in the Port Settings dialog box, displayed in Figure 4.
The port specified in Figure 4 is used for client-to-server communications by all site systems.
After setup, you can change your selection and add alternate ports on the Ports tab of the Site Properties sheet in the ConfigMgr console. Perform the following steps:
1. Navigate to System Center Configuration Manager -> Site Database -> Site Management -> <Site Code> <Site Name>.
2. Right-click the site name, choose Properties, and then select the Ports tab. As shown in Figure 5, you can specify both default ports and alternate ports for client communications.
3. To enable a port, modify an enabled port, or change the default port, double-click the entry to bring up the Port Detail dialog box shown in Figure 6.
Tip: Specifying Different Ports
If you utilize custom ports or custom websites, use them consistently throughout your hierarchy. Using different ports or websites at different sites can cause problems as clients roam from one site to another.
Regardless of whether you change the default HTTP and HTTPS ports, it is a good idea to specify alternate ports to increase the availability of these services.
Initial Communication
The initial communication between the client and the ConfigMgr hierarchy occurs during client installation. The sequence of network calls depends on the client installation method used. For purposes of this discussion, there are two general types of client installation methods: those in which the site server initiates the installation (client push), and those in which ccmsetup is started on the client itself (all other methods).
Client push installation includes a preinstallation phase in which the site server connects to the client to initiate installation:
In the client push installation method, the server makes an initial connection to the admin$ share on the prospective client computer using Windows file sharing protocols (SMB, TCP port 445).
The server also establishes a WMI connection to the client using the Distributed Component Object Model (DCOM) through TCP port 135 (the RPC endpoint mapper) followed by a dynamically assigned RPC port. DCOM is a Microsoft standard for communication between software components, either on a local computer or across a network. This approach differs from SMS 2003, which used a remote Registry connection rather than WMI.
The site server uses these connections to copy the required setup files to the client and then installs and starts the ccmsetup service. Because this phase requires administrative rights on every target computer, the client push installation account is a high-value credential: the SMB and DCOM access it needs is the same access an attacker uses for lateral movement, so it should be a dedicated account with its logons monitored.
Once the preinstallation phase is complete, the installation proceeds in a manner similar to other installation methods.
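The preinstallation phase above can be reproduced by hand to see exactly where a push fails (share, DCOM, or an installation already in progress). The following PowerShell function is an added example written for this page, not Microsoft's code and not the logic the site server itself runs; the computer names are constructed, and the function name Test-ClientPushPrereq is this example's own. Run it on the site server in the context of the client push installation account. Note that Table 1 lists only TCP 135 for client push, whereas the text above also needs SMB (445) for admin$ and the dynamic RPC range for WMI; this check exercises all three.

```powershell
# Added example (not from the original page): walk the client push
# preinstallation steps manually. Computer names are constructed.

function Test-ClientPushPrereq {
    param([Parameter(Mandatory)][string]$ComputerName)

    $r = [ordered]@{ Computer = $ComputerName; AdminShare = $false; Wmi = $false; CcmSetup = 'n/a' }

    # 1. Windows file sharing (SMB, TCP 445): the site server copies ccmsetup
    #    into \\client\admin$\ccmsetup. Test-Path returns $false when the share
    #    is unreachable or the account lacks admin rights on the target.
    try {
        $r.AdminShare = Test-Path -Path "\\$ComputerName\admin$" -ErrorAction Stop
    } catch { $r.AdminShare = $false }

    # 2. WMI over DCOM: TCP 135 to the endpoint mapper, then a dynamic RPC port.
    #    A failure here while admin$ works usually means the dynamic range is
    #    filtered between the site server and the client subnet.
    try {
        $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName -ErrorAction Stop
        $r.Wmi = [bool]$os
    } catch { $r.Wmi = $false }

    # 3. If both paths work, report whether the ccmsetup service already exists
    #    so a retry does not trample an installation that is still running.
    if ($r.AdminShare -and $r.Wmi) {
        try {
            $svc = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName `
                                 -Filter "Name='ccmsetup'" -ErrorAction Stop
            $r.CcmSetup = if ($svc) { $svc.State } else { 'absent' }
        } catch { $r.CcmSetup = 'unknown' }
    }
    [pscustomobject]$r
}

# Constructed target list for illustration.
'ws-001.corp.example', 'ws-002.corp.example' |
    ForEach-Object { Test-ClientPushPrereq -ComputerName $_ } |
    Format-Table -AutoSize
```

The three columns map directly onto the site server's own sequence: AdminShare false means the file copy cannot happen, Wmi false means the service cannot be created, and a CcmSetup value of Running means the earlier push already got through and the problem lies in the later phase, where the client pulls its files from the management point.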
Regardless of the client installation method used, the first network-related task for the new client is to locate and contact a management point (MP) for its assigned site. From this point onward, the MP is the primary point of contact between the client and its site. Unless the client installation source files are staged locally, the setup process uses BITS to pull the files from the CCM_Client virtual directory on the MP. Once the client is installed, it continues to communicate with the management point using HTTP or HTTPS, and generally uses BITS to download policy and component updates and to send client information, including inventory, metering data, state messages, and status messages, to the site.
Identifying the Client’s Assigned Site
There are three general ways for the client to determine the site it is assigned to and to locate the management point for that site:
Depending on the installation method used, the site code and management point may have been supplied as command-line arguments (the SMSSITECODE and SMSMP properties). The management point may be specified using an IP address, a Fully Qualified Domain Name (FQDN), or a simple name.
If the information is not provided via the command line, clients in the same Active Directory forest as the site server can generally retrieve this information by querying AD (assuming the schema is extended and the appropriate information is published in AD).
If the required information is not available in AD, the client must contact a server locator point (SLP) for site and management point information:
The SLP may be specified in the command line (the SMSSLP property).
If the SLP is not provided through the command line, it must be resolved through NetBIOS name resolution of the name SMS_SLP.
If you are using a WINS server for NetBIOS name resolution, you must manually add the SLP entry to WINS following the procedure found at http://technet.microsoft.com/en-us/library/bb632567.aspx:
Open a command prompt (Start -> Run, and then type cmd), type netsh, and then press Enter.
Type wins and then press Enter.
Type server and then press Enter.
Type the appropriate command to add the name. Here is an example, with the SLP's address substituted inside the braces:
    add name Name=SMS_SLP endchar=1A rectype=0 ip={<server locator point IP address>}
If a WINS server is not available, you can supply the SLP information using an LMHOSTS file. The LMHOSTS entry is as follows; note that the quoted name must be padded with spaces to exactly 15 characters before the \0x1a suffix (SMS_SLP is 7 characters, so 8 spaces follow it), and #PRE preloads the entry into the name cache:
    <SLP IP address>   "SMS_SLP         \0x1a"   #PRE
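The AD path above is the one most clients take, and it is easy to check what they will find. The following PowerShell function is an added example written for this page, not Microsoft's code; it reads the records a site server publishes to the System Management container using the object classes and attributes created by the ConfigMgr schema extension (mSSMSSite, mSSMSManagementPoint, mSSMSSiteCode, mSSMSMPName, mSSMSDefaultMP, mSSMSCapabilities, mSSMSRoamingBoundaries). The function names are this example's own, and the domain is taken from the logged-on user's RootDSE rather than hard-coded. Any authenticated domain user can read this container, so treat its contents as non-secret; only the site server computer accounts should be able to write to it.

```powershell
# Added example (not from the original page): list the site and management
# point records that ConfigMgr publishes to Active Directory, which is what a
# new client queries when no site code or MP was given on the command line.

function Get-AdFirstValue {
    param($Entry, [string]$Name)
    # DirectorySearcher lower-cases property names; absent names yield $null.
    if ($Entry.Properties.Contains($Name) -and $Entry.Properties[$Name].Count -gt 0) {
        return $Entry.Properties[$Name][0]
    }
    return $null
}

function Get-ConfigMgrAdPublishedInfo {
    $root   = [ADSI]'LDAP://RootDSE'
    $domain = [string]$root.defaultNamingContext
    $base   = [ADSI]("LDAP://CN=System Management,CN=System,$domain")

    $search = New-Object System.DirectoryServices.DirectorySearcher($base)
    $search.PageSize    = 500
    $search.SearchScope = 'Subtree'

    # Site records: site code plus the roaming boundaries that decide which
    # site a client inside them is assigned to.
    $search.Filter = '(objectClass=mSSMSSite)'
    $sites = foreach ($e in $search.FindAll()) {
        $bounds = if ($e.Properties.Contains('mssmsroamingboundaries')) {
            @($e.Properties['mssmsroamingboundaries']) -join ';'
        } else { '' }
        [pscustomobject]@{
            Kind       = 'Site'
            SiteCode   = [string](Get-AdFirstValue $e 'mssmssitecode')
            Name       = [string](Get-AdFirstValue $e 'name')
            Boundaries = $bounds
            Extra      = ''
        }
    }

    # Management point records: which MP serves which site and whether it is
    # the default MP. Capabilities is an XML fragment that, among other
    # things, tells a native mode client that HTTPS is expected.
    $search.Filter = '(objectClass=mSSMSManagementPoint)'
    $mps = foreach ($e in $search.FindAll()) {
        [pscustomobject]@{
            Kind       = 'ManagementPoint'
            SiteCode   = [string](Get-AdFirstValue $e 'mssmssitecode')
            Name       = [string](Get-AdFirstValue $e 'mssmsmpname')
            Boundaries = ''
            Extra      = ('DefaultMP={0}; {1}' -f [bool](Get-AdFirstValue $e 'mssmsdefaultmp'),
                                                  [string](Get-AdFirstValue $e 'mssmscapabilities'))
        }
    }
    @($sites) + @($mps)
}

Get-ConfigMgrAdPublishedInfo | Sort-Object SiteCode, Kind | Format-Table -AutoSize
```

If the container is empty, the client falls through to the SLP path described above, which is worth knowing from a defensive angle as well: the published data is what a client trusts for site assignment, so an attacker with write access to this container can redirect clients to a rogue management point. Confirm that only the site server computer accounts hold Full Control on System Management.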
Server locator points support only HTTP communications; they do not support HTTPS. By default, intranet clients assigned to native mode sites require HTTPS for all web-based communications. If a native mode intranet client needs to contact an SLP, enable the option Allow HTTP communication for roaming and site assignment. This option can be enabled on the client by supplying the /native:FALLBACK switch or the /native:CRLANDFALLBACK switch on the ccmsetup command line.
Enabling HTTP also allows the client to download content from mixed mode sites when roaming within the boundaries of the site. You can apply this option on a sitewide basis, allowing clients already assigned to the native mode site to use downloads from mixed mode sites. The Allow HTTP communication for roaming and site assignment option is located on the Site Mode tab of the Site Properties sheet, displayed in Figure 7. To access the property sheet, open the Configuration Manager console and navigate to System Center Configuration Manager -> Site Database -> Site Management -> <Site Code> <Site Name>, then right-click the site name, choose Properties, and select the Site Mode tab.
If your installation requires server locator points for site assignment, you must enable HTTP for native mode clients. HTTP traffic is neither encrypted nor server-authenticated, so it is less secure than HTTPS: a client that falls back to HTTP for site assignment trusts whatever host answers the SMS_SLP name lookup. If you are considering enabling HTTP for client roaming functionality, you will need to evaluate the tradeoff between security and network functionality.
Client Protocols
The Configuration Manager client uses the HTTP or HTTPS protocol exclusively to communicate with the management point and the software update point. These two roles are among the site systems with the highest volume and frequency of client communication; clients communicate with the management point more frequently than with any other Configuration Manager site system.
Client systems poll the management point regularly for policy updates. The default polling interval is every hour.
Clients send state, status, inventory, metering, and discovery data to the management point. State messages are sent every 5 minutes by default. Inventory, metering, and heartbeat discovery data are sent every 7 days by default.
You can configure the schedules on which clients pull policy and send state, inventory, metering, and heartbeat discovery data. Choosing a simple schedule for inventory spreads the network load over time, because not all clients will send inventory at the same time. A custom schedule provides more control over the timing of inventory collection, but may have considerable network impact when inventory runs, because all clients run it at the same moment.
Initial inventory on new clients is considerably larger than regular inventory updates, which only send a delta (only the files that have changed since the previous version) over the network.
The frequency and size of client downloads of software updates from the SUP depend on how you configure software updates and on the client configuration. Many individual software updates are relatively small (a few megabytes or smaller). Some can be quite large, however, including service packs, which can be hundreds of megabytes or even larger.
Tip: More about Software Updates
Microsoft generally releases critical security updates for its products monthly on the second Tuesday of the month, known as "Patch Tuesday." Typically, once you evaluate and approve the Patch Tuesday updates for your environment, you will make them available as a group for distribution to your clients.
Some new features of Configuration Manager 2007 decrease the network impact of software updates. The Software Updates agent uses selective download technology to download only the individual files that the client requires from a software updates package. In addition, supersedence information is provided to help administrators avoid deploying updates superseded by a newer update. Even with these enhancements, software updates can require significant network bandwidth. You will want to consider this requirement when planning your software updates strategy.
Clients use HTTP/HTTPS or the SMB protocol to pull data from distribution points and state migration points:
Clients downloading a package to their local cache from a BITS-enabled distribution point use BITS over HTTP or HTTPS.
Clients running the package directly from the distribution point use SMB.
Clients retrieving packages from branch distribution points use only the SMB protocol.
Depending on the size of the software package, downloads from distribution points can be quite large. Clients do not use either binary differential replication or delta replication; therefore, any change to a package the client has cached triggers a full download to the client.
Clients use state migration points less frequently, generally during operating system upgrades or hardware replacement. The amount of traffic sent to and from the state migration point depends on the amount of user data to be preserved.
The remaining site systems handle relatively little client traffic, but use a variety of protocols:
The PXE service point responds to PXE boot requests and initiates boot image downloads. The PXE boot process is an extension of the DHCP protocol, which is widely used for assigning IP addresses and TCP/IP configurations; the boot image itself is transferred over TFTP (UDP port 69).
If you enable Configuration Manager for NAP, clients pass a statement of health (SoH) to the System Health Validator point when making a new DHCP request or a new IPSec (Internet Protocol Security) connection to the network. Once connected, the client periodically submits a new SoH to the System Health Validator point. The default interval for system health reevaluation is 24 hours.
The fallback status point, like the server locator point, responds to client requests using HTTP communications only.
The site server connects to the client when Wake On LAN functionality is required for patch deployment or other activities. The default port for Wake On LAN is UDP port 9; you can configure this on the Ports tab of the Site Properties sheet shown previously in Figure 5.
If administrators use the Configuration Manager Remote Tools, the machine on which the console is running contacts the client directly. Remote Tools use the SMS/Configuration Manager Remote Control protocol (UDP and TCP ports 2701 and 2702) to connect to Windows 2000 computers, and RDP (TCP port 3389) to connect to computers running Windows XP or later.
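The Wake On LAN datagram mentioned above is simple enough to construct by hand, which is useful both for testing that UDP port 9 reaches a client's subnet and for understanding why the feature has no security of its own. The following PowerShell is an added example written for this page, not code from Microsoft or the original text; the MAC address, the subnet broadcast address and the function names are assumptions. The packet format (six 0xFF bytes followed by the target MAC repeated sixteen times) is the standard magic packet, which is unauthenticated: anyone who can deliver a datagram to the broadcast domain can wake the machine.

```powershell
# Added example (not from the original page): build and send a Wake On LAN
# magic packet on UDP port 9. MAC, broadcast address and names are assumptions.

function New-MagicPacket {
    param([Parameter(Mandatory)][string]$MacAddress)
    $hex = $MacAddress -replace '[-:.]', ''
    if ($hex -notmatch '^[0-9A-Fa-f]{12}$') { throw "MAC address must be 6 hex bytes: $MacAddress" }
    $mac = [byte[]](0..5 | ForEach-Object { [Convert]::ToByte($hex.Substring($_ * 2, 2), 16) })

    # 6 bytes of 0xFF, then the MAC sixteen times: 102 bytes in total.
    $packet = New-Object byte[] (6 + 16 * 6)
    for ($i = 0; $i -lt 6; $i++) { $packet[$i] = 0xFF }
    for ($i = 0; $i -lt 16; $i++) { [Array]::Copy($mac, 0, $packet, 6 + $i * 6, 6) }
    return ,$packet     # leading comma keeps the byte[] intact through the pipeline
}

function Send-MagicPacket {
    param(
        [Parameter(Mandatory)][string]$MacAddress,
        # 255.255.255.255 only reaches the sender's own segment; use the
        # target subnet's directed broadcast when the site server is elsewhere,
        # and note that routers must forward it for the wake to arrive.
        [string]$Broadcast = '255.255.255.255',
        [int]$Port = 9     # matches the site's Wake On LAN port setting
    )
    $packet = New-MagicPacket -MacAddress $MacAddress
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        $udp.EnableBroadcast = $true
        $endpoint = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Parse($Broadcast)), $Port
        $sent = $udp.Send($packet, $packet.Length, $endpoint)
        Write-Verbose ("Sent {0} bytes for {1} to {2}:{3}" -f $sent, $MacAddress, $Broadcast, $Port)
        return $sent
    } finally {
        $udp.Close()
    }
}

# Constructed example: wake 00-11-22-33-44-55 on the 10.1.2.0/24 subnet.
Send-MagicPacket -MacAddress '00-11-22-33-44-55' -Broadcast '10.1.2.255' -Port 9 -Verbose
```

Capturing this datagram on the client's segment (filter: udp port 9) is the quickest way to tell a firewall or router problem from a NIC that is not configured to wake; if the packet arrives and the machine stays off, the fault is local to the client.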