myITforum.com Community Forum

open ports on firewall for sms client

 
open ports on firewall for sms client - 10/22/2008 7:07:28 PM   
phenry194

 

OK, I am sure this has been asked about a hundred times, and I checked out KB article 826852 for information before I came to the forum, but I need a bit of clarification that the KB article does not offer. I have some very secure machines behind a firewall, and SMS has never been able to install and be utilized on them. They are in the process of changing out hardware and want to try to get SMS to work. I looked at the KB article to determine what ports need to be opened on the firewall, and I'm a little confused. I can see what ports need to be open for the 2003 advanced client to talk to Active Directory and for it to talk to an MP and/or DP. We have BITS enabled on the DP, so that makes one think ports 139 and 445 are not necessary, but it says if you are only opening port 80, you need to have a script in place instead. Why not just open those three ports, even if the DP is BITS enabled? Is there a reason for this? Please advise. Thanks. : )
Post #: 1
RE: open ports on firewall for sms client - 10/23/2008 8:05:56 PM   
jsandys


Ports 139 and 445 are only necessary to actually push the agent to the client system. This process involves opening the admin$ share on the client system and copying the necessary files to it. After that, those ports are no longer necessary. Thus the reference to the script is suggesting an alternative means of delivering the agent to the client other than the direct push, which will require 139 and 445. Your other option is to manually install the agent or, better yet, include it as part of your image/build process.

_____________________________

Jason
________________________________________
http://myitforum.com/cs2/blogs/jsandys/default.aspx

(in reply to phenry194)
Post #: 2
RE: open ports on firewall for sms client - 10/23/2008 11:43:15 PM   
mstoten

 

If you are going to include the client in the build/image, have a quick read of this:

http://support.microsoft.com/kb/828367

(in reply to jsandys)
Post #: 3
RE: open ports on firewall for sms client - 10/24/2008 12:52:25 PM   
phenry194

 

Thanks for the clarification. These machines have been around for quite some time, and have been locked down to within an inch of their life. As a result, we have never been able to utilize SMS on them. They are in the process of changing out hardware and during this process want to open up some ports in the new firewall that will allow us to actually utilize SMS. We have started to install SMS through a policy, but I wouldn't think a firewall port would prevent that unless policies are dictated by ports (they aren't, are they?). Is there anything else I need to do on the firewall piece besides opening ports? Wouldn't there need to be ports open for distribution of advertisements/packages?

(in reply to mstoten)
Post #: 4
RE: open ports on firewall for sms client - 10/24/2008 2:21:32 PM   
jsandys


Everything in SMS/ConfigMgr is pull based -- the client initiates all transactions and processing. If you are using the Windows Firewall, it does not block outbound traffic by default so you don't have to change anything -- it is also stateful, which means that reply traffic is also allowed. If you are using another firewall product, then you may have to explicitly open some outbound ports.

If when you say Policy you mean Group Policy, then no, you will not have to open anything on the client either (given that you are using the Windows Firewall) because Group Policy is also pull based.

_____________________________

Jason
________________________________________
http://myitforum.com/cs2/blogs/jsandys/default.aspx

(in reply to phenry194)
Post #: 5
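
The point made in posts #2 and #5, as an added example that is not part of the thread: a toy stateful firewall in front of an SMS client, showing that client-initiated port 80 traffic to the MP/DP and its replies pass with only outbound rules, while client push from the site server needs inbound 139/445. The host names (`client`, `mp`, `dp`, `siteserver`) and the rule layout are assumptions; Active Directory ports are not modelled.

```python
# Added illustration: a toy stateful firewall in front of an SMS client.
# Host names and the rule layout are assumptions, not SMS or vendor syntax.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class StatefulFirewall:
    protected: str                                # host behind the firewall
    outbound: set = field(default_factory=set)    # allowed (dst, dport)
    inbound: set = field(default_factory=set)     # allowed (src, dport)
    _flows: set = field(default_factory=set)      # tracked connections

    def permit(self, p: Packet) -> bool:
        if p.src == self.protected:               # client-initiated (pull)
            if (p.dst, p.dport) in self.outbound:
                self._flows.add((p.src, p.sport, p.dst, p.dport))
                return True
            return False
        # Inbound: allowed if it is the reply to a tracked flow ...
        if (p.dst, p.dport, p.src, p.sport) in self._flows:
            return True
        # ... or matches an explicit inbound rule (needed for client push).
        return (p.src, p.dport) in self.inbound


def evaluate(push_ports_open: bool) -> dict:
    """Run the thread's scenarios through the firewall, in order."""
    fw = StatefulFirewall("client", outbound={("mp", 80), ("dp", 80)})
    if push_ports_open:
        fw.inbound = {("siteserver", 139), ("siteserver", 445)}
    return {
        "policy_request": fw.permit(Packet("client", 49152, "mp", 80)),
        "policy_reply": fw.permit(Packet("mp", 80, "client", 49152)),
        "bits_download": fw.permit(Packet("client", 49153, "dp", 80)),
        "unsolicited": fw.permit(Packet("mp", 80, "client", 49999)),
        "client_push": fw.permit(Packet("siteserver", 50000, "client", 445)),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("139/445 inbound open:", mode, evaluate(mode))
```

With 139/445 closed, only `client_push` and the unsolicited inbound packet are dropped, which is why a script, manual install or image-based install is the alternative when only port 80 is opened.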
RE: open ports on firewall for sms client - 10/24/2008 5:59:59 PM   
phenry194

 

We are using Group Policy, but we are not using Windows Firewall. We are using Integrity firewall, but the firewall that will be switched out will be a hardware firewall. Would I want to open the same ports on the sw firewall as the hardware firewall? I am thinking we would want to.

(in reply to jsandys)
Post #: 6
RE: open ports on firewall for sms client - 10/24/2008 11:31:08 PM   
jsandys


It all depends on the firewall and which interface on the firewall is considered the outside or lower security interface. I don't know anything about that firewall type, but I would venture to guess that yes you will have to open up port 80.

_____________________________

Jason
________________________________________
http://myitforum.com/cs2/blogs/jsandys/default.aspx

(in reply to phenry194)
Post #: 7