Microsoft KB Archive/826852

From BetaArchive Wiki

Article ID: 826852

Article Last Modified on 8/16/2007



APPLIES TO

  • Microsoft Systems Management Server 2003



For a Microsoft Systems Management Server (SMS) 2.0 version of this article, visit the following Microsoft Knowledge Base Web site:

200898 How to use Systems Management Server through a firewall


INTRODUCTION

This article lists the ports that Microsoft Systems Management Server (SMS) 2003 uses to communicate through a firewall or through a proxy server.

MORE INFORMATION

After the SMS schema is extended, SMS 2003 uses new ports to access the Active Directory directory service. The following list includes the ports that SMS uses for communication.

Port Requirements: SMS site server to Active Directory

SMS 2003 site servers require access to the Active Directory global catalog server in order to do the following:

  • Publish site systems to Active Directory
  • Publish and query for Active Directory site boundaries
  • Run Active Directory discovery methods

Service name              UDP   TCP
LDAP                      389   389
LDAP SSL                  N/A   636
RPC Endpoint Mapper       135   135
Global Catalog LDAP       N/A   3268
Global Catalog LDAP SSL   N/A   3269
Kerberos                  88    88

Port requirements: SMS 2003 site server to the child site, to the secondary site, or to the SMS SQL Server

Port 445 Server Message Block (SMB)

Port requirements: SMS 2003 site server to a remote SMS SQL Server database; proxy management points, management points, server locator points, and reporting points to the SMS SQL Server database

Port 1433 TCP (SMS site server to SQL server)

Note For more information about SQL Server ports, see the “Microsoft SQL Server ports” section.

Port requirements: SMS 2003 Advanced Client to Active Directory

In an Active Directory environment, the Advanced Client makes a Lightweight Directory Access Protocol (LDAP) query to the global catalog server to find a management point that matches the client’s IP address. The following ports are required in Active Directory to allow the client to contact the global catalog server.

Port 389 UDP (User Datagram Protocol) LDAP Ping
Port 389 TCP LDAP
Port 636 TCP LDAP (SSL Connection)
Port 3268 TCP (explicit connection to Global Catalog)
Port 3269 TCP (explicit SSL connection to Global Catalog)

Port requirements: SMS 2003 Advanced Client to Management Point or to distribution point

Port 80 Hypertext Transfer Protocol (HTTP)
Port 139 Client sessions (for non-BITS-enabled distribution points)
Port 445 Server Message Block (for non-BITS-enabled distribution points)

Note When you use a Background Intelligent Transfer Service (BITS)-enabled distribution point through a firewall, only port 80 needs to be opened to both the management point and the BITS-enabled distribution point. All communications are initiated from the client. If you open only port 80, you must specify the management point by using the following script:

' Assign the Advanced Client to a specific management point.
' Replace "MP NetBIOS name" with the NetBIOS name of the management point.
dim oSMSClient
set oSMSClient = CreateObject("Microsoft.SMS.Client")
oSMSClient.SetCurrentManagementPoint "MP NetBIOS name", 0
set oSMSClient = nothing

For more information, visit the following Web site:

Without access to Active Directory or WINS in the environment, the Advanced Client needs an Lmhosts file on the client computers, with entries for one or more MPs. For example, for an MP that has the IP address 10.0.0.1 and the site code AAA, the entry is: 10.0.0.1 "MP_AAA         \0x1A" #PRE (the name inside the quotation marks is padded with spaces to 15 characters so that \0x1A is the 16th character). For more information about how to write an LMHOSTS file, click the following article number to view the article in the Microsoft Knowledge Base:

180094 How to write an Lmhosts file for domain validation and other name resolution issues
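The Lmhosts entry above is easy to get wrong because the quoted NetBIOS name must be padded to exactly 15 characters before the \0x1A suffix. The following Python is an added example (not from the article or from SMS) that builds such entries for one or more MPs and validates existing lines; the IP address and site code values are constructed samples.

```python
import re

# Constructed sample: a management point at 10.0.0.1 for site code AAA.
# An LMHOSTS entry has the form: <IPv4> "<name padded to 15 chars>\0x<suffix>" [#PRE]
ENTRY_RE = re.compile(
    r'^(\d{1,3}(?:\.\d{1,3}){3})\s+"(.{15})\\0x([0-9A-Fa-f]{2})"(\s+#PRE)?\s*$'
)
MP_SUFFIX = 0x1A  # NetBIOS suffix the Advanced Client looks up for MP_<site>


def lmhosts_mp_entry(ip: str, site_code: str, preload: bool = True) -> str:
    """Return an LMHOSTS line that maps MP_<site_code>[0x1A] to ip.

    The quoted name must be exactly 15 characters, padded with spaces, so
    that \\0x1A becomes the 16th byte (the NetBIOS suffix). A name with a
    single trailing space would not register the 0x1A name.
    """
    if not re.fullmatch(r"[A-Za-z0-9]{3}", site_code):
        raise ValueError("SMS site code must be three alphanumeric characters")
    if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", ip):
        raise ValueError("not an IPv4 address")
    name = f"MP_{site_code.upper()}".ljust(15)  # exactly 15 chars, space padded
    entry = f'{ip} "{name}\\0x{MP_SUFFIX:02X}"'
    return entry + " #PRE" if preload else entry


def parse_lmhosts_entry(line: str):
    """Parse one LMHOSTS line; return None if it is not a well-formed entry."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    ip, padded, suffix, pre = m.groups()
    return {"ip": ip, "name": padded.rstrip(), "suffix": int(suffix, 16),
            "preload": pre is not None}


def mp_entries(mps: dict) -> list:
    """Build entries for one or more management points given as {ip: site_code}."""
    return [lmhosts_mp_entry(ip, code) for ip, code in mps.items()]


if __name__ == "__main__":
    for line in mp_entries({"10.0.0.1": "AAA"}):
        print(line)
        print(parse_lmhosts_entry(line))
```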


Port requirements: SMS Remote Control System service: Wuser32

Application protocol           Protocol   Port
SMS Remote Chat                TCP        2703
SMS Remote Chat                UDP        2703
SMS Remote Control (control)   TCP        2701
SMS Remote Control (control)   UDP        2701
SMS Remote Control (data)      TCP        2702
SMS Remote Control (data)      UDP        2702
SMS Remote File Transfer       TCP        2704
SMS Remote File Transfer       UDP        2704

SMS Remote Control UDP

When you use NetBIOS over TCP/IP for SMS Remote Control, the following ports are used:

Port 137 Name resolution
Port 138 Messaging
Port 139 Client sessions

Note When you use NetBIOS over Novell NWLink, you must configure the router to forward type 20 packets. Type 20 packets provide NetBIOS support.

Microsoft Windows NT UDP

The following list includes the core UDP ports that Windows NT uses, and it also lists their respective functions:

Domain Name System (DNS) UDP 53
Dynamic Host Configuration Protocol (DHCP) UDP 67
Remote procedure call (RPC) TCP 135
Windows Internet Name Service (WINS) UDP 138
NetBIOS datagrams UDP 138
NetBIOS datagrams TCP 139

Note The SMS Administrator console must have TCP port 135 open for communication. Otherwise, the console cannot display all the items in the console tree.

Microsoft SQL Server ports

If you use the TCP/IP Net-Library, enable port 1433 on the firewall. Use the Hosts file or an advanced connection string for host name resolution.

If you use named pipes over TCP/IP, enable port 139 for NetBIOS functions.

Microsoft does not recommend that you enable UDP ports 137 and 138 for NetBIOS name resolution by using B-node broadcasts. Instead, you can use a WINS server or an Lmhosts file for name resolution.

By default, SQL Server uses TCP (not UDP) port 1433 to listen on TCP/IP. To change the port, run SQL Server Setup on the server and then click Change Network Support. If SQL Server uses port 1433, the client Net-Library works. If SQL Server uses a custom port number, the client must specify that port in the Data Source Name (DSN).

SMS RAS Sender

SMS can also use the SMS RAS Sender with Point to Point Tunneling Protocol (PPTP) to send and to receive SMS site, client, and administrative information through a firewall. Under these circumstances, the following port is used:

PPTP TCP 1723

Security

To help improve the security of your computer, you can configure your firewall to use Internet Protocol (IP) filters that permit only registered addresses to pass through the firewall.

If you enable specific ports on a proxy server or on a firewall, this may affect the security of your computer. For additional information about security issues, visit the following Microsoft Web site:

For more information about how to restrict TCP/IP ports for DCOM, click the following article number to view the article in the Microsoft Knowledge Base:

300083 How to restrict TCP/IP ports on Windows 2000 and Windows XP

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.


Additional query words: Firewall Ports SMS2003 ports LMHOSTS Lmhosts lmhosts

Keywords: kbinfo kbhowto KB826852