SCCM Remote Tools firewall ports

James Clements — Tue, 16 Feb 2010 18:07:07 +0000

I have been using System Center Configuration Manager to deploy software to clients for a while now but I recently had a requirement to control a client remotely. In order to control clients using the SCCM Remote Tools feature, some ports needed to be opened on the client in the Windows firewall.

These were as follows:

1. TCP port 135
2. TCP port 2701
3. TCP port 2702

Of course a port/service should never be exposed unless absolutely required. The best practice to reduce the level of exposure would be to also configure the scope of the users that can connect to the above ports. This should be limited to specific computers that have the SCCM ConfigMgr Console installed.

To do this using Group Policy I navigated to the following location in a GPO:

Computer Configuration --> Administrative Templates --> Network --> Network Connections --> Windows Firewall --> Domain Profile --> Windows Firewall: Define inbound port exceptions

I then defined the following exceptions:

135:TCP:(scope):enabled:SCCM
2701:TCP:(scope):enabled:SCCM
2702:TCP:(scope):enabled:SCCM

Note: (scope) is either "*" (for all networks - although this is not advised) or a comma-separated list that contains any number or combination of these:

IP addresses, such as 10.0.0.1
Subnet descriptions, such as 10.2.3.0/24
The string "localsubnet"

After adding the above exceptions to clients via an existing GPO I could successfully connect to them using the Remote Tools feature in SCCM.

JJClements.co.uk » SCCM

SCCM Remote Tools firewall ports