Installation Requirements for Internet-Based Site Systems

As many of you know, the current network diagrams for the Internet-based client management scenarios do not include port information required to install the site systems or install packages.  Thank you to everybody who contacted us about this and your patience in waiting for us to update the documentation.  The documentation team cannot document what isn’t tested and verified by the product group, and we had to wait until we had this confirmation before updating the documentation.   Unfortunately, there wasn’t sufficient time to revise the network diagrams for the R2 documentation update, but we’ve now added the information below to the popular and much-read topic Ports Used by Configuration Manager.  The relevant network diagrams have a callout that they do not include installation requirements with a link to the relevant information.


The topic Determine the Ports Required for Internet-Based Client Management has also been updated to include the RPC requirement.  We’ve had a few customers asking about the port information for the Internet-based software update point to synchronize with the active software update point on the intranet (HTTPS, port 8531 by default), but this information is already in this topic and the ports topic.


Note that for site system installation only, an inbound SMB connection is required to the site server - even if you have selected the option Allow only site server initiated data transfers from this site system on the site system properties.  If this blocked by firewalls, the Internet-based site system installation will fail.  After installation, only outbound SMB connections are used unless Configuration Manager detects a problem with the site system and attempts to reinstall in order to repair the site system.




Installation Requirements for Internet-Based Site Systems

The Internet-based management point, software update point, and fallback status point use the following ports for installation and repair:

·         Site server --> site system: RPC endpoint mapper using UDP and TCP port 135.

·         Site server --> site system: RPC dynamic TCP ports.

·         Site server < --> site system: Server message blocks (SMB) using TCP port 445.


Distribution points do not install until the first package is targeted to them. Package installations on distribution points require the following RPC ports:

·         Site server --> distribution point: RPC endpoint mapper using UDP and TCP port 135.

·         Site server --> distribution point: RPC dynamic TCP ports.



Before installing these site systems, ensure that the remote registry service is running on the site system server and that you have specified a site system installation account if the site system is in a different Active Directory forest without a trust relationship. For more information, see How to Configure the Site System Installation Account. 


Update September 3rd 2008:  The information in this blog post is now published online with the August 2008 documentation update.  In the next documentation update we will also be adding the following information: 

Use IPsec to help secure the traffic between the site server and site systems. If you need to restrict the dynamic ports used with RPC, the Microsoft RPC configuration tool (rpccfg.exe) can be used to configure a limited range of ports for these RPC packets. For more information about the RPC configuration tool, see


- Carol Bailey


This posting is provided “AS IS” with no warranties and confers no rights.

Comments (1)

  1. Anonymous says:

    The docs team for ConfigMgr 2007 has been busy releasing updated content and product clarifications recently

Skip to main content