IBCM: How to Configure the Firewall ?

  • Question

  • Hi,

    we are going to configure IBCM.

    We want to provide software deployment, software update management and inventory for our internet clients.

    We will install an additional site server in the DMZ which will be configured as the Internet-facing Management Point / Distribution Point / Software Update Point.

    My question:

    which ports must be open for the communication between this site server and our ConfigMgr (intranet) environment ?

    Thanks

    Friday, February 27, 2015 3:52 PM

Answers

    • Marked as answer by Joyce L Monday, March 9, 2015 9:38 AM
    Friday, February 27, 2015 3:56 PM
  • Yes, and if you have a single direction into the DMZ and not back into the intranet, which most people do, then you will need to check the box for "site server initiated content" so it will reach into the DMZ and pull back the data.

    http://www.sccm-tools.com http://sms-hints-tricks.blogspot.com

    • Marked as answer by Joyce L Monday, March 9, 2015 9:38 AM
    Friday, February 27, 2015 5:13 PM
  • The following ports need to be opened in the firewall between the work network and the DMZ:

    DMZ Site Server to DB – 1433 (bi-directional)

    DMZ Site Server to Primary Site Server – 445 (TCP) (bi-directional)

    Primary to DMZ Site Server RPC endpoint mapper – 135(UDP & TCP) (bi-directional)

    DMZ Site Server to SUP – 80 & 443 (TCP)

    Primary to DMZ Site Server – RPC dynamic TCP Ports

    Primary to DMZ site Server RDP – TCP 3389 (uni-directional)

    Allowed traffic from internet to communicate with DP/MP/SUP (443 Bi-directional)

    Active Directory and Certificate Services ports required for communication with the DMZ server, and DNS ports, as per the company's DMZ policy

    -RG

    • Marked as answer by Joyce L Monday, March 9, 2015 9:39 AM
    Sunday, March 1, 2015 7:53 AM
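    The port list above can be turned into a pre-deployment check. The script below is an added example, not code from this thread or from ConfigMgr: it encodes the flows from the reply as a table, expands the bi-directional ones, and probes every TCP flow that originates on the role you run it from (it cannot probe UDP 135 or the RPC dynamic range, and reports those as skipped). The host names are placeholders for the thread's servers.

```python
import socket

# Required flows between the intranet and the DMZ site server, as listed in the
# reply above: (source role, destination role, protocol, port, bi-directional).
REQUIRED_FLOWS = [
    ("dmz", "sql", "tcp", 1433, True),       # DMZ site server to site database
    ("dmz", "primary", "tcp", 445, True),    # SMB to/from the primary site server
    ("primary", "dmz", "tcp", 135, True),    # RPC endpoint mapper
    ("primary", "dmz", "udp", 135, True),    # RPC endpoint mapper (UDP, not probed)
    ("dmz", "sup", "tcp", 80, False),        # WSUS / SUP
    ("dmz", "sup", "tcp", 443, False),       # WSUS / SUP
    ("primary", "dmz", "tcp", 3389, False),  # RDP from the intranet only
]
# The RPC dynamic TCP range (Windows default 49152-65535; an assumption about
# the environment) must also be allowed primary -> DMZ; it cannot be enumerated here.


def expand(flows):
    """Turn each bi-directional entry into one entry per direction."""
    out = []
    for src, dst, proto, port, bidir in flows:
        out.append((src, dst, proto, port))
        if bidir:
            out.append((dst, src, proto, port))
    return out


def tcp_connect(host, port, timeout=3.0):
    """Real probe: True if a TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_from(role, hosts, connect=tcp_connect):
    """Probe every TCP flow that starts at `role` from the machine this runs on.
    `hosts` maps role name -> host name. Returns (blocked, skipped)."""
    blocked, skipped = [], []
    for src, dst, proto, port in expand(REQUIRED_FLOWS):
        if src != role:
            continue
        if proto != "tcp":
            skipped.append((src, dst, proto, port))   # UDP: needs a separate test
        elif not connect(hosts[dst], port):
            blocked.append((src, dst, proto, port))
    return blocked, skipped


if __name__ == "__main__":
    # Placeholder host names (assumption); run this on the DMZ site server.
    hosts = {"sql": "SQL01.corp.example", "primary": "CM01.corp.example", "sup": "SUP01.corp.example"}
    blocked, skipped = check_from("dmz", hosts)
    print("blocked:", blocked, "\nskipped (UDP):", skipped)
```

    Run it a second time on the primary site server with `check_from("primary", ...)` to cover the flows that originate on the intranet side.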

All replies

  • is this correct ?

    RPC : These connections typically use ports UDP and TCP 135 and a dynamic TCP port range
    SMB : These connections typically use ports TCP 445.
    Microsoft SQL Server : SQL Server connections use port TCP 1433
    HTTP : TCP 80
    HTTPS : TCP 443
    WSUS: 80, 443, 8530 & 8531

    • Proposed as answer by Thomas Kurth Sunday, March 1, 2015 11:56 AM
    Friday, February 27, 2015 4:18 PM
  • and for the internet

    HTTP : TCP 80

    • Edited by dnl24 Friday, February 27, 2015 4:26 PM
    Friday, February 27, 2015 4:21 PM
  • THANKS 
    Wednesday, March 4, 2015 9:03 PM
  • and if we want to patch our internet clients ... ?

    Do we have to install the SUP on the DMZ Site Server, that will talk to WSUS on the Intranet (Work Network) ?

    Tuesday, March 10, 2015 5:07 PM