Dynamic Port Configuration for RPC & SCCM
The question is regarding Dynamic Port Configuration for RPC within SCCM. I have created the reg key to limit the port to 5100 - 5200 per the article http://support.microsoft.com/Default.aspx?id=154596. The implementation of this reg key, taken from http://technet.microsoft.com/en-us/library/bb632618.aspx, needs to go on Primary Sites, Central Site, or wherever there is an MP, correct? Or am I missing a spot to configure this?
March 15th, 2010 6:27pm

I have never gotten that reg key from the KB to work. I know a MS guy who also tested it and couldn't get it to work. That's why the reference to that article was removed from the SCCM docs. For client push to work you have to open those ports AFAIK.
John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
March 15th, 2010 10:42pm

What are you trying to open up though? Nearly all communication in ConfigMgr is client initiated and all client to site server communication is via http/https except for package download, which can also be SMB. The only time ConfigMgr uses RPC is to push client agents and then it is a client side issue and not a server-side one.
Jason | http://myitforum.com/cs2/blogs/jsandys | http://blogs.catapultsystems.com/jsandys/default.aspx | Twitter @JasonSandys
March 15th, 2010 11:12pm

Try the RPCCFG utility, it configures the registry settings for you.
How to use RPCCFG to configure specific ports for use with RPC dynamic port allocation: http://networkadminkb.com/kb/Knowledge%20Base/ActiveDirectory/How%20to%20use%20RPCCFG%20to%20configure%20specific%20ports%20for%20use%20with%20RPC%20dynamic%20port%20allocation.aspx
March 15th, 2010 11:31pm

Jason, I assumed he meant for client push. If anyone gets RPC to use specified ports I will be amazed. I gave up on it. I "think" you'd have to make the registry setting on the clients not the servers but that was just my excuse to give up on it and get the ports opened.
John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
March 16th, 2010 2:14am

Thanks, trying to get all my ducks in a row and documented for an upgrade. The reg key is not a valid approach for SCCM then. All dynamic ports, in your experience, should be open and not limited for client push installs? The reason for the limiting was more to secure the environment and the possibility of system services stepping on each other. No dynamic ports should be limited then?
March 16th, 2010 2:49am

We tested the RPCCFG utility for Internet-based site systems - and I know that we did get this to work (I have network traces to prove it!) and people in the field have also successfully used it for this scenario. This is a server-side configuration so for Internet-based site systems you configure the registry on the site server and not the site system servers. We haven't tested it for client push, so no, it wouldn't be supported for this scenario.

If security is a concern, I wouldn't use client push. Consider one of the other client installation methods that uses fewer ports - such as software update point-based installation or running CCMSetup.exe from logon scripts. Later this month we're hoping to be able to publish all the port requirements for each of the different client installation methods. Client push requires SMB in addition to RPC (and HTTP), which makes it particularly challenging if there is a firewall in between the site server and clients.

- Carol
This posting is provided “AS IS” with no warranties and confers no rights.
New ports topic published for client installation: http://technet.microsoft.com/en-us/library/ff189805.aspx
March 16th, 2010 3:58pm
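
Added example, not part of the original thread and not code from Microsoft or any poster: a read-only PowerShell audit of the registry values that KB 154596 defines under `HKLM\SOFTWARE\Microsoft\Rpc\Internet`, checked against the 5100 - 5200 range from the question. The function names `ConvertTo-PortRange` and `Test-RpcPortRestriction` are hypothetical, and the expected range is an assumption to be replaced with whatever range the firewall rule documents.

```powershell
# Added example: audit the RPC port restriction from KB 154596 (run elevated, on the server).
$RpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'

function ConvertTo-PortRange {
    # Parse REG_MULTI_SZ entries such as '5100-5200' or '5300' into range objects.
    param([string[]]$Entries)
    foreach ($e in $Entries) {
        if ($e -notmatch '^\s*(\d+)(?:\s*-\s*(\d+))?\s*$') { throw "Malformed Ports entry: '$e'" }
        $first = [int]$Matches[1]
        $last  = if ($Matches[2]) { [int]$Matches[2] } else { $first }
        if ($first -lt 1 -or $last -gt 65535 -or $first -gt $last) { throw "Invalid range: '$e'" }
        [pscustomobject]@{ First = $first; Last = $last; Size = $last - $first + 1 }
    }
}

function Test-RpcPortRestriction {
    # Expected range defaults to the 5100-5200 window from the question (assumption).
    param([int]$ExpectedFirst = 5100, [int]$ExpectedLast = 5200)
    $cfg = Get-ItemProperty -Path $RpcKey -ErrorAction SilentlyContinue
    if (-not $cfg -or -not $cfg.Ports) {
        return [pscustomobject]@{ Restricted = $false; PortCount = 0
                                  Findings = @('No Ports value; RPC uses the default dynamic range') }
    }
    $ranges   = @(ConvertTo-PortRange -Entries $cfg.Ports)
    $findings = @()
    # Both flags must be 'Y' for RPC to allocate only from the listed ports.
    foreach ($name in 'PortsInternetAvailable', 'UseInternetPorts') {
        if ($cfg.$name -ne 'Y') { $findings += "$name is '$($cfg.$name)', expected 'Y'" }
    }
    # Any listed range wider than the firewall rule would produce blocked connections.
    foreach ($r in $ranges) {
        if ($r.First -lt $ExpectedFirst -or $r.Last -gt $ExpectedLast) {
            $findings += "Range $($r.First)-$($r.Last) falls outside ${ExpectedFirst}-${ExpectedLast}"
        }
    }
    [pscustomobject]@{
        Restricted = ($findings.Count -eq 0)
        PortCount  = ($ranges | Measure-Object -Property Size -Sum).Sum
        Findings   = $findings
    }
}

Test-RpcPortRestriction | Format-List
```

A clean result shows only that the registry values are set as KB 154596 describes; whether a particular ConfigMgr scenario honours them is what the replies in this thread discuss.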

I think in client push the client requests the port number which is why it won't work.
John Marcum | http://www.TrueSec.com/en/Training.htm | http://myitforum.com/cs2/blogs/jmarcum
March 18th, 2010 3:03am

This topic is archived. No further replies will be accepted.
