Firewalled Clients
I have several clients that need to be firewalled off and I would prefer not to have to open port 445. We are in Native mode and both 80 and 445 are open, and BITS is enabled. Have I misconfigured something? I thought I wouldn't need to use 445 in Native mode with BITS. I'm guessing I will have to bring up a Branch Distribution Point, but that is annoying since it has to have ports popped for AD since it has to be a member server. TIA
Paul
June 30th, 2011 4:40pm

Not sure what you are requesting here? All client traffic in ConfigMgr is client initiated, so if you are talking about host-based firewalls, then nothing should need to be opened. As for native mode, the default port is 443 (not 445) because the traffic is SSL over HTTP (HTTPS). Here's a detailed page and graphic of traffic: http://technet.microsoft.com/en-us/library/bb632618.aspx
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
June 30th, 2011 10:00pm

I have that article modified and sitting on my wall as I try to wade through it, but if you notice it does state (15) that 445 is needed. If I use a BDP then only 80/443 are used.
Paul
June 30th, 2011 10:33pm

Pay close attention to the documentation... it is correct. In my environment, I set up a new Site System in the DMZ (off the Central site), hosting Management Point and Distribution Point roles. The biggest problem I had was with dynamically-allocated RPC ports. Open a specific block of ports through your firewall, and configure your servers to use those ports.
Nick.
June 30th, 2011 11:16pm
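The "specific block of ports" approach Nick describes above, as an added example (not code from the thread or from Microsoft): pin the RPC dynamic port range on a Windows site system by setting the documented HKLM\SOFTWARE\Microsoft\Rpc\Internet values, then allow just that block (plus TCP 135 for the endpoint mapper) on the host firewall. The range 5000-5200 and the rule name are assumptions; choose a range that does not collide with anything else listening on the box, and reboot afterwards, because the RPC runtime reads these values only at start-up.

```powershell
# Added example: pin the RPC dynamic port range on a site system so the firewall
# can allow a fixed block instead of the whole ephemeral range. Not from the thread.
# Run elevated; a reboot is required for the RPC runtime to pick up the new range.

function Set-RpcDynamicPortRange {
    param(
        [int]$Start = 5000,   # assumption: pick a range free on your server
        [int]$End   = 5200
    )
    if ($Start -lt 1024 -or $End -le $Start -or $End -gt 65535) {
        throw "Invalid range $Start-$End"
    }
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Documented values: Ports (REG_MULTI_SZ), PortsInternetAvailable and
    # UseInternetPorts (REG_SZ, both "Y") restrict dynamic allocation to the block.
    New-ItemProperty -Path $key -Name Ports -PropertyType MultiString `
        -Value @("$Start-$End") -Force | Out-Null
    New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name UseInternetPorts -PropertyType String `
        -Value 'Y' -Force | Out-Null

    # Host firewall: endpoint mapper plus the pinned block only (rule names are assumptions).
    netsh advfirewall firewall add rule name="RPC endpoint mapper" `
        dir=in action=allow protocol=TCP localport=135 | Out-Null
    netsh advfirewall firewall add rule name="RPC dynamic (pinned $Start-$End)" `
        dir=in action=allow protocol=TCP localport="$Start-$End" | Out-Null

    # Return the effective configuration so it can be checked before rebooting.
    Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

Set-RpcDynamicPortRange -Start 5000 -End 5200
```

After the reboot, confirm the range is honoured with `netstat -ano -p tcp` on the server: RPC listeners should appear only inside the pinned block, and the perimeter firewall needs the same block open between the site server and the DMZ site system in addition to 135.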

Yes, port 445 SMB is needed to move the files to the DP. You can get away from this by using a BDP. As you stated you must use AD, but you must use AD for all site servers, so either way you need access to the AD. Port 445 is necessary to be open both ways to set up. After that you can restrict 445 to one direction (site server > DP). If you ever had to repair the role or add/remove a role then 445 has to be turned back on in both directions for the repair to work correctly.
http://www.sccm-tools.com
http://sms-hints-tricks.blogspot.com
July 1st, 2011 8:06am

"I have that article modified and sitting on my wall as I try to wade through it, but if you notice it does state (15) that 445 is needed. If I use a BDP then only 80/443 are used."
No, BDPs use 445 on the local subnet (16. Client --> Branch Distribution Point) and 80/443 to download content from a DP.
http://www.enhansoft.com/
July 1st, 2011 9:58am

The way I read the info is (my SCCM server is a single box with all roles on it):
SCCM Client connecting to the DP: 80, 443 and 445
SCCM Client connecting to the BDP: 445
BDP connecting to the DP: 80 and 443
http://technet.microsoft.com/en-us/library/bb632618.aspx
http://blogcastrepository.com/forums/p/44990/48583.aspx#48583
I was thinking about creating a BDP inside my firewall and then only having to deal with 80 and 443. Can I have both a DP and BDP in the same site?
Paul
July 1st, 2011 10:56am

I still don't understand what you're after here, as you've never really explained your scenario in the amount of detail needed to sufficiently make any statements, and that's why there's so much confusion in the responses above.
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
July 1st, 2011 11:17am

Well, I don't want to open up 445 through the firewall. I believe I have it figured out though. If I bring up a BDP inside the data center and get my firewalled-off clients to go to the BDP, then only ports 80 and 443 are required.
http://technet.microsoft.com/en-us/library/bb680853.aspx
I see in my initial statement: "We are in Native mode and both 80 and 445 are open as well as BITS is enabled." Should have said "We are in Native mode and both 80 and 443 are open as well as BITS is enabled."
Paul
July 1st, 2011 11:22am

I wouldn't use a BDP for this. That's part of the confusion here also: why are you choosing to use a BDP for this? Also, clients still need to communicate back to the MP on 443, so what's the point of putting any kind of DP with the clients? DP placement is about moving content closer to the clients; it has nothing to do with security or isolation. So that means you will have to open 443 from the clients to the MP. If you're already doing that, then clients will also be able to retrieve content over 443 via BITS from your regular DP. 445 is only required if your clients retrieve content via SMB. Going back to trying to figure out what your scenario is here. Without the bigger picture, all you can do is offer help on the details, but as they've come out, it seems the path that you've chosen has design flaws.
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
July 1st, 2011 12:04pm

I have a single site server with all roles residing on it. I went through the process of flipping everything over to Native mode in the hopes I wouldn't have to open anything other than port 443. We have multiple firewalled-off segments and we have to work to keep the number of ports open to a minimum, pretty standard corporate stuff, etc... I realize that clients will still have to talk to the MP on 443 and that is OK; SMB is a really bad option that I don't want to have to deploy, and that is my intent. Any clients outside of the datacenter shouldn't be using port 445. Going through Microsoft's port definition, I don't see how I can avoid using 445. I do have BITS enabled and the clients are using the cert. It wouldn't surprise me if there were some problems with design flaws, with the exception that I have a single site with a separate WSUS server. I don't see where there could be any design errors since it is completely self-contained, with the exception of the contemplation of the BDP. Thx
Paul
July 1st, 2011 12:21pm

If I place the BDP in the firewalled-off area, then it only has to talk 445 inside the firewalled-off area. The BDP will then talk 445 to the DP only. Thx
Paul
July 1st, 2011 12:40pm

As I said above, 445/SMB is only required for clients if your DP is not BITS enabled. That's it. The diagram depicts all possible traffic but does not explicitly address the difference between these configuration choices. To prove this point you have to look no further than IBCM; IBCM clients are merely native clients outside of the corporate perimeter and most likely across the Internet, where 445 is not going to travel, and yet these clients work fine with only 443 available.
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
July 1st, 2011 2:21pm
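A check for the claim above, run from one of the firewalled-off clients, as an added example (not code from the thread or from Microsoft): probe the TCP ports a native-mode client can actually use and report which path each ConfigMgr function would take. The host names sccm01.corp.example and bdp01.corp.example are assumptions; the MP and DP are on the same box here, matching Paul's single-site-server setup. The point of the extra 445 probe is the inverse check: if the perimeter rule is doing its job, SMB to the DP should fail while 443 to the MP and 80/443 to the DP succeed, which is exactly the state in which policy and BITS content still work.

```powershell
# Added example: verify from a firewalled client which ConfigMgr 2007 native-mode
# ports are reachable and which content path (BITS vs. SMB) that leaves open.
# Not from the thread; host names below are assumptions.

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    # TcpClient is used directly so this runs on 2008-era hosts without Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ConfigMgrPathReport {
    param(
        [string]$ManagementPoint,     # 443: policy, inventory, state messages (HTTPS in native mode)
        [string]$DistributionPoint,   # 80/443: BITS content; 445: SMB content fallback
        [string]$BranchDP = $null     # 445 on the local subnet, only if a BDP is in play
    )
    $probe = [ordered]@{
        'MP  443 (policy over HTTPS)'   = Test-TcpPort $ManagementPoint   443
        'DP  443 (BITS over HTTPS)'     = Test-TcpPort $DistributionPoint 443
        'DP   80 (BITS over HTTP)'      = Test-TcpPort $DistributionPoint 80
        'DP  445 (SMB content)'         = Test-TcpPort $DistributionPoint 445
    }
    if ($BranchDP) { $probe['BDP 445 (SMB, local subnet)'] = Test-TcpPort $BranchDP 445 }

    foreach ($k in $probe.Keys) {
        $state = if ($probe[$k]) { 'open' } else { 'blocked' }
        Write-Host ('{0,-32} {1}' -f $k, $state)
    }

    # Derive the verdicts a client would experience from the raw reachability results.
    $verdict = [ordered]@{}
    $verdict['PolicyFromMP']     = $probe['MP  443 (policy over HTTPS)']
    $verdict['ContentViaBITS']   = $probe['DP  443 (BITS over HTTPS)'] -or $probe['DP   80 (BITS over HTTP)']
    $verdict['ContentViaSMB']    = $probe['DP  445 (SMB content)']
    $verdict['ContentViaBDP']    = [bool]($BranchDP -and $probe['BDP 445 (SMB, local subnet)'])
    $verdict['SmbLeakThroughFW'] = $verdict['ContentViaSMB']   # 445 reaching the DP means the rule is not in place

    Write-Host ''
    if (-not $verdict['PolicyFromMP']) {
        Write-Host 'No policy: 443 to the MP is blocked. Fix this first; no DP choice helps here.'
    } elseif ($verdict['ContentViaBITS']) {
        Write-Host 'Policy and BITS content both work; 445 is not needed for this client.'
    } elseif ($verdict['ContentViaBDP']) {
        Write-Host 'Content only via the BDP over SMB on the local subnet.'
    } else {
        Write-Host 'Policy works but no content path: open 80 or 443 to a BITS-enabled DP.'
    }
    if ($verdict['SmbLeakThroughFW']) {
        Write-Host 'Warning: 445 to the DP is reachable through the firewall; the SMB path is still open.'
    }
    return [pscustomobject]$verdict
}

# Assumed host names; MP and DP are the same server in a single-site-server setup.
Get-ConfigMgrPathReport -ManagementPoint 'sccm01.corp.example' `
                        -DistributionPoint 'sccm01.corp.example' `
                        -BranchDP 'bdp01.corp.example'
```

Pair the probe with the client-side logs: PolicyAgent.log and ClientLocation.log show whether policy is arriving from the MP over HTTPS, and DataTransferService.log / ContentTransferManager.log show whether a download went over BITS or fell back to an SMB path. If the probe shows 443 open but policy still does not arrive, the problem is name resolution, the client certificate, or the MP itself rather than the firewall.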

Well, something isn't working correctly for me then. I have BITS enabled and I see it in the logs, but policies won't come across until SMB is enabled.
Paul
July 1st, 2011 2:48pm

Policies come from the MP, not the DP, so that is always 443 in native mode (unless you've specified an alternate port). This isn't SMB or BITS; it's HTTPS. Have you verified name resolution and examined the client log files?
Jason | http://myitforum.com/cs2/blogs/jsandys | Twitter @JasonSandys
July 1st, 2011 3:45pm
