What ports are used in config manager remote control?

Understanding Ports in Configuration Manager Remote Control

The core ports used in Configuration Manager (SCCM) Remote Control are primarily TCP ports 135 and 3389, and sometimes additional ports in the dynamic RPC port range (typically 1024-5000). However, it’s essential to understand how these ports facilitate the remote control process within the SCCM ecosystem, which also involves Remote Assistance and Remote Desktop functionalities. While port 3389 is straightforward as it’s dedicated for Remote Desktop Protocol (RDP), the usage of port 135 and dynamic RPC ports can be a little more nuanced. Let’s delve deeper into the role each of these ports plays in ensuring a smooth and secure remote control experience.

How Remote Control Works in Configuration Manager

Before diving into the specific ports, let’s briefly recap how SCCM remote control operates. SCCM Remote Control is a feature within the Configuration Manager console that enables administrators to remotely administer, assist, or view any client computer managed within the hierarchy. It’s a crucial tool for troubleshooting hardware and software problems, and for providing technical support.

The process involves the following high-level steps:

  1. Initiation: An administrator initiates a remote control session from the SCCM console.
  2. Connection Request: The SCCM console sends a connection request to the target client.
  3. Authentication and Authorization: The client checks the credentials and the remote control policy configured within SCCM.
  4. Session Establishment: If authorized, a remote control session is established, and the administrator can view and interact with the client’s desktop.
  5. Data Transmission: The remote control session transmits data about screen updates, keyboard input, and mouse clicks between the administrator’s console and the client machine.

Key Ports and Their Roles

Port 135 – RPC Endpoint Mapper

Port 135 is used by the Remote Procedure Call (RPC) Endpoint Mapper. Think of it as a directory service for RPC. When a client machine needs to make an RPC call, it contacts the RPC Endpoint Mapper on port 135 of the server. The mapper then tells the client which dynamic port to use for the actual communication. In the context of SCCM remote control, port 135 is used to discover the dynamic ports used by the remote control service.

Port 3389 – Remote Desktop Protocol (RDP)

Port 3389 is the standard port for Remote Desktop Protocol (RDP). This is the primary port used for the actual remote connection. When you initiate a remote control session in SCCM, it often leverages RDP for the screen sharing and remote interaction functionalities. This means you’re essentially using the underlying technology of Remote Desktop within the SCCM framework for controlling devices remotely.

Dynamic RPC Ports

RPC also utilizes dynamic ports. These ports are dynamically allocated within a specific range. By default, RPC uses the range of 1024 to 5000. However, this range can be modified, and you may encounter settings where RPC uses ports in the range of 5001 to 5021 or another similar range, especially in specific enterprise environments. The RPC Endpoint Mapper on port 135 is responsible for assigning these ports. These dynamic ports are crucial for the actual communication channels between the SCCM components involved in remote control. They help ensure that the services do not conflict with other applications, and are allocated based on demand.

Configuration in Configuration Manager

To configure remote control settings in SCCM, you would navigate to Administration > Client Settings > Default Client Settings in the SCCM console. From there, you can customize the Remote Tools settings, including access permissions, allowed viewer accounts, and various other aspects of remote control, remote assistance, and Remote Desktop.

Frequently Asked Questions (FAQs)

Here are some common questions related to ports in Configuration Manager Remote Control:

1. Does SCCM require all the ports listed for remote control?

While TCP 135 and 3389 are essential, not all listed ports are always necessary. Ports 2701 and 2702 are specific to older or non-standard configurations and are not typically used in standard SCCM remote control. The dynamic RPC ports are automatically allocated as needed.

2. What is the role of port 135 again?

Port 135 is for the RPC Endpoint Mapper. It acts like a directory service, helping clients find out which dynamic port to use for specific RPC communications. SCCM utilizes this port to discover the dynamic ports for remote control services.

3. Why is port 3389 used?

Port 3389 is used for Remote Desktop Protocol (RDP). It’s the port where the actual remote session is established, allowing screen sharing and remote interaction. SCCM relies on RDP for core remote control functionality.

4. What are dynamic RPC ports, and why are they used?

Dynamic RPC ports are allocated by the operating system for RPC communication, usually within a specified range, to avoid port conflicts. They provide flexibility and security, ensuring that RPC services do not interfere with each other or other network services.

5. What is the default dynamic RPC port range?

The default dynamic RPC port range is usually 1024 to 5000. However, this can be modified in specific configurations, like using a range such as 5001 to 5021.

6. How can I configure the remote control ports?

You don’t typically configure specific ports for SCCM remote control except for the firewall rules. The dynamic ports are assigned automatically. In SCCM, configure the remote control settings within Client Settings > Remote Tools.

7. Can I use a non-standard dynamic RPC port range?

Yes, you can configure a custom dynamic RPC port range in the operating system settings, though modifying the range is not normally needed. The RPC Endpoint Mapper will honor the range defined by the operating system.

8. Does SCCM use port 443 for Remote Control?

No, port 443, which is associated with HTTPS, is not typically directly used for SCCM Remote Control sessions. SCCM uses HTTP or HTTPS for communication with the management point for other functions but not the actual remote control sessions themselves.

9. Is port 445 involved in SCCM remote control?

While port 445, which is used for SMB communication, is generally associated with file sharing and other related activities, it’s not directly involved in the process of initiating remote control sessions in SCCM.

10. Do firewalls need to be configured for SCCM remote control?

Yes, firewalls on both client and server must be configured to allow communication over the necessary ports: 135, 3389, and the dynamic RPC port range. Without the correct firewall rules, remote control will not function properly.

11. Can I use alternative remote control protocols besides RDP?

SCCM remote control is primarily designed around RDP functionality. While some extensions may offer alternative capabilities, RDP is the standard protocol for remote interaction in SCCM.

12. What is the difference between Remote Control and Remote Assistance?

Remote Control gives the administrator full control of the client device without requiring the user’s explicit permission. Remote Assistance requires the client user’s permission before the administrator can connect, and requires in-session chat. SCCM supports both features, and they use the same ports.

13. What security considerations should I keep in mind regarding these ports?

Restrict access to ports 135 and 3389, and to the dynamic RPC ports in use, to authorized IP addresses only. Ensure that firewall rules only permit traffic from known administrator consoles. Regularly update your SCCM infrastructure with the latest security patches.
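
One way to apply the scoping described in questions 10 and 13 on a client, using the built-in NetSecurity cmdlets. This is an added example, not part of the original article or of SCCM; the function names and the console addresses are assumptions.

```powershell
# Added example, not SCCM's own tooling. Function names are hypothetical.
# Constructed placeholder console addresses (RFC 5737 documentation range).
$AdminConsoles = @('192.0.2.10', '192.0.2.11')

# 'RPCEPMap' and 'RPC' are Windows Firewall port keywords for the endpoint
# mapper (TCP 135) and the dynamically assigned RPC ports.
$WatchedPorts = @('135', '3389', 'RPCEPMap', 'RPC')

function Get-UnscopedRemoteControlRule {
    # Enabled inbound Allow rules on the watched TCP ports that accept any
    # remote address. Rules written as numeric ranges (e.g. 1024-5000) are
    # not matched here and need a manual look.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            $hit  = @($port.LocalPort) | Where-Object { $_ -in $WatchedPorts }
            if ($port.Protocol -eq 'TCP' -and $hit -and
                @($addr.RemoteAddress) -contains 'Any') {
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    LocalPort     = @($port.LocalPort) -join ','
                    RemoteAddress = @($addr.RemoteAddress) -join ','
                }
            }
        }
}

function New-ScopedRemoteControlRule {
    # Creates inbound Allow rules limited to the given console addresses.
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]]$RemoteAddress = $AdminConsoles)
    foreach ($p in 'RPCEPMap', 'RPC', '3389') {
        New-NetFirewallRule -DisplayName "Remote control in (TCP $p)" `
            -Direction Inbound -Action Allow -Protocol TCP -LocalPort $p `
            -RemoteAddress $RemoteAddress -Profile Domain
    }
}

# Audit first, then preview the scoped rules; drop -WhatIf to create them.
Get-UnscopedRemoteControlRule | Format-Table -AutoSize
New-ScopedRemoteControlRule -WhatIf
```

A scoped Allow rule does not narrow exposure while a broader Allow rule for the same port stays enabled, so the audit output should be empty before the new rules are relied on.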

14. Can I customize the port used for RDP in SCCM?

SCCM remote control uses RDP via the standard port 3389 by default. If you change the RDP listening port on the target machine, you can configure that specific port in the client settings remote tools configuration.

15. How do I troubleshoot remote control issues related to ports?

Use tools like PortQry, netstat, and firewall logs to diagnose port connectivity problems. Verify that firewalls aren’t blocking essential ports and that the correct rules are applied. Review the SCCM logs on both the client and server sides for detailed error messages related to remote control.
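
A PowerShell equivalent of the PortQry and netstat checks above, as an added example that is not part of the original article. The function names and the target host name are assumptions; the ports are the ones this page lists.

```powershell
# Added example. Function names are hypothetical; 'CLIENT01' is a
# constructed placeholder host name.

function Test-RemoteControlPort {
    # Run from the administrator console: can the fixed ports be reached?
    param([Parameter(Mandatory)][string]$ComputerName)
    foreach ($port in 135, 3389) {
        $r = Test-NetConnection -ComputerName $ComputerName -Port $port `
                 -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $ComputerName
            Port      = $port
            Reachable = $r.TcpTestSucceeded
            Resolved  = $r.RemoteAddress
        }
    }
}

function Get-RemoteControlListener {
    # Run on the client: what is listening on 135, 3389, or inside the
    # dynamic port range this machine is actually configured with?
    $tcp   = Get-NetTCPSetting -SettingName Internet
    $first = [int]$tcp.DynamicPortRangeStartPort
    $last  = $first + [int]$tcp.DynamicPortRangeNumberOfPorts - 1
    Get-NetTCPConnection -State Listen |
        Where-Object {
            $_.LocalPort -in 135, 3389 -or
            ($_.LocalPort -ge $first -and $_.LocalPort -le $last)
        } |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalPort    = $_.LocalPort
                Process      = $proc.ProcessName
                DynamicRange = "$first-$last"
            }
        }
}

Test-RemoteControlPort -ComputerName 'CLIENT01' | Format-Table -AutoSize
Get-RemoteControlListener | Format-Table -AutoSize
```

If port 135 is reachable but the session still fails, compare the `DynamicRange` reported on the client with the range the firewall rules between console and client actually allow.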

Understanding the ports used in SCCM Remote Control is vital for ensuring a functional and secure environment. By knowing the roles of ports 135, 3389, and the dynamic RPC range, you can effectively troubleshoot connectivity issues and maintain a reliable remote management system. Properly configured firewall rules, along with an understanding of the remote control process, are crucial components in a robust SCCM infrastructure.
