This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(3.2, 20%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
According to MS article https://learn.microsoft.com/en-us/mem/configmgr/core/clients/manage/cmg/data-flow?source=docs#required-ports The firewall ports requirements are given, however I could not get the details about the Server column ( which is destination). Can someone tell me what should i mention(Ip address) in destination(Server Column) for both the services (Azure & CMG service)
Client Protocol Port Server Description
Service connection point HTTPS 443 Azure CMG deployment
CMG connection point TCP-TLS 10140-10155 CMG service Preferred protocol to build CMG channel Note 1
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 50%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
Usually 443 is open.
CMG service is nothing but CMG VM.
This video may help
https://www.youtube.com/watch?v=FfMfw4dDq5o (go to 51.59 minutes in the video, that talks about ports)
Thanks for the video, the video talks about CMG service, but however it does not talk about the first requirement which is opening 443 from Service connection point to Azure. what does the Azure means here in terms of IP's?
Hi,
Thanks for posting in Microsoft MECM Q&A forum.
We do not need to open any inbound ports to your on-premises network. The SCCM service connection point and CMG connection point initiate all communication with Azure and the CMG. These two site system roles must be able to create outbound connections to the Microsoft cloud.
For more information, please refer to: How to Setup Co-Management – Firewall Ports Proxy Requirements
Thanks for your time.
Best regards,
Simon
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you Simon, however the point no 1 (The service connection point connects to Azure over HTTPS port 443.) is not clear, it states to open 443 to Azure, does azure means all all Microsoft cloud IP ranges?
In my projects i did not have to take specific steps for "The service connection point connects to Azure over HTTPS port 443." usually it is open. I made sure the port for CMG VM (aka CMG service) are covered.
I do agree PAD-7009, outbound 443 should generally work to azure, but you know how difficult it is to explain firewall team what azure means here, i was just trying to find out, does azure means entire azure cloud, thanks to you and Simon for responding.