Hi,
Thanks for posting in Microsoft MECM Q&A forum.
We do not need to open any inbound ports to your on-premises network. The SCCM service connection point and CMG connection point initiate all communication with Azure and the CMG. These two site system roles must be able to create outbound connections to the Microsoft cloud.
- The service connection point connects to Azure over HTTPS port 443.
- The CMG connection point connects to the CMG in Azure over TCP-TLS or HTTPS. It holds the connection open and builds the channel for future two-way communication.
- The client connects to the CMG over HTTPS port 443.
- The CMG forwards the client communication over the existing connection to the on-premises CMG connection point. You don’t need to open any inbound firewall ports.
- The CMG connection point forwards the client communication to the on-premises management point and software update point.
For more information, please refer to: How to Setup Co-Management – Firewall Ports Proxy Requirements
Thanks for your time.
Best regards,
Simon
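The data flow described in the answer above can be turned into a firewall policy check. The following is an added example, not part of the original answer or of any Microsoft tooling. The rule format, zone and role names, and the sample policies are constructed for illustration, and the CMG connection point is modelled on its HTTPS path only, with port 443 assumed.

```python
# Added example: audit a first-match firewall policy against the CMG data flow.
# Rules are (name, action, src, dst, port); "*" matches anything.
# A flow here means "who initiates the connection"; return traffic on an
# established connection is assumed to be handled by a stateful firewall.

def decide(rules, src, dst, port):
    """Return (action, rule_name) for the first rule matching the flow."""
    for name, action, r_src, r_dst, r_port in rules:
        if r_src in ("*", src) and r_dst in ("*", dst) and r_port in ("*", port):
            return action, name
    return "deny", "implicit-default-deny"

# Outbound connections the two site system roles must be able to create.
REQUIRED = [
    ("service-connection-point", "azure", 443),
    ("cmg-connection-point", "cmg", 443),
]
# Inbound paths that do not need to be opened, because the CMG reuses the
# connection the CMG connection point already holds open.
UNNEEDED = [
    ("internet", "cmg-connection-point", 443),
    ("internet", "management-point", 443),
    ("internet", "software-update-point", 443),
    ("cmg", "cmg-connection-point", 443),
]

def audit(rules):
    """List required flows that are blocked and inbound flows left open."""
    findings = []
    for src, dst, port in REQUIRED:
        action, name = decide(rules, src, dst, port)
        if action != "allow":
            findings.append(f"BLOCKED required outbound {src} -> {dst}:{port} (rule: {name})")
    for src, dst, port in UNNEEDED:
        action, name = decide(rules, src, dst, port)
        if action == "allow":
            findings.append(f"OPEN unneeded inbound {src} -> {dst}:{port} (rule: {name})")
    return findings

# Constructed sample policies (not taken from any real environment).
GOOD = [
    ("scp-out", "allow", "service-connection-point", "azure", 443),
    ("cmgcp-out", "allow", "cmg-connection-point", "cmg", 443),
    ("default", "deny", "*", "*", "*"),
]
LEGACY = [
    ("scp-out", "allow", "service-connection-point", "azure", 443),
    ("old-inbound", "allow", "internet", "management-point", 443),
    ("default", "deny", "*", "*", "*"),
]

if __name__ == "__main__":
    for label, policy in (("good", GOOD), ("legacy", LEGACY)):
        print(label, audit(policy) or "ok")
```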