Preparing your network for deployment

Applies To: Forefront Client Security

Before deploying Client Security to client computers, you should verify that:

  • They are part of one or more domains that have bidirectional trust with the domain that the Client Security servers are in.

  • Appropriate network ports are open.

Client computers in trusted domains

All client computers must be in a single domain or set of domains. Those domains must have bidirectional trust with the domain that the Client Security servers are in.


You can also deploy Client Security to client computers that are not part of a trusted domain. For example, you can install Client Security on your employees' home computers. When Client Security is installed on computers outside a trusted domain, however, the functionality is restricted. The computers cannot report to the Client Security server, and you cannot deploy Client Security policies to those computers. .

It is recommended that the client computers be part of organizational units or security groups. You can, however, deploy Client Security policies directly to an entire domain. You can also deploy Client Security policies by using registry files.

Client computers with an existing MOM agent

You can install the Client Security agent to client computers with an existing MOM agent. For more information, see Configuring MOM agents for multihoming.

Port usage for Client Security client components

The following table lists the network ports and protocols that are used for communications between Client Security servers and client computers. Depending on the type of firewalls you use and the location of those firewalls, you may need to open these ports.


These ports do not include the ports used for Group Policy, Domain Name System (DNS), and other standard technologies. For a list of ports used by Microsoft server products, see Network Ports Used by Key Microsoft Server Products (

Computer Connection Port (protocols)

Client computers

To collection server

1270 (TCP and UDP)

Client computers

To distribution server

80 (TCP) or 8530 (TCP) or custom

Opening ports in Windows Firewall

For instructions about opening ports using Group Policy, see Deploying Windows Firewall Settings for Microsoft Windows XP with Service Pack 2 (

To open ports manually, you can follow the steps in the following procedure.

To open ports in Windows Firewall

  1. Click Start, click Control Panel, and then double-click Windows Firewall.

  2. Click the Exceptions tab, and then click Add Port.

  3. In the Name box, type the new port's name.

  4. In the Port number box, type the port number.

  5. Select TCP or UDP.