That has already been done. We turned port 10123 off there and specified 80 and 443. No firewalls anywhere. Some clients, particularly in untrusted domains, make a query for policy and never get a response. Clients see the correct MP and are approved. Presumably they aren't able to get the policy that they can't talk on port 10123 anymore. I'm wondering if it's a value I can change in WMI, and it's not the client computer online status.

Thanks,
-S

From: jmar...@babc.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] Change Port 10123
Date: Thu, 6 Mar 2014 21:09:26 +0000

Configure the client notification port. By default, client notification communication uses TCP port 10123. In the Configuration Manager console, click Administration, expand Site Configuration, click Sites, open the Properties dialog; from here you can configure the TCP port value in the Ports tab. You might have to configure the firewall on the management point, clients, and any intervening firewalls to allow communication over this new port. However, client notification can fall back to using HTTP and HTTPS.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of s kissel
Sent: Thursday, March 06, 2014 2:41 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Change Port 10123

Hi

So there may be a bug with port 10123 in that it opens a connection to the server, and when it doesn't get a response, it leaves the connection open. Naturally, it should fall back to port 80 or 443, but the open connections raise the handle count on ccmexec to often well over 20,000 threads, rendering the client essentially useless without stopping the service remotely. We have a case open with CSS on this now, but suffice to say, there are no firewalls between the clients and servers that have this issue, and it mainly happens on Server 2003 systems and VMware systems.

So we turned off port 10123. However, it appears that some of the clients now request policy but never download any, even after reinstalling the client. We are thinking that is because they believe they are still supposed to talk on port 10123 since they never received the policy that that port is now blocked.

I queried the registry to see if there was port 10123 in there anywhere but was not able to find it. Thus, it must be in WMI. Does anyone off the top of their head know where to find this in WMI? I started poking around in the Root\CCM\Policy, but haven't found it yet. Any ideas?

Thanks,
-S

Confidentiality Notice: This e-mail is from a law firm and may be protected by the attorney-client or work product privileges. If you have received this message in error, please notify the sender by replying to this e-mail and then delete it from your computer.
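
The search described in the original question, as an added example that is not part of the thread: a PowerShell 2.0-compatible script that walks every namespace under `root\ccm` on a client, reports any WMI property whose value contains the port number, and then shows the CcmExec handle count and current connections on that port. The thread does not say where (or whether) the value is stored in WMI, so the script makes no assumption about class or property names; the function names are hypothetical, and the full walk can take several minutes.

```powershell
# Added example (not from the thread). Run elevated on an affected client.
param(
    [string]$RootNamespace = 'root\ccm',   # starting point mentioned in the thread
    [int]$Port = 10123                     # client notification port from the thread
)

# Hypothetical helper: emit a namespace and all of its descendants.
function Get-ChildNamespace {
    param([string]$Namespace)
    $Namespace
    Get-WmiObject -Namespace $Namespace -Class __NAMESPACE -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ChildNamespace -Namespace "$Namespace\$($_.Name)" }
}

# Hypothetical helper: list every instance property whose value contains the port.
function Find-WmiPortReference {
    param([string]$RootNamespace, [int]$Port)
    foreach ($ns in (Get-ChildNamespace -Namespace $RootNamespace)) {
        # Skip WMI system classes (names starting with two underscores).
        $classes = Get-WmiObject -Namespace $ns -List -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -notlike '__*' }
        foreach ($class in $classes) {
            $instances = Get-WmiObject -Namespace $ns -Class $class.Name -ErrorAction SilentlyContinue
            foreach ($inst in $instances) {
                foreach ($prop in $inst.Properties) {
                    # Matches integer properties and strings/XML that embed the number.
                    if ("$($prop.Value)" -match "\b$Port\b") {
                        New-Object PSObject -Property @{
                            Namespace = $ns
                            Class     = $class.Name
                            Property  = $prop.Name
                            Value     = "$($prop.Value)"
                        }
                    }
                }
            }
        }
    }
}

Find-WmiPortReference -RootNamespace $RootNamespace -Port $Port |
    Select-Object Namespace, Class, Property, Value | Format-List

# Symptom check from the thread: CcmExec handle count and connections on the port.
Get-Process -Name CcmExec -ErrorAction SilentlyContinue | Select-Object Name, Id, HandleCount
netstat -ano | Select-String ":$Port\s"
```

An empty result from the search means no instance under the chosen root holds the value in a readable property; it does not rule out storage elsewhere.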