10123 is used for the client notification feature only and is unrelated to a 
client downloading policy. That's not to say some bug can't foul things up, but 
under normal operating circumstances, 10123 (and client notification) has 
nothing to do with the client retrieving policy.


Have you reviewed the policyagent and policyevaluator log files on the clients 
experiencing these symptoms?


J

________________________________
From: [email protected] <[email protected]> on behalf 
of Trevor Sullivan <[email protected]>
Sent: Friday, March 7, 2014 7:21 AM
To: [email protected]
Subject: RE: [mssms] Change Port 10123

To the best of my knowledge, the policy that tells the client to turn off TCP 
10123 should be coming down as part of ConfigMgr client policy, which would be 
retrieved over TCP 80 or TCP 443 (via HTTP or HTTPS protocols, of course). Does 
that sound right to you folks?

Cheers,
Trevor Sullivan

From: [email protected] [mailto:[email protected]] On 
Behalf Of Marcum, John
Sent: Friday, March 7, 2014 7:05 AM
To: [email protected]
Subject: RE: [mssms] Change Port 10123

Interesting, I had an issue recently where clients would not pull changes in 
client agent settings. I wonder if it's related?

From: [email protected] [mailto:[email protected]] On 
Behalf Of s kissel
Sent: Thursday, March 06, 2014 3:42 PM
To: [email protected]
Subject: RE: [mssms] Change Port 10123

That has already been done. We turned port 10123 off there and specified 80 and 
443. No firewalls anywhere. Some clients, particularly in untrusted domains, 
make a query for policy and never get a response. Clients see the correct MP 
and are approved. Presumably they aren't able to get the policy that they can't 
talk on port 10123 anymore. I'm wondering if it's a value I can change in WMI, 
and it's not the client computer online status.

Thanks,
-S
________________________________

From: [email protected]<mailto:[email protected]>
To: [email protected]<mailto:[email protected]>
Subject: RE: [mssms] Change Port 10123
Date: Thu, 6 Mar 2014 21:09:26 +0000

Configure the client notification port.
By default, client notification communication uses TCP port 10123. In the 
Configuration Manager console, click Administration, expand Site Configuration, 
click Sites, open the Properties dialog, from here you can configure the TCP port 
value in the Ports tab. You might have to configure the firewall on the 
management point, clients, and any intervening firewalls to allow communication 
over this new port. However, client notification can fall back to using HTTP 
and HTTPS.

From: [email protected]<mailto:[email protected]> 
[mailto:[email protected]] On Behalf Of s kissel
Sent: Thursday, March 06, 2014 2:41 PM
To: [email protected]<mailto:[email protected]>
Subject: [mssms] Change Port 10123

Hi

So there may be a bug with port 10123 in that it opens a connection to the 
server, and when it doesn't get a response, it leaves the connection open. 
Naturally, it should fall back to port 80 or 443, but the open connections 
raise the handle count on ccmexec to often well over 20,000 threads, rendering 
the client essentially useless without stopping the service remotely. We have a 
case open with CSS on this now, but suffice to say, there are no firewalls 
between the clients and servers that have this issue, and it mainly happens on 
Server 2003 systems and VMware systems.

So we turned off port 10123. However, it appears that some of the clients now 
request policy but never download any, even after reinstalling the client. We 
are thinking that is because they believe they are still supposed to talk on 
port 10123 still since they never received the policy that that port is now 
blocked. I queried the registry to see if there was port 10123 in there 
anywhere but was not able to find it. Thus, it must be in WMI. Does anyone off 
the top of their head know where to find this in WMI? I started poking around 
in the Root\CCM\Policy, but haven't found it yet.

Any ideas?

Thanks,
-S

________________________________


Confidentiality Notice: This e-mail is from a law firm and may be protected by 
the attorney-client or work product privileges. If you have received this 
message in error, please notify the sender by replying to this e-mail and then 
delete it from your computer.
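
A check for the symptom described in the original message (connections to TCP 10123 left open while the ccmexec handle count climbs), as an added example that is not part of the thread. The function name `Get-NotificationPortConnections` is hypothetical, and the sample netstat lines, addresses and PIDs are constructed.

```powershell
# Added example, not from the thread. Counts TCP connections to the client
# notification port by state, then shows the ccmexec handle and thread counts.
function Get-NotificationPortConnections {
    param(
        [string[]]$NetstatLines,   # output of: netstat -ano -p tcp
        [int]$Port = 10123         # default client notification port per the thread
    )
    foreach ($line in $NetstatLines) {
        # Expected columns: Proto  LocalAddress  ForeignAddress  State  PID
        $f = $line.Trim() -split '\s+'
        if ($f.Count -ne 5 -or $f[0] -ne 'TCP') { continue }
        # Remote port is whatever follows the last colon (IPv4 and [IPv6] forms)
        $remotePort = ($f[2] -split ':')[-1]
        if ($remotePort -eq "$Port") {
            New-Object PSObject -Property @{
                Remote = $f[2]; State = $f[3]; ProcessId = [int]$f[4]
            }
        }
    }
}

# Constructed sample input. On a live client use: $lines = netstat -ano -p tcp
$lines = @(
    '  TCP    10.0.0.25:49811    10.0.0.5:10123    ESTABLISHED    2244',
    '  TCP    10.0.0.25:49812    10.0.0.5:10123    CLOSE_WAIT     2244',
    '  TCP    10.0.0.25:49813    10.0.0.5:10123    CLOSE_WAIT     2244',
    '  TCP    10.0.0.25:49900    10.0.0.5:80       ESTABLISHED    2244',
    '  TCP    0.0.0.0:135        0.0.0.0:0         LISTENING      888'
)

# Connections to the notification port, grouped by TCP state
$conns = @(Get-NotificationPortConnections -NetstatLines $lines)
$conns | Group-Object State | Select-Object Name, Count

# Handle and thread counts of the client service process, if it is running
Get-Process -Name ccmexec -ErrorAction SilentlyContinue |
    Select-Object Name, Id, HandleCount, @{n='Threads'; e={$_.Threads.Count}}
```

Run on a schedule and compared over time, a steadily growing count of connections to port 10123 alongside a rising handle count matches the behaviour reported in the original message.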
