Communication Ports
A list of communication ports used by PXE Everywhere. Useful, if needed, for network and device firewalls.
Although a computer with PXE Everywhere Agent installed can also be a PXE client, it cannot be both at the same time.
| Component | Ports | Protocol | Direction | Usage | Configurable | 
|---|---|---|---|---|---|
| Central | 80 | HTTP | Inbound | PXE Everywhere Agent communicating with the PXE Everywhere Central web application. Browser connections to the PXE Everywhere Central website to verify installation. | Yes, post-installation on the Central server, and during installation of Agents by configuring the URL. If HTTPS is required, please contact 1E for advice. | 
| Central | 135 and 445 (initially) | WMI-DCOMTCP | Outbound | PXE Everywhere Central installer requires access to the Configuration Manager Site server, and to the server hosting the SMS Provider role. If there is only one SMS Provider, it is often on the Site server. In each case, TCP 135 and 445 are used to initiate communications and negotiate a dynamic RPC port. The dynamic range depends on the Windows OS version. | No. | 
| Central | 1433 | (See usage for protocol) TCP | Outbound | PXE Everywhere Central to access to the SQL database role for the selected Configuration Manager Site. | Depends on the Configuration Manager SQL Server instance. The Central installer determines the connection string by querying the Site's SMS Provider. | 
| ConfigMgr Site Server (and SMS Provider) | 135 and 445 (initially) | WMI (DCOM) TCP | Inbound | PXE Everywhere Central installer requires access to the Configuration Manager Site server, and each of the servers hosting the SMS Provider role. If there is only one SMS Provider, it is often on the Site server. In each case, TCP 135 and 445 are used to initiate communications and negotiate a dynamic RPC port. The dynamic range depends on the Windows OS version. | No. | 
| ConfigMgr Site SQL database | 1433 | (See usage for protocol) TCP | Inbound | PXE Everywhere Central to access to the SQL database role for the selected Configuration Manager Site. | Depends on the Configuration Manager SQL Server instance. | 
| Agent (1E.Client.exe) | 80 | HTTP TCP | Outbound | PXE Everywhere Agent communicating with the PXE Everywhere Central web application. | Yes, post-installation on the Central server, and during installation of Agents by configuring the URL. If HTTPS is required, please contact 1E for advice. | 
| Agent (1E.Client.exe) | 2012 | UDP | Inbound & outbound | Election process inter-communication between PXE Everywhere Agents on a subnet. | Yes, during installation of PXE Everywhere Agents using the MODULE.PXEEVERYWHERE.COMMSPORT installer property. | 
| Agent (1E.Client.exe) | 67 or 2067 | BOOTP UDP | Inbound | Port 67 is the standard PXE discover port. PXE clients use this port to broadcast PXE discovers on the local subnet. PXE Everywhere Agents listen on this port for PXE discovers that are broadcast on the local subnet. If PXE Everywhere is configured to support DHCP Snooping, Agents use a custom port (default 2067) to listen for PXE requests, instead of standard port 67. | Only the DHCP Snooping ports are configurable, and must be the same on all Agents and Responders. | 
| Agent (1E.Client.exe) | 68 or 2068 | BOOTP UDP | Outbound | Port 68 is the standard PXE offer port. PXE Everywhere Agent uses this port to respond with offers to PXE discovers on the local subnet. If PXE Everywhere is configured to support DHCP Snooping, Agents use a custom port (default 2068) instead of the standard port 68. | Only the DHCP Snooping ports are configurable, and must be the same on all Agents and Responders. | 
| Agent (1E.Client.exe) | 69 | TFTP UDP | Inbound | Port 69 is the standard PXE TFTP port. The PXE client downloads the boot image from the elected PXE Everywhere Agent using TFTP. This port is also used if PXE Everywhere is configured to support DHCP Snooping. | No. | 
| Agent (1E.Client.exe) | 4011 | UDP | Inbound | Port 4011 is the standard PXE port used by PXE clients to communicate with a PXE Server after the initial discover / offer, to unicast a request for the location of the TFTP boot image file. This port is not used if PXE Everywhere is configured to support DHCP Snooping. | No. | 
| Responder (PXEEverywhereResponder.exe) | 67 | BOOTP UDP | Inbound | Port 67 is the standard PXE discover port. A Responder is only required when DHCP Snooping is enabled, and listens for PXE requests from PXE clients on this port. See note below about DHCP Snooping and DHCP Relays. | No. | 
| Responder (PXEEverywhereResponder.exe) | 68 | BOOTP UDP | Outbound | Port 68 is the standard PXE offer port. A Responder is only required when DHCP Snooping is enabled, and responds to PXE clients with offers unicast on this port. See note below about DHCP Snooping and DHCP Relays.. | No. | 
| PXE client | 67 | BOOTP UDP | Outbound | Port 67 is the standard PXE discover port. PXE clients use this port to broadcast PXE discovers on the local subnet. If DHCP Snooping is being used these discovers are forwarded to a Responder. See note below about DHCP Snooping and DHCP Relays. . | No. | 
| PXE client | 68 | BOOTP UDP | Inbound | Port 68 is the standard PXE offer port. PXE Everywhere Agent broadcasts on this port with an offer in response to PXE discovers on the local subnet. If DHCP Snooping is being used, then Responders respond with offers on this port. See note below about DHCP Snooping and DHCP Relays.. | No. | 
| PXE client | 69 | BOOTP UDP | Outbound | Port 69 is the standard PXE TFTP port. A PXE client uses TFTP to download the boot image from the elected PXE Everywhere Agent on the local subnet. This port is also used if PXE Everywhere is configured to support DHCP Snooping. | No. | 
| PXE client | 4011 | UDP | Outbound | Port 4011 is the standard PXE port used by PXE clients to unicast a request to the PXE Everywhere Agent for the location of the TFTP boot image file, after the initial discover/offer. This port is not used if PXE Everywhere is configured to support DHCP Snooping. | No. | 
| PXE client | 2067 | BOOTP UDP | Outbound | If PXE Everywhere is configured to support DHCP Snooping, a custom port is used (default 2067) to perform a PXE request after the PXE client has downloaded a boot loader from a Responder. Only used if DHCP Snooping is being used, and PXE Everywhere has been configured to use this port. | Yes. DhcpPort is configured during installation of Agents. AltPxeServerPort is manually configured on Responders. | 
| PXE client | 2068 | BOOTP UDP | Inbound | If PXE Everywhere is configured to support DHCP Snooping, a custom port is used (default 2068) to respond to a PXE request after the PXE client has downloaded a boot loader from a Responder. Only used if DHCP Snooping is being used, and PXE Everywhere has been configured to use this port. | Yes. AltPxeClientPort is manually configured on Responders. | 
Note
PXE client ports do not need to be configured on the OS firewall because it is the network interface which is doing the communicating. However you may need to configure intervening network firewalls for communication beyond the local subnet.
PXE Everywhere Responders communicate only with PXE clients; they do not communicate with PXE Central, PXE Everywhere Agents, other Responders, or Configuration Manager.
Note
If DHCP Snooping is enabled on networks, then DHCP Relays (IP helpers) must be configured to forward PXE requests (discovers) from client VLANs to specific Responders on port 67 and return the responses (offers) on port 68.
If DHCP Snooping is not enabled, then all PXE-boot traffic is on the local subnet, except for communication between the elected PXE Everywhere Agent and the PXE Everywhere Central server, and DHCP Relays are not required to forward PXE requests.
Note
Ports used by PXE clients to communicate with DHCP servers are not included in the above table. Communication with DHCP servers occurs before a PXE client PXE-boots, and typically use their own DHCP Relays (IP helpers).
Ports used by PXE clients to communicate with ConfigMgr Site systems are not included in the above table. Communication with ConfigMgr occurs only after a PXE client has downloaded the WinPE boot image (referenced in the deployed task sequence) from a local PXE Everywhere Agent, and booted into WinPE to start the Task Sequence.
Ports used by ConfigMgr Administrator workstations to communicate with ConfigMgr Site systems are not included in the above table. ConfigMgr Console extensions for PXE Everywhere Admin Tools use the same ports as ConfigMgr Console.