Firewall and Proxy Server Settings for Client Computers

Those of you out there with firewalls may have run into issues with Windows Intune clients having difficulty communicating with the service. The excerpt below provides detailed information on how to set up your firewall for a successful Windows Intune implementation. Thanks go to our awesome documentation team for putting this together, and to the Windows Intune client team for doing the research and testing.

If you want to use Windows Intune™ to manage client computers that exist behind firewalls or proxy servers, you must configure the firewall or proxy server to allow Windows Intune to communicate with the client computers.

Required firewall configuration

If the client computers exist behind a firewall, you must configure the firewall to allow communications with the domains through the specified ports that are listed in the following tables.

Required domains for documentation, online Help, and support

Domain                            Ports
*.livemeeting.com                 80 and 443
*.microsoftonline.com             80
onlinehelp.microsoft.com          80
*.social.technet.microsoft.com    80
blogs.technet.com                 80
go.microsoft.com                  80
www.microsoft.com                 80

Required domains for Microsoft Update Services

Domain                            Ports
*.update.microsoft.com            80 and 443
download.microsoft.com            80 and 443
update.microsoft.com              80 and 443

Depending on the firewall and how it processes DNS lookup requests, you might also need to allow access to the domain manage.microsoft.com.nsatc.net on port 80.

Required domains for Windows Intune and related services

Domain                            Ports
*.manage.microsoft.com            80 and 443
*.spynet2.microsoft.com           443
manage.microsoft.com              80 and 443
wustat.microsoft.com              80 and 443

Required domains for Windows Update Services

Domain                            Ports
*.download.windowsupdate.com      80 and 443
*.windowsupdate.com               80 and 443
download.windowsupdate.com        80 and 443
ntservicepack.microsoft.com       80 and 443
windowsupdate.microsoft.com       80 and 443

Required proxy server configuration

If the client computers exist behind a proxy server, you must configure the proxy server as follows:

  • Windows Intune communicates with client computers by using both the HTTP and HTTPS protocols. Confirm that the proxy server supports HTTP and HTTPS.
  • Windows Intune supports the Non-auth (no authentication) and Negotiate (Kerberos) authentication methods. If the proxy server uses Negotiate (Kerberos), it must allow computer accounts (instead of domain user accounts) to be enrolled in the service, because the client software enrollment package runs as LocalSystem, which authenticates on the network as the computer account rather than as a user.

You can modify proxy server settings on individual client computers, or you can use Group Policy to change settings for all client computers that exist behind a specified proxy server. Authenticated proxy servers are not supported.
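As an added example (not part of the original article), the domain and port tables above transcribed into a small Python allowlist check that reports which requests in a proxy log the listed rules would not cover. It assumes the common firewall convention that a leading "*." matches subdomains only and never the apex name, which is why the tables list both "*.manage.microsoft.com" and "manage.microsoft.com"; the log format and client addresses are constructed.

```python
# Allowlist transcribed from the tables above: domain pattern -> allowed ports.
INTUNE_ALLOWLIST = {
    "*.livemeeting.com": {80, 443}, "*.microsoftonline.com": {80},
    "onlinehelp.microsoft.com": {80}, "*.social.technet.microsoft.com": {80},
    "blogs.technet.com": {80}, "go.microsoft.com": {80}, "www.microsoft.com": {80},
    "*.update.microsoft.com": {80, 443}, "download.microsoft.com": {80, 443},
    "update.microsoft.com": {80, 443}, "*.manage.microsoft.com": {80, 443},
    "*.spynet2.microsoft.com": {443}, "manage.microsoft.com": {80, 443},
    "wustat.microsoft.com": {80, 443}, "*.download.windowsupdate.com": {80, 443},
    "*.windowsupdate.com": {80, 443}, "download.windowsupdate.com": {80, 443},
    "ntservicepack.microsoft.com": {80, 443}, "windowsupdate.microsoft.com": {80, 443},
}


def host_matches(pattern: str, host: str) -> bool:
    """Assumed wildcard semantics: '*.x.com' matches any subdomain of x.com
    but not x.com itself, and never a look-alike such as 'evilx.com'."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def is_allowed(host: str, port: int) -> bool:
    """True if at least one allowlist entry covers this host on this port."""
    return any(host_matches(p, host) and port in ports
               for p, ports in INTUNE_ALLOWLIST.items())


def denied_requests(log_lines):
    """Return (host, port) pairs from 'client VERB host:port' lines that the
    allowlist does not cover; these are the requests a client would fail on."""
    denied = []
    for line in log_lines:
        host, _, port = line.split()[2].rpartition(":")
        if not is_allowed(host, int(port)):
            denied.append((host.lower(), int(port)))
    return denied


# Constructed sample proxy log for illustration, not real traffic.
SAMPLE_PROXY_LOG = [
    "10.0.0.5 CONNECT agent.manage.microsoft.com:443",    # covered by *.manage.microsoft.com
    "10.0.0.5 GET download.windowsupdate.com:80",          # listed explicitly
    "10.0.0.7 CONNECT manage.microsoft.com.nsatc.net:80",  # only needed for some firewalls, see the note above
    "10.0.0.7 CONNECT spynet2.microsoft.com:443",          # apex is not covered by *.spynet2.microsoft.com
    "10.0.0.9 GET www.microsoft.com:443",                  # host is listed for port 80 only
]

if __name__ == "__main__":
    for host, port in denied_requests(SAMPLE_PROXY_LOG):
        print(f"would be blocked: {host}:{port}")
```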

  • Hi

    just to clarify:

    - settings above are not only for managed clients but also for Admin and Account Console devices?

    - for WUS you list *.download.windowsupdate.com, *.windowsupdate.com, and download.windowsupdate.com - only the second entry is actually necessary - correct?

    Tia for clarification

    Marc

  • Hello Marc -

    Thank you for your comment. To answer your questions, please see my responses below.

    - settings above are not only for managed clients but also for Admin and Account Console devices?

    The settings that are listed in the article are for managed clients, or PCs that you have enrolled into the Windows Intune service, and allow the enrolled PC's computer account access to the Windows Intune service. By following the information in this article, you will ensure that your PCs that are enrolled in the service have the ability to be managed with Windows Intune.

    However, you are correct that for access to the Windows Intune Admin Console (admin.manage.microsoft.com) and the Windows Intune Account Portal (account.manage.microsoft.com), ports 80 and 443 should be open.

    - for WUS you list *.download.windowsupdate.com, *.windowsupdate.com, and download.windowsupdate.com - only the second entry is actually necessary - correct?

    Access to all the listed URLs is necessary for proper communication with the Windows Intune service and the management of updates for your enrolled devices.

  • Dear Paul,

    Thank you for all this information. I have one additional question though: is it possible to implement Intune for PC in a confined LAN, e.g. a lab, utilizing some sort of staging/proxying/forwarding, where all PCs in this LAN are communicating with one server within this LAN and only the latter is routed outside and to the internet?

    Thanks in advance for any hint!