Firewall Considerations

Both 2PXE and the iPXE Anywhere web service may require changes to your firewall configuration. Generally these changes are not required if you are using the Microsoft Windows firewall, because the required rules are created automatically when 2PXE starts (see below).

2PXE uses the following protocols for booting WinPE images:

  • Dynamic Host Configuration Protocol (DHCP)

  • Pre-Boot Execution Environment (PXE)

  • Trivial File Transfer Protocol (TFTP)

  • Hyper Text Transfer Protocol (HTTP)

The following outlines the User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) network ports that are used during the process. Values marked with an asterisk (*) can be modified by using the instructions in this manual.

Step-by-step UDP and TCP ports used during image deployment:

  1. The client performs a network boot.

  2. 2PXE uses DHCP and TFTP to deliver the boot binaries. For DHCP and TFTP you need to allow inbound UDP ports 67 (DHCP), 69 (TFTP) and 4011 (PXE proxy DHCP). The TFTP and multicast servers use UDP ports in the range 64001 through 65000 by default.

  3. In accordance with RFC 1783, the client chooses random UDP ports to establish the TFTP session with the server. Because the reply traffic cannot be predicted by port alone, if you are using a non-Microsoft firewall you may need to add an application exception for the TFTP component on the 2PXE server.

  4. PXE Client downloads the configured boot loader using TFTP.

  5. The client downloads Windows PE, typically over HTTP or HTTPS, and boots into the Windows Deployment Services client. This download either uses the same TFTP ports mentioned previously, or uses HTTP directly from the 2PXE server, from the Configuration Manager distribution point (DP), or from any other configured HTTP server.

  6. If reporting is enabled, the PXE client will also try to communicate with the iPXE Anywhere Web Service.
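The following PowerShell script is an added example and is not part of 2Pint's documentation or product. It audits the local Windows Firewall for inbound rules covering the UDP ports listed in the steps above, creates a rule for any port that is not yet allowed, and then checks which of the DHCP/TFTP ports actually have a listener. The port numbers are the ones listed above; the rule names, the HTTP/HTTPS ports (standard TCP 80/443) and the 2PXE executable path used for the optional application exception are assumptions for illustration and should be adjusted to your installation.

```powershell
# Added example: audit/create inbound firewall rules for the 2PXE boot flow.
# Run in an elevated PowerShell session on the 2PXE server.

$Requirements = @(
    @{ Name = '2PXE DHCP (UDP 67)';                 Protocol = 'UDP'; Port = '67' },
    @{ Name = '2PXE TFTP (UDP 69)';                 Protocol = 'UDP'; Port = '69' },
    @{ Name = '2PXE Proxy DHCP (UDP 4011)';         Protocol = 'UDP'; Port = '4011' },
    @{ Name = '2PXE TFTP/Multicast (UDP 64001-65000)'; Protocol = 'UDP'; Port = '64001-65000' },
    # Assumed standard HTTP/HTTPS ports; change if 2PXE or your DP listens elsewhere.
    @{ Name = '2PXE HTTP boot image download (TCP 80)';  Protocol = 'TCP'; Port = '80' },
    @{ Name = '2PXE HTTPS boot image download (TCP 443)'; Protocol = 'TCP'; Port = '443' }
)

# Hypothetical path to the 2PXE service binary, used only for the application exception.
$TwoPxeExe = 'C:\Program Files\2Pint Software\2PXE\2Pint.2PXE.Service.exe'

# Collect enabled, inbound, allow rules once, together with their port filters.
$allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_; Protocol = $pf.Protocol; LocalPort = @($pf.LocalPort) }
    }

foreach ($req in $Requirements) {
    $match = $allowRules | Where-Object {
        $_.Protocol -eq $req.Protocol -and ($_.LocalPort -contains $req.Port -or $_.LocalPort -contains 'Any')
    }
    if ($match) {
        Write-Host ("OK   {0,-4} {1,-12} allowed by: {2}" -f $req.Protocol, $req.Port,
            (($match.Rule.DisplayName | Select-Object -Unique) -join ', '))
    }
    else {
        Write-Host ("ADD  {0,-4} {1,-12} creating rule '{2}'" -f $req.Protocol, $req.Port, $req.Name)
        New-NetFirewallRule -DisplayName $req.Name -Direction Inbound -Protocol $req.Protocol `
            -LocalPort $req.Port -Action Allow -Profile Domain, Private | Out-Null
    }
}

# Optional: program-based exception for the TFTP side (step 3). Because the client picks
# random UDP ports, an application rule is the robust way to allow the server's replies
# on firewalls that do not track UDP "sessions" per port range.
if (Test-Path $TwoPxeExe) {
    if (-not (Get-NetFirewallRule -DisplayName '2PXE service (program exception)' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName '2PXE service (program exception)' -Direction Inbound `
            -Program $TwoPxeExe -Protocol UDP -Action Allow -Profile Domain, Private | Out-Null
        Write-Host "ADD  program exception for $TwoPxeExe"
    }
}
else {
    Write-Host "SKIP program exception: $TwoPxeExe not found (adjust `$TwoPxeExe)"
}

# Check that something is actually listening on the DHCP/TFTP ports. An allow rule for a
# port with no listener means 2PXE (or another PXE/DHCP service) is not bound to it.
foreach ($port in 67, 69, 4011) {
    $ep = Get-NetUDPEndpoint -LocalPort $port -ErrorAction SilentlyContinue
    if ($ep) {
        $names = ($ep | ForEach-Object { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }) -join ', '
        Write-Host ("LISTEN UDP {0,-5} owned by: {1}" -f $port, $names)
    }
    else {
        Write-Host ("NONE   UDP {0,-5} no listener" -f $port)
    }
}
```

The audit treats a rule with `LocalPort` of `Any` as covering the port, so a broad pre-existing rule is reported rather than duplicated. If UDP 67 turns out to be owned by a different process (for example a DHCP server on the same host), that is a configuration conflict rather than a firewall problem and should be resolved before opening more ports.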

The following rules are automatically created when 2PXE starts:
