Hi,
I had to migrate from MIIS/ILM to FIM 2010. I got a new server, so old and new servers were running in parallel. New server, new SPN, new PCNS target.
We have two domains in our forest that are protected by a firewall: traffic toward these domains is fully enabled, but traffic from there needs to be enabled on the firewall. Both MIIS and FIM are members of another domain, but we only have one forest, so there is no trust issue. The protected domain controllers can fully communicate with the DCs of the domain where the FIM is located.
So my first choice was to simply "copy" the firewall rules that were assigned to the old MIIS to the new FIM.
On the internet and also from an MS FIM expert I got the information that the ports didn't change since MIIS. So the documentation "Management Agent Communication Ports, Rights, and Permissions" should have been OK.
But it wasn't.
The documentation says that I need the ports 135, 5000-5100 and maybe 57500-57520 (I say "maybe" because with our old MIIS we didn't need this range, but to be on the safe side I've added them to the new rules).
I got the copy of the existing (and working!) firewall rules implemented. I have switched over to the new PCNS target.
But I got the error event 6025 on the protected DCs: "The password change notification target could not be contacted."
Finally it worked after I requested that all ports be opened from the protected DCs towards FIM.
Firewall log said: <IP of dc>/57602 to <IP of FIM>/61857
Which means: the DC needed port 61857 on the FIM server. Such a port range is not documented within FIM at Microsoft.
So my conclusion is that the ports used by PCNS must have changed since MIIS, but this is not documented officially.
When we installed the DCs behind the firewall we didn't change any PCNS config, we just executed the MSI.
The DCs and the FIM server are all running Server 2008 R2 SP1.
Can someone confirm this or am I wrong?
Thanks
Walter
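As an added example (not part of Walter's post), the following Python script parses firewall log lines of the form quoted above, "<IP of dc>/<port> to <IP of FIM>/<port>", and sorts the destination ports on the FIM server into the ranges the documentation lists (135, 5000-5100, 57500-57520) versus anything else. The IP addresses and log lines are constructed for the example. The 49152-65535 range is the default dynamic RPC port range on Windows Server 2008 and later; that is general Windows knowledge, not something the post states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Ports listed in "Management Agent Communication Ports, Rights, and Permissions"
# as quoted in the post: 135, 5000-5100 and 57500-57520.
DOCUMENTED_RANGES = [(135, 135), (5000, 5100), (57500, 57520)]

# Default dynamic RPC port range on Windows Server 2008 and later.
# General Windows knowledge, not taken from the post.
WIN2008_DYNAMIC_RPC = (49152, 65535)

# Log line format as quoted in the post: "<src ip>/<src port> to <dst ip>/<dst port>"
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+)\s+to\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})/(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line):
    """Parse one firewall log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Flow(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def in_ranges(port, ranges):
    return any(lo <= port <= hi for lo, hi in ranges)


def classify(flow, fim_ip):
    """Label a flow by where its destination port falls relative to the docs."""
    if flow.dst != fim_ip:
        return "not-to-fim"
    if in_ranges(flow.dport, DOCUMENTED_RANGES):
        return "documented"
    if in_ranges(flow.dport, [WIN2008_DYNAMIC_RPC]):
        return "undocumented-dynamic-rpc"
    return "undocumented"


def undocumented_ports(log_lines, fim_ip):
    """Sorted list of distinct destination ports on the FIM server that are
    outside the documented ranges. Unparseable lines are skipped."""
    ports = set()
    for line in log_lines:
        flow = parse_line(line)
        if flow is None:
            continue
        if classify(flow, fim_ip).startswith("undocumented"):
            ports.add(flow.dport)
    return sorted(ports)


def summarize(log_lines, fim_ip):
    """Count flows per classification (parseable lines only)."""
    counts = Counter()
    for line in log_lines:
        flow = parse_line(line)
        if flow is not None:
            counts[classify(flow, fim_ip)] += 1
    return dict(counts)


# Constructed sample log (RFC 5737 documentation addresses): the first line
# mirrors the post's observation of a DC hitting port 61857 on the FIM server.
FIM_IP = "198.51.100.20"
SAMPLE_LOG = [
    "192.0.2.10/57602 to 198.51.100.20/61857",
    "192.0.2.10/49200 to 198.51.100.20/135",
    "192.0.2.10/49201 to 198.51.100.20/5010",
    "192.0.2.11/50000 to 198.51.100.20/49999",
    "192.0.2.10/50001 to 203.0.113.5/445",
    "some unrelated log text",
]

if __name__ == "__main__":
    print("classification counts:", summarize(SAMPLE_LOG, FIM_IP))
    print("undocumented FIM ports:", undocumented_ports(SAMPLE_LOG, FIM_IP))
```

Feed the script the real firewall log to see which destination ports the DCs actually used; ports reported under "undocumented-dynamic-rpc" can then be compared with the dynamic range configured on the FIM server, which `netsh int ipv4 show dynamicport tcp` prints on Server 2008 R2.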