Preparation

This page describes what you need to prepare in advance of implementing Content Distribution in your network. Typically, these are tasks that may take some time, depending on how your organization works. A more complete checklist of tasks is provided in Requirements.

Content Distribution preinstallation checks

  • If you are upgrading, refer to Upgrading Nomad. You must upgrade in the following order to avoid potential forward compatibility issues:

    • Upgrade all site servers and Distribution Points first, so that both old and new clients connect to servers running the latest version.

    • Upgrade all Content Distribution clients running on a single subnet at the same time. This avoids potential issues with older clients attempting to peer connect with new clients on the same subnet, even if the client configuration remains the same.

  • Ensure DNS is working properly.

  • Ensure client-side firewalls have exceptions in place for NomadBranch.exe, NomadPackageLocator.exe and PackageStatusRequest.exe.

  • Ensure local broadcasts are enabled on each subnet that Content Distribution operates in.

    Some wireless access points may be configured to prevent broadcasts, which will prevent Content Distribution peer-sharing features from working. See the Network requirements prerequisite for details on WAP configuration.

  • Ensure the Configuration Manager client is healthy and functioning properly.

  • Install the latest version of 1E Platform to support certain features; refer to the 1E Platform section.

  • If you want Nomad integration with WakeUp, you will need the following:

  1. 1E Platform:

    • The Content Distribution app must be installed on the latest version of 1E Platform, and the single-site download feature enabled as described in Single Site Download.

  2. NightWatchman Management Center with WakeUp Server infrastructure:

    • NightWatchman Management Center 7.3 or later must be installed.

    • WakeUp Server 7.0 or later must be installed.

    • 1E Client 8.1 or later (with the WakeUp component enabled and reporting turned on) must be deployed to all the clients on the required subnets.

      You will need a valid NightWatchman Enterprise license to use these components.

  3. On Content Distribution peers:

  4. On Content Distribution devices requesting the download:

    • Enable the 1E Client WakeUp component.

    • Enable Single Site Download if you require site-wide wake-up.

  5. On the devices where you use wake-up:

    • The BIOS on each client must be configured to support wake from off.

    • The network adapter on each client must be configured to support wake from sleep (1E Services can help configure this using vendor utilities and scripts).

  • To support enhanced package consistency checking, the Content Distribution client must be installed on each Configuration Manager DP. This client enables file-level consistency checking by creating a manifest file on the DP for every version of each package created, enabling Content Distribution to verify that each file it downloads is consistent with the version available on the DP.

    LSZ generation using HTTP/HTTPS is automatically configured only on DPs that are also Site servers. For standalone DPs (those not on a site server), enable the following on the Content Distribution client running on the DP either during installation or by updating the Content Distribution registry:

    Each entry gives the installer property, the corresponding registry value, and what it controls:

    • MODULE.NOMAD.SIGSFOLDER (registry value SigsFolder)

      Content Distribution is able to leverage Configuration Manager's binary differential replication (BDR) if the Windows remote differential compression feature is installed on the DP server using the Windows Server Manager. On the Content Distribution side, set this registry value on the DP to point to the Configuration Manager RDC signatures folder. Refer to Remote differential compression (RDC) integration.

    • MODULE.NOMAD.SPECIALNETSHARE (registry value SpecialNetShare)

      The 0x4000 bit must be set to enable the Content Distribution client to handle LSZ file generation requests coming from HTTP/HTTPS enabled clients.

    • MODULE.NOMAD.PERMITTEDLSZSHARES (registry value PermittedLSZShares)

      When installed on a standalone DP (not on a site server), ensure that this registry value contains the local share names used on the server (e.g. SMSPKGF$; SMSPKGG$; etc.) to host Configuration Manager packages. The default value satisfies the default locations used by Configuration Manager.
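    As an added example (not 1E's code), the following PowerShell audits those three values on a standalone DP against the conditions described above: the 0x4000 bit in SpecialNetShare, every local SMSPKG?$ share appearing in PermittedLSZShares, and SigsFolder only being set when the folder exists and the RDC feature is installed. The Content Distribution registry key path is not given on this page, so it is a placeholder parameter; the function name is hypothetical, and the semicolon separator for PermittedLSZShares follows the example in the table.

```powershell
# Added example, not 1E's code: audit the three registry values from the table on a standalone DP.
# The Content Distribution registry key path is not given on this page, so it is a parameter with
# a placeholder default; the value names (SigsFolder, SpecialNetShare, PermittedLSZShares) are from the table.
function Test-CdStandaloneDpRegistry {
    param(
        # PLACEHOLDER: replace with the Content Distribution client's registry key on the DP.
        [string]$KeyPath = 'HKLM:\SOFTWARE\<Vendor>\<ContentDistributionKey>'
    )
    if (-not (Test-Path -LiteralPath $KeyPath)) { throw "Registry key not found: $KeyPath" }
    $props    = Get-ItemProperty -LiteralPath $KeyPath
    $findings = @()

    # SpecialNetShare: the 0x4000 bit enables LSZ generation for HTTP/HTTPS clients.
    $sns = [int]$props.SpecialNetShare
    if (($sns -band 0x4000) -eq 0) {
        $findings += ('SpecialNetShare=0x{0:X} lacks the 0x4000 bit; HTTP/HTTPS LSZ requests will not be served' -f $sns)
    }

    # PermittedLSZShares: every local SMSPKG?$ package share must be listed (semicolon-separated, as in the table's example).
    $permitted = @($props.PermittedLSZShares -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $pkgShares = @(Get-SmbShare | Where-Object { $_.Name -match '^SMSPKG[A-Z]\$$' } | Select-Object -ExpandProperty Name)
    foreach ($share in $pkgShares) {
        if ($permitted -notcontains $share) { $findings += "Local package share $share is missing from PermittedLSZShares" }
    }

    # SigsFolder: only useful when the Remote Differential Compression feature is installed and the folder exists.
    if ($props.SigsFolder) {
        if (-not (Test-Path -LiteralPath $props.SigsFolder)) { $findings += "SigsFolder points to a missing folder: $($props.SigsFolder)" }
        if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
            $rdc = Get-WindowsFeature -Name RDC
            if (-not $rdc.Installed) { $findings += 'SigsFolder is set but the Remote Differential Compression feature is not installed' }
        }
    }

    [pscustomobject]@{
        SpecialNetShare    = ('0x{0:X}' -f $sns)
        PermittedLSZShares = $permitted
        LocalPackageShares = $pkgShares
        Findings           = $findings
        Compliant          = ($findings.Count -eq 0)
    }
}

Test-CdStandaloneDpRegistry | Format-List
```

    Run it in an elevated session on the DP after installation; an empty Findings list means the three values match what the table requires for that server.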

Accounts needed to install Content Distribution

1E Server Installation Account

The server installation account has the following requirements on the server.

  • Local admin rights on the 1E Server. It must be an Active Directory domain user account that is a direct or indirect member of the Administrators local group on the server where 1E Server will be installed.

  • Can be disabled (not deleted) in Active Directory after additional 1E admin users have been created in 1E and the installation has been verified.

In addition, the server installation account requires SQL rights as described in SQL Databases and SSAS Databases. The server installation account is granted the following permissions as a 1E user, configured during installation of the 1E Server.

  • It is the first 1E user account and is a System Principal, which means it cannot be deleted or assigned any other rights.

  • It is assigned to the 1E system role of Installer.

  • It should be used to add additional 1E users and administrators and assign them to 1E roles; those accounts should then be used for the ongoing use and management of 1E.

  • It may be included in any AD security group assigned to a 1E System Role or Custom Role.

Refer to Roles and Securables for a complete reference of 1E system roles, custom roles, securables and operations.

1E Platform

The following features require 1E Platform, and the Content Distribution (CD) features of 1E Client to be enabled:

Nomad Download Pause

Nomad Download Pause is available if you implement a 1E server infrastructure, including enabling the 1E client features in 1E Client in addition to the Content Distribution client. It also requires Single Site Download.

NightWatchman Enterprise

Content Distribution integration with WakeUp is available if you enable this feature when installing NightWatchman Management Center. You should install the 1E Platform first and then install NightWatchman Management Center. In summary, you require the following:

  • 1E Platform.

  • NightWatchman Management Center server.

  • WakeUp Server installed on each Configuration Manager site server.

  • WakeUp client module enabled in the 1E Client on all client computers.

  • Wake-on-LAN enabled on all client computers.

Refer to Integrating Nomad with WakeUp.

If you are also implementing a PXE Everywhere solution using Content Distribution, ensure you meet its prerequisites. Refer to Requirements.

Certificates

You can use digital certificates to certify the identity of entities in your network. We support the use of Public key infrastructure (PKI) based certificates or self-signed certificates. If you are using PKI certificates to digitally sign entities from the outset, ensure that they are deployed to all agents. Alternatively, you can deploy PKI certificates post-installation. Refer to Peer copy over HTTP or HTTPS. Things to bear in mind when using the HTTPS protocol:

  • Define the certificate type using P2PSslSettings (0 – self-signed certificates or 1 – PKI certificates). By default, self-signed is enabled.

  • When self-signed is enabled, a self-signed certificate is created by the installer and stored in the MY certificate store.

Diagrams and tables of all the external Content Distribution communication ports are available for use, if needed, with network and device firewalls.

Networking

Due to the nature of how proxy servers can be implemented, some of which can be quite complex, you may need to consult your networking specialist to see if exceptions need to be added to enable Content Distribution’s peer-copy over HTTP or HTTPS.

The following are the ports used by the Content Distribution client on clients and on Distribution Points. The table does not include Configuration Manager communications, which can be found here: Communications between endpoints in Configuration Manager.

Each entry gives the ports, notes on their use, and whether they are configurable:

  • UDP 1779

    Default port Content Distribution uses for listening to elections to determine the master on a subnet, for control traffic, and for content transfer if you have Connectionless enabled.

    A firewall exception must exist for this port. Content Distribution will create one automatically for Windows Firewall, but not for other firewall software.

    Configurable: Yes, during installation.

  • TCP 80 (HTTP) or TCP 443 (HTTPS)

    Used when the Content Distribution master requests LSZ files from Content Distribution running on the DP, and when the Content Distribution master downloads content using Content Distribution as provider.

    Communications depend on how the DP is configured. Configuration Manager is configured to use either HTTP or HTTPS.

    If Content Distribution clients and Content Distribution are configured to use HTTP/S, Content Distribution clients using Single Site Download (SSD) register and query for content.

    Configurable: No, for communications with CM components. On startup, the Content Distribution service reads the configured ports from the CM client registry and uses the same ports for LSZ generation. Yes, for communications with 1E Platform, using Content Distribution's PlatformURL setting.

  • TCP 5080 (HTTP) or TCP 5443 (HTTPS)

    Default HTTP port to use for peer copy. If you are using a custom port, ensure that all agents use the same custom port.

    From Content Distribution 6.2, peer copy can be enabled over HTTP (default 5080) or HTTPS (default 5443). You can customize the ports for this feature in the host registry, but a change to the default impacts Content Distribution's peer backup assistant, which is used to capture user data on remote peers during OS deployments.

    Configurable: Yes, during installation.

  • TCP 139 (SMB) and TCP 445 (SMB over TCP)

    Required only if SMB is enabled.

    Used for peer-to-peer content transfer between the Content Distribution master and Content Distribution peers. Communications depend on how the DP is configured: HTTP, HTTPS, SMB or SMB over TCP. For Configuration Manager the default is HTTP or HTTPS.

    Windows Firewall automatically adds the exception when you enable File and Print Sharing, but you may have to do this manually if you are using a different firewall product.

    Configurable: No. SMB ports cannot be configured.

  • TCP 137 (SMB) and TCP 139 (SMB)

    Required only if SMB is enabled.

    Used by SMB for data transfer and related communications, and to resolve NetBIOS names during a transfer. UDP NetBIOS name query packets are sent to this port.

    Windows Firewall automatically adds the exception when you enable File and Print Sharing, but you may have to do this manually if you are using a different firewall product.

    Configurable: No. SMB ports cannot be configured.

Content Distribution can use ephemeral ports (not discussed here). Ephemeral or high ports can either be UDP or TCP depending on the protocols used and are used to send information out. In a typical client-server communication, these are ports opened by the client on its own machine in order to send something to the server and they are closed as soon as the transmission is done, hence the term ephemeral. From a security perspective, it is not an issue.

Most firewalls will allow outgoing communications by default so in all likelihood, you will not need to do any firewall configuration. However, if your firewall blocks these outbound communications, consult the documentation for your firewall on how to enable these types of communications.
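As an added example (not 1E's code), this PowerShell checks the local Windows Firewall for enabled inbound Allow rules covering the client listening ports listed above (UDP 1779, TCP 5080 or 5443 for peer copy, and TCP 139/445 when SMB is enabled) and for program exceptions for the three executables named in the preinstallation checks. The function names are hypothetical, and because the install folder is not on this page, program rules are matched on file name only.

```powershell
# Added example, not 1E's code: audit the local Windows Firewall for enabled inbound Allow rules covering
# the client listening ports from the table above and the three executables named in the preinstallation
# checks. The install folder is not on this page, so program rules are matched on file name only.
function Test-CdInboundFirewallRules {
    param(
        [switch]$PeerCopyHttps,  # peer copy over HTTPS (TCP 5443) instead of the default HTTP (TCP 5080)
        [switch]$SmbEnabled      # also require TCP 139 and TCP 445 when SMB peer copy is enabled
    )
    $required = @(@{ Protocol = 'UDP'; Port = 1779 })
    $required += @{ Protocol = 'TCP'; Port = $(if ($PeerCopyHttps) { 5443 } else { 5080 }) }
    if ($SmbEnabled) { $required += @{ Protocol = 'TCP'; Port = 139 }, @{ Protocol = 'TCP'; Port = 445 } }
    $programs = 'NomadBranch.exe', 'NomadPackageLocator.exe', 'PackageStatusRequest.exe'

    # LocalPort may be 'Any', a number, a range such as '5000-5100', or a list of those.
    function Test-PortCovered([object]$LocalPort, [int]$Port) {
        foreach ($p in @($LocalPort)) {
            if ($p -eq 'Any') { return $true }
            if ($p -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
            if ($p -match '^\d+$' -and [int]$p -eq $Port) { return $true }
        }
        return $false
    }

    # Only enabled, inbound, Allow rules can satisfy a requirement; cache their port and program filters once.
    $rules  = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True)
    $portOf = @{}; $progOf = @{}
    foreach ($r in $rules) {
        $portOf[$r.Name] = $r | Get-NetFirewallPortFilter
        $progOf[$r.Name] = ($r | Get-NetFirewallApplicationFilter).Program
    }

    $missing = @()
    foreach ($req in $required) {
        $hit = $rules | Where-Object {
            $f = $portOf[$_.Name]
            ($f.Protocol -eq $req.Protocol -or $f.Protocol -eq 'Any') -and (Test-PortCovered $f.LocalPort $req.Port)
        }
        if (-not $hit) { $missing += "$($req.Protocol) $($req.Port)" }
    }
    foreach ($exe in $programs) {
        $hit = $rules | Where-Object { $progOf[$_.Name] -and [IO.Path]::GetFileName($progOf[$_.Name]) -ieq $exe }
        if (-not $hit) { $missing += "program exception for $exe" }
    }
    [pscustomobject]@{ Missing = $missing; Compliant = ($missing.Count -eq 0) }
}

Test-CdInboundFirewallRules | Format-List
```

The check ignores firewall profiles and remote-address scoping, so a rule it reports as present may still be limited to, say, the Domain profile; treat a Compliant result as a first pass and confirm the scope of each rule it matched.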

Content Distribution architecture

For a description of the Content Distribution architecture from 1E, detailing its peer-to-peer content distribution model, key components, port configurations, and integration with Configuration Manager, refer to Content Distribution architecture.