Preparation
What you will need to prepare in advance of implementing Nomad in your network. Typically, these are tasks that may take some time, depending on how your organization works. A more complete checklist of tasks is provided in Requirements.
Nomad preinstallation checks
-
If you are upgrading, please refer to Upgrading Nomad. You must upgrade in the following order to avoid potential forward compatibility issues:
-
Upgrade all site servers and Distribution Points first. Old and new clients can then be sure to connect to the latest version on servers.
-
Upgrade all Nomad clients running on a single subnet at the same time. This avoids potential issues with older clients attempting to peer connect with new clients on the same subnet, even if the client configuration remains the same.
-
-
Ensure DNS is working properly.
-
Ensure client side firewalls have exceptions in place for
NomadBranch.exe
,NomadPackageLocator.exe
andPackageStatusRequest.exe
. -
Ensure local broadcasts are enabled on each subnet that Nomad operates in.
Some wireless access points may be configured to prevent broadcasts, which will prevent Nomad peer-sharing features from working. See the Basic Nomad architecture prerequisite for details on WAP configuration.
-
Ensure the Configuration Manager client is healthy and functioning properly.
-
The latest version of 1E Platform should be installed to support certain features, please refer to the 1E Platform section.
-
If you want Nomad integration with WakeUp then you will need the following:
-
1E Platform:
-
The Nomad app must be installed on the latest version of 1E Platform, and the single-site download feature enabled as described in Single Site Download.
-
-
NightWatchman Management Center with WakeUp Server infrastructure:
-
NightWatchman Management Center 7.3 or later must be installed.
-
-
WakeUp Server 7.0 or later must be installed.
-
1E Client 8.1 or later (with the WakeUp component enabled and reporting turned on) must be deployed to all the clients on the required subnets.
You will need a valid NightWatchman Enterprise license to use these components.
-
On Nomad peers:
-
ContentRegistration must be enabled on all machines where the WakeUp feature is to be used.
-
-
On Nomad devices requesting the download:
-
Enable the 1E Client WakeUp component.
-
Enable Single Site Download if you require site-wide wake-up.
-
-
On the devices where you use wake-up:
-
The BIOS on each client must be configured to support wake from off.
-
The network adapter on each client must be configured to support wake from sleep (1E Services can help configure this using vendor utilities and scripts).
-
-
To support enhanced package consistency checking, the Nomad client must be installed on each Configuration Manager DP. This client enables file-level consistency checking by creating a manifest file on the DP for every version of each package created, enabling Nomad to verify that each file it downloads is consistent with the version available on the DP.
LSZ generation using HTTP/HTTPS is automatically configured only on DPs that are also Site servers. For standalone DPs (those not on a site server), enable the following on the Nomad client running on the DP either during installation or by updating the Nomad registry:
Installer property
Registry value
Description
Nomad is able to leverage Configuration Manager's binary differential replication (BDR) if the Windows remote differential compression feature is installed on the DP server using the Windows Server Manager. On the Nomad side, set this registry value on the DP to point to the Configuration Manager RDC signatures folder. Refer to Remote differential compression (RDC) integration.
The 0x4000 bit must be set to enable the Nomad client to handle LSZ file generation requests coming from HTTP/HTTPS enabled clients.
When installed on a standalone DP (not on a site server), ensure that this registry value contains the local share names used on the server (e.g.
SMSPKGF$
;SMSPKGG$
; etc) to host Configuration Manager packages. The default value satisfies the default locations used by Configuration Manager.
-
If you are using the BIOS to UEFI feature, ensure you meet its prerequisites described in BIOS to UEFI 1.4 - Requirements.
Accounts needed to install Nomad
1E Server Installation Account
The server installation account has the following requirements on the server.
-
Local admin rights on the 1E Server. It must be an Directory domain user account that is a direct or indirect member of the Administrators local group on the server where 1E Server will be installed.
-
Can be disabled (not deleted) in Directory after additional 1E admin users have been created in 1E, and installation has been verified.
In addition, the server installation account requires SQL rights as described in SQL Databases and SSAS Databases. The server installation account is granted the following permissions as a 1E user, configured during installation of the 1E Server.
-
It is the first 1E user account and is a System Principal, which means it cannot be deleted or assigned any other rights.
-
It is assigned to the 1E system role of Installer.
-
It should be used to add additional 1E users and administrators, assign them to 1E roles, which should then be used for ongoing use and management of 1E.
-
It may be included in any AD security group assigned to a 1E System Role or Custom Role.
Refer to Roles and Securables for a complete reference of 1E system roles, custom roles, securables and operations.
1E Platform
The following features require 1E Platform, and CD features of 1E Client to be enabled:
-
Content Distribution app provides visibility of content distribution activity.
-
Single Site Download (SSD)
-
Get Migration Settings task sequence action used to manage computer associations.
Nomad Download Pause
Nomad Download Pause is available if you implement a 1E server infrastructure, including enabling the 1E client features in 1E Client in addition to the Nomad client. It also requires Single Site Download.
NightWatchman Enterprise
Nomad integration with WakeUp is available if you enable this feature when installing NightWatchman Management Center. You should install the 1E Platform first and then install NightWatchman Management Center. In summary, you require the following:
-
1E Platform.
-
NightWatchman Management Center server.
-
WakeUp Server installed on each Configuration Manager site server.
-
WakeUp client module enabled in the 1E Client on all client computers.
-
Wake-on-LAN enabled on all client computers.
Please refer to Integrating Nomad with WakeUp.
If you are also implementing a PXE Everywhere solution using Nomad, ensure you meet its prerequisites. Please refer to PXE Everywhere Requirements.
Certificates
You can use digital certificates to certify the identity of entities in your network. We support the use of Public key infrastructure (PKI) based certificates or self-signed certificates. If you are using PKIs to digitally sign entities from the outset, ensure that they are deployed to all agents. Alternatively, you can deploy PKIs post-installation. Refer to Peer copy over HTTP or HTTPS. Things to bear in mind when using the HTTPS protocol:
-
Define the certificate type using P2PSslSettings (0 – self-signed certificates or 1 – PKI certificates). By default, self-signed is enabled.
-
When self-signed is enabled, a self-signed certificate is created by the installer and stored in
MY
store.
Diagrams and tables with all the external Nomad communication ports. Useful, if needed, for network and device firewalls.
Networking
Due to the nature of how proxy servers can be implemented, some of which can be quite complex, you may need to consult your networking specialist to see if exceptions need to be added to enable Nomad’s peer-copy over HTTP or HTTPS.
The following are the ports used by Nomad client on clients and on Distribution Points. The table does not include Configuration Manager communications, which can be found here: https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/communications-between-endpoints.
Ports |
Notes |
Configurable |
---|---|---|
UDP 1779 |
Default port Nomad uses for listening to elections to determine the master on a subnet, control traffic and for content transfer if you have Connectionless enabled. A firewall exception must exist for this port. Nomad will create one automatically for Windows firewall, but not for other firewall software. |
Yes, during installation. |
TCP 80 (HTTP) or TCP 443 (HTTPS) |
Used when the Nomad master requests LSZ files from Nomad running on the DP and when the Nomad master downloads content using Nomad as provider. Communications depend on how the DP is configured. Configuration Manager is configured to use either HTTP or HTTPS. If Nomad clients and Content Distribution are configured to use HTTP/S, Nomad clients using SSD register and query for content. |
No, for communications with CM components. Nomad service on startup reads the configured ports from CM client registry and uses the same for LSZ generation. Yes, for communications with 1E Platform using Nomad's PlatformURL setting. |
TCP 5080 (HTTP) or TCP 5443 (HTTPS) |
Default HTTP port to use for peer copy. If you are using a custom port, ensure that all agents use the same custom port. From Nomad 6.2, peer copy can be enabled over HTTP (default 5080) or HTTPS (default 5443). You can customize the ports for this feature in the host registry but a change to the default impacts Nomad's peer backup assistant which is used to capture user data on remote peers during OS deployments. |
Yes, during installation. |
TCP 139 (SMB) and TCP 445 (SMB over TCP) |
Required only if SMB is enabled. Used for peer-to-peer content transfer between the Nomad master and Nomad peers. Communications depend on how the DP is configured. That is HTTP, HTTPS, SMB or SMB over TCP. For Configuration Manager the default is HTTP or HTTPS. Windows Firewall automatically adds the exception when you enable File and Print Sharing but you may have to do this manually if you are using a different firewall product. |
No. SMB ports cannot be configured. |
TCP 137 (SMB) and TCP 139 (SMB) |
Required only if SMB is enabled. Used by SMB for data transfer and related communications. It is used to resolve NetBIOS names during a transfer. UDP NetBIOS name query packets are sent to this port. Windows Firewall automatically adds the exception when you enable File and Print Sharing but you may have to do this manually if you are using a different firewall product. |
No. SMB ports cannot be configured. |
Nomad can use ephemeral ports (not discussed here). Ephemeral or high ports can either be UDP or TCP depending on the protocols used and are used to send information out. In a typical client-server communication, these are ports opened by the client on its own machine in order to send something to the server and they are closed as soon as the transmission is done, hence the term ephemeral. From a security perspective, it is not an issue.
Most firewalls will allow outgoing communications by default so in all likelihood, you will not need to do any firewall configuration. However, if your firewall blocks these outbound communications, consult the documentation for your firewall on how to enable these types of communications.
Basic Nomad architecture
Ports |
Notes |
---|---|
UDP 1779 |
Step 1 By default, Nomad uses UDP Port 1779 to communicate during the election process for determining the master on a subnet. The Nomad installer will automatically add The default value for the port may be changed at install time using the MODULE.NOMAD.P2PPORT installer property or post-installation by changing the P2P_Port registry value. If you change the default port, you must ensure all Nomad clients communicate using the same port. The Nomad port (by default UPD Port 1779) must be open on all wireless access points to facilitate Nomad peer-to-peer communications. Not all vendors enable this port by default, please refer to the specific device vendor's documentation for details on how to enable ports on each WAP device. |
TCP 80 (HTTP) TCP 443 (HTTPS) |
Step 2 Nomad Master requests LSZ file from Nomad running on the DP. |
TCP 80 (HTTP) TCP 443 (HTTPS) TCP 139 (SMB) TCP 445 (SMB over TCP) |
Step 3 Nomad Master downloads content using Nomad as provider. This communication depends on how the DP is configured. It may be one of the following:
For Configuration Manager the default setting is HTTP or HTTPS. |
TCP 139 (SMB) TCP 445 (SMB over TCP) UDP 1779 (used for connectionless P2P) TCP 5080 (HTTP) TCP 5443 (HTTPS) |
Step 4 Local copies from the Nomad master. The recommended way to facilitate Nomad cache access is to enable Windows File and Print Sharing. If this is not feasible on your network environment you can configure Nomad to use different means to access network shares, see Nomad cache for more details on configuring this option. Connections may use one of the following:
|
Nomad pre-caching architecture and ports
The Nomad pre-caching uses the following ports in its communications. If a site server is configured to use custom ports, pre-caching will use those ports to communicate with a management or distribution points. To ensure high-availability, pre-caching falls back to next available site server if it fails to communicate with a management or distribution point.
Ports |
Description |
---|---|
N/A |
Step 1 Choose a package and run the Nomad pre-caching wizard, selecting the target device collection. This step does not require any port configuration but the Nomad Configuration Manager console extensions must be installed in the Configuration Manager Console. |
TCP 80 (HTTP) TCP 443 (HTTPS) |
Step 2 The Nomad pre-caching wizard stores the target device and package information in 1E Platform. |
TCP 80 (HTTP) TCP 443 (HTTPS) |
Step 3 The Nomad clients, where the pre-cache feature has been enabled, poll 1E every 24 hours to see if they need to pre-cache some content. This takes the form of pre-caching notifications that tell the Nomad clients they need to process a download job to fetch the specified content. |
TCP 80 (HTTP) TCP 443 (HTTPS) |
Step 4 The Nomad clients, with pre-caching notifications, contact the Management Point to locate the Distribution Point that holds the content. This may use HTTP or HTTPS depending on how the Management Point is configured. |
TCP 80 (HTTP) TCP 443 (HTTPS) TCP 139 (SMB) TCP 445 (SMB over TCP) |
Step 5 A Nomad Master election takes place and the elected master processes the job by downloading the pre-cache content using Nomad as provider. This is then distributed locally to the Nomad peers that also require the pre-cached content. This communication depends on how the DP is configured. It may be one of the following:
For Configuration Manager the default setting is either HTTP or HTTPS. |
Nomad and WakeUp integration architecture and ports
Nomad integration with WakeUp is deprecated from 1E Platform v23.11
Ports |
Description |
---|---|
TCP 80 (HTTP) TCP 443 (HTTPS) |
Step 1 Nomad Master contacts Content Distribution and gets a list of Nomad devices that hold the content it requires. Nomad sends a request to wake the top 5 devices on the list. Refer to WakeUpBatchSize for details about how you can set the maximum number of machines to wake up in a single call. |
TCP 80 (HTTP) TCP 443 (HTTPS) TCP 139 (SMB) TCP 445 (SMB over TCP) |
Step 2 Without waiting for any devices to be awoken, the Nomad master starts to download content from the DP. This communication depends on how the DP is configured. It may be one of the following:
For Configuration Manager, the default setting is HTTP or HTTPS. |
TCP 80 (HTTP) TCP 443 (HTTPS) |
Step 3 Content Distribution posts the wake message from Nomad to the NightWatchman Management Center Web API. |
WMI (DCOM) |
Step 4 NightWatchman Management Center tells the WakeUp server to wake the requested devices. |
TCP 1776 |
Step 5 WakeUp Server signals the WakeUp Agent on the appropriate subnet to wake the requested devices. |
UDP 1776 |
Step 6 The WakeUp agent on the subnet sends a wakeup request to the requested devices. |
TCP 139 (SMB) TCP 445 (SMB over TCP) UDP 1779 (connectionless P2P) |
Step 7 As part of its standard behavior, Nomad holds regular elections (every 5 minutes) to determine the most appropriate master. If a device is found (i.e. one that has been recently awoken) that holds more of the required content, it stops downloading from the DP and fetches the content from the new device's cache. This may be via SMB or via connectionless P2P, depending on the configuration of Nomad. |
Nomad SSD architecture and ports
Nomad SSD uses the following ports in its communications:
Ports |
Notes |
---|---|
TCP 80 (HTTP) TCP 443 (HTTPS) |
Step 1 Nomad systems on the branch site register in Content Distribution the content they hold in their shares |
TCP 80 (HTTP) TCP 443 (HTTPS) |
Step 2 Nomad Masters get information on which Nomad systems hold specific content |
TCP 80 (HTTP) TCP 443 (HTTPS) TCP 139 (SMB) TCP 445 (SMB over TCP) |
Step 3 Nomad Master fetches a package from the registered Nomad share on a neighboring subnet |
We recommend that the latest version of 1E Platform is installed to support this feature, please refer to Requirements for more details.