Port requirements for MCollective on Windows

Evening all, can anyone clarify what the port requirements are for MCollective on Windows? Our production puppet master is behind a firewall, but we have a requirement to be able to launch puppet runs from the puppet master on some clients, including Windows clients. In our sandbox for testing, our GPO disables the firewall, so it's tough for me to test. I can see that pe-mcollective is listening on a random RPC port, but can't verify that the puppet master is actually contacting the client on that port, or if the client's subscription to 61613 is how the communication actually takes place. I basically just need to determine if the Puppet master is using RPC for launching MCollective commands, or if the clients are receiving those commands via their subscription.

Apologies for such a dumb question, just have to make sure I get it right before opening the firewall. Any advice or feedback would be appreciated, thanks all!

The MCollective agent running on the Windows client makes an outbound connection to the activemq (or rabbitmq) server typically on port 61613. See , but keep in mind the MCollective Server referenced in documentation is really the daemon (mcollectived) running on the client machine.

When you want to trigger an action, e.g. via mco on the command line, MCollective will post a message to activemq, and the appropriate Windows/Linux client(s), also connected to the queue, will respond.

Your Windows firewall will need to allow outbound connections, typically on ports 8140 (puppetmaster) and 61613 (activemq).
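The connection direction described in the answer can be checked on a Windows client and then turned into scoped outbound rules. The PowerShell below is an added example, not code from the thread or from Puppet; the two host names are placeholders, and it assumes an elevated session on Windows 8 / Server 2012 or later.

```powershell
# Placeholders (assumptions): replace with your own broker and puppet master hosts.
$Broker       = 'activemq.example.internal'
$PuppetMaster = 'puppet.example.internal'
$Flows = @(
    @{ Name = 'MCollective to message broker'; Target = $Broker;       Port = 61613 },
    @{ Name = 'Puppet agent to puppet master'; Target = $PuppetMaster; Port = 8140 }
)

# 1. List established sessions to those ports and the owning process.
#    An ephemeral LocalPort paired with RemotePort 61613/8140 means the
#    client opened the connection; nothing dialed in to the client.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemotePort -in 61613, 8140 } |
    Select-Object LocalPort, RemoteAddress, RemotePort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

# 2. Confirm each destination is reachable from this client.
foreach ($f in $Flows) {
    $r = Test-NetConnection -ComputerName $f.Target -Port $f.Port `
            -WarningAction SilentlyContinue
    '{0,-32} {1}:{2} reachable={3}' -f $f.Name, $f.Target, $f.Port, $r.TcpTestSucceeded
}

# 3. Create outbound allow rules limited to the resolved IPv4 addresses and port.
#    These only change behaviour where the profile's default outbound action
#    is Block; the Windows default is to allow outbound traffic.
foreach ($f in $Flows) {
    $addrs = [System.Net.Dns]::GetHostAddresses($f.Target) |
        Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
        ForEach-Object { $_.IPAddressToString }
    New-NetFirewallRule -DisplayName "Allow outbound: $($f.Name)" `
        -Direction Outbound -Action Allow -Protocol TCP `
        -RemoteAddress $addrs -RemotePort $f.Port -Profile Domain | Out-Null
}
```

A firewall sitting between the clients and the puppet master needs the same two flows allowed in the same direction, from client to broker and from client to master.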

