The Gap Between Registry and Reality

Port 10123 lives in the registered port range (1024–49151), which means it's theoretically available for anyone to request from IANA. Yet it remains unassigned in the official registry.[1] But walk into any enterprise using Microsoft System Center Configuration Manager (now called Configuration Manager or Endpoint Configuration Manager), and port 10123 is listening, working, and critical to their infrastructure.

What Runs Here

Configuration Manager uses TCP port 10123 for client notification—fast, low-latency communication between management servers and clients about policy updates, software deployments, and system tasks.[2] The port carries what Microsoft calls the "BGB channel" (Background Intelligent Transfer Service Group), designed to notify clients faster than traditional polling would allow.

When a Configuration Manager server needs to tell a client to do something, it tries 10123 first. If that port is blocked—by a firewall, security policy, or network misconfiguration—the client falls back to HTTP (port 80) or HTTPS (port 443).[3] This fallback saves the system from total failure, but creates a problem: every blocked 10123 port pushes more traffic onto your standard web ports, increasing load on management points.

Other systems also use this port. TP-Link VIGI video management systems use 10123 for device communication.[4] Dell's SRDF/Metro vWitness uses it on Linux systems.[5] None of them registered it with IANA.

Why This Matters

Port 10123 is a port that shouldn't exist—officially speaking. It's unassigned, unregistered, yet deeply embedded in enterprise infrastructure. This gap between the registry and reality creates blind spots:

  • Visibility is broken — When a tool scans your network for services, it doesn't know what should be listening on 10123, so it can't tell you if something unexpected is there
  • Collision risk is real — Someone could legitimately request 10123 from IANA for a different service, creating chaos for enterprises that chose it first
  • Firewall rules become tribal knowledge — Teams know "we need 10123 open" because their predecessor configured it, not because it's documented anywhere official

How to Check What's Listening

On Windows:

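netstat -ano | findstr ":10123"
# or, in PowerShell, limited to listening sockets and showing the owning PID
Get-NetTCPConnection -LocalPort 10123 -State Listen -ErrorAction SilentlyContinue | Select-Object LocalAddress, LocalPort, OwningProcess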

On macOS/Linux:

lsof -nP -iTCP:10123 -sTCP:LISTEN
# or, on Linux (run as root to see the owning process)
ss -tlnp 'sport = :10123'

If Configuration Manager is running, you'll see it listening. If something else is there, you'll need to investigate what claimed this port on your network.
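
The check above can be turned into a repeatable audit. The following is an added example, not code from the original page or from any vendor: it parses `ss -tlnp` output and compares whoever owns port 10123 against a locally documented allowlist. The sample output and the process name `expected-daemon` are constructed placeholders; replace them with your own inventory.

```python
import re

# Local allowlist standing in for the missing IANA entry: port -> process names
# documented as legitimate. "expected-daemon" is a placeholder, not a real product.
EXPECTED = {10123: {"expected-daemon"}}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=10123,fd=3))
LISTEN 0      4096         0.0.0.0:10123     0.0.0.0:*     users:(("expected-daemon",pid=812,fd=7))
LISTEN 0      128             [::]:10123        [::]:*     users:(("nc",pid=4410,fd=3))
LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_listeners(ss_output):
    """Yield (address, port, [(name, pid), ...]) for each LISTEN row."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # Local address is field 3; split on the last ':' so "[::]:10123" works.
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        procs = [(n, int(p)) for n, p in PROC_RE.findall(" ".join(fields[5:]))]
        yield addr, int(port), procs

def audit(ss_output, port=10123, expected=EXPECTED):
    """Return findings for listeners on `port` whose owner is not on the allowlist."""
    allowed = expected.get(port, set())
    findings = []
    for addr, lport, procs in parse_listeners(ss_output):
        if lport != port:
            continue  # port column only; a substring search would also hit pid=10123
        if not procs:
            findings.append((addr, None, "owner hidden; rerun ss with root privileges"))
        for name, pid in procs:
            if name not in allowed:
                findings.append((addr, pid, f"unexpected process {name!r}"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On a live Linux host, pass the captured output of `ss -tlnp` to `audit()` in place of `SAMPLE`.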

The Lesson

Port 10123 teaches us that the Internet's nervous system runs partly on paper (the IANA registry) and partly on practice (what companies actually do). The gap between them is where confusion lives. When a critical system chooses an unassigned port and millions of machines depend on it, the registry becomes aspirational—a document of what should be, not what is.

The port works fine. Enterprises worldwide rely on it. It's just officially invisible, which might be the most honest thing about it.
