I have a client that is moving from IBCM for workgroup computers to Workgroup computers over an Azure Site to Site VPN tunnel. All SCCM managed devices will communicate over the tunnel to an SCCM environment (1 MP, 1 DP) located in Azure. The client uses Symantec Endpoint Protection as their device firewall and that team is asking what SCCM client executables will communicate over the tunnel, so they can "white-list" those executables and appropriate ports.
Besides ccmexec.exe are there any other SCCM client executables or processes that would require "white-listing" in this scenario? the common ports (80,443,445, 10123) are already allowed.