Internet or Intranet Clients - Content Location
Our current Configuration Manager 2012 R2 environment is running with existing servers and clients in intranet mode. We are wanting to add a server in our DMZ to support internet only mode for our DMZ servers. Additionally, we are contemplating leveraging
this new server to support laptops in an "Internet or Intranet" configuration as described here:
https://technet.microsoft.com/en-ca/library/bb693755.aspx
My question is regarding content location for these "Internet or Intranet" clients. If the client is offsite (so the intranet servers are viewed as offline) and the content is available on the server set up to support internet clients, obviously
the client will download the content from the internet server. However, should we be distributing all of the content that is available to the intranet servers to the internet server? If an "internet or intranet" client receives policy
for a package whose source is only available from an intranet server, does the deployment completely fail when the client is offsite... or does the client wait until the content is available from an intranet server?
Also, if you have a link to documentation of this, that would be great.
Thanks!
There's no documentation describing this exact scenario. The client sends a content location request to its MP but if the necessary content is not on the Internet facing DP when the client is connected via the Internet, then the content location
request will fail. The client will periodically retry the content location request including when the client sees that it has changed network locations and so this will eventually succeed once the client is on the Intranet again. So, effectively, yes
the client will wait till it's on the Intranet -- it doesn't really have a choice though.
What implications are you worried about here?
Jason | http://blog.configmgrftw.com | @jasonsandys
Similar Messages
-
How to enable for Internet-Based Client Management existing "intranet" clients
Hello,
Step #1
I have an existing "intranet-only" SCCM 2012 SP1 CU1 environment. It is made of HTTP Intranet-Only MP.
All clients are properly communicating with one of the intranet MP
All clients are leveraging auto-enrollment of our AD PKI and have a working client certificate recognized by SCCM client
Step #2
I expanded the above infrastructure to support IBCM clients. Basically I want the existing intranet clients to still be managed when they are outside our network
I added MP, DP, SUP, FSP on dedicated DMZ servers. It has been published on Internet, and properly declared with public DNS
The DMZ MP has been configured for HTTPS / Internet client only
When I tested first this setup in my lab, it was working fine, and my "intranet" client moving to Internet was properly detecting this configuration, and was starting to contact the "DMZ/Internet MP" without any problem
I did the same on my production environment but this time, my client moving to "internet" detects it is connected on Internet but does not have any clue about the DMZ/Internet MP to contact. According to logfile, it is trying to check on DNS,
WINS, etc. but obviously it is already too late when in Internet, this information is no longer available.
I guess I did something in my lab environment to make it work but I don't know what. Any idea how to tell existing clients they should use a new "Internet-Only" MP when they are on Internet?
Regards.
Basically I found my problem...
In my lab, I manually configured the SCCM client option Internet-based management point (FQDN) to use the public DNS address of my Internet/DMZ MP.
If I do the same for my production sample client, it works fine now.
Question: how can I enforce this change on all my existing clients? -
Treating intranet client connecting differently from internet client
Hi All,
I am developing a server socket application that accepts connections from clients. The clients can connect either through internet or intranet. I need to treat them differently. Is there a way to know whether the client is an intranet client or an internet client?
Best regards,
Caesar
Have a look at the remote socket address of the accepted socket.
-
Hi there
So, existing SCCM 2012 environment, OSD functioning at other sites, been in use for a while.
New location, new DP. PXE boot system, choose the task sequence, and I get the error that the package is not found.
Look at the SMSTS.log and sure enough I see the 0x80040102 error.
I have :
Removed the offending package and redistributed it. Verified it is present on the server.
Verified the boundary has the server as a site system.
Verified the boundaries have the correct IP range, and the correct Site.
I have tried it with just a Site boundary and just an IP Range boundary.
Created a copy of my TS, removed the offending package, deployed. Same error, just with a different package ID (which tells me that it isn't the package, it is something on the server DP itself).
Rebooted both the Site server and the DP.
I'm kind of at a loss, as I would expect to see the DP show up in the below log as a DP, but I don't see it. It looks like it gets policy, and it shows under the content location request Local: 1 (which I believe says it sees 1 local content location),
but further below in the log it says Processing 0 Locations.
Very confused.
Thanks for any help...
Content location request: TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Package : packageid.3 TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Client : c713c862-e9be-4f67-a6d3-f164e05c29a2 TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Local : 1 TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Remote : 0 TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Internet: 0 TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Sending RequestContentLocations for packageid TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Setting message signatures. TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Setting the authenticator. TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
CLibSMSMessageWinHttpTransport::Send: URL: siteserver.domain.local:80 CCM_POST /ccm_system/request TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Request was succesful. TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
::DecompressBuffer(65536) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
Decompression (zlib) succeeded: original size 99, uncompressed size 178. TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
Location Reply: <ContentLocationReply SchemaVersion="1.00"><ContentInfo/><Sites/></ContentLocationReply> TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
Processing 0 locations. TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
LocationsList.size() > 0, HRESULT=80040102 (e:\qfe\nts\sms\framework\tscore\resolvesource.cpp,2142) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
FALSE, HRESULT=80040102 (e:\qfe\nts\sms\framework\tscore\tspolicy.cpp,1863) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
Content location request for packageid:3 failed. (Code 0x80040102) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
hr, HRESULT=80040102 (e:\qfe\nts\sms\framework\tscore\tspolicy.cpp,2626) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
Failed to resolve PackageID= TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
(*iTSReference)->Resolve( pTSPolicyManager, dwResolveFlags ), HRESULT=80040102 (e:\qfe\nts\sms\framework\tscore\tspolicy.cpp,3412) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
m_pSelectedTaskSequence->Resolve( m_pPolicyManager, TS::Policy::TaskSequence::ResolvePolicy | TS::Policy::TaskSequence::ResolveSource, fpCallbackProc, pv, hCancelEvent), HRESULT=80040102 (e:\nts_sccm_release\sms\client\tasksequence\tsmbootstrap\tsmediawizardcontrol.cpp,1523) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
Failed to resolve selected task sequence dependencies. Code(0x80040102) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
hrReturn, HRESULT=80040102 (e:\nts_sccm_release\sms\client\tasksequence\tsmbootstrap\tsmediaresolveprogresspage.cpp,445) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
ThreadToResolveAndExecuteTaskSequence failed. Code(0x80040102) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
ThreadToResolveAndExecuteTaskSequence returned code 0x80040102 TSPxe 8/26/2014 10:48:47 AM 892 (0x037C)
Setting wizard error: This task sequence cannot be run because the program files for packageid cannot be located on a distribution point. For more information, contact your system administrator or helpdesk operator. TSPxe 8/26/2014 10:48:47 AM 892 (0x037C)
It was not just driver packages, it was whatever package was next in line in the Task Sequence.
The issue got even more strange...I added a DP from my central location to the boundary group of the site that was failing.
Now it pulls from the local DP.
If I remove the DP from my central location (that is not local to the failing site), then it stops working again. -
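The smsts.log excerpt in the thread above shows the management point answering the request with a reply that lists no locations, followed by 0x80040102. As an added example (not part of the original posts), this script finds that pattern in a log: a failed content location request whose preceding Location Reply was empty. The populated reply is constructed, and the element names under `<Sites>` and the host name in it are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Entries copied from the smsts.log excerpt in the thread, one per line.
SMSTS_SAMPLE = """\
Sending RequestContentLocations for packageid TSPxe 8/26/2014 10:48:46 AM 1584 (0x0630)
Location Reply: <ContentLocationReply SchemaVersion="1.00"><ContentInfo/><Sites/></ContentLocationReply> TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
Processing 0 locations. TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
Content location request for packageid:3 failed. (Code 0x80040102) TSPxe 8/26/2014 10:48:47 AM 1584 (0x0630)
"""

# Constructed reply for comparison. The element names under <Sites> and the
# host name are assumptions for illustration, not taken from the thread.
POPULATED_REPLY = (
    '<ContentLocationReply SchemaVersion="1.00"><ContentInfo/><Sites><Site>'
    '<LocationRecords><LocationRecord>'
    '<URL Name="http://dp01.example.test/SMS_DP_SMSPKG$/PKG00001"/>'
    '</LocationRecord></LocationRecords></Site></Sites></ContentLocationReply>'
)

REPLY_RE = re.compile(
    r"Location Reply:\s*(<ContentLocationReply\b.*?</ContentLocationReply>)")
FAIL_RE = re.compile(
    r"Content location request for (\S+) failed\. \(Code (0x[0-9A-Fa-f]+)\)")


def summarize_reply(xml_text):
    """Return (entries under <Sites>, LocationRecord elements) for one reply."""
    root = ET.fromstring(xml_text)
    sites = root.findall("./Sites/*")
    records = root.findall(".//LocationRecord")  # assumed element name
    return len(sites), len(records)


def find_unresolved(log_text):
    """Pair each failed content location request with the reply before it."""
    findings, last_reply = [], None
    for line in log_text.splitlines():
        match = REPLY_RE.search(line)
        if match:
            try:
                last_reply = summarize_reply(match.group(1))
            except ET.ParseError:
                last_reply = None  # reply truncated or wrapped in the log
            continue
        match = FAIL_RE.search(line)
        if match:
            findings.append({
                "package": match.group(1),
                "code": match.group(2),
                # True: the MP answered but listed no distribution point.
                "empty_reply": last_reply == (0, 0),
            })
            last_reply = None
    return findings


if __name__ == "__main__":
    for finding in find_unresolved(SMSTS_SAMPLE):
        print(finding)
    print("constructed populated reply:", summarize_reply(POPULATED_REPLY))
```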
Need to understand Site Assignment and Content Location Boundary Groups
Okay I am very confused about something that I am seeing that is throwing my understanding of how Boundary Groups work completely off.
Here is my dilemma:
I created two boundary groups, a site assignment and a content location boundary group. The site assignment boundary group contains all of my sites. The content location boundary group I have just has my datacenter systems where the DP installed on my site
server is being referenced in that boundary group.
Now, I had two pilot deployments. The very first pilot deployment I had I created a content location boundary group for that site and referenced the local DP and when I deployed software updates to the clients there, I kept getting timeout errors. The second
pilot deployment I had, I totally forgot to create a content location boundary group, but the software updates installed perfectly fine on those clients.
What the heck is going on here?
I thought if a content location boundary group was NOT created for a remote site, then those clients would not be able to receive any content at all, period.
Can someone please, please explain to me what is going on here?
Thanks everyone
A couple of additional comments here that build on the previous by Peter and Nick.
Site assignment has nothing to do with clients finding content so while it's good that you have a site assignment boundary group and even that you mentioned it, it has nothing to do with what's going on here. Also as a semantic side note, when referring
to remote locations, you shouldn't use the word "site" when discussing ConfigMgr because "site" means something very specific and could cause confusion. I typically try to use the word "location".
Clients that do not fall into a boundary within a content location boundary group automatically fall into a "default" boundary marked as slow in a default "boundary group". Neither of these is defined anywhere in the console or the product
so default isn't exactly the right word here, but it does convey the meaning. Thus, not being in a defined boundary does not mean that clients cannot get content, just that they will only get content allowed for slow boundaries or where fallback is enabled.
Jason | http://blog.configmgrftw.com | @jasonsandys -
Intranet Clients try to access SUP Point Over http instead of https
Hi
My internet clients on DMZ Network are trying to access my SUP Server over http instead of https.
So the clients are not downloading any updates, here is my ContentTransferManager log on a DMZ Client
Persisted locations for CTM job {31F9D2B4-1289-4EB3-926F-83770BC6D294}:
(LOCAL) net:http://wsus.ds.download.windowsupdate.com/msdownload/update/software/crup/2014/02/windows6.1-kb2929733-x64_8856fdc2cde01190e69f849eb279b4e6e0e1868a.cab
switched to location 'http://xxx.xxx.xx/SMS_DP_SMSPKG$/a48042d8-b0e5-4246-9282-02c331ea184c
The client is activated as PKI client in my sccm site and everything else is working except for SUP.
Best regards Andreas
Hi
Reinstalled the MP for the Internet clients and the MP is now in the list of MPs
But when the internet clients try to download the updates they only try from
(LOCAL) net:http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2013/06/windows6.1-kb2836942-x64_b576b76c2c385f390b77f1727ecd804d9718821f.cab
But I still got this in the LocationService log
WSUS Path='https://xxx.xxx.xx:8531', Server='xxx.xxx.xx', Version='1037'
Calling back with locations for WSUS request {4166FE44-C262-4BE4-AD58-7C81A3C3E16C}
Executing Task LSSiteRoleCycleTask
1 internet MP errors in the last 10 minutes, threshold is 5.
Executing Task LSMPCommSuccessTask
Reset internet MP error count
Calling back with the following distribution points
Distribution Point='net:http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2013/06/windows6.1-kb2836942-x64_b576b76c2c385f390b77f1727ecd804d9718821f.cab', Locality='LOCAL', DPType='WUMU', Version='0', Capabilities='<Capabilities/>',
Signature='', ForestTrust='FALSE',
Calling back with locations for location request {EE7E4CFC-AAD6-4908-B30D-68F524E55166}
Executing Task LSSiteRoleCycleTask
1 internet MP errors in the last 10 minutes, threshold is 5.
Best regards Andreas -
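The log lines quoted in the thread above carry the URLs the client was handed: a WSUS path and two content locations. As an added example (not part of the original posts), this script extracts them and reports the scheme of each, so a mismatch between an HTTPS software update point and plain-HTTP content locations shows up directly. The sample lines are copied from the thread; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Lines copied from the LocationServices and ContentTransferManager excerpts
# in the thread (host names were already masked there).
LOCATION_SAMPLE = """\
WSUS Path='https://xxx.xxx.xx:8531', Server='xxx.xxx.xx', Version='1037'
Distribution Point='net:http://wsus.ds.download.windowsupdate.com/msdownload/update/software/updt/2013/06/windows6.1-kb2836942-x64_b576b76c2c385f390b77f1727ecd804d9718821f.cab', Locality='LOCAL', DPType='WUMU', Version='0', Capabilities='<Capabilities/>',
switched to location 'http://xxx.xxx.xx/SMS_DP_SMSPKG$/a48042d8-b0e5-4246-9282-02c331ea184c
"""

# key='url' pairs; a leading "net:" prefix is dropped before parsing.
KEYED_RE = re.compile(r"(WSUS Path|Distribution Point)='(?:net:)?([^']+)'")
# The CTM line in the thread has no closing quote, so stop at quote or space.
SWITCH_RE = re.compile(r"(switched to location) '(?:net:)?([^'\s]+)")
DPTYPE_RE = re.compile(r"DPType='([^']*)'")


def audit_locations(log_text):
    """Return one row per URL found, with its scheme, host, port and DPType."""
    rows = []
    for line in log_text.splitlines():
        match = KEYED_RE.search(line) or SWITCH_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(2))
        dptype = DPTYPE_RE.search(line)
        rows.append({
            "source": match.group(1),
            "scheme": url.scheme,
            "host": url.hostname,
            "port": url.port,
            "dptype": dptype.group(1) if dptype else None,
        })
    return rows


def plain_http(rows):
    """Rows whose URL is not HTTPS."""
    return [row for row in rows if row["scheme"] != "https"]


if __name__ == "__main__":
    found = audit_locations(LOCATION_SAMPLE)
    for row in found:
        print(row)
    print("not HTTPS:", [(r["source"], r["host"]) for r in plain_http(found)])
```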
Problems with http header "Content-Location"
Does anyone know how to override the
"Content-Location" http header. We are having issues with search engines and this header being returned from Apache/oc4j. In a nutshell, I have a site that uses the
Struts framework, where the actual urls submitted would be for example
(http://mysite/home.do), where ".do" is just a servlet mapping. When we have
tried to follow the one link that has been spidered, it actually contains
the full path that appears in the "Content-Location" header (i.e.
http://mysite/web-inf/jsps/bogus.jsp) which in this case can't even be
accessed. The feedback we get from third-party utilities that try to spider
the site is that it is stopping because it has already indexed "bogus.jsp",
which in reality will always appear since it is a template, where the actual
urls will be different as is above.
Because the "Content-Location" header is being returned to any
client hitting the site, search engine spiders stop indexing at the first page because the value in "Content-Location" is the same.
Solutions tried:
mod_headers in Apache - have tried "Header unset"
HttpServletResponse.setHeader()
Any help would be appreciated
Hi there,
I'm having a similar problem to this when trying to run some web page speed optimisation software...
I think the issue also causes problems with the Opera browser (although this may have been fixed in the latest version).
Anybody any ideas how to stop the header being sent in the response?
many thanks,
Andy -
IBCM internet and intranet management on the same server
Could anyone help me see what I am missing? We are trying to test setting up IBCM using the same management point as the intranet clients. We have already successfully implemented PKI for intranet clients because we were bringing in a MacBook Air. We have
an external URL coming through reverse proxy and forwarded to our internal server. I can navigate to
https://sccmext.domain.com/sms_mp/.sms_aut?MPlist and get 403 access denied. I also get that when I am on prem and navigate to the local server.
The CcmMessaging.log has errors regarding post to
https://sccmext.domain.com/ccm_system/request failed with 0x87d00231
I think this has something to do with certificates... I have a SCCM Web certificate for the internal server hostname and another certificate for the external name coming through the reverse proxy.
I have the internet FQDN on the site system properties, MP and DP are set to allow internet and intranet based clients...
Here are some entries before and after that entry above:
10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0
10.7.29.195 GET / - 80 - 10.7.29.82 - 200 0 0 701 0
10.7.29.195 GET / - 80 - 10.7.29.81 - 200 0 0 701 0
10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0
10.7.29.195 CCM_POST /ccm_system/request - 443 - 10.7.29.9 ccmhttp 403 7 5 1466 15
10.7.29.195 GET / - 80 - 10.7.29.82 - 200 0 0 701 0
10.7.29.195 GET / - 80 - 10.7.29.81 - 200 0 0 701 0
10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0
These are from the IIS log file. .195 is the SCCM site server, .81 and .82 are the reverse proxy servers. Sorry if I am not answering questions accurately, this is getting into parts of SCCM I am not familiar with at all. -
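In the IIS excerpt above, the failing CCM_POST is logged with status 403, sub-status 7 and Win32 status 5; IIS uses 403.7 for "client certificate required". As an added example (not part of the original posts), this filter pulls certificate-related 403 rejections out of such lines. The column order is assumed from the excerpt, which has no date or time columns, and the trailing columns are ignored.

```python
# Leading columns as they appear in the excerpt (assumed order).
COLUMNS = ("s_ip", "method", "uri_stem", "uri_query", "port", "username",
           "c_ip", "user_agent", "status", "substatus", "win32_status")

# IIS 403 sub-status codes that concern TLS and client certificates.
CERT_SUBSTATUS = {
    4: "SSL required",
    7: "client certificate required",
    13: "client certificate revoked",
    16: "client certificate untrusted or invalid",
    17: "client certificate expired or not yet valid",
}

# Lines copied from the IIS log excerpt in the thread.
IIS_SAMPLE = """\
10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
10.7.29.195 GET / - 80 - 10.7.29.82 - 200 0 0 701 0
10.7.29.195 CCM_POST /ccm_system/request - 443 - 10.7.29.9 ccmhttp 403 7 5 1466 15
10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an entry."""
    if not line.strip() or line.startswith("#"):
        return None  # blank line or W3C directive such as "#Fields:"
    parts = line.split()
    if len(parts) < len(COLUMNS):
        return None
    entry = dict(zip(COLUMNS, parts))
    try:
        for key in ("port", "status", "substatus", "win32_status"):
            entry[key] = int(entry[key])
    except ValueError:
        return None  # column layout differs from the assumed one
    return entry


def cert_rejections(log_text):
    """Return the 403 entries whose sub-status points at TLS or certificates."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry or entry["status"] != 403:
            continue
        reason = CERT_SUBSTATUS.get(entry["substatus"])
        if reason:
            entry["reason"] = reason
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in cert_rejections(IIS_SAMPLE):
        print(hit["c_ip"], hit["method"], hit["uri_stem"],
              "403.%d" % hit["substatus"], hit["reason"])
```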
Best Place for Source Content Location?
Hey Guys,
Currently we are planning for 2 sites with our Configuration Manager designing but we are unsure what would be the best scenario for the Source Content Location.
Should we just use DFS? or keep it local per site?
It can go anywhere, but you should put it close to your ConfigMgr Primary Site Server. The primary will copy the content from the source to the content library (and then to the distribution points).
Regardless of which file share location you choose, I recommend accessing it from a DNS Alias so that it can be moved later on without having to update all packages/apps/driver packages etc.
I hope that helps,
Nash
Nash Pherson, Senior Systems Consultant
Now Micro -
How can I control internet access of clients
Hi all,
I don't know how I can limit or stop internet activities on client computers. We have Windows XP and Mac computers in our network. We use a domain. If you have any suggestion about this, please let me know. Thanks
Regards,
Quoc Phi
Ho Chi Minh - Vietnam
I've been wondering about this myself. I'm new to OSX server so I'm not all that familiar with the range of software and setups that are out there. This weekend however, I plan to take my Server and install another ethernet card in it. I'll proceed to hook one ethernet card into my DSL router and the built in card to the rest of the network.
I already have DNS set up in my server admin, but I'll additionally need to set up NAT and DHCP, I think this can be done through the 'Gateway Setup Assistant', but I think I know how to do it in server admin should that fail.
Once that's set up, users will access the internet directly through the gateway provided by the OSX Server. I'm not sure what kind of built in monitoring mechanisms are provided, but judging from the lack of detail I've found in my own research I'd say they're insufficient at best.
I'm looking to installing Viacoms "Intercept" software (http://www.vicomsoft.com/download/download.main.html) on the mac, it has a range of monitoring tools I think I'll need, also they offer a 2 week demo version for download. So it's worth a try
Hope this helps you save some time... -
Content location mass update at the site level
Hi,
I am looking for a way to mass update the content location at the site level. Right now, we can do the mass update at the folder level. We have about 80 folders or so. Is there a way we can mass update the starting url at the site level?
Environment: Oracle iLearning 5.2.1
Thanks
Sud
If you are mass updating the content location, you need to inspect the following three tables in the ILEARN schema.
Table           Columns                   Description
content_server  host, physical_directory  Content Server Definition
rco             starting_url              Self Explanatory
host_adapter    adapter_path              CMI Adapter
You might not have to change all of them, if you are only changing the path and not the host.
Scott
http://www.seertechsolutions.com -
Best practices for securing communication to internet based SCCM clients ?
What type of SSL certs does the community think should be used to secure traffic from internet based SCCM clients? Should 3rd party SSL certs be used? When doing an inventory for example of the clients' configuration in order to run reports
later, how can the data be protected during transit?
From a technical perspective, it doesn't matter where the certs come from as there is no difference whatsoever. A cert is a cert is a cert. The certs are *not* what provide the protection, they simply enable the use of SSL to protect the data in transit
and also provide an authentication mechanism.
From a logistics and cost perspective though, there is a huge difference. You may not be aware, but *every* client in IBCM requires its own unique client authentication certificate. This will get very expensive very quickly and is a recurring cost because
certs expire (most commercial cert vendors rarely offer certs valid for more than 3 years). Also, deploying certs from a 3rd party is not a trivial endeavor -- you more or less run into chicken and egg issues here. With an internal Microsoft PKI, if designed
properly, there is zero recurring cost and deployment to internal systems is trivial. There is still certainly some cost and overhead involved, but it is dwarfed by that which comes with using a third party CA for IBCM certs.
Jason | http://blog.configmgrftw.com | @jasonsandys -
Generating a content location request
Hi,
I'd like to generate a content location request from within a task sequence using my .net code. Assuming these are the correct classes, can anyone give me an example of using the
ContentLocationRequest etc from the messaging SDK. Thanks.
Simon Burbidge
Why do you want to re-invent something that's already built into the product? What's the reason behind it? Answering that question would help to understand what you are trying to achieve ...
Torsten Meringer | http://www.mssccmfaq.de -
Can we run Internet and intranet application on same node?
Hi,
Could we run Internet and Intranet applications on same node?
Regards,
Hi,
You can run both sites on the same server. You should just set the site security on the intranet site to only allow access from internal IP addresses. But for security reasons, it's not advisable to do that.
Regards,
Hamdy -
Application Deployment Type Content Locations in CM 2012 R2 DB
Hello,
Does anyone know the view or table in the SCCM DB for an application's deployment type's content location?
I found the package view which lists all packages content info. but haven't been able to find the content location for our application's deployment types.
Any help would be appreciated.
Thanks
Dave
- Dave
The information is stored in v_ContentInfo.ContentSource.
You can use this query to view the Content Source for each application:
SELECT DISTINCT app.Manufacturer, app.DisplayName, app.SoftwareVersion, dt.DisplayName AS DeploymentTypeName, dt.PriorityInLatestApp, dt.Technology, v_ContentInfo.ContentSource, v_ContentInfo.SourceSize
FROM dbo.fn_ListDeploymentTypeCIs(1033) AS dt
INNER JOIN dbo.fn_ListLatestApplicationCIs(1033) AS app ON dt.AppModelName = app.ModelName
LEFT OUTER JOIN v_ContentInfo ON dt.ContentId = v_ContentInfo.Content_UniqueID
WHERE (dt.IsLatest = 1)
Benoit Lecours | Blog: System Center Dudes