SCOM internet clients

We're considering a SCOM implementation not only for our internal needs, but for our client base.
We don't have a VPN to our clients and I am worried the monitoring will be limited. What we want to monitor is:
- MS servers with different workloads (this doesn't seem to be a problem: http://www.toolzz.com/?p=224). We'd also monitor hardware where possible.
- VMware infrastructure, how would we go about doing this? There are MPs, but I can't find many free ones and am unsure if this would work for internet clients as well? Any how-to's available?
- different storage systems (HP, NetApp, IBM), can these be monitored from the internet? What kind of licensing is required if at all?
- network equipment and other devices through SNMP.
Some of our clients are quite large, some only have a server or two. How would we approach this?

Hi,
Additionally, I would like to share some samples of monitoring hardware.
http://blogs.technet.com/b/schadinio/archive/2010/07/19/scom-samples-of-monitoring-hardware-with-scom.aspx
About the VMware MP, there isn't a free management pack for SCOM.
HP Storage MP
https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=System_Center
For NetApp Storage, please try ApplianceWatch 2.1.1.
IBM Storage MP
http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=migr-5082204
Niki Han
TechNet Community Support

Similar Messages

  • Internet Clients & Mac Enrollment

    Hello,
    I'm having some issues with Internet Clients and Mac Enrollment, the latter via both the Intranet and Internet. Going over all the certificate steps again, the only thing I didn't do is have two FQDNs for the Web Cert, since I'm using the same FQDN for both internal and external traffic. We have the external DNS set up and ports opened on the firewall to communicate with it. External DNS resolution is working when doing a DIG or an NSLOOKUP with the trailing '.' due to the default domain suffix search.
    Are there some added steps that I need to do when using the same FQDN for internal and external?

    All roles are on a single server.  I've ensured that the DP Cert is imported into the DP.
    The DP certificate is not an, or the, issue in this case, because it's only used during OS deployment. Please start looking at the client log files when the download error appears (like the CAS.log).
    About the MAC issues, please keep that separated from this post, for two reasons:
    Troubleshooting can be done better per issue;
    You've got a post already for that (http://social.technet.microsoft.com/Forums/windowsserver/en-US/f473a2bb-3eba-42fd-88c0-3a232b18a556/configmgr-r2-mac-os-enrollment-issues?forum=configmanagerdeployment).
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude
    Thanks.
    I combined both issues because I thought they may be related but I'll stick to the Windows Internet Clients for this one.
    We have a Palo Alto Firewall and have opened up several ports and applications and watched traffic.  The client still shows 'currently Internet' but the logs say the following:
    LocationServices.log
    LsRefreshManagementPointEx failed with 0x80004005
    Failed to refresh security settings over MP with error 0x80004005.
    Failed to send management point list Location Request Message to FQDN
    LSUpdateInternetManagementPoints: Failed to retrieve internet MPs from MP FQDN with error 0x87d00231, retaining previous list.
    CcmMessaging.log
    Post to http://FQDN/ccm_system/request failed with 0x87d00231.
    Post to http://FQDN/ccm_system/request failed with 0x87d00231.
    Post to http://FQDN/ccm_system_windowsauth/request failed with 0x87d00231.
    Post to http://FQDN/ccm_system_windowsauth/request failed with 0x87d00231.
    OutgoingMessage(Queue='mp_[http]mp_locationmanager', ID={68E61B1F-05F4-4BD4-81E0-C9AF513635EE}): Will be discarded (expired).
    Ports needed for Internet-based Clients have been added from this: http://technet.microsoft.com/en-us/library/hh427328.aspx#BKMK_IBCMports

  • Treating intranet client connecting differently from internet client

    Hi All,
    I am developing a server socket application that accepts connections from clients. The clients can connect either through the internet or the intranet. I need to treat them differently. Is there a way to know whether the client is an intranet client or an internet client?
    Best regards,
    Caesar

    Have a look at the remote socket address of the accepted socket.
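
The check suggested in the answer above, as an added example that is not part of the original thread: classify the peer address of an accepted socket against a list of intranet prefixes. The prefix list (RFC 1918 ranges plus IPv6 unique-local) and the function names are assumptions for illustration; a real deployment lists its own networks. The address is the one the server sees, so behind a reverse proxy, load balancer or NAT it is that device's address, which makes the result suitable for routing or logging decisions but not as the only authorization check.

```python
import ipaddress
import socket

# Assumed intranet prefixes (RFC 1918 + IPv6 unique-local); replace with your own.
INTRANET_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]


def classify_address(host, intranet_nets=INTRANET_NETS):
    """Return 'loopback', 'intranet' or 'internet' for a peer address string."""
    # Drop an IPv6 zone/scope id such as 'fe80::1%eth0' before parsing.
    ip = ipaddress.ip_address(host.split("%", 1)[0])
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; unwrap them,
    # otherwise every IPv4 client would fall through to 'internet'.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback:
        return "loopback"
    # A link-local peer can only be on the same link as the server.
    if ip.is_link_local:
        return "intranet"
    if any(ip.version == net.version and ip in net for net in intranet_nets):
        return "intranet"
    return "internet"


def classify_peer(conn):
    """Classify the remote end of an accepted TCP socket."""
    return classify_address(conn.getpeername()[0])


if __name__ == "__main__":
    # Loopback demonstration: accept one connection and classify its peer.
    with socket.create_server(("127.0.0.1", 0)) as srv:
        client = socket.create_connection(srv.getsockname())
        conn, _ = srv.accept()
        print(classify_peer(conn))
        conn.close()
        client.close()
```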

  • Internet Client Not talking to DMZ MP

    I am facing issues in communication of Internet Client to my MP sitting in DMZ.
    Scenario:
    Primary Site 2012
    MP, DP role installed Site system in DMZ domain joined.
    DMZ talking to DC, and site server, bidirectional.
    Installed MP and DP role, with Internet only client, created FQDN, and published FQDN to public DNS
    created certs following steps in http://www.systemcenterdudes.com/internet-based-client-management/.
    Tried installing client manually in domain, using switches ccmsetup.exe /usePKICert /NoCRLCheck CCMHOSTNAME="MP public FQDN" DNSSUFFIX="public DNS" SMSSITECODE=XXX 
    When I moved the client to the open internet, I see the below error in LocationServices.log:
    Attempting to retrieve site information from lookup MP(s) via HTTPS  LocationServices  3/18/2015 4:28:41 PM  2424 (0x0978)
    Failed to send site information Location Request Message to XXXXXXX  LocationServices  3/18/2015 4:29:01 PM  2424 (0x0978)
    Attempting to retrieve site information from lookup MP(s) via HTTP  LocationServices  3/18/2015 4:29:01 PM  2424 (0x0978)
    Failed to refresh security settings over MP with error 0x80004005.  LocationServices  3/18/2015 4:29:01 PM  2424 (0x0978)
    No security settings update detected.  LocationServices  3/18/2015 4:29:01 PM  2424 (0x0978)
    Using INF MP XXXXXXXXXXX as lookup MP.  LocationServices  3/18/2015 4:29:01 PM  2424 (0x0978)
    Attempting to retrieve site information from lookup MP(s) via HTTPS  LocationServices  3/18/2015 4:29:01 PM  2424 (0x0978)
    Failed to send site information Location Request Message to XXX  LocationServices  3/18/2015 4:29:08 PM  2424 (0x0978)
    Attempting to retrieve site information from lookup MP(s) via HTTP  LocationServices  3/18/2015 4:29:08 PM  2424 (0x0978)
    Failed to refresh Site Signing Certificate over MP with error 0x80004005.  LocationServices  3/18/2015 4:29:08 PM  2424 (0x0978)
    Refreshing Site Signing Certificate over HTTP  LocationServices  3/18/2015 4:29:08 PM  2424 (0x0978)
    [CCMHTTP] AsyncCallback(): -----------------------------------------------------------------  LocationServices  3/18/2015 4:29:26 PM  2424 (0x0978)
    [CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered  LocationServices  3/18/2015 4:29:26 PM  2424 (0x0978)
    [CCMHTTP]                : dwStatusInformationLength is 4  LocationServices  3/18/2015 4:29:26 PM  2424 (0x0978)
    [CCMHTTP]                : *lpvStatusInformation is 0x10  LocationServices  3/18/2015 4:29:26 PM  2424 (0x0978)
    [CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set  LocationServices  3/18/2015 4:29:26 PM  2424 (0x0978)
    [CCMHTTP] AsyncCallback(): -----------------------------------------------------------------  LocationServices  3/18/2015 4:29:26 PM  2424 (0x0978)
    Raising event:
    instance of CCM_CcmHttp_Status
    ClientID = "GUID:8BD27970-C69F-483D-A7E5-0DC76DC7A836";
    DateTime = "20150318105926.499000+000";
    HostName = "XXXXXXXX";
    HRESULT = "0x80072f8f";
    ProcessID = 5868;
    StatusCode = 16;
    ThreadID = 2424;
    LocationServices  3/18/2015 4:29:26 PM  2424 (0x0978)
    Failed to send request to /SMS_MP/.sms_aut?SITESIGNCERT at host XXX, error 0x2f8f  LocationServices  3/18/2015 4:29:26 PM  2424 (0x0978)
    [CCMHTTP] ERROR: URL=https://XXXXXXXX/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=480, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE  LocationServices  3/18/2015 4:29:26 PM  2424 (0x0978)
    Successfully sent location services HTTPS failure message.  LocationServices  3/18/2015 4:29:27 PM  2424 (0x0978)
    Failed to refresh Site Signing Certificate over HTTP with error 0x80072f8f.  LocationServices  3/18/2015 4:29:27 PM  2424 (0x0978)
    Using INF MP XXXXXXXX as lookup MP.  LocationServices  3/18/2015 4:29:27 PM  2424 (0x0978)
    Attempting to retrieve default management points from lookup MP(s) via HTTPS  LocationServices  3/18/2015 4:29:27 PM  2424 (0x0978)
    LSGetManagementPointsForSiteFromManagementPoint: Client is on Internet, skipping Intranet MP list request.  LocationServices  3/18/2015 4:29:27 PM  2424 (0x0978)
    Unable to retrieve compatible MP(s) from AD  LocationServices  3/18/2015 4:29:27 PM  2424 (0x0978)
    LSGetManagementPointsForSite: Domain joined client is in Internet - INF MP will be used to get other INF MPs.  LocationServices  3/18/2015 4:29:27 PM  2424 (0x0978)
    LSUpdateInternetManagementPoints  LocationServices  3/18/2015 4:29:27 PM  2424 (0x0978)
    Current AD site of machine is XXXXX  LocationServices  3/18/2015 4:29:27 PM  2424 (0x0978)
    Failed to send management point list Location Request Message to XXXXX  LocationServices  3/18/2015 4:29:34 PM  2424 (0x0978)
    LSUpdateInternetManagementPoints: Failed to retrieve internet MPs from MP XXX with error 0x87d00231, retaining previous list.  LocationServices  3/18/2015 4:29:34 PM  2424 (0x0978)
    There is no AMP for site code XXXX Nulling existing entry in WMI  LocationServices  3/18/2015 4:29:34 PM  2424 (0x0978)
    Assigned MP changed from XXXXXXXX to <>.  LocationServices  3/18/2015 4:29:34 PM  2424 (0x0978)
    Persisted Default Management Point Locations locally  LocationServices  3/18/2015 4:29:34 PM  2424 (0x0978)
    [CCMHTTP] AsyncCallback(): -----------------------------------------------------------------  LocationServices  3/18/2015 4:29:37 PM  2432 (0x0980)
    [CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered  LocationServices  3/18/2015 4:29:41 PM  2432 (0x0980)
    [CCMHTTP]                : dwStatusInformationLength is 4  LocationServices  3/18/2015 4:29:41 PM  2432 (0x0980)
    [CCMHTTP]                : *lpvStatusInformation is 0x10  LocationServices  3/18/2015 4:29:41 PM  2432 (0x0980)
    [CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set  LocationServices  3/18/2015 4:29:41 PM  2432 (0x0980)
    [CCMHTTP] AsyncCallback(): -----------------------------------------------------------------  LocationServices  3/18/2015 4:29:41 PM  2432 (0x0980)
    Raising event:
    instance of CCM_CcmHttp_Status
    ClientID = "GUID:8BD27970-C69F-483D-A7E5-0DC76DC7A836";
    DateTime = "20150318105941.428000+000";
    HostName = "XXXXXXXX";
    HRESULT = "0x80072f8f";
    ProcessID = 5868;
    StatusCode = 16;
    ThreadID = 2432;
    LocationServices  3/18/2015 4:29:41 PM  2432 (0x0980)
    Failed to send request to /SMS_MP/.sms_aut?MPLIST2&XXXXX at host XXXXXXX, error 0x2f8f  LocationServices  3/18/2015 4:29:41 PM  2432 (0x0980)
    [CCMHTTP] ERROR: URL=https://XXXXXXXX/SMS_MP/.sms_aut?MPLIST2&XXXXX, Port=443, Options=480, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE  LocationServices  3/18/2015 4:29:41 PM  2432 (0x0980)
    Successfully sent location services HTTPS failure message.  LocationServices  3/18/2015 4:29:41 PM  2432 (0x0980)
    Failed to send web service info Location Request Message  LocationServices  3/18/2015 4:29:41 PM  2424 (0x0978)
    Modassir Khan

    Hi,
    Here is a blog that has a similar problem, in which a Certificate Revocation List was not configured. You could have a look to check if you missed anything.
    Certificate Revocation Lists and Your Config Manager Client
    Note:
    Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
    Best Regards,
    Joyce
    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]
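
A triage helper for the kind of LocationServices.log excerpt posted in this thread, as an added example that is not part of the original posts: it pairs each `*lpvStatusInformation` bitmask with the `[CCMHTTP] ERROR` line that follows it and decodes the mask into the WinHTTP secure-failure flags from winhttp.h. The sample log, the host name `mp.example.test`, the function names and the advice strings are constructed for illustration.

```python
import re

# WINHTTP_CALLBACK_STATUS_FLAG_* bits reported with
# WINHTTP_CALLBACK_STATUS_SECURE_FAILURE (values from winhttp.h).
SECURE_FAILURE_FLAGS = {
    0x00000001: "CERT_REV_FAILED",
    0x00000002: "INVALID_CERT",
    0x00000004: "CERT_REVOKED",
    0x00000008: "INVALID_CA",
    0x00000010: "CERT_CN_INVALID",
    0x00000020: "CERT_DATE_INVALID",
    0x00000040: "CERT_WRONG_USAGE",
    0x80000000: "SECURITY_CHANNEL_ERROR",
}

# Illustrative follow-up checks (assumed wording, not Microsoft guidance).
ADVICE = {
    "CERT_CN_INVALID": "compare the FQDN the client requests (CCMHOSTNAME) "
                       "with the subject/SAN of the MP web server certificate",
    "CERT_REV_FAILED": "confirm the CRL distribution point is reachable "
                       "from where the client sits",
    "INVALID_CA": "confirm the client trusts the issuing CA chain",
    "CERT_DATE_INVALID": "check certificate validity dates and client clock",
}

MASK_RE = re.compile(r"\*lpvStatusInformation is (0x[0-9a-fA-F]+)")
ERROR_RE = re.compile(
    r"\[CCMHTTP\] ERROR: URL=(?P<url>\S+), Port=\d+, .*?"
    r"Code=(?P<code>\d+), Text=(?P<text>\w+)"
)


def decode_secure_failure(mask):
    """Return the flag names set in a secure-failure bitmask, lowest bit first."""
    names = [name for bit, name in sorted(SECURE_FAILURE_FLAGS.items()) if mask & bit]
    unknown = mask & ~sum(SECURE_FAILURE_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%x" % unknown)
    return names


def triage(log_text):
    """Pair each status bitmask with the next [CCMHTTP] ERROR line."""
    findings, pending = [], None
    for line in log_text.splitlines():
        m = MASK_RE.search(line)
        if m:
            pending = int(m.group(1), 16)
            continue
        e = ERROR_RE.search(line)
        if e:
            flags = decode_secure_failure(pending) if pending is not None else []
            findings.append({
                "url": e.group("url"),
                "code": int(e.group("code")),
                "flags": flags,
                "advice": [ADVICE[f] for f in flags if f in ADVICE],
            })
            pending = None
    return findings


# Constructed sample in the shape of the log above (host name is a placeholder).
SAMPLE_LOG = """\
[CCMHTTP]                : *lpvStatusInformation is 0x10
[CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
[CCMHTTP] ERROR: URL=https://mp.example.test/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=480, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE
[CCMHTTP]                : *lpvStatusInformation is 0x9
[CCMHTTP] ERROR: URL=https://mp.example.test/SMS_MP/.sms_aut?MPLIST2, Port=443, Options=480, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding["url"], finding["flags"], finding["advice"])
```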

  • SCCM design DMZ for intranet and internet clients

    Hello,
    I am looking for some design recommendations for my test environment that I would like to apply to one production environment (I already posted about this topic but I still have some questions).
    I am working with 2 domains (2 forests) with no trust relationships.
    Domain A : internal
    Domain B : DMZ
    From a firewall point of view, only the ports from the internal to the DMZ will be opened.
    From the internet to the DMZ, only HTTPS will be opened.
    Currently, I only manage the clients connected to the internal domain.
    I would like to deploy a new management point in DMZ that will allow me to manage my DMZ clients (servers) and my Internet clients (laptops).
    Should I use 2 management points ? Is it supported ?
    - one for the DMZ clients
    - one dedicated to my internet clients
    If I use only one MP, should I allow Intranet and Internet clients ?
    Should I allow my DMZ clients to communicate with the internal management point (port 80) and only use the MP in DMZ for my Internet clients.
    The only documents I can find on Technet require too many ports to be opened in the firewall (From DMZ to Internal) and can't be applied to my environment.
    Thanks.

    Have a look at the following blog which explains your queries comprehensively.
    http://blogs.technet.com/b/neilp/archive/2012/08/20/cross-forest-support-in-system-center-2012-configuration-manager-part-1.aspx
    -RG

  • SCCM MAC management server and internet Client management server in on system

    dear all
    We have an Internet-based management system (IBCM server), SCCM 2012 SP1. Can we make the same servers the Mac management server? Is there any challenge in this? As per TechNet, the Mac management server works in internet mode even when on the intranet. Also, there is no documentation for when Mac clients are on the internet.
    ankith

    hi Torensten
    We need an enrolment point and an enrolment proxy point; can we install them on the same server?
    I have a doubt: the enrolment proxy point works on 443; will that conflict with the IBCM external MP, which is also on 443?
    ankith

  • SCOM 2012 client movement between Management servers

    Hi all,
    I know in SCOM 2012 SP1 all management servers are peers. If I have five management servers (A, B, C, D, E) and 2 gateway servers (F, G), and one client is assigned to management server A, in case that management server is down, to which management server or gateway server will that particular client move? Is there any rule?
    Thanks,
    Sengottuvel M

    By default, "the first available management server". There is a black-box algorithm that works behind the scenes in terms of agent failover selection. The only way to control this is to set agent failover lists, and this is only possible via the command shell (PowerShell) - but it's relatively easy to do.
    Here are a couple interesting articles about the topic:
    http://blog.scomskills.com/agent-managementlist-primary-and-failover-configuration/
    http://blogs.technet.com/b/jonathanalmquist/archive/2009/11/11/set-failover-management-server-for-gateway-role.aspx
    ...and there are probably 100 other blog posts talking about the same thing.
    Jonathan Almquist | SCOMskills, LLC (http://scomskills.com)

  • Installing Internet Clients Using Client Push

    I've read through the MS documentation on how to install internet based clients (http://technet.microsoft.com/en-us/library/gg712298.aspx#BKMK_Manual) and it indicates that they can be installed using client push. So, if I just add the CCMHOSTNAME property in the client push settings I can then use automatic site wide installation? This is assuming the clients already have a certificate installed. I'm confused because it shows in this article that you must include other properties and even ccmsetup properties such as /usepkicert. You can only use the client msi properties in the client push settings. Would this work with just CCMHOSTNAME? Also, would I have to add SMSSITECODE since clients won't automatically be assigned a site based on their boundaries?

    You can even leave that property out, as long as your clients are on the intranet during the client installation. During the first policy retrieval the client will get the information about the Internet-facing site system.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Managing Internet clients with non unique names

    I've got a wee complication which revolves around the fact that the majority of clients I am looking to deploy to are workgroup clients which have non-unique NetBIOS/short names.
    So when trying to manage said clients, when looking at the Assets / Devices tab they for all intents and purposes appear identical - until I look at the properties of each item and look at the Resource Name - which will show the FQDN of said machine.
    If I was able to select Resource name as a viewable field in the view this would fix my problem. Unfortunately all machines currently have the same Workgroup set so just displaying the "Domain" field will not suffice.
    Has anyone run into this issue and what can be done to work around it short of renaming all my intended clients? I've seen mention of creating your own Console custom nodes however this looks rather hairy.
    Any thoughts are greatly appreciated. Cheers.

    Also, I don't think that it will really help you, because the Devices node is built on the SMS_CombinedDeviceResources class and that WMI class simply doesn't contain the Resource Name property.
    In this case it would mean creating a whole new node in the console. Probably using a Query, or Report is the most simple and best workaround.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Workgroup internet clients issue

    Hey guys,
    I have an HTTPS management point and I created a couple of machines that are not domain joined. These are workgroup clients, all with the same certificate from our CA. I can see only one of them in the console, and when I check on them, all of them have the same GUID. Does this mean that every one of them has to have a separate certificate from the CA, or that I messed something up when I was creating the image?

    "I have one image which i put on one hard drive and then clone hard drive with cloning hardware so its fast and easy".
    I hope that image is sysprepped.
    Yes, cert deployment can be a pain. No there is no automated solution in the Microsoft stack outside of AD domain joining them although NDES may be helpful:
    http://social.technet.microsoft.com/wiki/contents/articles/9063.network-device-enrollment-service-ndes-in-active-directory-certificate-services-ad-cs.aspx
    There are community based solutions out there that have scripted the moving parts. These pose security risks IMO though, as they require the user to be a local admin on their systems (shudder). A web search should turn these up.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • PLEASE HELP!!!! ITS URGENT!!!! image merging and uploading to server by internet clients

    I have 2 movie clips on my site viz. M1 and M2. Images in
    both the MCs (viz. J1.JPG and J2.JPG) are dynamically replaced
    through ASP pages. User is given facility to resize, rotate and
    move images of M2 over M1.
    I want to enable the user to upload this modified version of M1
    (after putting M2 over it) to my server in any printable graphics
    format viz. JPEG/JPG/GIF/PNG/BMP etc.
    Is there any facility like that in flash/actionScript.
    Please help its urgent.

    yope ani, you got me right. would you please help me.
    Although SAVING the image is not so important.... i just want to
    see that at which location internet user has imposed J2.JPG over
    J1.JPG. I am less concerned about the XY coordinates, instead i
    would like to see the output of the image after imposition.
    I guess i've been able to express my imagination to you.
    thanks and regards

  • Internet Based Clients and Native Mode

    Hi guys,
    I have a question.... We have SCCM 2007 SP2 running in mixed mode in the environment. Now we plan to support internet based clients. Here is the current Hierarchy in mixed mode.
    1 Central Server
    1 Primary Server
    3 Secondary servers under above Primary Server
    Now as the requirement is to support internet based clients and want them to support on office LAN as well when they come to the office....this is what I would be doing : ( Theoretically I know, I need the practical steps to achieve that )
    1. Get all the 3 PKI Certificates : Site Server Signing, Web Server, Client agent.
    2. Make sure all the required ports are opened in-between Intranet <->DMZ AND DMZ <-> Internet
    3. Migrate Central server from Mixed to Native Mode.
    4. Install another Primary Server on Intranet in Native mode.
    5. Create a site system server connected to newly created Native Primary Site in the DMZ zone with these roles installed : MP, SUP and DP.
    6. Re-install all the SCCM clients in the environment with the command-line so that they can be supported on both internet and intranet.
    7. Make sure internet clients are able to connect DMZ site system server via internet.
    Please let me know if I'm missing something here and let me know the practical steps to achieve this. 
    Request you not to share Microsoft technet link for the same. Please share some step-by-step practical document etc.. to achieve this.
    Thanks,
    Sam

    1. This is incorrect. You need more than a single web server cert and client cert. You need a unique server auth cert for *every* one of your systems hosting a client role like the MP, DP, and SUP. Also, you need a unique client auth cert for each and *every* client that may/will connect via the Internet.
    4. Standing up a whole extra site just to support IBCM is a bit overkill. It does allow you to keep your "main" primary site in mixed mode, but it does add some overhead and cost and is not technically necessary.
    6. Incorrect. You only need to reinstall clients that will be configured as "Internet-only". Intranet clients should pick up the internet facing roles via policy. You can verify this by checking locationservices.log on the clients after they are successfully communicating and the Internet facing roles are stood up and healthy.
    You've made no account above for the CDP or CRL checking. This is a major stumbling block for many folks.
    Jason | http://blog.configmgrftw.com

  • Internet or Intranet Clients - Content Location

    Our current Configuration Manager 2012 R2 environment is running with existing servers and clients in intranet mode. We are wanting to add a server in our DMZ to support internet only mode for our DMZ servers. Additionally, we are contemplating leveraging this new server to support laptops in an "Internet or Intranet" configuration as described here:
    https://technet.microsoft.com/en-ca/library/bb693755.aspx
    My question is regarding content location for these "Internet or Intranet" clients. If the client is offsite (so the intranet servers are viewed as offline) and the content is available on the server set up to support internet clients, obviously the client will download the content from the internet server. However, should we be distributing all of the content that is available to the intranet servers to the internet server? If an "internet or intranet" client receives policy for a package whose source is only available from an intranet server, does the deployment completely fail when the client is offsite, or does the client wait until the content is available from an intranet server?
    Also, if you have a link to documentation of this, that would be great.
    Thanks!

    There's no documentation describing this exact scenario. The client sends a content location request to its MP but if the necessary content is not on the Internet facing DP when the client is connected via the Internet, then the content location request will fail. The client will periodically retry the content location request including when the client sees that it has changed network locations and so this will eventually succeed once the client is on the Intranet again. So, effectively, yes the client will wait till it's on the Intranet -- it doesn't really have a choice though.
    What implications are you worried about here?
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Support for Internet based client Management - SCCM 2012

    Hi There,
    My Company wants to go for Internet based client Management in SCCM 2012 SP1 R2 and here is the design I'm proposing. I'm getting a bit confused at one point and need suggestion....
    Everything would work on HTTPS ( PKI Certificate based )... LAN and Internet.
    1 Primary ( with non-client facing roles installed ) on LAN with two site systems.
    - One Site System configured for INTRANET support only with MP, DP and SUP -> To support LAN users (Allow Intranet-only connections)
    - One Site System configured for INTERNET support only with MP, DP and SUP -> To support Internet users (Allow Internet-only connections)
    The INTERNET facing site system is in DMZ network connected to parent Primary via Firewall.
    We want internet clients to talk to ONLY DMZ SCCM Site System and no connection to corporate LAN. We cannot open any ports for internet based clients to LAN.
    If this is the supported scenario, then why we need to put the Internet FQDN in the Primary server Site System property. This server would not be available to internet. It should only be my DMZ SCCM server client should connect for MP, DP and SUP and only
    this DMZ server should be accessible to client over internet.
    Also, what least ports should be opened between :
    - Parent Primary and its internet facing site system kept in DMZ
    - DMZ Site system and internet clients.
    Thanks in advance for your suggestions.
    Sam

    The FQDN has only to be specified on the Internet facing site system. You can leave this field blank on the primary site Server.
    Ports to Open:
    Internet --> DMZ Site Server:
    TCP Port 443
    TCP Port 80, if Fallback Status Point is installed
    DMZ Site Server --> Primary Site:
    TCP 135, 49152-65535
    TCP 445
    TCP 135, 24158 (fixed with http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx)
    TCP 80, 443
    If you have some other roles installed, please consult this page:
    http://technet.microsoft.com/en-us/library/hh427328.aspx
    Cheers,
    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • SCCM Internet Based Client Communication

    We have one primary server (which includes all the general roles) and two remote distribution points. Question is, after I configure the MP for internet clients (HTTP and HTTPS), set up the necessary PKI infrastructure, publish the site server FQDN to public DNS servers, and install the internet client, how does it communicate back to the internal server? We don't have a DMZ and our primary site server is completely internal. If I add our external IP to public DNS the internet client can resolve this and our firewall is open to HTTPS traffic. Once the client reaches the front facing IP how does it then contact a strictly internal management point and distribution point?

    HTTPS client communication and IBCM don't change anything about how ConfigMgr works really. The traffic must still flow from the client to the client facing sites roles. Thus, you need to facilitate this flow of traffic no different than hosting a web site that both internal users and users on the Internet access -- in fact, it is exactly the same from a network perspective.
    Jason | http://blog.configmgrftw.com | @jasonsandys
