SCMDM 2008 SP1 MDM Connect Now Problem
Hi there guys,
I hope this is something you guys can help me with. I am in the process of deploying SCMDM. I am going with the integrated approach where MDM enrollment and device management will be sitting on 1 server, with a gateway server in the DMZ. I managed to prep Active Directory and create a SCMDM instance. I also managed to install the MDM device management server roles, but before I deploy the gateway server I wanted to do some testing.
Currently I am using a WM 6.1 Pro emulator on my laptop connected through ActiveSync. I manage to enroll the device on the domain; it successfully completes the enrollment and appears in the device management list. Once I get past that section it pretty much stops there, where I cannot apply any policies to the emulator device. The last connected time stays as the original time of enrollment.
I also downloaded the Connect Now tool. I am having errors with the Connect Now tool, as it keeps on failing with this error code on the emulator: (Failed -2147467259).
I have a sneaking suspicion it's something to do with the certificates. Can someone please point me in the right direction?
By the way, BPA is reporting this post-deployment issue with the enrollment server. I believe it's related to not having the gateway server set up as yet.
Server Name: SYDWMDMMS01.xxx.xxxxxx.xxxx Status:Critical Issues Found in MDM Deployment RescanErrors Result
Not able to connect to the Enrollment Web service.
Refer to 'Troubleshooting MDM Enrollment Issues ' in Operations Guide for System Center Mobile Device Manager 2008 Service Pack 1 for more information.
Details
Exception calling "ShouldEnroll" with "3" argument(s): "The remote server returned an error: (504) Gateway Timeout."
Best Regards,
Ras
Answers
Have you configured the enrollment settings to point to a gateway server yet? (Even if the server is not deployed.)
You will be able to perform the enrollment of a device through ActiveSync, but establishing the VPN tunnel isn't possible as IPSec is not able to bind to the cradled connection. You need to hook up a virtual network card, and connect through that to establish the tunnel properly. (Maybe there is a hack for making it work through EAS, but I wouldn't recommend that approach.)
- Proposed As Answer by Wayne Phillips (MVP, Moderator), Thursday, October 22, 2009 11:54 PM
- Marked As Answer by Wayne Phillips (MVP, Moderator), Sunday, October 25, 2009 11:51 PM
All Replies
- Hi, Ras11m
"...also managed to install MDM device management server roles but before i deploy the gateway server i wanted to do some testing... "
When you are enrolling your device, it connects to the Enrollment server only once, during enrollment. After that (if enrollment was successful) it connects directly to the gateway server. So you need the gateway server anyway. If you have errors after all roles were installed, then you need to use the Connect Now & MDM VPN Diagnostics tools for troubleshooting. The MDM VPN Diagnostics tool can help you to diagnose IPSec issues. Also, you can use the Windows Mobile IP Utility for troubleshooting.
Knowing how to use search saves not only time, but also nerves
- Thanks Andreas, that's done the trick! Virtual network card on the emulator ...
By the way, I have got some other questions:
Firstly, how do I go about removing a device from the SCMDM console? I managed to run the removedevice PowerShell cmdlet; it successfully removes the device from the domain and adds it to the block list. I then run the clean up of blocked devices PowerShell cmdlet, but the device still appears in the all devices section. Is there a way of removing them from the console completely?
Secondly, once I put the SCMDM gateway server in the DMZ, can I configure it to assign IPs from the DMZ range? I.e. my gateway DMZ IP is 192.168.10.1; is it OK if I configure the virtual managed device IPs as 192.168.10.2 - say 192.168.10.100 (I will not be using this IP range on anything else in the DMZ zone)? If that can't be done and, say, I assign 192.168.11.x for the managed devices VPN, how do I ensure they have the right routes to the DM server from this range? How does the firewall/router in the DMZ zone know what the 192.168.11.x range is? Do the routes actually sit on the gateway server or on the firewall/router itself? And correct me if I am wrong, but let's say I need mobile devices to be able to access Exchange ActiveSync from this range: do I just allow HTTPS (443) from this private range (192.168.11.x) to the internal Exchange server on the firewall?
Thirdly, I created a package on WSUS for software distribution and now would like to remove it. It's not allowed, as it's prompting me that it's in use! How do I go about removing it from the software distribution console? Also, some cab files are having problems with software packaging; is that a common issue?
Cheers
Ras
- Ras,
To help people searching the forum, could you please post these as individual questions?
Cheers
Wayne
Airloom
- Not a problem Wayne will do :)

