DMZ client does not communicate with management point

    Question

  • Hi,

    We have two separate forests, one in the LAN and the other in the DMZ. We have deployed SCCM native mode in the LAN and it works without any problems.

    However, we have some issues getting the SCCM client working in the DMZ. We have deployed IBCM in the DMZ and a SQL replica. IBCM communicates with SQL successfully, which I can see in the Component Status logs on the primary site server.

    The command line to install the client is following:

    ccmsetup.exe /native CCMHOSTNAME=FQDNSMSSIGNCERT=sitesigning.cer SMSSITECODE=XXX CCMALWAYSINF=1

    The client is installed successfully and I can see that the client is assigned to the site (from Control Panel), but it does not create, for example, execmgr.log.

    Could you please suggest how to troubleshoot this further? Which logs should I examine?

    Thanks in advance,

    Peteris

    Sunday, November 20, 2011 7:41 PM

Answers

  • There's no "or" for the server locator point if you install the client like this - it's required for site assignment (not required if you specify the Internet-based management point).  And this means that you'll need unauthenticated HTTP connections from the untrusted network (DMZ) into the trusted network (intranet), which many security admins would not like.

    In addition, not all client-to-server communication on the intranet is restricted to HTTP/HTTPS - unlike communication for clients that are detected to be on the Internet or configured as Internet-only.  For example, if BITS fails to a distribution point, intranet clients automatically fall back to SMB when they are on the intranet.  This doesn't happen when they are detected to be on the Internet or configured as Internet-only.  If you want only HTTPS communication coming into the intranet, configure the clients in the DMZ as Internet-only.

    Friday, January 13, 2012 8:01 PM

All replies

  • Can you check or post the ClientIDManagerStartup.log & ClientLocation.log files?

    I hope you have taken care of the above command with a space...as below...

    ccmsetup.exe /native CCMHOSTNAME=FQDN SMSSIGNCERT=sitesigning.cer SMSSITECODE=XXX CCMALWAYSINF=1


    Monday, November 21, 2011 3:53 AM
  • Sure, there is space in the command line.

    ClientLocation.log does not show any error, and these two lines are posted repeatedly:

    GetCurrentManagementPointEx
    Current Management Point is real.management.point.FQDN with version 0 and capabilities:

    However ClientIDManagerStartup.log shows following errors:


    RegTask: Client is not registered. Sending registration request...

    RegTask: Failed to send registration request message. Error: 0x80040231
    RegTask: Failed to send registration request. Error: 0x80040231


    Thanks,

    Peteris

    Monday, November 21, 2011 6:39 AM
  • Can you verify a few things:

    Are you able to ping the management point?

    Verify from the client side that it is able to resolve your management point.

    Check that the MP has the CCM_System_WindowsAuth virtual directory.



    Syed Kasif | My blogs: http://syedtechblog.wordpress.com | Linkedin: /syedkashif
    Monday, November 21, 2011 8:13 AM
  • I can successfully ping and resolve Management point.

    But there is no such virtual directory (CCM_System_WindowsAuth); there is a virtual directory named CCM_System.

    I checked the MP in the LAN; it also doesn't have a CCM_System_WindowsAuth virtual directory, it has only CCM_System_AltAuth.


    Thanks,

    Peteris

    Monday, November 21, 2011 2:16 PM
  • This thread is a couple of months old now - did you resolve it?  I don't think a native mode management point uses the CCM_System_WindowsAuth virtual directory because Windows authentication is replaced with PKI authentication.  I hate error code 0x80040231 because it means "Transient error that could indicate a network problem", which is not very helpful.

    Whenever I see separate forests with native mode, I always suspect CRL issues - because this is tricky to get right.  I can see you're installing the client without CRL checking, but CRL checking is on by default in IIS.  Can the management point in the DMZ access the CRL for the client certificate?  This could stop the management point from successfully replying to the registration request from the client.  More information: http://blogs.technet.com/b/configmgrteam/archive/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server.aspx

    Wednesday, January 11, 2012 1:57 PM
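The CRL question in the post above is easy to test from the management point itself. The script below is an added example, not code from this thread or from Configuration Manager: it takes the CRL distribution point URL(s) you have already read out of the client certificate's CDP extension (for example with certutil -dump), fetches each one the way IIS would, and checks that what comes back is actually a DER-encoded CRL rather than, say, a proxy or captive-portal HTML page returned with HTTP 200. The URLs under crl.example and the canned responses in SAMPLE_RESPONSES are constructed so the check runs offline; pass real CDP URLs on the command line to test a live MP.

```python
"""Check that a CRL distribution point is reachable and serves a real CRL.

Added example, not from the original thread. It assumes you have already
read the CDP URL(s) out of the client certificate and that the MP fetches
the CRL over plain HTTP, as CDPs normally are published.
"""
import sys
import urllib.request
from urllib.error import URLError


def fetch_http(url, timeout=10):
    """Default fetcher: GET the URL and return (status, content_type, body)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


def der_outer_length(data):
    """Return the total encoded length of the outermost DER element, or None.

    A CRL (like a certificate) is a DER SEQUENCE: tag 0x30 followed by a
    length in short form (< 0x80) or long form (0x8n + n length bytes).
    Indefinite length (0x80) is not valid DER, so it is rejected too.
    """
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                        # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    return 2 + n + length


def check_crl_url(url, fetch=fetch_http):
    """Classify what a CDP URL returns as ('ok', detail) or ('fail', reason)."""
    try:
        status, ctype, body = fetch(url)
    except (URLError, OSError, ValueError) as exc:
        return ("fail", "unreachable: %s" % exc)
    if status != 200:
        return ("fail", "HTTP %d" % status)
    total = der_outer_length(body)
    if total is None:
        # Typical for a proxy or captive portal answering 200 with an HTML page.
        return ("fail", "body is not a DER SEQUENCE (starts with %r)" % body[:16])
    if total != len(body):
        return ("fail", "truncated CRL: header says %d bytes, got %d" % (total, len(body)))
    return ("ok", "%d-byte DER CRL, Content-Type %s" % (len(body), ctype or "?"))


def check_all(urls, fetch=fetch_http):
    """Run check_crl_url over every URL; returns {url: (state, detail)}."""
    return {u: check_crl_url(u, fetch) for u in urls}


# Constructed responses for offline use: a minimal valid DER SEQUENCE, an HTML
# page served with 200, and a CRL whose length header promises 256 body bytes.
SAMPLE_RESPONSES = {
    "http://crl.example/good.crl": (200, "application/pkix-crl", b"\x30\x03\x02\x01\x05"),
    "http://crl.example/portal": (200, "text/html", b"<html>login</html>"),
    "http://crl.example/short.crl": (200, "application/pkix-crl", b"\x30\x82\x01\x00" + b"\x00" * 10),
}


def fake_fetch(url):
    """Offline stand-in for fetch_http; unknown URLs behave like a blocked route."""
    if url not in SAMPLE_RESPONSES:
        raise OSError("no route to host")
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    urls = sys.argv[1:] or list(SAMPLE_RESPONSES) + ["http://crl.example/missing.crl"]
    fetch = fetch_http if sys.argv[1:] else fake_fetch
    for url, (state, detail) in check_all(urls, fetch).items():
        print(state.upper(), url, detail)
```

Run it on the DMZ management point, not on a workstation: the point is whether the MP's own network path (proxy settings, outbound firewall rules, name resolution into the LAN forest) can reach the CDP, since that is the fetch IIS performs while it validates the client certificate.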
  • You don't need to use IBCM in the DMZ; you can manage your clients in the DMZ like in the internal zone. All you need is to publish the MP in DNS in the DMZ, and/or use a Server Locator Point.

    ccmsetup.exe /native:FALLBACK SMSSIGNCERT=sitesigning.cer SMSSITECODE=XXX SMSSLP=SLPFQDN FSP=FSPFQDN

    On the firewall, create a rule for the HTTP and HTTPS ports from the DMZ to the SCCM server(s).

    Friday, January 13, 2012 8:36 AM
  • What does the IIS log on the MP say?

    1. Restart the SMS Agent Host on the client machine.

    2. Check the CCMExec.log on the client machine, to verify the Service is Fully Operational or not.

    3. Then Login to the Internet Management Point.

    4. Open IIS Log on the MP and search for the IP address of the client machine.

    5. If you are not seeing the IP address in the log, the issue will be in the network.

    6. If you find the IP address of the client machine there, copy the logs and provide them here.


    Thursday, March 15, 2012 10:01 PM
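Steps 4 to 6 of the post above are a manual search of the IIS log for one client address. The script below is an added example, not code from the thread or from Configuration Manager, that does that search over the W3C extended log format IIS 7.x writes by default, and it also decodes the 403 sub-status codes an HTTPS (PKI) management point returns when it rejects a client certificate. The log lines in SAMPLE_LOG are constructed to look like such a log (MP at 10.1.2.5, one client at 192.0.2.10 whose certificate is rejected, another at 192.0.2.11 that registers fine); they are not a real capture.

```python
"""Search an IIS W3C log from a management point for one client's requests.

Added example, not from the original thread. It assumes the default IIS 7.x
W3C extended field set (a #Fields: header names the columns, and IIS
replaces spaces inside fields such as the user agent with '+').
"""
import sys
from collections import Counter

# IIS 403 sub-status codes that matter when the MP demands a client certificate.
IIS_403_SUBSTATUS = {
    7: "client certificate required",
    13: "client certificate revoked",
    16: "client certificate is untrusted or invalid",
    17: "client certificate has expired or is not yet valid",
}

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2011-11-21 06:30:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2011-11-21 06:30:01 10.1.2.5 CCM_POST /ccm_system/request - 443 - 192.0.2.10 ccmhttp 403 16 0 15
2011-11-21 06:30:03 10.1.2.5 GET /SMS_MP/.sms_aut MPLIST 443 - 192.0.2.10 ccmhttp 200 0 0 3
2011-11-21 06:30:05 10.1.2.5 CCM_POST /ccm_system_altauth/request - 443 - 192.0.2.11 ccmhttp 200 0 0 20
2011-11-21 06:31:01 10.1.2.5 CCM_POST /ccm_system/request - 443 - 192.0.2.10 ccmhttp 403 16 0 12
"""


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # the field list can change mid-file
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("request line before any #Fields: header")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                        # truncated line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def requests_from(text, client_ip):
    """All request records whose client address (c-ip) matches."""
    return [r for r in parse_w3c(text) if r.get("c-ip") == client_ip]


def summarize(records):
    """Count (method, uri-stem, status.substatus) tuples for the records."""
    return Counter(
        (r["cs-method"], r["cs-uri-stem"].lower(), "%s.%s" % (r["sc-status"], r["sc-substatus"]))
        for r in records
    )


def diagnose(text, client_ip):
    """Human-readable findings for one client, following the post's steps 5 and 6."""
    records = requests_from(text, client_ip)
    if not records:
        return ["no requests from %s: the client never reached the MP, "
                "look at network/firewall/DNS first" % client_ip]
    findings = []
    for (method, stem, status), count in sorted(summarize(records).items()):
        code, sub = status.split(".")
        note = ""
        if code == "403" and int(sub) in IIS_403_SUBSTATUS:
            note = " <- " + IIS_403_SUBSTATUS[int(sub)]
        findings.append("%3d x %s %s -> %s%s" % (count, method, stem, status, note))
    return findings


if __name__ == "__main__":
    # Usage: python thisscript.py <client-ip> [u_ex111121.log ...]; no file means the sample.
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    text = SAMPLE_LOG
    if len(sys.argv) > 2:
        text = "".join(open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[2:])
    for line in diagnose(text, ip):
        print(line)
```

For a client that registers over a PKI management point, a 200 on CCM_POST /ccm_system/request is what success looks like; a run of 403.x responses on that path means IIS rejected the certificate before the MP component ever saw the registration message, which is consistent with the CRL concern raised earlier in the thread. No lines at all for the client's address means step 5 of the post applies and the problem is upstream of IIS.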