SCCM DMZ ports used by IBCM client

  • Question

  • We have a functional single-site-server SCCM 1710 environment and need to add a DMZ to serve Windows updates to our Internet-based SCCM clients.

    Internally our clients use TCP 8530 to hit our SUP to read the Windows Update catalog. Once they are on the Internet we want them to use TCP 8531 (SSL). We have configured the SUP in the DMZ for the client to use TCP 8531. But when testing an Internet-based client I see in LocationServices.log that it is trying to use SSL on 443 to hit the SUP instead of TCP 8531.

    We also have an F5 with a URL that an Internet-based client would hit. When on the Internet, the ConfigMgr client does show the connection type as "Currently Internet" and the client certificate as PKI. When I run a Software Updates Deployment Evaluation Cycle, LocationServices.log shows the client trying to use TCP 443 instead of 8531. Under the Network tab I am seeing the URL (FQDN) that I am using for the Internet-based management point.

    Can anyone give me a clue how the F5 should be configured for an SCCM DMZ? Thanks

    Wednesday, March 21, 2018 9:35 PM

Answers

  • Opened a Microsoft case and they were able to create self-signed certificates from our AD CA for the SCCM client, DP & IIS. We are now able to support IBCM devices with Windows updates and deployment packages.
    • Marked as answer by BRCS Thursday, April 12, 2018 2:36 PM
    Thursday, April 12, 2018 2:36 PM

All replies

  • First, I'm assuming that you also have an MP (and possibly a DP) in the DMZ as well configured for Internet clients.

    Have you checked the ports that the SUP is configured for in the console? From memory, they default to 80 and 443. This is what the clients use to communicate with the SUP (the WSUS instance on the SUP really).


    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, March 21, 2018 10:17 PM
  • The DMZ has the DP, MP & SUP roles installed on it. The SUP is configured to use TCP 8530 & TCP 8531 in our environment, which is what the workstation ConfigMgr client should be using when hitting the SUP to read the Windows Update catalog from the Internet.

    Also, since I have an F5 in the mix and Internet-based clients hit that first, the question has come up about what certs to have on the F5. We have created our own self-signed certs for the DMZ MP, DP, & SUP. But since the workstations will have our SCCM client before they are ever used from the Internet, I am wondering why I need to worry about a cert on the F5 at all, since the DMZ IIS, DP & MP will be checking whether the ConfigMgr client is one of ours trying to gain access.

    I welcome any comments on all of this since I have never had to stand up an SCCM DMZ before...
    Thursday, March 22, 2018 1:40 PM
  • > "I am wondering why i need to worry about a cert on the F5 at all since the DMZ IIS, DP & MP will be checking if the config mgr client is one of ours trying to gain access."

    Because your F5 is bridging the SSL connection, meaning that it is actually terminating the SSL connection between the client and itself and initiating a new SSL connection to the MP, DP, or SUP. That's a better question for your F5 folks though, as it really has nothing to do with ConfigMgr.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, March 22, 2018 4:06 PM
  • I have had this discussion and the F5 folks insist they need a cert for the F5...
    Thursday, March 22, 2018 5:46 PM
  • Right, no disagreement. I'm just saying that's simply how SSL bridging works which is a function of the F5 and not ConfigMgr so if you want to know more details on why, then asking them is your best path.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, March 22, 2018 6:06 PM
  • My next question is which cert would they need for the F5?

    I have created self-signed certs:

    ConfigMgr 2012 Client Cert, ConfigMgr 2012 IIS Cert, ConfigMgr 2012 Client Dist Point Cert

    Thursday, March 22, 2018 6:25 PM
  • Self-signed certs won't work.

    Also, each client must have its own unique client auth cert.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, March 22, 2018 9:41 PM
  • Each Internet-based device would have our self-signed SCCM client cert installed before leaving our location. Our DMZ would have the MP, DP, and IIS self-signed certs installed, which should work.
    Friday, March 23, 2018 8:48 PM
  • Same answer. That's not valid and won't work.

    Certs cannot be self-signed and each client must have its own, unique client auth cert.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Saturday, March 24, 2018 2:24 AM
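The requirements stated in the reply above (a CA-issued rather than self-signed certificate, a client-authentication certificate unique to each client, and a server certificate carrying the name Internet clients actually connect to) can be checked on the box itself before opening a case. The following PowerShell function is an added example written for this page, not code from the thread or from Microsoft; the thumbprints and the Internet FQDN in the usage lines are placeholders, and the choice to skip revocation checking so the script runs offline is an assumption of this example.

```powershell
# Added example (not from the thread): checks whether a certificate in the local
# machine store meets the IBCM requirements discussed above: issued by a CA (not
# self-signed), chain builds, EKU matches the role, private key present, server
# name matches the FQDN Internet clients use, and not expired.
# Thumbprints and FQDN below are placeholders (assumptions), not values from the post.

function Test-IbcmCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][ValidateSet('Client','Server')][string]$Role,
        # For Server: the FQDN clients (or the F5 VIP) connect to.
        # For Client: defaults to this machine's FQDN, since each client needs its own cert.
        [string]$ExpectedDnsName
    )

    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    if ($Role -eq 'Client' -and -not $ExpectedDnsName) {
        $ExpectedDnsName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    }

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Self-signed: Issuer equals Subject means no CA vouches for it, so neither
    #    the client nor the site system can validate the other side.
    if ($cert.Subject -eq $cert.Issuer) {
        $findings.Add('Self-signed (Issuer equals Subject); a CA-issued certificate is required')
    }

    # 2. The chain must build to a root the peer trusts. Revocation checking is
    #    skipped here (assumption) so the script runs without CRL access.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $findings.Add("Chain does not build: $status")
    }

    # 3. Enhanced Key Usage must match the role (Client Authentication or Server Authentication).
    $ekuOid = if ($Role -eq 'Client') { '1.3.6.1.5.5.7.3.2' } else { '1.3.6.1.5.5.7.3.1' }
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ekuOid })) {
        $findings.Add("Missing EKU $ekuOid required for $Role authentication")
    }

    # 4. A private key must be present: the client proves possession of it at
    #    registration, and IIS needs it to terminate TLS.
    if (-not $cert.HasPrivateKey) { $findings.Add('No private key associated with this certificate') }

    # 5. The DNS name must match: for a server cert, the name in the URL the
    #    Internet client (or F5 bridging to it) uses; for a client cert, this host.
    if ($ExpectedDnsName) {
        $names = @()
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
        if ($san) { $names += ($san.Format($false) -split ', ') -replace '^DNS Name=' }
        $names += $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if (-not ($names -contains $ExpectedDnsName)) {
            $findings.Add("Neither SAN nor CN contains $ExpectedDnsName (found: $($names -join ', '))")
        }
    }

    # 6. Validity period.
    if ($cert.NotAfter -lt (Get-Date)) { $findings.Add("Expired on $($cert.NotAfter)") }
    if ($cert.NotBefore -gt (Get-Date)) { $findings.Add("Not valid until $($cert.NotBefore)") }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        Role       = $Role
        Ok         = ($findings.Count -eq 0)
        Findings   = $findings
    }
}

# Usage (placeholder thumbprints and FQDN; run on the client, then on the DMZ site system):
# Test-IbcmCertificate -Thumbprint 'A1B2C3...' -Role Client
# Test-IbcmCertificate -Thumbprint 'D4E5F6...' -Role Server -ExpectedDnsName 'sccm-internet.example.com'
```

Run it once on an Internet client against the certificate selected in the ConfigMgr client properties, and once on the DMZ site system against the certificate bound in IIS. A self-signed certificate fails check 1 immediately; a server certificate issued for the internal site-system name but published behind an F5 under a different public FQDN fails check 5, which is the case the SSL-bridging reply above is describing.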
  • If the certs are created from a CA, then they are not self-signed.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, April 12, 2018 2:56 PM