Client Connectivity - DMZ Server to SCCM 2012 R2 Environment

  • Question

  • Good afternoon,

    I'm having a problem getting the first server in our DMZ talking to our SCCM 2012 R2 server.

    I've followed this extensive document pretty much to the letter and done some other research to get to this point:

    hxxp://eskonr.com/2013/08/sccm-configmgr-2012-manage-workgroup-computers-for-deploymentremote-tools-etc/

    1. Client installs ok
    CcmSetup is exiting with return code 0 ccmsetup 4/09/2017 1:27:36 PM 3612 (0x0E1C)

    2. Client can talk to server (intranet). However Site settings do not populate and there is apparently no certificate.

    Site tab is empty.

    Client Certificate: None
    Connection Type: Currently Intranet

    Interestingly there is a fully valid certificate on the client that points to the same CA as the SCCM 2012 Primary Site server (no red crosses at any level from Root CA down. CA is an internal ADCS server).

    3. Components are all listed but unsurprisingly only the Machine and User Policy cycles are present.

    4. The LocationServices.log on the client reports (and I've renamed our actual domain with <internal.local> below):

    Failed to retrieve DNS service record using _mssms_mp_tfi._tcp.<internal.local> lookup. DNS returned error 9003 LocationServices 4/09/2017 1:27:42 PM 2676 (0x0A74)

    5. This DNS entry exists within our internal DNS environment.

    6. This DNS entry does NOT exist within our DMZ DNS server environment (which kind of makes sense).

    7. nbtstat -c on the client shows (IP, Site and Server names changed for security purposes)

                      NetBIOS Remote Cache Name Table

            Name              Type       Host Address    Life [sec]
        ------------------------------------------------------------
        PRI-SRV        <03>  UNIQUE          10.10.10.10        -1
        PRI-SRV        <00>  UNIQUE          10.10.10.10        -1
        PRI-SRV        <20>  UNIQUE          10.10.10.10        -1
        MP_TFI         <1A>  UNIQUE          10.10.10.10        -1

    8. All firewall ports between DMZ and internal network necessary are open (80,443 and 8530).

    9. We run an HTTPS only client environment.

    10. IIS returns default page in browser on client.

    11. CCMMessaging.log shows:

    Successfully sent location services HTTP failure message. CcmMessaging 4/09/2017 1:42:42 PM 2676 (0x0A74)
    Post to hxxp://SCCM-01.<INTERNAL.LOCAL>/ccm_system/request failed with 0x87d00231. CcmMessaging 4/09/2017 1:42:42 PM 2676 (0x0A74)

    12. I also note that the Advanced TCP/IP settings for the NIC on this client have a DNS suffix for the connection that matches the external facing domain for our agency rather than the internal one we use on our internal servers. Example: this value is <EXTERNALDOMAIN.COM> rather than the <INTERNAL.LOCAL> value used internally.

    13. Simple one SCCM server environment with all roles on this one server and a separate SQL instance on another server.

    I'm happy to forward more detailed logs and/or information to assist with troubleshooting this issue if it helps, but I'm stuck at this point.






    • Edited by Purple Futon Tuesday, September 5, 2017 10:31 PM
    Monday, September 4, 2017 7:59 AM

Answers

  • Hi Jason,

    After a bit more research and troubleshooting, problem was identified as being the command line parameters being used.

    Original setup command: ccmsetup.exe /Source:C:\Temp\CLIENT SMSSITECODE=TFI SMSMP=sccm-01.internal.local DNSSUFFIX=internal.local

    1. Our environment is set to use HTTPS only. Above string assumes HTTP as there is no protocol prefix for the SMSMP value. Resolved by using HTTPS prefix for SMSMP variable.

    2. We also did not force using a certificate, even though there was a valid one present. Resolved by using /usepkicert switch.

    3. We also saw a WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED message in ccmmessaging.log. Resolved by use of the /nocrlcheck switch.

    New setup command is: ccmsetup.exe /nocrlcheck /Source:<path to client> SMSSITECODE=<site code> SMSMP=https://sccm-01.internal.local DNSSUFFIX=internal.local /usepkicert

    Client installs fine, and even auto approves! Client settings now all fine (all actions, site, etc. etc.)

    Also tested a software update deployment without any issues.

    Cheers, PF.

    • Marked as answer by Purple Futon Monday, September 18, 2017 8:40 AM
    Monday, September 18, 2017 8:40 AM
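
The WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED message in the answer above means a revocation check could not complete, and /nocrlcheck works around it by having the client skip CRL checking. The following PowerShell is an added example, not code from the thread or from Microsoft: it lists the CRL distribution points (CDP) of client-authentication certificates on the host and reports whether each one can be fetched from there. It assumes the certificate is in Cert:\LocalMachine\My and that the CDP extension renders as text with `URL=` entries; all function names are hypothetical.

```powershell
# Added example, not from the thread. Run in PowerShell on the DMZ client.
# Assumption: the client certificate is in Cert:\LocalMachine\My.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$cdpOid        = '2.5.29.31'           # CRL Distribution Points extension

function Test-ClientAuthEku($Certificate) {
    $eku = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
}

function Get-CdpUrl($Certificate) {
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
    if (-not $ext) { return }
    # Assumption: Format() renders each distribution point as "URL=<location>"
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-Revocation($Certificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'       # fetch CRLs instead of using cache only
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'  # check every certificate up to the root
    [void]$chain.Build($Certificate)
    # RevocationStatusUnknown / OfflineRevocation mean a CRL could not be retrieved
    $chain.ChainStatus | ForEach-Object { $_.Status }
}

function Test-CdpUrl([string]$Url) {
    if ($Url -notmatch '^https?://') { return 'not tested (non-HTTP location)' }
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        "HTTP $($r.StatusCode)"
    } catch { "unreachable: $($_.Exception.Message)" }
}

Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-ClientAuthEku $_ } | ForEach-Object {
    $cert   = $_
    $status = (Test-Revocation $cert) -join ', '
    foreach ($url in @(Get-CdpUrl $cert)) {
        [pscustomobject]@{
            Subject     = $cert.Subject
            ChainStatus = if ($status) { $status } else { 'NoError' }
            CdpUrl      = $url
            Result      = Test-CdpUrl $url
        }
    }
} | Format-List
```

If every HTTP CDP reports unreachable and ChainStatus shows RevocationStatusUnknown or OfflineRevocation, the alternative to /nocrlcheck is to publish the CRL at a location the DMZ can reach.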

All replies

  • Single out of context log lines are completely meaningless. Some errors may be expected or at least non-fatal so those you have above have nothing to do with your issue. You need to review the complete logs -- or provide them by posting them on a file sharing service and link to them here (if you post the logs here -- most will completely ignore your post as reading logs in the forum is difficult at best). ccmmessaging.log, clientidmanagerstartup.log, locationservices.log, and clientlocation.log are the ones to start with.

    Also, is your CRL accessible in the DMZ?

    DNS is also irrelevant here in general depending upon how you've installed the client. How exactly did you install the client and (assuming manually) what command-line exactly did you use?


    Jason | https://home.configmgrftw.com | @jasonsandys

    Monday, September 4, 2017 2:41 PM
  • Hi Jason,

    Good point on the log snippets not being useful if pruned; I'll be less stingy next time.

    DMZ client logs can be found here: <redacted>

    CRL is not accessible in the DMZ.

    Client package was copied to the client and run manually with the following command line:

    ccmsetup.exe /Source:C:\Temp\CLIENT SMSSITECODE=TFI SMSMP=sccm-01.internal.local DNSSUFFIX=internal.local

    I also left a copy of the ccmsetup log in the logs folder link above.



    • Edited by Purple Futon Monday, September 18, 2017 8:29 AM
    • Proposed as answer by veera0918 Friday, November 3, 2017 8:20 PM
    Tuesday, September 5, 2017 1:43 AM