Install DP to server with ISA\TMG installed

  • Question

  • Hi!

    I ran into a problem installing SCCM 2012 roles (currently DP's) to servers with ISA 2006\TMG 2010 firewalls installed.

    Error in distmgr.log is:

    CWmi::Connect() failed to connect to \\<server>\root\CIMv2. Error = 0x800706BA	SMS_DISTRIBUTION_MANAGER	23.11.2012 8:41:31	2300 (0x08FC)

    The same errors appear when I try to install SCCM clients here, but after a manual install via ccmsetup.exe it works fine.

    In SCCM 2007 I had the same deployment problem; there it was solved by manual client installation and then adding the needed site roles. But in SCCM 2012 these roles seem to be installed regardless of the client.

    In the firewall logs all connections from the primary SCCM server are allowed; a test rule allows all traffic to\from the SCCM server.

    Can I manually install the Site Server and Distribution Point roles on the server? I think this would get around the problem with RPC installation.

    Thanks in advance for your advice.

    Friday, November 23, 2012 6:29 AM

Answers

  • Problem fixed for me by some ISA config, used idea from http://forums.isaserver.org/m_410001100/mpage_1/key_/tm.htm#2002110974

    In my case this is one firewall allow rule for SCCM server->ISA server with 3 protocols:

    Custom DCOM (1024-50000 TCP Outbound)

    RPC Client (All interfaces)

    RPC Server (All interfaces)

    In the last 2 protocols the RPC filter is disabled.

    We use ISA in the "single network adapter" template, as a proxy only, and an allow rule for all traffic localhost<->internal network already exists. So additional config (NetBIOS, SMB etc.) is not needed for DP to work. Also there is no need to limit the DCOM port range.

    • Marked as answer by DmitriyZ Tuesday, December 4, 2012 4:11 AM
    Tuesday, December 4, 2012 4:10 AM
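
A check for the rule described above, added here as an example (not code from the thread or from Microsoft): run from the primary site server, it repeats the connection that distmgr.log reports as failing, first to the RPC endpoint mapper and then to root\CIMv2 over WMI. The -Target value is a placeholder for the ISA\TMG server name; Test-TcpPort is a helper defined in the script.

```powershell
# Added example: reproduce the failing CWmi::Connect() path from the site server.
# -Target is a placeholder for the server behind ISA\TMG.
param(
    [Parameter(Mandatory = $true)][string]$Target,
    [int]$TimeoutMs = 3000
)

# Helper (hypothetical name): TCP connect with a timeout, returns $true/$false.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Step 1: the RPC endpoint mapper listens on TCP 135.
$epm = Test-TcpPort -ComputerName $Target -Port 135 -TimeoutMs $TimeoutMs
"TCP 135 (RPC endpoint mapper) reachable: $epm"

# Step 2: the same namespace named in the distmgr.log error.
# WMI goes through the endpoint mapper and then a dynamically assigned port.
try {
    $os = Get-WmiObject -Class Win32_OperatingSystem -Namespace 'root\CIMv2' `
        -ComputerName $Target -ErrorAction Stop
    "WMI connect to \\$Target\root\CIMv2 succeeded: $($os.Caption)"
} catch {
    $hr = '0x{0:X8}' -f $_.Exception.HResult
    "WMI connect to \\$Target\root\CIMv2 failed: $hr $($_.Exception.Message)"
    if ($hr -eq '0x800706BA' -and $epm) {
        # Port 135 answers but the call still fails: look at the dynamic
        # DCOM port range and at RPC filtering on the firewall rule.
        "Hint: endpoint mapper is reachable; check the DCOM port range and the RPC filter."
    } elseif ($hr -eq '0x800706BA') {
        "Hint: TCP 135 itself is not reachable from this host."
    }
}
```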

All replies

  • Hi,

    The error you are getting translates to "The RPC server is unavailable." You need to make sure that you allow RPC traffic, otherwise the installation will not be successful.

    There is no other way to install the role but from the console. All firewall ports needed are listed here: http://technet.microsoft.com/en-us/library/hh427328.aspx

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Friday, November 23, 2012 6:46 AM
  • Thank you for the answer, Jörgen.

    All traffic open, bi-directional primary site server<->target system with ISA\TMG, strict RPC compliance is off. No effect.

    I can't see any denials in firewall logs to traffic from\to SCCM server.

    Friday, November 23, 2012 7:21 AM
  • It's got to be due to the ISA\TMG configuration blocking access by the Primary, without being there couldn't tell you what ...

    Monday, November 26, 2012 2:12 PM
  • Great thanks for letting us know!
    Friday, December 7, 2012 4:14 PM