Internet based client management

  • Question

  • Hi Frenz,

    We have an SCCM Current Branch 1706 version in our org. Currently it manages 3K clients on the intranet, and we have around 300+ users who will switch between intranet and internet.

    I'm in the process of setting up an IBCM solution. We ruled out Cloud Management Gateway due to some Azure subscription issue, so we are left with the traditional method.

    I managed to set up the IBCM server in the DMZ zone by taking reference from the below article: https://www.systemcenterdudes.com/internet-based-client-management/

    The IBCM server is listed when querying the MPLIST from intranet machines.

    I modified the control panel applet network settings to the IBCM server (Internet facing FQDN), and the network team has confirmed a public IP is assigned and NATed with the local IP of the IBCM server.

    Issue: I got the control panel applet changed to PKI and Internet, and the https URL of IBCM (Internet facing) is accessible from internet clients, but client logs are flooded with errors.

    Location Services.Log

    ********************************************************************************************

    Domain joined client is in Unknown location LocationServices 07/06/2018 17:22:26 1972 (0x07B4)
    2 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 07/06/2018 17:22:26 6964 (0x1B34)
    Unable to retrieve AD forest + domain membership. Error 0x8007054b LocationServices 07/06/2018 17:22:26 7148 (0x1BEC)
    Failed to send request to /SMS_MP/.sms_aut?SITESIGNCERT at host Intranet Server, error 0x2ee7 LocationServices 07/06/2018 17:22:26 7148 (0x1BEC)
    [CCMHTTP] ERROR: URL=http://Intranet server/SMS_MP/.sms_aut?SITESIGNCERT, Port=80, Options=448, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED LocationServices 07/06/2018 17:22:26 7148 (0x1BEC)
    [CCMHTTP] ERROR INFO: StatusCode=600 StatusText= LocationServices 07/06/2018 17:22:26 7148 (0x1BEC)
    Raising event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = "GUID:4e5b7237-3c24-41df-bb06-58ba14254051";
    DateTime = "20180607162226.290000+000";
    HostName = "Intranet server";
    HRESULT = "0x80072ee7";
    ProcessID = 7016;
    StatusCode = 600;
    ThreadID = 7148;
    };
    LocationServices 07/06/2018 17:22:26 7148 (0x1BEC)
    Successfully queued event on HTTP/HTTPS failure for server 'Intranet Server'. LocationServices 07/06/2018 17:22:26 7148 (0x1BEC)
    3 internet MP errors in the last 10 minutes, threshold is 5. LocationServices 07/06/2018 17:22:35 6720 (0x1A40)
    Failed in WinHttpReceiveResponse API, ErrorCode = 0x2ee2 LocationServices 07/06/2018 17:22:58 7148 (0x1BEC)
    [CCMHTTP] ERROR: URL=https://IBCM server/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=448, Code=12002, Text=ERROR_WINHTTP_TIMEOUT LocationServices 07/06/2018 17:22:58 7148 (0x1BEC)
    [CCMHTTP] ERROR INFO: StatusCode=600 StatusText= LocationServices 07/06/2018 17:22:58 7148 (0x1BEC)
    Raising event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = "GUID:4e5b7237-3c24-41df-bb06-58ba14254051";
    DateTime = "20180607162258.275000+000";
    HostName = "ibcm Server";
    HRESULT = "0x80072ee2";
    ProcessID = 7016;
    StatusCode = 600;
    ThreadID = 7148;
    };
    LocationServices 07/06/2018 17:22:58 7148 (0x1BEC)
    Successfully queued event on HTTP/HTTPS failure for server 'IBCM Server'. LocationServices 07/06/2018 17:22:58 7148 (0x1BEC)
    Domain joined client is in Unknown location LocationServices 07/06/2018 17:22:58 7148 (0x1BEC)

    ***************************************************************************************************


    Thursday, June 7, 2018 5:07 PM

Answers

All replies

  • [CCMHTTP] ERROR: URL=https://IBCM server/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=448, Code=12002, Text=ERROR_WINHTTP_TIMEOUT

    The traffic is not making it to the Internet facing MP and back. You need to troubleshoot the network path between the client and the Internet facing MP.


    Jason | https://home.configmgrftw.com | @jasonsandys

    Thursday, June 7, 2018 6:44 PM
  • Hello Jason,

    I have verified the network layer by triggering the Machine cycle and accessing the URL: https://IBCM.FQDN:443

    We are not getting the ports 80 & 443 blocked between internet client and Internet MP.

    Any suggestion please.

    • Proposed as answer by nate_B11 Tuesday, March 17, 2020 3:59 PM
    Thursday, June 7, 2018 7:49 PM
  • > "I have verified the Network layer, by triggering the Machine cycle and accessing the URL : https://IBCM.FQDN:443"

    That doesn't really verify that all communication will make it.

    Have you reviewed ccmmessaging.log?


    Jason | https://home.configmgrftw.com | @jasonsandys

    • Marked as answer by Juliesmiley Monday, June 11, 2018 11:48 AM
    Thursday, June 7, 2018 7:53 PM
  • Thanks for your Response.

    Will have a look at CCMMESSAGING.LOG and update shortly.

    Actually we are using Zscaler for proxy; I don't know whether that's causing any issue.

    Based on my current state, can we confirm that the IBCM server configuration and certificate configuration are fine?

    Maybe a silly question, please correct me if I'm wrong:

    1. While specifying the Root Specified CA option under the site properties, I have exported the CA certificate from the SCCM site server and pointed to it.

    2. For configuring the internet client, I have just changed the network properties from the control panel applet to the Internet FQDN of the IBCM server and manually enrolled the certificate from PKI.



    Thursday, June 7, 2018 9:46 PM
  • Hi ,

    0x2ee2 = The operation timed out

    0x80072ee7 = The server name or address could not be resolved

    This looks like a network related issue. Have you checked the prerequisites for IBCM? You need to pay attention to the firewall/proxy/certificates/DNS/verbs. Reference:

    https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management#prerequisites-for-internet-based-client-management

    Best regards,
    XueZhi Zhou


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, June 8, 2018 9:35 AM
  • Those errors occur when the device is trying to connect to the internal site system and so are expected and not the source of any issues here.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Friday, June 8, 2018 1:23 PM
  • Thanks a lot, Please find the CCMMessaging log

    CCM Messaging.Log:

    [CCMHTTP] ERROR: URL=https://ibcm/ccm_system/request, Port=443, Options=448, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE CcmMessaging 08/06/2018 13:05:49 504 (0x01F8)
    [CCMHTTP] ERROR INFO: StatusCode=600 StatusText= CcmMessaging 08/06/2018 13:05:49 504 (0x01F8)
    Successfully queued event on HTTP/HTTPS failure for server 'ibcm.com'. CcmMessaging 08/06/2018 13:05:49 504 (0x01F8)
    Post to https://ibcm.com/ccm_system/request failed with 0x87d00231. CcmMessaging 08/06/2018 13:05:49 504 (0x01F8)
    [CCMHTTP] AsyncCallback(): ----------------------------------------------------------------- CcmMessaging 08/06/2018 13:07:02 1548 (0x060C)
    [CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered CcmMessaging 08/06/2018 13:07:02 1548 (0x060C)
    [CCMHTTP]                : dwStatusInformationLength is 4
    CcmMessaging 08/06/2018 13:07:02 1548 (0x060C)
    [CCMHTTP]                : *lpvStatusInformation is 0x10
    CcmMessaging 08/06/2018 13:07:02 1548 (0x060C)
    [CCMHTTP]            : WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID is set
    CcmMessaging 08/06/2018 13:07:02 1548 (0x060C)
    [CCMHTTP] AsyncCallback(): ----------------------------------------------------------------- CcmMessaging 08/06/2018 13:07:02 1548 (0x060C)
    Raising event:
    instance of CCM_CcmHttp_Status
    {
    ClientID = "GUID:4e5b7237-3c24-41df-bb06-58ba14254051";
    DateTime = "20180608120702.183000+000";
    HostName = "ibcm.com";
    HRESULT = "0x80072f8f";
    ProcessID = 1032;
    StatusCode = 16;
    ThreadID = 1548;
    };

    CcmMessaging 08/06/2018 13:08:42 976 (0x03D0)
    Failed in WinHttpSendRequest API, ErrorCode = 0x2f8f CcmMessaging 08/06/2018 13:08:42 976 (0x03D0)


    Friday, June 8, 2018 1:49 PM
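As an added example (not part of any post in this thread): a small Python triage script for the CCMHTTP lines quoted above, mapping each WinHTTP code to the layer to check first and decoding the secure-failure bitmask. The function names and the layer hints are this example's own assumptions; the code and flag values are those defined in winhttp.h. In the last log, 0x10 decodes to CERT_CN_INVALID, meaning the host name the client connected to does not match a name in the certificate the management point presented.

```python
import re

# WinHTTP error codes (winhttp.h) mapped to the layer to investigate first.
WINHTTP_ERRORS = {
    12002: ("ERROR_WINHTTP_TIMEOUT", "network path (firewall, NAT, proxy)"),
    12007: ("ERROR_WINHTTP_NAME_NOT_RESOLVED", "DNS"),
    12175: ("ERROR_WINHTTP_SECURE_FAILURE", "TLS server certificate"),
}
# WINHTTP_CALLBACK_STATUS_FLAG_* bits reported in *lpvStatusInformation.
SECURE_FLAGS = {
    0x01: "CERT_REV_FAILED", 0x02: "INVALID_CERT", 0x04: "CERT_REVOKED",
    0x08: "INVALID_CA", 0x10: "CERT_CN_INVALID", 0x20: "CERT_DATE_INVALID",
    0x40: "CERT_WRONG_USAGE", 0x80000000: "SECURITY_CHANNEL_ERROR",
}
ERR_RE = re.compile(r"\[CCMHTTP\] ERROR: URL=(.*?), Port=(\d+), .*?Code=(\d+)")
FLAG_RE = re.compile(r"\*lpvStatusInformation is (0x[0-9a-fA-F]+)")

def win32_code(hresult):
    """Return the Win32 code inside a FACILITY_WIN32 HRESULT like 0x80072ee7."""
    value = int(hresult, 16)
    return value & 0xFFFF if value >> 16 == 0x8007 else value  # bare code passes through

def decode_secure_flags(value):
    """Return the names of the certificate-failure bits set in value."""
    return [name for bit, name in sorted(SECURE_FLAGS.items()) if value & bit]

def triage(lines):
    """Return one finding per CCMHTTP error line or secure-failure flag line."""
    findings = []
    for line in lines:
        err, flag = ERR_RE.search(line), FLAG_RE.search(line)
        if err:
            code = int(err.group(3))
            name, layer = WINHTTP_ERRORS.get(code, ("UNKNOWN", "unclassified"))
            findings.append((err.group(1), int(err.group(2)), name, layer))
        elif flag:
            flags = decode_secure_flags(int(flag.group(1), 16))
            findings.append(("secure-failure flags", flags))
    return findings

# Sample lines copied from the logs posted in this thread (host names as posted).
SAMPLE = [
    "[CCMHTTP] ERROR: URL=http://Intranet server/SMS_MP/.sms_aut?SITESIGNCERT, Port=80, Options=448, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED",
    "[CCMHTTP] ERROR: URL=https://IBCM server/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=448, Code=12002, Text=ERROR_WINHTTP_TIMEOUT",
    "[CCMHTTP] ERROR: URL=https://ibcm/ccm_system/request, Port=443, Options=448, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE",
    "[CCMHTTP]                : *lpvStatusInformation is 0x10",
]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```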
  • Hi Juliesmiley,

    Make sure the clients can access the CRL if CRL checking is enabled. Try to turn off the CRL checking and reinstall the client by using the MP's FQDN.

    Do you have a certificate available with client authentication capabilities? Have you successfully deployed the client certificate on your MP?
    Can the clients resolve the Internet FQDN of the MP?

    Best regards,
    XueZhi Zhou


    Friday, June 8, 2018 5:54 PM
  • Thanks for your response Xzh Zhou

    I have already unchecked the check for CRL option in the site system.

    We have installed 3 certificates on the IBCM server (Web certificate, DP certificate and Client certificate).

    Have manually enrolled the client certificate on the test PC.

    Able to nslookup the IBCM internet FQDN properly.

    Will reinstall the certificate & client and update shortly. Seriously, it's painful to understand the root cause of the issue, since I'm a beginner with IBCM. Thanks for your support.

    Friday, June 8, 2018 7:15 PM
  • Hi Juliesmiley,

    Are there any errors in the IIS logs?

    Here is a pretty good summary blog for the implementation of IBCM, I hope it helps:

    https://blogs.technet.microsoft.com/jchalfant/prerequisites-for-internet-based-client-management-ibcm-in-configuration-manager/

    https://blogs.technet.microsoft.com/jchalfant/ports-required-for-a-site-system-in-dmz-in-configuration-manager/

    Best regards,
    XueZhi Zhou



    Friday, June 8, 2018 9:16 PM
  • Thanks a lot Xzh Zhou and Jason.

    I totally messed with the certificate part and all seems to be working great now.

    Monday, June 11, 2018 11:47 AM
  • Hi Juliesmiley,

    Currently we have the same issue. Could you please let me know how you solved it?

    Best Regards

    Rashad Bakirov

    Monday, July 6, 2020 8:42 PM