Deploying SCCM client to machines in different subnet

  • Question

  • Hi,

    this could be the noobiest question of all times regarding networking but I have to ask.

    So, first of all, I am a networking noob, so bear with me. We are deploying SCCM 2012 client to all machines in our domain. "Main" network is 192.168.16.1 - 192.168.31.254. (255.255.240.0) In here everything is nice and dandy but of course we have other clients in 192.168.10.0 (255.255.255.0) subnet, but there I cannot deploy the client or EP protection, I understand why but I don't understand what should I do to make it work.

    I have enabled network discovery (besides AD discovery):

    In boundaries I have it setup like this:

    CCMsetup.log from machine:

    The machines in this subnet cannot ping my sccm server and DC's (of course).

    Would somebody be so kind and explain it to me in more DETAIL what is going on? Do I need to configure a firewall rule on our network or can I just make it work from sccm?

    Thanks,



    • Edited by Tonito Dux Wednesday, July 22, 2015 12:07 PM
    Wednesday, July 22, 2015 11:42 AM

Answers

  • So you mean to say that we should enable a firewall rule for clients from xy subnet to be able to communicate to our main subnet? 

    Yes, if clients are located in "xy subnet" and ConfigMgr in the "main subnet" and if there's a firewall in between. See https://technet.microsoft.com/en-us/hh427328.aspx for ports needed. 

    Torsten Meringer | http://www.mssccmfaq.de

    • Proposed as answer by Joyce L Thursday, July 23, 2015 5:07 AM
    • Marked as answer by Joyce L Thursday, August 6, 2015 7:13 AM
    Wednesday, July 22, 2015 1:13 PM
  • Tonito,

    They are boundaries not boundary groups.

    You need to create a boundary group and if you want these boundaries to use the same DP's add them to the group. Then add in the server hosting the DP in for Content Location.

    https://technet.microsoft.com/en-us/gg712679.aspx


    Cheers Paul | http://sccmentor.wordpress.com

    • Proposed as answer by Joyce L Thursday, July 23, 2015 5:07 AM
    • Marked as answer by Joyce L Thursday, August 6, 2015 7:13 AM
    Wednesday, July 22, 2015 1:13 PM
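The boundary group setup Paul describes, written out with the ConfigMgr PowerShell cmdlets as an added example (not from the thread). It assumes the Configuration Manager console module is loaded and the CMSite drive mounted; site code, boundary names and the DP server name are placeholders, and it follows Paul's earlier advice of using IP ranges rather than IP subnets.

```powershell
# Added example, not part of the original thread. Run from a console host where the
# ConfigurationManager module is importable; 'P01' and 'sccm01.corp.example' are placeholders.
Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location 'P01:'

$dpServer = 'sccm01.corp.example'   # placeholder: site server hosting the MP/DP

# IP range boundaries for both networks from the question (ranges, not subnets).
$ranges = @{
    'Main network 192.168.16.0/20' = '192.168.16.1-192.168.31.254'
    'Remote LAN 192.168.10.0/24'   = '192.168.10.1-192.168.10.254'
}

foreach ($name in $ranges.Keys) {
    # Skip creation if a boundary with that name already exists (idempotent re-runs).
    if (-not (Get-CMBoundary -BoundaryName $name)) {
        New-CMBoundary -Name $name -Type IPRange -Value $ranges[$name] | Out-Null
    }
}

# A boundary on its own does nothing for site assignment or content location;
# it must be a member of a boundary group that references the DP.
$groupName = 'All clients (placeholder)'
if (-not (Get-CMBoundaryGroup -Name $groupName)) {
    New-CMBoundaryGroup -Name $groupName | Out-Null
}

foreach ($name in $ranges.Keys) {
    Add-CMBoundaryToGroup -BoundaryName $name -BoundaryGroupName $groupName
}

# Reference the server hosting the DP so clients in either range get a content location.
Set-CMBoundaryGroup -Name $groupName -AddSiteSystemServerName $dpServer

# Show the result for a quick sanity check.
Get-CMBoundary -BoundaryGroupName $groupName | Select-Object DisplayName, Value
```

Adding the DP to the group only fixes content location; a firewall between the ranges still has to allow the client-to-MP/DP ports before ccmsetup stops timing out.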
  • Don't know. As mentioned, you need to troubleshoot why the client is not getting a reply. It could be many different things as I pointed out and listed just a few possibilities. There simply is no way for me to magically know what is preventing a reply to the traffic in your unique environment.

    The client must be able to communicate with the MP and DP. Does that require firewall rules? Don't know, that totally depends upon your environment and if there even is a firewall between the clients and the site roles and how it's configured.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Proposed as answer by Joyce L Thursday, July 23, 2015 5:07 AM
    • Marked as answer by Joyce L Thursday, August 6, 2015 7:13 AM
    Wednesday, July 22, 2015 1:25 PM

All replies

  • Pings could be disabled via a firewall so not always the best test. 

    First I would disable Network Discovery. It's not needed. Also change the IP subnets to IP ranges as a preferred boundary. Jason Sandys has some information on this at his blog that you may wish to read http://blog.configmgrftw.com/ip-subnet-boundaries-still-evil/

    If a firewall is in place you will need to enable certain ports from client to server. Take a look here

    https://technet.microsoft.com/en-us/hh427328.aspx

    I'm assuming you have a single site server with MP & DP installed. If so do a simple check to see if the clients in the 192.168.10.0 can connect via port 80 to the site server. If not then they will not get policy or content. 

    The main thing is establish if a firewall exists between the two subnets.


    Cheers Paul | http://sccmentor.wordpress.com

    Wednesday, July 22, 2015 12:13 PM
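The port check Paul recommends, as an added example run on a client in the 192.168.10.0 range (not code from the thread). The site server name is a placeholder; it assumes Windows 8.1 / Server 2012 R2 or later for Test-NetConnection, and an HTTP (not HTTPS) management point.

```powershell
# Added example, not part of the original thread. $SiteServer is a placeholder;
# set it to the FQDN of the server hosting the MP and DP.
$SiteServer = 'sccm01.corp.example'

# ICMP may be filtered, so ping proves nothing; test the TCP ports the client uses.
# 80/443: MP and DP (HTTP/HTTPS); 445: SMB content fallback; 10123: client notification;
# 8530/8531: only relevant if a software update point (WSUS) is on the same server.
$ports = [ordered]@{
    'MP/DP HTTP'          = 80
    'MP/DP HTTPS'         = 443
    'SMB (content)'       = 445
    'Client notification' = 10123
    'WSUS HTTP'           = 8530
    'WSUS HTTPS'          = 8531
}

foreach ($name in $ports.Keys) {
    $port = $ports[$name]
    # -InformationLevel Quiet returns $true/$false for a plain TCP connect.
    $ok = Test-NetConnection -ComputerName $SiteServer -Port $port `
          -InformationLevel Quiet -WarningAction SilentlyContinue
    '{0,-20} TCP {1,-6} {2}' -f $name, $port, $(if ($ok) { 'open' } else { 'BLOCKED / timeout' })
}

# The MP answers an unauthenticated MP list request on this URL. A timeout here is the
# same symptom as the 0x80072ee2 in ccmsetup.log; use https:// if the MP requires HTTPS.
try {
    $r = Invoke-WebRequest -Uri "http://$SiteServer/sms_mp/.sms_aut?mplist" `
         -UseBasicParsing -TimeoutSec 15
    'MP list request: HTTP {0}, {1} bytes' -f $r.StatusCode, $r.RawContentLength
} catch {
    "MP list request failed: $($_.Exception.Message)"
}
```

Run the same script from a client in the main range as well: if port 80 is open there but blocked from 192.168.10.0, the difference is the firewall or routing between the two subnets rather than the site configuration.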
  • Sorry, my net connection is slow here. Just seen the log image. 

    Have you created a boundary group and added in both boundaries? Once you have done that assign a DP for content location


    Cheers Paul | http://sccmentor.wordpress.com

    Wednesday, July 22, 2015 12:18 PM
  • Hi Paul,

    thank you for your answer, reading your first suggestion link.

    Your net is fine, I just added the 3rd screenshot a couple of minutes ago.

    Boundary group is my 2nd screenshot, so I think I have them included.

    Wednesday, July 22, 2015 12:24 PM
  • 0x80072ee2 = "The operation timed out"

    This can be caused by many different things but basically means the client tried to communicate but never got a reply. There is no way to know from the client's end why it didn't get a reply. You'll probably need someone that knows about your network to get involved to help troubleshoot this. Some (by no means all though) possibilities include firewall blocking, port filtering, proxy server, security filtering, and routing issues.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, July 22, 2015 1:05 PM
  • Hi Jason,

    thank you for your reply. Problem is that we are currently operating without a network engineer but that is a different topic. So you mean to say that we should enable a firewall rule for clients from xy subnet to be able to communicate to our main subnet? I just want to know if the theory is right.

    Cheers,

    Wednesday, July 22, 2015 1:11 PM
  • Hi,

    I understand you and I have this in place but the forum won't upload my screenshot.

    Here you go:

    http://i58.tinypic.com/2s1xgyf.jpg


    • Edited by Tonito Dux Wednesday, July 22, 2015 1:21 PM
    Wednesday, July 22, 2015 1:21 PM
  • All clear!

    Thank you ALL the guys for quick help, I appreciate it so much!

    Cheers,

    Wednesday, July 22, 2015 1:27 PM