SCCM with IPsec NAP

  • Question

  • We have an IPsec NAP deployment which we're trying to integrate with SCCM 2012 SP1 CU2. Everything works fine, as long as clients are compliant.

    I'm testing what happens when they're non-compliant and am having some problems. As soon as I make a client non-compliant (by turning off AV) it is unable to install software through System Center.

    For applications I get: The software change returned error code 0x87D00607(-2016410105).
    For packages: The software could not be found on any servers at this time.

    I've been going through the logs but can't find anything useful (perhaps I'm not looking at the correct one). It appears that the client can't find the DP (we have a single one).

    I might add that the IP of the client doesn't change when it goes from compliant to non-compliant. Clients communicate with the DP through HTTP, Allow clients to connect anonymously is checked. The DP Boundary Group consists of Boundaries for AD sites and the entire IP range for our clients. Allow fallback source location for content is checked.

    I can easily ping, go to all shares and access SCCM through Internet Explorer on port 80 (IIS shows up). The same is also true in reverse, I can access the client from the SCCM server. I can also access all DC's which are acting as NPS HRA's in our case.

    SCCM is always compliant (I even tested so it's not even part of NAP) and it's also in the remediation servers group.

    Please help me out.

     

    Friday, October 18, 2013 11:48 AM

Answers

  • The "solution" was removing NAP, since it doesn't seem to have a place in MS's future. The post can easily be closed.
    • Proposed as answer by Garth Jones MVP Monday, February 2, 2015 11:11 AM
    • Marked as answer by CypherMike Monday, February 2, 2015 12:21 PM
    Monday, February 2, 2015 8:34 AM

All replies

  • When you say you can access "SCCM", is that when the client is non-compliant?

    Also, which roles are on that site system/server that you are generically referring to as "SCCM"?


    Jason | http://blog.configmgrftw.com

    Friday, October 18, 2013 2:30 PM
  • Yes, that's what I meant; connectivity seems fine.

    Our System Center Configuration Manager infrastructure consists of:

    - a remote SQL,
    - two DC's that are acting as NPS HRA's and
    - a SCCM server with the following roles: Application Catalog web service point, Application Catalog website point, Component server, Distribution point, Endpoint Protection point, Fallback status point, Management point, Site server, Site system and Software update point.

    Friday, October 18, 2013 5:58 PM
  • Hi Jason, is additional information needed to better troubleshoot the problems? Perhaps logs, configuration...?

    Please let me know.

    Tuesday, October 29, 2013 5:53 AM
  • I know NAP is deprecated in Windows Server 2012 R2, but could someone please assist me with this.
    Sunday, November 17, 2013 8:31 AM
  • Yes, I know this is an old post, but I’m trying to clean them up. Did you solve this problem, if so what was the solution?

    Since no one has answered this post, I recommend opening a support case with CSS as they can work with you to solve this problem.


    Garth Jones | My blogs: Enhansoft and Old Blog site | Twitter: @GarthMJ

    Sunday, February 1, 2015 5:44 PM