MP in DMZ

  • Question

  • OK, I have my Main Domain and a Web Domain for DMZ servers.  There is a ONE WAY trust from Main to Web but NOT Web to Main.  I have PKI and I have servers configured to trust PKI trusted root.

    Now I have a Single Site server in Main domain and a Server in Web domain that I want to use as a DP MP for Internet based clients.

    DP installed fine.

    MP however is having IBCM issues.  I KNOW I have certs installed and working.  I know the Main SCCM server is an admin on the Web server.  As there is a one way trust I can not add the web server to the SMSSitetoServer permissions group.

    Where do I look now?

    Thursday, June 5, 2014 5:25 PM

Answers

  • 403 is a certificate trust issue. You can look on the IIS server to get a better error code like 403 13.

    Jason | http://blog.configmgrftw.com

    • Proposed as answer by Joyce L Wednesday, June 11, 2014 9:27 AM
    • Marked as answer by Joyce L Monday, June 23, 2014 9:39 AM
    Monday, June 9, 2014 9:58 PM
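One way to pull that more specific code out of the MP's IIS log, as an added example that is not part of the thread: the script parses the W3C log using its #Fields header and tallies the 403 sub-status values. The log lines are constructed to resemble an MP's IIS log (assumed default IIS field set; the sub-status meanings are from the IIS documentation).

```python
"""Summarise the 403 sub-status codes in an IIS W3C log.

Added example, not from the thread. The log text below is constructed to
look like an MP's IIS log; real logs sit under the site's LogFiles folder.
"""
from collections import Counter

# IIS 403 sub-status codes most often seen behind an MP that asks
# clients for a certificate (meanings from the IIS documentation).
SUBSTATUS_403 = {
    4: "SSL required",
    7: "client certificate required",
    13: "client certificate revoked",
    16: "client certificate is untrusted or invalid",
    17: "client certificate has expired or is not yet valid",
}

# Constructed sample with the default IIS field set; values are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2014-06-09 21:30:01 10.0.0.5 CCM_POST /ccm_system_windowsauth/request - 443 - 10.0.0.7 SMS+CCM+5.0 - 403 13 0 15
2014-06-09 21:30:02 10.0.0.5 GET /SMS_MP/.sms_aut MPLIST 443 - 10.0.0.8 SMS+CCM+5.0 - 200 0 0 3
2014-06-09 21:30:03 10.0.0.5 CCM_POST /ccm_system/request - 443 - 10.0.0.9 SMS+CCM+5.0 - 403 16 0 12
2014-06-09 21:30:04 10.0.0.5 CCM_POST /ccm_system_windowsauth/request - 443 - 10.0.0.7 SMS+CCM+5.0 - 403 13 0 14
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                    # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split()))

def summarise_403(text):
    """Return {(substatus, meaning): count} for every 403 response."""
    counts = Counter()
    for rec in parse_w3c(text):
        if rec.get("sc-status") == "403":
            sub = int(rec.get("sc-substatus", "0"))
            counts[(sub, SUBSTATUS_403.get(sub, "unknown sub-status"))] += 1
    return dict(counts)

if __name__ == "__main__":
    for (sub, meaning), n in summarise_403(SAMPLE_LOG).items():
        print(f"403.{sub} {meaning}: {n}")
```

Point it at the real log files on the DMZ MP; sc-substatus is only present if that field is enabled in the site's logging settings (it is in the IIS default set).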

All replies

  • I'm assuming these are actually separate forests and not just domains? Is that true?

    You need to use a connection account from the DMZ's domain instead of relying on the site server's computer account. Also, you need to ensure all of the correct ports are open both ways as communication between the site server and a system is initiated by both/either at times.

    Also note that clients in the DMZ will prefer using the MP in their own domain/forest, but this is not guaranteed. Just something to be aware of as you may from time to time see clients try to use the internal MP.
    Jason | http://blog.configmgrftw.com

    Thursday, June 5, 2014 6:49 PM
  • Yes all ports are open.  Separate Forests.  Can SEE an account in the non-trusted domain to add it to SCCM as the Main domain doesn't trust the Web domain.
    Thursday, June 5, 2014 8:20 PM
  • It doesn't have to trust it, you just have to configure it as the connection account when setting up the site system. There's no need to add it to any groups on the site server.

    Jason | http://blog.configmgrftw.com

    Thursday, June 5, 2014 8:59 PM
  • Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden

    Over and Over and Over.....

    Monday, June 9, 2014 9:33 PM