Internet Facing MP (ICMP) client(s) not reporting/running assignments

  • Question

  • Greetings,

    I am an SCCM 2007 shop here in the process of installing and configuring SCCM 2012 for https only communication. Primary intranet site is installed with (currently) limited boundaries to our test systems. Another primary site is up in the DMZ replicating back to the intranet site.

    A client installed on the intranet will check in and report, push software and do everything expected from it. When that client is then moved to an outside segment on the internet it correctly realizes it's now "internet" and points to our internet facing management point.

    Problem is, it doesn't report in or run any programs assigned. I've been banging my head on this for a few days without any luck.

    (Names have been changed to protect the innocent. My internet facing is now internetfacing.fqdn.com and my site code is XYZ.)

    ClientEvaluation.log gives me this:

    <![LOG[Failed to send request to /SMS_MP/.sms_aut?MPLIST2&XYZ at host internetfacing.fqdn.com, error 0x2f8f]LOG]!><time="09:47:07.695+300" date="07-30-2012" component="LocationServices" context="" type="2" thread="4588" file="ccmhttpget.cpp:879">
    <![LOG[[CCMHTTP] ERROR: URL=https://internetfacing.fqdn.com/SMS_MP/.sms_aut?MPLIST2&XYZ, Port=443, Options=63, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE]LOG]!><time="09:47:07.695+300" date="07-30-2012" component="LocationServices" context="" type="1" thread="4588" file="ccmhttperror.cpp:291">
    <![LOG[Successfully sent location services HTTPS failure message.]LOG]!><time="09:47:07.695+300" date="07-30-2012" component="LocationServices" context="" type="1" thread="4588" file="ccmhttperror.cpp:395">

    Furthermore, visiting https://internetfacing.fqdn.com/sms_mp/.sms_aut?mplist gives me a "403 - Forbidden: Access is denied" screen. Interestingly enough when this same client is on the intranet pointing to the intranet MP, I get the same 403 - Forbidden Access message (but client location doesn't spam the same error above.)

    IIS logs register the visit, but don't show anything obvious (unless I'm looking in the wrong place.)

    Does anyone have any insight as to what might be the problem? I will freely track down any and all logs in order to assist.

    My thanks in advance to everyone that takes the time to read (and respond).

    JMHahn



    • Edited by JMHahn Tuesday, July 31, 2012 3:52 PM
    Monday, July 30, 2012 6:59 PM
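The three records quoted in the question are in the raw CMTrace format the Configuration Manager client writes, and the two LocationServices lines carry the same WinHTTP code in two notations: `error 0x2f8f` in the first line is 12175 decimal, the `Code=12175` / `ERROR_WINHTTP_SECURE_FAILURE` of the second. The parser below is an added example, not code from this thread or from Microsoft; it assumes only the fixed attribute order visible in those lines, and the WinHTTP codes other than 12175 are standard values included so that neighbouring failures in the same log get a name too.

```python
"""Parse raw CMTrace-format records (the <![LOG[...]LOG]!><...> lines the
Configuration Manager client writes) and pull WinHTTP error codes out of them.
Added example for this thread; not code from the thread or from Microsoft."""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Set, Tuple

# One record: the message body, then a fixed-order attribute list. Messages can
# span lines, hence DOTALL and the non-greedy body match.
_RECORD = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)" '
    r'context="(?P<context>[^"]*)" type="(?P<type>\d)" thread="(?P<thread>\d+)" '
    r'file="(?P<file>[^"]*)">',
    re.DOTALL,
)
_HEX_ERROR = re.compile(r'\berror\s+0x([0-9a-f]+)', re.IGNORECASE)  # "... error 0x2f8f"
_DEC_CODE = re.compile(r'\bCode=(\d+)')                             # "... Code=12175, ..."
_URL = re.compile(r'\bURL=(\S+?),')                                  # "URL=https://host/path, Port=443"

SEVERITY = {1: "info", 2: "warning", 3: "error"}  # CMTrace type= values

# Decimal WinHTTP error codes. 12175 is the one in this thread; the others are
# standard WinHTTP codes added here so neighbouring failures are named too.
WINHTTP_ERRORS = {
    12007: "ERROR_WINHTTP_NAME_NOT_RESOLVED",
    12029: "ERROR_WINHTTP_CANNOT_CONNECT",
    12044: "ERROR_WINHTTP_CLIENT_AUTH_CERT_NEEDED",
    12045: "ERROR_WINHTTP_SECURE_INVALID_CA",
    12175: "ERROR_WINHTTP_SECURE_FAILURE",
}


@dataclass
class LogEntry:
    message: str
    component: str
    severity: str
    local_time: datetime          # wall clock exactly as written in the record
    bias_minutes: int             # the "+300" suffix, kept as recorded, not applied
    thread: int
    source_file: str
    error_codes: Set[int] = field(default_factory=set)  # every code found, as decimal ints
    url: Optional[str] = None


def parse_cmtrace(text: str) -> List[LogEntry]:
    """Return every well-formed record in *text*, in file order."""
    entries = []
    for m in _RECORD.finditer(text):
        # time="09:47:07.695+300": clock, then a signed UTC bias in minutes
        clock, sign, bias = re.match(r'([\d:.]+)([+-])(\d+)$', m.group('time')).groups()
        stamp = datetime.strptime(f"{m.group('date')} {clock}", "%m-%d-%Y %H:%M:%S.%f")
        msg = m.group('msg')
        # "error 0x2f8f" and "Code=12175" are the same number in two notations;
        # normalising both to int lets the two LocationServices lines be correlated
        codes = {int(h, 16) for h in _HEX_ERROR.findall(msg)}
        codes |= {int(d) for d in _DEC_CODE.findall(msg)}
        url = _URL.search(msg)
        entries.append(LogEntry(
            message=msg,
            component=m.group('component'),
            severity=SEVERITY.get(int(m.group('type')), "unknown"),
            local_time=stamp,
            bias_minutes=int(sign + bias),
            thread=int(m.group('thread')),
            source_file=m.group('file'),
            error_codes=codes,
            url=url.group(1) if url else None,
        ))
    return entries


def https_failures(entries: List[LogEntry]) -> List[Tuple[datetime, str, int, str, Optional[str]]]:
    """(time, component, code, name, url) for every entry carrying a known WinHTTP code."""
    out = []
    for e in entries:
        for code in sorted(e.error_codes):
            if code in WINHTTP_ERRORS:
                out.append((e.local_time, e.component, code, WINHTTP_ERRORS[code], e.url))
    return out


# The three log lines quoted in the question, verbatim (sample input).
SAMPLE_LOG = """\
<![LOG[Failed to send request to /SMS_MP/.sms_aut?MPLIST2&XYZ at host internetfacing.fqdn.com, error 0x2f8f]LOG]!><time="09:47:07.695+300" date="07-30-2012" component="LocationServices" context="" type="2" thread="4588" file="ccmhttpget.cpp:879">
<![LOG[[CCMHTTP] ERROR: URL=https://internetfacing.fqdn.com/SMS_MP/.sms_aut?MPLIST2&XYZ, Port=443, Options=63, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE]LOG]!><time="09:47:07.695+300" date="07-30-2012" component="LocationServices" context="" type="1" thread="4588" file="ccmhttperror.cpp:291">
<![LOG[Successfully sent location services HTTPS failure message.]LOG]!><time="09:47:07.695+300" date="07-30-2012" component="LocationServices" context="" type="1" thread="4588" file="ccmhttperror.cpp:395">
"""

if __name__ == "__main__":
    for when, comp, code, name, url in https_failures(parse_cmtrace(SAMPLE_LOG)):
        print(f"{when} {comp}: {code} ({name}) url={url}")
```

Running the module prints the two correlated failures. Note that the line with the full URL and code name is type="1" (informational) while only the "Failed to send request" line is type="2", so filtering a client log on severity alone would hide the more useful CCMHTTP record.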

Answers

  • Firstly, NO Boundaries needed for Internet clients.

    Please revisit the process of:

    CCMSetup.exe /UsePKICert /CCMHTTPSPORT=443 SMSSITECODE=XZY SMSMP=smsmp01.contoso.com CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSIGNCERT=<Full path and file name>(Copy the Clientsign.cer to C:\,

    Once the client actions and the policies are downloaded, and the client knows where the HTTPS management point is, the advertisements should work. Please also provide the CCMEXEC and ClientIDManagerStartUp logs. I think you still need to work in isolation before attempting to go over the internet, and focus on the client policies first.

    Please make sure you have followed the PKI certificate requirements; if they are not in place, the HTTPS management point will not work. This link will also assist you: Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority: http://technet.microsoft.com/en-us/library/gg682023.aspx

    Also confirm the Application distribution works on the LAN.

    All the best.

    • Marked as answer by JMHahn Tuesday, August 7, 2012 2:35 PM
    Wednesday, August 1, 2012 11:07 AM
  • This is all resolved now, with everything working as expected.

    It was a combination of problems, the first of which being incorrect work done via the issued certificates.

    After that it was discovered that there was some issue with the SQL replica (nothing specific to add here other than a configuration problem was made.)

    And lastly, the actual configuration of the management point for the internet-facing point of the site was set to a different DNS name than was published via DNS for internet-MP usage.

    After it was all corrected and clients reinstalled, everything worked correctly.


    JMHahn

    • Marked as answer by JMHahn Thursday, August 2, 2012 6:00 PM
    Thursday, August 2, 2012 6:00 PM

All replies

  • The below may be of assistance:

    Please verify:

    1. PKI certificate requirements for Configuration Manager: is the PKI environment set up correctly? Please review and confirm as per this article: http://technet.microsoft.com/en-us/library/gg699362.aspx

    2. Public DNS servers: The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers.

    3. Intervening firewalls or proxy servers: These network devices must allow the client communication that is associated with Internet-based site systems.

    If you are confident with the PKI environment, you need to isolate the issue (for Internet clients to work, the PKI, DNS and firewalls need to work in synergy, hence the issue could be anywhere) and gain confidence that the requirements and prerequisites have been met. Try using the command line below to install a client on a domain computer for the first time which is on the LAN, and monitor other client logs; they may reveal another underlying issue:

    CCMSetup.exe /UsePKICert /CCMHTTPSPORT=443 SMSSITECODE=XZY SMSMP=smsmp01.contoso.com CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSIGNCERT=<Full path and file name>(Copy the Clientsign.cer to C:\,

    Monitor the CCMEXEC and ClientIDManagerStartUp logs; if all is well, actions should appear. After this, focus on the other two points.

    All the Best.

    • Proposed as answer by DoitRight39 Monday, August 6, 2012 11:47 PM
    • Unproposed as answer by JMHahn Tuesday, August 7, 2012 1:25 PM
    Tuesday, July 31, 2012 11:48 AM
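The three prerequisites in the reply above (PKI, public DNS, firewalls) can be checked one layer at a time from a host outside the network. The script below is an added example, not from this thread or from Microsoft: `check_mp`, `san_matches` and `validity_ok` are names chosen here, the FQDN is the placeholder from the question, and `SAMPLE_CERT` is a constructed certificate dictionary. It separates chain trust, name match and validity period so a failure is attributed to one layer rather than reported as a single generic TLS error; it looks at the server side only, so the client authentication certificate discussed later in the thread is out of its reach.

```python
"""Check the three Internet-facing MP prerequisites listed above from the
client's side: public DNS resolution of the Internet FQDN, a TCP path on 443
through intervening firewalls, and a server certificate whose name and
validity period cover that FQDN. Added example for this thread, not Microsoft
tooling; the FQDN used below is the placeholder from the question."""
import socket
import ssl
import time
from typing import Optional


def san_matches(cert: dict, fqdn: str) -> bool:
    """True if the certificate's DNS SANs (or, if it has none, its subject CN)
    cover *fqdn*. *cert* has the dict shape returned by SSLSocket.getpeercert()."""
    fqdn = fqdn.lower().rstrip('.')
    names = [v.lower() for k, v in cert.get('subjectAltName', ()) if k == 'DNS']
    if not names:  # pre-SAN certificates: fall back to the CN
        names = [v.lower() for rdn in cert.get('subject', ())
                 for k, v in rdn if k == 'commonName']
    for name in names:
        if name.startswith('*.'):
            # a wildcard covers exactly one label, so label counts must agree
            if fqdn.count('.') == name.count('.') and fqdn.endswith(name[1:]):
                return True
        elif name == fqdn:
            return True
    return False


def validity_ok(cert: dict, now: float) -> bool:
    """True if *now* (epoch seconds) lies within notBefore..notAfter."""
    return (ssl.cert_time_to_seconds(cert['notBefore']) <= now
            <= ssl.cert_time_to_seconds(cert['notAfter']))


def check_mp(fqdn: str, port: int = 443, cafile: Optional[str] = None,
             timeout: float = 5.0) -> dict:
    """Live, read-only check of the MP's public name: DNS -> TCP -> TLS.
    Each step is reported separately so the failing layer is obvious.
    *cafile* is the PEM of the issuing CA when the MP uses a private PKI."""
    result = {'dns': None, 'tcp': None, 'tls': None, 'name_ok': None, 'validity_ok': None}
    try:
        result['dns'] = socket.gethostbyname(fqdn)
    except socket.gaierror as exc:
        result['dns'] = f'FAIL: {exc}'   # not in public DNS (prerequisite 2)
        return result
    ctx = ssl.create_default_context(cafile=cafile)
    # Chain trust is still enforced (CERT_REQUIRED); hostname matching is done by
    # san_matches() below so a name mismatch is reported, not just a handshake error.
    ctx.check_hostname = False
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw:
            result['tcp'] = 'ok'
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
                result['tls'] = tls.version()
                result['name_ok'] = san_matches(cert, fqdn)
                result['validity_ok'] = validity_ok(cert, time.time())
    except ssl.SSLCertVerificationError as exc:
        result['tls'] = f'FAIL: chain not trusted: {exc.verify_message}'  # prerequisite 1
    except ssl.SSLError as exc:
        result['tls'] = f'FAIL: {exc}'
    except OSError as exc:
        result['tcp'] = f'FAIL: {exc}'   # blocked or filtered (prerequisite 3)
    return result


# Constructed certificate dict in getpeercert() shape; not a real certificate.
SAMPLE_CERT = {
    'subject': ((('commonName', 'internetfacing.fqdn.com'),),),
    'subjectAltName': (('DNS', 'internetfacing.fqdn.com'), ('DNS', 'sccmdmz01.example.local')),
    'notBefore': 'Jul 15 00:00:00 2012 GMT',
    'notAfter': 'Jul 15 00:00:00 2014 GMT',
}

if __name__ == '__main__':
    print(check_mp('internetfacing.fqdn.com'))
```

Because `check_hostname` is disabled only after chain validation is kept at `CERT_REQUIRED`, an untrusted issuer still aborts the handshake and shows up under `tls`, while a certificate issued for the internal name rather than the published Internet FQDN shows up as `name_ok: False`, which is the mismatch the thread's final post describes.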
  • An update based on your helpful post:

    As per the link I did not have a workstation authentication certificate in place. Once I added this (manually for now) to the local personal computer certificate store on both of my MPs as well as my test-client my world improved.

    Clientevaluation.log doesn't post the same error as it had above (once I kick it off) and by and large I'm seeing lots of evidence in the logs that it is communicating with my internet facing MP. Client activity detail shows that it's requested policy since it's been on the internet facing server, so communication is definitely working.

    However after some additional testing I see that it's still not running any assigned programs/advertisements.

    I scanned through the logs and didn't find much except in CertificateMaintenance.log, which seems to hint that something still isn't right:

    MP server3.contoso.com does not allow client connections matching the client connection type CertificateMaintenance 7/31/2012 9:31:59 AM 4428 (0x114C)

    When visiting my internet facing management point and trying /sms_mp/.sms_aut?mplist I'm still getting the 403 - Forbidden: Access is Denied message. However, I can't seem to verify if this trick still works with SCCM 2012 anymore.

    So just to cover my bases:

    I currently have a web server certificate residing on both MPs, and a workstation authentication certificate that resides on both MPs and the test clients in my environment. Am I missing additional certificates? We're not yet interested in mobile device management, so I'm safely ignoring that for now. I've used the assistance of this site to create the certificates: http://www.mycloud-tr.com/2012/05/18/step-by-step-example-deployment-of-the-pki-certificates-for-configuration-manager-2012-windows-server-2008/

    My public DNS appears to be working correctly. I can navigate to the root site and get the IIS7 welcome screen via https. I don't receive an unknown certificate error, so it seems everything is good there.

    All the same firewall rules applied to our existing (and working) SCCM 2007 internet facing MP/DP are applied to our new server. Were there additional ports needed for an SCCM 2012 implementation?

    I also don't have any boundaries set beyond the intranet. Do boundaries need to be set for internet clients?

    Any other advice would be much welcome.


    JMHahn

    Tuesday, July 31, 2012 4:05 PM
  • I redid all the certificates to match the step-by-step deployment of certificates as per your link and restarted my environments to make sure everything was communicating correctly. In the process I found a few ports blocked on our corporate firewall that were preventing 443 communication from the DMZ to the LAN; this has been fixed.

    I then uninstalled the client and used the installation properties you have provided minus the path to the smssigncert-- the instructions state not to allow the client certificate to be exportable, so how would I be able to export and direct the client to that certificate? Regardless, the client installed: It's set to PKI, and it was able to pull a list of MPs. Preliminary scans ran and seem to be reporting in to SCCM 2012 correctly. ClientIDManagerStartUp log shows that the client successfully registered and looks clean. CCMEXEC is clean as well.

    While on the intranet I've pushed two applications to my test client, which has received them in a timely manner. So thus far I can confirm application distribution is functioning over the LAN while connected to my intranet MP.

    I am going to move the test client to the internet then head out for lunch. Upon return I'll try application distribution once more once it's found the internet MP.

    I will respond back with my results. Thanks thus far for the assistance.


    JMHahn

    Wednesday, August 1, 2012 4:29 PM
  • I ended up finding some configuration errors in place that I had not expected, and corrected those as well. These related to the FQDN of the internet facing management point. Since then I have been retesting application deployment over the LAN before returning to the internet-facing portion.

    Right now I've been able to push software through my primary server, and it reports back a success. Software has also been assigned while the client was assigned to my second site server (which is intranet/internet), and the software has downloaded and installed, but has not reported back its status to the MP (or has reported it and the MP hasn't handled it yet).

    What log would I be able to check to see if the complete event for software distribution is back at the MP from the Client? I can see in exemgr on the client that the installation completed and was raised:

    Raising client SDK event for class CCM_Program, instance CCM_Program.PackageID="XY200005",ProgramID="Upgrade Adobe Acrobat Reader", actionType 1l, value , user NULL, session 4294967295l, level 0l, verbosity 30l execmgr 8/1/2012 4:22:53 PM 3776 (0x0EC0)

    At this point I'm trying to figure out where the message was lost in the mix. 

    My thanks again for the assistance.


    JMHahn

    Wednesday, August 1, 2012 9:47 PM