Internet MP Step-by-Step Document

  • Question

  • Is there a step-by-step guide, from start to finish, for making an Internet MP on SCCM 2012 R2?
    Monday, January 19, 2015 5:42 PM

Answers

  • I have tried that and got nothing blocked. I am thinking the CRL check might have something to do with it. The network team will not open port 10123 for the time being. I have the /noCRLcheck. I am also wondering if the certificate for the workgroup/other-domain PC might be the issue. I am also wondering if the certificate for the server might be wrong. I looked at this and put both the intranet and Internet FQDN in the Subject Alternative Name fields.

    http://technet.microsoft.com/en-us/library/gg699362.aspx

    When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN.

    I can use all the help I can get to get this up and running. Does anyone have an idea what to do about client certificates for workgroup/untrusted computers? I tried this:

    http://www.petervanderwoude.nl/post/how-to-install-a-configmgr-client-on-a-workgroup-computer-when-the-configmgr-site-is-in-native-mode/

    I had massive problems getting clients to work, until I published an internet CRL. I had specified the /nocrlcheck option and ticked the box on the site properties. Once I had published the CRL following an excellent TechNet article, everything just kicked in.

    • Edited by Rashmika Thursday, January 22, 2015 10:32 AM add "internet". We had an internal CRL xD
    • Proposed as answer by Joyce L Monday, January 26, 2015 9:05 AM
    • Marked as answer by Garth JonesMVP Saturday, January 31, 2015 6:38 PM
    Thursday, January 22, 2015 10:28 AM
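An added check, not code from the thread or from any of the linked guides, that tests the two things the marked answer and the quoted TechNet note hinge on: that the server certificate's SAN carries both the intranet and Internet FQDN, and that every CRL Distribution Point in it is an HTTP URL that actually answers. The thumbprint and Internet FQDN are placeholders; run it from a machine outside the corporate network so the CRL test reflects what an Internet client sees.

```powershell
# Added check (not from the thread): does the IBCM server certificate carry both FQDNs in its
# SAN, and is every CRL Distribution Point an HTTP URL that answers from where this runs?
# Assumptions: the thumbprint and Internet FQDN below are placeholders to replace.
param(
    [string]$Thumbprint   = 'REPLACE-WITH-SERVER-CERT-THUMBPRINT',
    [string]$IntranetFqdn = 'NWICCM01.nwtraders.msft',
    [string]$InternetFqdn = 'cm-internet.example.com'   # placeholder Internet FQDN
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# 1. SAN check: one cert serving intranet and Internet clients needs both names (cf. the TechNet note).
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanNames = @()
if ($sanExt) {
    $sanNames = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
}
foreach ($name in @($IntranetFqdn, $InternetFqdn)) {
    $state = if ($sanNames -contains $name) { 'OK     ' } else { 'MISSING' }
    "$state SAN entry for $name"
}

# 2. CRL check: an LDAP-only or intranet-only CDP is what breaks Internet clients unless /NoCRLCheck is used.
$cdpExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # cRLDistributionPoints
$cdpUrls = if ($cdpExt) { [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value } } else { @() }
if (-not $cdpUrls) { 'WARN    certificate has no CRL Distribution Point' }
foreach ($url in $cdpUrls) {
    if ($url -notmatch '^https?://') { "WARN    non-HTTP CDP, Internet clients cannot use it: $url"; continue }
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        "OK      CRL fetched ($($resp.RawContentLength) bytes) from $url"
    } catch {
        "FAIL    CRL not reachable from here: $url ($($_.Exception.Message))"
    }
}

# 3. Build the chain with online revocation checking, which is what a client without /NoCRLCheck does.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if ($chain.Build($cert)) {
    'OK      chain builds and revocation status is verifiable'
} else {
    $chain.ChainStatus | ForEach-Object { "FAIL    $($_.Status): $($_.StatusInformation.Trim())" }
}
```

A RevocationStatusUnknown or OfflineRevocation status in step 3, seen from outside the network, is the condition the marked answer fixed by publishing the CRL on the Internet.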

All replies

  • Monday, January 19, 2015 5:58 PM
  • The System Center Dudes one is the one I followed and it didn't work. I have struggled for the better part of 4-6 weeks on something that should be simple to deploy and isn't.
    Monday, January 19, 2015 6:00 PM
  • The System Center Dudes one is the one I followed and it didn't work. I have struggled for the better part of 4-6 weeks on something that should be simple to deploy and isn't.

    I used that exact walkthrough and had no problems...

    What are your issues?


    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Monday, January 19, 2015 6:05 PM
  • I will be happy to help if you give details about your problem. :)

    Benoit Lecours | Blog: System Center Dudes

    Monday, January 19, 2015 7:32 PM
  • I will be happy to help if you give details about your problem. :)

    Benoit Lecours | Blog: System Center Dudes

    I had been meaning to thank you for the great writeup. Made my life much easier.

    Don't retire TechNet! - (Don't give up yet - 13,085+ strong and growing)

    Monday, January 19, 2015 7:39 PM
  • If you check out that link it has all the details that have transpired with it. Basically, I can't get WSUS to sync and clients don't want to join the Internet MP. They can't seem to do the site assignment. Currently I am uninstalling the client and cleaning it out. The machines are in an untrusted forest or workgroup.
    Monday, January 19, 2015 7:57 PM
  • Taken from the wsyncmgr.log

    Wakeup for a polling cycle
    Starting Sync
    Performing sync on retry schedule
    Read SUPs from SCF for NWICCM01.nwtraders.msft
    Found 1 SUPs
    Found active SUP NWICCM01.nwtraders.msft from SCF File.
    DB Server not detected for SUP NWICCM01.nwtraders.msft from SCF File. skipping.
    STATMSG: ID=6701 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=NWICCM01.nwtraders.msft SITE=IMP PID=2436 TID=696 GMTDATE=Mon Jan 19 19:25:32.304 2015 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
    Sync failed: WSUS server not configured. Please refer to WCM.log for configuration error details.. Source: CWSyncMgr::DoSync
    STATMSG: ID=6703 SEV=E LEV=M SOURCE="SMS Server" COMP="SMS_WSUS_SYNC_MANAGER" SYS=NWICCM01.nwtraders.msft SITE=IMP PID=2436 TID=696 GMTDATE=Mon Jan 19 19:30:32.364 2015 ISTR0="CWSyncMgr::DoSync" ISTR1="WSUS server not configured. Please refer to WCM.log for configuration error details." ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
    Sync failed. Will retry in 60 minutes
    Setting sync alert to active state on site IMP
    Sync time: 0d00h05m00s
    Thread terminated by service request.
    SMS_EXECUTIVE started SMS_WSUS_SYNC_MANAGER as thread ID 4888 (0x1318).

    ***********************

    Taken from the WSUSCtrl.log

    Checking for supported version of WSUS (min WSUS 3.0 SP2 + KB2720211 + KB2734608)
    Checking runtime v2.0.50727...
    Did not find supported version of assembly Microsoft.UpdateServices.Administration.
    Checking runtime v4.0.30319...
    Found supported assembly Microsoft.UpdateServices.Administration version 4.0.0.0, file version 6.3.9600.16384
    Found supported assembly Microsoft.UpdateServices.BaseApi version 4.0.0.0, file version 6.3.9600.16384
    Supported WSUS version found
    Attempting connection to local WSUS server
    System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
       at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()
       at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)
    Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes
    Attempting connection to local WSUS server
    System.Net.WebException: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
       at System.Net.Security.SslState.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, Exception exception)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
       at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
       at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
       at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
       at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
       at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
       at System.Net.ConnectStream.WriteHeaders(Boolean async)
       --- End of inner exception stack trace ---
       at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)
       at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()
       at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)
    Failures reported during periodic health check by the WSUS Server NWICCM01.nwtraders.msft. Will retry check in 1 minutes
    Waiting for changes for 1 minutes

    ********************************

    Taken from mpcontrol.log

    SSL is enabled.
    Client authentication is also enabled.
    Machine name is 'NWICCM01.nwtraders.msft'.
    Begin validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'
    Completed validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'
    Skipping this certificate which is not valid for ConfigMgr usage.
    There are no certificate(s) that meet the criteria.
    Performing machine FQDN to SAN2 search.
    Begin validation of Certificate [Thumbprint d6b1f67ee1e5680ab449bbd834e60155f03e3661] issued to 'NWICCM01.nwtraders.msft'
    Certificate has "SSL Client Authentication" capability.
    Completed validation of Certificate [Thumbprint d6b1f67ee1e5680ab449bbd834e60155f03e3661] issued to 'NWICCM01.nwtraders.msft'
    Begin validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'
    Completed validation of Certificate [Thumbprint 98542e7bd2343725dda3f14a69cb373274df9a63] issued to 'NWICCM01.nwtraders.msft'
    >>> Selected Certificate [Thumbprint d6b1f67ee1e5680ab449bbd834e60155f03e3661] issued to 'NWICCM01.nwtraders.msft' for HTTPS Client Authentication
    Call to HttpSendRequestSync succeeded for port 443 with status code 200, text: OK
    Sent summary record of SMS Management Point on ["Display=\\NWICCM01.nwtraders.msft\"]MSWNET:["SMS_SITE=IMP"]\\NWICCM01.nwtraders.msft\ to \\NWICCM01.nwtraders.msft\SMS_IMP\inboxes\sitestat.box\p0kquibp.SUM, Availability 0, 52425724 KB total disk space , 42849720 KB free disk space, installation state 0.
    Http test request succeeded.
    STATMSG: ID=5460 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_MP_CONTROL_MANAGER" SYS=NWICCM01.nwtraders.msft SITE=IMP PID=2416 TID=4400 GMTDATE=Mon Jan 19 20:12:02.522 2015 ISTR0="" ISTR1="" ISTR2="" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0
    Successfully performed Management Point availability check against local computer.

    I can telnet to the port and resolve the name fine. I can't get any of the clients to connect.

    Monday, January 19, 2015 8:15 PM
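An added diagnostic, not from the thread, that reproduces the WSUSCtrl.log trust failure above by opening a TLS session to the WSUS SSL port with a validation callback that records the .NET policy error instead of throwing, so the reason (name mismatch versus untrusted chain or unreachable CRL) is printed. Host and port are assumed placeholders; 8531 is the WSUS default SSL port, and the script is meant to run on the site server, which is where SMS_WSUS_SYNC_MANAGER makes the connection.

```powershell
# Added diagnostic (not from the thread): why does .NET reject the WSUS certificate?
# Assumptions: $WsusHost and $Port are placeholders for the lab above.
param(
    [string]$WsusHost = 'NWICCM01.nwtraders.msft',
    [int]$Port = 8531          # WSUS default SSL port; use 443 if WSUS was bound there
)

$script:policy = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policy = $sslPolicyErrors   # remember why validation failed, then let the handshake finish
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($WsusHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($WsusHost)   # same name the SUP component uses for the connection
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $ssl.Dispose(); $tcp.Dispose() }

"Presented cert : $($cert.Subject) (expires $($cert.NotAfter.ToShortDateString()))"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
"SAN            : $(if ($san) { $san.Format($false) } else { '<none>' })"
"Policy result  : $script:policy"

# Map the policy flags to the usual causes of "remote certificate is invalid".
$nameMismatch = [int]($script:policy -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
$chainErrors  = [int]($script:policy -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
if ($nameMismatch -ne 0) {
    "-> '$WsusHost' is not in the Subject/SAN: the SUP must use a name the certificate carries."
}
if ($chainErrors -ne 0) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    [void]$chain.Build($cert)
    $chain.ChainStatus | ForEach-Object { "-> Chain: $($_.Status) $($_.StatusInformation.Trim())" }
    "   (issuing CA missing from LocalMachine\Root, or a CRL this server cannot fetch)"
}
if ($nameMismatch -eq 0 -and $chainErrors -eq 0) {
    '-> Certificate validates from here; look at the SUP port/SSL settings rather than the cert.'
}
```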
  • Hi,

    >>I got traffic back from IIS after copying the client files to the machine. But if I uninstall the client and reinstall it, I get the same as before.

    You still need to do a traffic trace to check why the client cannot connect to the MP when the error happens.

    Best Regards,

    Joyce

    Tuesday, January 20, 2015 8:39 AM
  • I have tried that and got nothing blocked. I am thinking the CRL check might have something to do with it. The network team will not open port 10123 for the time being. I have the /noCRLcheck. I am also wondering if the certificate for the workgroup/other-domain PC might be the issue. I am also wondering if the certificate for the server might be wrong. I looked at this and put both the intranet and Internet FQDN in the Subject Alternative Name fields.

    http://technet.microsoft.com/en-us/library/gg699362.aspx

    When the software update point accepts client connections from the Internet only, the certificate must contain both the Internet FQDN and the intranet FQDN.

    I can use all the help I can get to get this up and running. Does anyone have an idea what to do about client certificates for workgroup/untrusted computers? I tried this:

    http://www.petervanderwoude.nl/post/how-to-install-a-configmgr-client-on-a-workgroup-computer-when-the-configmgr-site-is-in-native-mode/

    Tuesday, January 20, 2015 12:12 PM
  • Hi,

    >>Does anyone have an idea what to do for workgroup\untrusted PC computers for client certificates?

    You could check the step "Create the ConfigMgr Workgroup Client Certificate" in the blog below.

    http://ittherapist.net/2014/01/16/sccm-2012-r2-os-deployment-with-pki-https/

    Note: Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.

    Best Regards,

    Joyce

    Thursday, January 22, 2015 5:21 AM