IBCM internet and intranet management on the same server

Could anyone help me see what I am missing? We are trying to test setting up IBCM using the same management point as the intranet clients. We have already successfully implemented PKI for intranet clients because we were bringing in a MacBook Air. We have an external URL coming through a reverse proxy and forwarded to our internal server. I can navigate to https://sccmext.domain.com/sms_mp/.sms_aut?MPlist and get 403 access denied. I also get that when I am on prem and navigate to the local server.

The CcmMessaging.log has errors regarding post to https://sccmext.domain.com/ccm_system/request failed with 0x87d00231.

I think this has something to do with certificates... I have a SCCM Web certificate for the internal server hostname and another certificate for the external name coming through the reverse proxy.

I have the internet FQDN on the site system properties, MP and DP are set to allow internet and intranet based clients...
March 17th, 2015 10:41am

Hi Jaytwill,

Refer to this guide and make sure the certificate and server is well configured.

March 17th, 2015 10:46am

Based on your information, my first guess would be that the reverse proxy rule needs to be configured with a client authentication certificate and that you're seeing 403 7 messages in the IIS log file. To be sure, check the IIS log file for more information.
March 17th, 2015 10:46am

It's pretty normal to see the 403 in the browser when trying to open mplist. This isn't related to your issue, but just for info.

https://ramzibot.wordpress.com/2012/10/04/mpcert-mplist-access-denied-error-after-securing-the-management-point-by-a-certificate/

March 17th, 2015 10:56am

Also, clients must be able to retrieve a CRL from an accessible/available CDP (CRL DP). Having an Internet accessible CDP is rarely part of most standard PKI implementations though.

You should check in IIS to see the exact 403 error code received as this will give additional info.

March 17th, 2015 11:34am

10.7.29.195 CCM_POST /ccm_system/request - 443 - 10.7.29.9 ccmhttp 403 7 5 1466 15

March 17th, 2015 11:37am

403.7 just means a client cert was not provided in the request.

What's that in response to?

March 17th, 2015 11:39am

Here are some entries before and after that entry above:

10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0
10.7.29.195 GET / - 80 - 10.7.29.82 - 200 0 0 701 0
10.7.29.195 GET / - 80 - 10.7.29.81 - 200 0 0 701 0
10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0
10.7.29.195 CCM_POST /ccm_system/request - 443 - 10.7.29.9 ccmhttp 403 7 5 1466 15
10.7.29.195 GET / - 80 - 10.7.29.82 - 200 0 0 701 0
10.7.29.195 GET / - 80 - 10.7.29.81 - 200 0 0 701 0
10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0

These are from the IIS log file. .195 is the SCCM site server; .81 and .82 are the reverse proxy servers. Sorry if I am not answering questions accurately, this is getting into parts of SCCM I am not familiar with at all.

March 17th, 2015 11:44am
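The IIS log check suggested in the replies above, as an added example that is not part of the original thread: it scans log lines for 403 responses whose substatus concerns the client certificate and reports them per client IP, marking whether each came from a listed reverse proxy. The field order is an assumption inferred from the pasted lines, the function names are hypothetical, and the 403.16 sample line is constructed.

```python
from collections import Counter

# Assumption: field order inferred from the lines pasted in the thread, which
# lack date/time columns. A real log's "#Fields:" header overrides it below.
ASSUMED_FIELDS = ("s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
                  "c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()

# IIS 403 substatus codes that concern the client certificate.
CERT_SUBSTATUS = {
    "7": "client certificate required (none presented)",
    "13": "client certificate revoked",
    "16": "client certificate untrusted or invalid",
    "17": "client certificate expired or not yet valid",
}

# First three lines are copied from the thread; the last one is constructed.
SAMPLE_LOG = """\
10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
10.7.29.195 CCM_POST /ccm_system/request - 443 - 10.7.29.9 ccmhttp 403 7 5 1466 15
10.7.29.195 GET / - 80 - 10.7.29.82 - 200 0 0 701 0
10.7.29.195 CCM_POST /ccm_system/request - 443 - 10.7.29.81 ccmhttp 403 16 0 1466 15
"""

def parse(lines):
    """Yield one dict per request line, honouring a '#Fields:' directive."""
    fields = ASSUMED_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            # Columns beyond the declared fields are ignored.
            yield dict(zip(fields, line.split()))

def cert_failures(log_text, proxies=()):
    """Summarise 403 client-certificate rejections per client IP and URI."""
    hits = Counter()
    for rec in parse(log_text.splitlines()):
        sub = rec.get("sc-substatus")
        if rec.get("sc-status") == "403" and sub in CERT_SUBSTATUS:
            hits[(rec.get("c-ip"), rec.get("cs-uri-stem"), sub)] += 1
    return [{"client": ip, "uri": uri, "code": f"403.{sub}",
             "meaning": CERT_SUBSTATUS[sub], "count": n,
             "from_proxy": ip in proxies}
            for (ip, uri, sub), n in hits.most_common()]

if __name__ == "__main__":
    for row in cert_failures(SAMPLE_LOG, proxies={"10.7.29.81", "10.7.29.82"}):
        print(row)
```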
