SCCM 2012 R2 IBCM - Certificates

Thanks,

I am re-issuing the IIS cert now. What do I need to put in?

subject name

common name : sccmagent.contoso.com

alternate

dns: sccmagent.contoso.com

Is that right? I'm just worried that the primary site will stop communicating with it if I get this part wrong lol

Thanks for helping out

July 21st, 2014 7:41am

Don't forget to also specify the intranet FQDN (if this site system is used for Internet AND intranet clients).

For a lot more information, see the following links:

July 21st, 2014 7:48am

Thanks

I only want internet clients to talk to this server.  The internal machines can use the primary site, and the other two if needed.

July 21st, 2014 8:03am

One small addition: if you are also going to install a software update point on this site system, you would still need to add the intranet FQDN. If it's not in the certificate, the configuration of the software update point will fail.
July 21st, 2014 8:06am

The primary server has the update point installed.  That does all the software groups and packages them up.

My understanding is that once the software update deployments are sent to the DPs, that's the end of it?

The IBCM server will have the update packages on it for the Internet clients.

July 21st, 2014 8:10am

How are the Internet clients going to scan for applicable updates? They would require a software update point to provide them with that information.
July 21st, 2014 8:16am

ah ok

I thought that updates worked in the same way as regular package deployments (i.e., if the Internet client is a member of, say, the Windows 7 2014 updates collection it would automatically get them).

I'm using two automatic deployment rules which run once a month. The first runs on the second Wednesday of the month, and the second runs on the fourth Wednesday of the month. The first one is targeted to the software update testing collection, the second is targeted to the Windows 7 2014 updates collection.

Are you saying I just need to add the software update role to the IBCM server, and then put both the IBCM and sccmagent FQDNs in the cert?

Appreciate your help very much!

July 21st, 2014 8:57am

That would be my preferred solution in this case.

Please don't forget to configure WSUS for SSL and that it runs on port 8531, which probably requires a firewall adjustment.

July 21st, 2014 9:01am
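The replies above (SAN with both names, Server Authentication certificate, WSUS on 8531 with SSL) add up to a checklist that can be run on the site system. The script below is an added example and is not code from this thread; it assumes the names used here (Internet FQDN sccmagent.contoso.com, intranet FQDN ibcm.contoso.com), HTTPS bindings on 443 for the MP/DP and 8531 for WSUS, and an elevated PowerShell session on the IBCM server. It also fetches every HTTP CRL distribution point in the certificate, because the CRL, as the later posts in this thread found, has to be reachable by the client that validates the chain.

```powershell
# Added example, not code from the thread: check the IIS certificate on an IBCM site system.
# Assumptions: Internet FQDN sccmagent.contoso.com and intranet FQDN ibcm.contoso.com (the
# names used in this thread), HTTPS bindings on 443 (MP/DP) and 8531 (WSUS over SSL), and
# the script runs elevated on the site system itself.
Import-Module WebAdministration

$InternetFqdn  = 'sccmagent.contoso.com'   # assumed external name the clients connect to
$IntranetFqdn  = 'ibcm.contoso.com'        # assumed internal name the site uses
$RequiredNames = @($InternetFqdn, $IntranetFqdn)
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'       # Server Authentication EKU

function Get-ExtensionLines {
    # Formatted text of one X.509 extension (selected by OID), one line per entry.
    param($Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if ($ext) { $ext.Format($true) -split "`r?`n" } else { @() }
}

function Get-BoundCertificate {
    # The certificate IIS has bound on an HTTPS port, found through the binding's thumbprint.
    param([int]$Port)
    $binding = Get-WebBinding -Protocol https |
        Where-Object { $_.bindingInformation -like "*:${Port}:*" } |
        Select-Object -First 1
    if (-not $binding) { return $null }
    $store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
    Get-Item -Path "Cert:\LocalMachine\$store\$($binding.certificateHash)" -ErrorAction SilentlyContinue
}

function Test-IbcmCertificate {
    param([int]$Port)
    $cert = Get-BoundCertificate -Port $Port
    if (-not $cert) {
        Write-Warning "Port ${Port}: no HTTPS binding (443 is needed for the MP/DP, 8531 for WSUS over SSL)"
        return
    }
    Write-Host "Port ${Port}: $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning '  certificate has expired' }

    # 1. Both FQDNs must be in the Subject Alternative Name: an Internet client matches the
    #    Internet FQDN, the site (and a software update point) uses the intranet FQDN.
    $sanNames = @(Get-ExtensionLines -Cert $cert -Oid '2.5.29.17' |
        ForEach-Object { if ($_ -match 'DNS Name=(\S+)') { $Matches[1] } })
    foreach ($name in $RequiredNames) {
        if ($sanNames -contains $name) { Write-Host "  OK      SAN contains $name" }
        else { Write-Warning "  MISSING SAN entry for $name" }
    }

    # 2. The Server Authentication EKU must be present.
    if (@($cert.EnhancedKeyUsageList.ObjectId) -contains $ServerAuthOid) {
        Write-Host '  OK      Server Authentication EKU present'
    } else { Write-Warning '  MISSING Server Authentication EKU' }

    # 3. Every HTTP CRL distribution point must answer. This proves reachability from the
    #    site system only; an Internet client fetches the same URL from outside, so run
    #    this part again from an external host.
    $cdpUrls = @(Get-ExtensionLines -Cert $cert -Oid '2.5.29.31' |
        ForEach-Object { if ($_ -match 'URL=(https?://\S+)') { $Matches[1] } })
    if (-not $cdpUrls) { Write-Warning '  no HTTP CRL distribution point in the certificate' }
    foreach ($url in $cdpUrls) {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
            Write-Host "  OK      CRL fetched from $url (HTTP $($r.StatusCode), $($r.Content.Length) bytes)"
        } catch {
            Write-Warning "  FAILED  CRL fetch from $url : $($_.Exception.Message)"
        }
    }

    # 4. Build the chain with network revocation checking, as a client does.
    $tmp = Join-Path $env:TEMP "ibcm-$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $tmp -Force | Out-Null
    $verify = & certutil.exe -verify -urlfetch $tmp 2>&1
    $verify | Select-String -Pattern 'ERROR|Revocation Check|Expired' |
        ForEach-Object { Write-Host "  certutil: $($_.Line.Trim())" }
    Remove-Item $tmp -ErrorAction SilentlyContinue
}

Test-IbcmCertificate -Port 443
Test-IbcmCertificate -Port 8531
```

A missing SAN entry on 443 is exactly the failure described later in this thread (the browser warned about the name, and the client logged ERROR_WINHTTP_SECURE_FAILURE); a missing entry on 8531 is what makes the software update point configuration fail. Step 3 deliberately runs as a plain HTTP fetch rather than trusting the cached CRL on the server, since the client on the Internet has no cache to fall back on.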

The update packages have already been deployed to the IBCM server; assume that is ok.
July 21st, 2014 9:03am

That's fine, as it's just content.
July 21st, 2014 9:04am

Hi all,

I am trying to get internet based client management working but struggling with a few things.

Here's what I have achieved so far:

Single AD, Single Forest (2008 R2)

1 x Primary Server (primary.contoso.com)

2 x Distribution Points (newark.contoso.com & boston.contoso.com)

1 x IBCM Server (ibcm.contoso.com)

1 x Enterprise Certificate Server

Domain name created with external DNS provider (sccmagent.contoso.com)

Firewall NAT Rule forwards port 443 from sccmagent.contoso.com to ibcm.contoso.com

Firewall Access Rule allows port 443 inbound from any WAN to LAN ibcm.contoso.com

==========

There are no domain controllers within the DMZ and, due to various internal issues, the DMZ will not be used for this solution. Therefore the IBCM server has been installed directly onto the LAN and will be secured with a SonicWall firewall (Microsoft's third best-practice option).

Certificates have been created and deployed.  Client agents have the certificates already installed and display PKI infrastructure.  The network settings tab on the agent have been updated to include the external FQDN of the IBCM server (sccmagent.contoso.com).

Primary sites components all look to be in good health, management point and distribution point roles for IBCM look good.

My problem is that when I take my test laptop home and connect to the Internet, I do not believe it's communicating with the IBCM server. I've checked that port 443 is open, which it is. When I visit https://sccmagent.contoso.com//sms_mp/.sms_aut?mplist I get the following error page:

"The site's security certificate is not trusted!  You attempted to reach sccmagent.contoso.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system."

Every guide I have read tells me that I have done everything correctly, so what am I missing?  The certificates I created were all set to ibcm.contoso.com as the guides suggest and not sccmagent.contoso.com

Thanks!!!!!



July 21st, 2014 2:02pm

Every guide I have read tells me that I have done everything correctly, so what am I missing?  The certificates I created were all set to ibcm.contoso.com as the guides suggest and not sccmagent.contoso.com

This is the key. I don't know which guides you've read, but when your clients are connecting from both the Internet and the intranet, both names should be in the certificate (SAN).

When the client is on the Internet it will verify the Internet FQDN with the certificate to identify the server. For some key configurations, see also: http://www.petervanderwoude.nl/post/five-key-configuration-steps-for-implementing-internet-based-clients-in-configmgr-2012/

July 21st, 2014 2:18pm

Sorry, I'm afraid the above solution didn't work.

The certificate was changed to the Internet FQDN but I'm still unable to manage or deploy anything to the client. However, now when I browse to the URL mentioned above the cert error is gone, but I do get a 403 Forbidden message. I think this is ok though?

Here are a few things I have noticed:

Primary server

------------------

Site Server > Monitoring > System Status > Component Status > SMS_MP_CONTROL_MANAGER (ibcm.contoso.com)

MP Control Manager detected DMP Proxy is not responding to HTTP requests

This was working about two hours ago and no changes have been made since (I wasn't even at work lol).

Internet client machine

-----------------------------

ClientLocation.log

Domain joined client is in Internet

Current Internet Management Point is the only Internet Management Point

LocationServices.log

4 Internet MP errors in the last 10 minutes

CcmMessaging.log

Post to https://sccmagent.contoso.com/ccm_system/request, port=443..........ERROR_WINHTTP_SECURE_FAILURE

I have tried turning off CRL checking on the site server as someone suggested in another forum, but it made no difference. They also said to edit some registry keys so the client thinks it was installed with the /nocrlcheck switch; again, no difference.



July 21st, 2014 3:58pm


Did you check the IIS log on the server to see if the client can connect? Also, if you see the client on that side already you might get more details about the error from that log.
July 22nd, 2014 1:47am

On the Internet client I have visited https://sccmagent.contoso.com/sms_mp/.sms_aut?mplist

The browser displays a 403 error, and the IIS logs show a connection from the client's IP address. Looks like firewall/DNS connectivity is working correctly.


July 22nd, 2014 8:37am

Keep in mind that if you're running the browser with your user account, you won't be able to do a valid test, as your certificates are computer-based.

Also, check the error codes in IIS from that external IP. If they also fail, check what's behind the 403, as that will help you to get a more specific error.

July 22nd, 2014 8:44am

The logs only show a connection from my external client. No errors; it just shows the browser type against what looks like the 403 site which is being displayed.

One thing I haven't done is make our CRL available externally... I still think clients are enabled for CRL checking. I have just this minute published a CRL to the outside world, and created a new client certificate (don't think I need to create new distribution point and IIS certificates, do I?).

I will have to bring my laptop back to work tomorrow for a gpupdate /force to get the new cert, before taking it home again to test. My new client cert uses the same name as the old one; assume Windows is clever enough to know it's actually a new one.

Does this sound like a sensible plan?

:edit: confirmed my external machine can view the crld folder, containing the CRL



July 22nd, 2014 9:06am

If you have CRL checking enabled, it's indeed a very good idea (and also a requirement) to publish the CRL externally.

About the IIS log: when you're checking the log file there will be something behind the 403. The first number behind the 403 (the substatus) is very helpful for your troubleshooting; this is the complete list of 403.x error messages: http://technet.microsoft.com/en-us/library/cc737788(v=ws.10).aspx

July 22nd, 2014 9:12am

"SITE SERVER IP" GET /sms_mp/.sms_aut mplist 443 - "IP OF EXTERNAL MACHINE" Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 500 0 64 0 62

"SITE SERVER IP" GET /sms_mp/.sms_aut mplist 443 - "IP OF EXTERNAL MACHINE" Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/36.0.1985.125+Safari/537.36 403 7 5 1429 12

Looks like, as you suggested, I do not have the browser certificate installed when checking that URL.
July 22nd, 2014 10:09am
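The two IIS log lines posted above carry the detail the previous reply was pointing at: the trailing numbers are sc-status, sc-substatus and sc-win32-status, and 403 with substatus 7 means IIS required a client certificate and none was presented, which is exactly what a browser running under a user account produces when the only certificates are computer certificates. The script below is an added example, not code from the thread: it parses W3C-format IIS logs and decodes the client-certificate substatus codes (403.7, 403.13, 403.16, 403.17) so they stand out from an ordinary 403. The sample lines are constructed from the posted ones, with placeholder addresses and an assumed #Fields header; a real log under C:\inetpub\logs\LogFiles\ carries its own #Fields line, which the parser reads.

```powershell
# Added example, not code from the thread: decode sc-status/sc-substatus pairs in IIS W3C logs
# so that client-certificate failures are distinguishable from a plain "forbidden".
# The sample log below is constructed; its #Fields order is an assumption. Real logs
# (C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log) declare their own field order.

$Substatus403 = @{
    '403.4'  = 'SSL required'
    '403.7'  = 'Client certificate required (none presented)'
    '403.13' = 'Client certificate revoked'
    '403.14' = 'Directory listing denied'
    '403.16' = 'Client certificate untrusted or invalid (chain or CRL problem)'
    '403.17' = 'Client certificate expired or not yet valid'
}
$ClientCertCodes = @('403.7', '403.13', '403.16', '403.17')
$Win32Status = @{ 0 = 'success'; 5 = 'ERROR_ACCESS_DENIED'; 64 = 'ERROR_NETNAME_DELETED (connection dropped)' }

# Constructed sample: the two requests posted in this thread plus one successful client post.
# IIS writes '+' for spaces inside the user agent, so splitting on a single space is safe.
$SampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes time-taken
2014-07-22 09:01:10 10.0.0.5 GET /sms_mp/.sms_aut mplist 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+6.1;+WOW64) 500 0 64 0 62
2014-07-22 09:01:12 10.0.0.5 GET /sms_mp/.sms_aut mplist 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+6.1;+WOW64) 403 7 5 1429 12
2014-07-22 09:05:40 10.0.0.5 CCM_POST /ccm_system/request - 443 - 203.0.113.10 ccmhttp 200 0 0 512 31
'@

function Read-IisLog {
    # Turns W3C log lines into objects whose property names are the #Fields names.
    param([string[]]$Lines)
    $fields = $null
    $rows = New-Object System.Collections.Generic.List[object]
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if (-not $line.Trim() -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'Log data appeared before a #Fields header' }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        $rows.Add([pscustomobject]$row)
    }
    return $rows
}

function Get-IisRequestDiagnosis {
    # One diagnosis object per request: status.substatus, its meaning, and the Win32 status.
    param([object[]]$Rows)
    foreach ($r in $Rows) {
        $key   = '{0}.{1}' -f $r.'sc-status', $r.'sc-substatus'
        $win32 = [int]$r.'sc-win32-status'
        [pscustomobject]@{
            Time              = '{0} {1}' -f $r.date, $r.time
            Client            = $r.'c-ip'
            Request           = '{0} {1}' -f $r.'cs-method', $r.'cs-uri-stem'
            Status            = $key
            Meaning           = if ($Substatus403.ContainsKey($key)) { $Substatus403[$key] } else { '' }
            Win32             = if ($Win32Status.ContainsKey($win32)) { $Win32Status[$win32] } else { "win32 $win32" }
            ClientCertProblem = ($key -in $ClientCertCodes)
        }
    }
}

function Get-ClientCertFailureSummary {
    # Counts client-certificate failures per client address and code, to spot a client
    # that keeps failing (no cert, revoked cert, CRL not reachable) rather than one bad test.
    param([object[]]$Rows)
    Get-IisRequestDiagnosis -Rows $Rows |
        Where-Object ClientCertProblem |
        Group-Object Client, Status |
        ForEach-Object {
            [pscustomobject]@{
                Client  = $_.Group[0].Client
                Status  = $_.Group[0].Status
                Count   = $_.Count
                Meaning = $_.Group[0].Meaning
            }
        }
}

$rows = Read-IisLog -Lines ($SampleLog -split "`r?`n")
Get-IisRequestDiagnosis -Rows $rows | Format-Table -AutoSize
Get-ClientCertFailureSummary -Rows $rows | Format-Table -AutoSize
# Against a real log: $rows = Read-IisLog -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex140722.log')
```

On the constructed sample the second line decodes to 403.7 with ERROR_ACCESS_DENIED, i.e. a browser test without a computer certificate, and the third line (a CCM_POST to /ccm_system/request answered with 200) is what a working Internet client looks like in the same log. A 403.16 against the ConfigMgr client's own user agent, rather than a browser's, would point back at chain validation and CRL reachability instead of at the test method.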




Sorry to resurrect an old thread.

I've been away for a few weeks assigned to another project. Now back with SCCM :-)

Initially I had everything working great: Internet machines would talk to the IBCM server, and I was able to deploy software updates and packages ok. The main cause of the problem mentioned above was the lack of an externally accessible CRL.

Unfortunately something has changed since then. Windows updates are ok, but I am unable to deploy packages. I've looked through the client logs and can't see any errors?

The only thing I can see on the site server is the SMS_MP_CONTROL_MANAGER for the IBCM server.  The error is reporting "MP Control Manager detected DMP Proxy is not responding to HTTP requests Error 500"

Looking through the mpcontrol.log on the site server gives no mention of the IBCM server?

There don't seem to be any logs on the IBCM server itself apart from IIS logs. The IIS logs show Internet clients communicating ok, but when the site server tries, 500 error.

almost there!!!  any ideas?

Thanks very much,

Glen. 


September 4th, 2014 3:59am

Looks like all the IIS 500 errors are surrounding this address:

/omadm/handler.ashx

September 4th, 2014 7:13am
