Websites accessed by SCCM

Hi,

I have an SCCM 2012 site, and it is configured to communicate in HTTP. I can see that SCCM is trying to access the below certification authority websites:

crl.microsoft.com

crl.thawte.com

ocsp.thawte.com

evsecure-ocsp.thawte.com

crl.verisign.com

ocsp.verisign.com

clients1.google.com

pki.google.com

www.google-analytics.com

g.symcd.com

tc.symcd.com

crl.geotrust.com

ts-ocsp.ws.symantec.com

Are these websites required to be accessed by SCCM? And what would happen if I blocked access to these websites from SCCM server and kept only the one for Microsoft?

Thanks

March 30th, 2015 3:05am

Why do you think that it's ConfigMgr that accesses those websites? 
March 30th, 2015 5:16am

Hi Torsten,

The Network/Security Admin stated that one of the SCCM Service Accounts (account used for client push installation, SUP Proxy Server account, and Network Access account) is trying to access these websites, and was wondering if this behavior is normal, in order to otherwise block access to these sites.

March 30th, 2015 5:46am

How exactly is your security team determining that those accounts are accessing the internet?

Which account is accessing the internet?

Are you launching the CM12 console with those accounts?

March 30th, 2015 9:50am

Hi Garth,

It's only one account which is attempting to access these sites. It's the account that is configured for client push installation, SUP Proxy Server account, as well as for Network Access account.

No, we are not launching the CM12 console with this account.

March 30th, 2015 1:07pm

It's only one account which is attempting to access these sites. It's the account that is configured for client push installation, SUP Proxy Server account, as well as for Network Access account.

No, we are not launching the CM12 console with this account.

So which of those tasks is causing it to go to those sites?

BTW, it is not recommended that NAC and Push accounts share the same account.

I always recommend that you use three different accounts.

March 30th, 2015 1:44pm

So which of those tasks is causing it to go to those sites?

No idea which task would be the cause. Should it be logged somewhere in the logs?

So do you think SCCM is not supposed to access these sites for any certificates related task?

March 30th, 2015 11:04pm

Those sites will be accessed by anything that provides SSL public keys to the server as it validates the cert against the published CRL.  That's a function of the RFC for SSL and thus the core OS, not SCCM specifically.

Based on symptoms I'm going to take an educated guess that you probably have some servers in the DMZ in workgroup mode checking into a MP and your Site server is just trying to validate the client certificate as they aren't defaulting to one assigned by your internal PKI ... this causes the site server to do a reality check to make sure said certs are valid.

Complete shot in the dark of course ... the real answer is:  you should be looking at what is contacting your SCCM server and causing it to do a cert validity lookup.  As to "should I block it" ... I don't know why you ever would want to prevent a server from validating the legitimacy of a certificate.

March 30th, 2015 11:32pm
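
The revocation lookups discussed in this thread can be traced on the server itself through the Windows CAPI2 operational log. The script below is an added example, not part of the original thread: it searches that log for the hosts listed in the question and reports which process and account triggered each lookup. It assumes the CAPI2 log is enabled and that its events carry the fetched URL (and, where present, a `ProcessName` attribute) in the event XML.

```powershell
# Added example, not from the thread. Run elevated on the site server.
# Assumption: CAPI2 logging was enabled before the traffic occurred, e.g.
#   wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

# Hosts copied from the question in this thread.
$caHosts = @(
    'crl.microsoft.com', 'crl.thawte.com', 'ocsp.thawte.com',
    'evsecure-ocsp.thawte.com', 'crl.verisign.com', 'ocsp.verisign.com',
    'clients1.google.com', 'pki.google.com', 'www.google-analytics.com',
    'g.symcd.com', 'tc.symcd.com', 'crl.geotrust.com', 'ts-ocsp.ws.symantec.com'
)
$alternation = ($caHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
$urlRegex  = [regex]('https?://(?:' + $alternation + ')[^\s<"]*')
$procRegex = [regex]'ProcessName="([^"]+)"'

$events = Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents 5000

$hits = foreach ($e in $events) {
    $xml  = $e.ToXml()
    $urls = @($urlRegex.Matches($xml) | ForEach-Object { $_.Value } | Sort-Object -Unique)
    if ($urls.Count -eq 0) { continue }

    # Process name: taken from the event body when present (assumed attribute),
    # otherwise resolved from the PID if that process is still running.
    $pm = $procRegex.Match($xml)
    if ($pm.Success) { $procName = $pm.Groups[1].Value }
    else {
        $p = Get-Process -Id $e.ProcessId -ErrorAction SilentlyContinue
        $procName = if ($p) { $p.ProcessName } else { "PID $($e.ProcessId)" }
    }

    # Translate the SID recorded in the event header to an account name.
    $user = "$($e.UserId)"
    try { $user = $e.UserId.Translate([Security.Principal.NTAccount]).Value } catch { }

    [pscustomobject]@{
        Time = $e.TimeCreated; EventId = $e.Id
        Process = $procName; User = $user; Urls = $urls -join '; '
    }
}

# One row per process/account pair, with the listed URLs seen in its events.
$hits | Group-Object Process, User | ForEach-Object {
    [pscustomobject]@{
        Process = $_.Group[0].Process; User = $_.Group[0].User; Events = $_.Count
        Urls = ($_.Group.Urls -split '; ' | Sort-Object -Unique) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

Sorting `$hits` by `Time` and comparing against the proxy or firewall log entries for the service account shows which certificate validation each outbound request belongs to.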

This topic is archived. No further replies will be accepted.