ThomasFaherty-0316 asked:

Getting a DMZ server to talk to an internal MP so it can be managed. I am close, but it seems I am missing something.

Hello,

Recently I was asked to bring a machine in our DMZ under patch control of our SCCM system. We've given it our main CA cert, along with a client auth cert from our SCCM server. I can hit the MP list URL and SMS_MP/.sms_aut?SITESIGNCERT from a browser, but I seem to be getting some errors in my ClientLocation log (attached) that lead me to think it's unable to talk. I added our site server info to the lmhosts file along with the hosts file, which allows me to ping our management point. Then I ran a client install specifying the site server FQDN and so on. The client installs and says it is on the internet, but then won't talk. The logs seem to recognize the site server, but I am missing something. I am hoping someone can catch what I have missed here.

SCCM version 2010 running on Windows Server 2016

135607-clientidmanagerstartup.log
135675-clientlocation.log



1 Answer

Amandayou-MSFT answered:

Hi @ThomasFaherty-0316,

Could we know whether there is an MP or SUP role in the DMZ? In our environment, it is recommended to install a new site server that has the MP/DP/SUP roles for your test servers, for more flexible management.
Here is the article about the best practice of deploying update patches to a DMZ server:
https://social.technet.microsoft.com/Forums/office/en-US/921bc8c2-e8b6-4f78-af1a-b589edd8b163/the-best-practice-of-deploying-updates-patch-in-dmz-server-quotsccm-wsus-quot?forum=configmanagergeneral

If it already exists, we could try connecting to the DMZ MP to check whether it is working and whether there are any errors in these logs.


No, nothing in the DMZ. I suggested that we set some stuff up in the DMZ, but was told they don't want to go that far just yet, so I am trying to get things to talk inward for the time being. I will read the best practices and see if there is anything in there that can help.


So it looks like this led me down the right path. I think I was just missing the use-PKI command switch when I installed the client, and because I didn't have that, it wasn't using it. Thank you again for your help!

ccmsetup.exe /UsePKICert /NoCRLCheck SMSSITECODE=<SITENAME> SMSMP=<MP-FQDN>


I wanted to add more info in case anyone else runs into the same situation of trying to pull a client from a DMZ workgroup into SCCM.

I added our root CA cert and our SCCM client auth cert onto the machine, then followed this guide:

https://www.windows-noob.com/forums/topic/8977-how-can-i-remotely-control-workgroup-computers-in-system-center-2012-configuration-manager/

with the one exception being that I used the command line to install the client, in this format:

ccmsetup.exe /UsePKICert /NoCRLCheck SMSSITECODE=<SITENAME> SMSMP=<MP-FQDN>

To use ccmsetup.exe, you should at this point be able to browse to your client location, as long as it is network hosted, at something like

\\SCCM-Server.company.com\ClientFolder\

From here you can either copy the client over or modify the command to run from the network location.

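As an added pre-flight check for the procedure described in the comments above (this is example code, not from the thread or from Microsoft), the following PowerShell script verifies the pieces the commenter had to get right on a workgroup DMZ host: the root CA in the machine trust store, a client-authentication certificate with a private key, name resolution and TCP 443 to the MP, and the MP list URL answered with that certificate, before running ccmsetup with the same switches. The MP name, site code, root thumbprint and ccmsetup path are placeholders to replace with your own values.

```powershell
# Added example, not code from this thread. All default values below are placeholders.
param(
    [string]$MpFqdn          = 'MP-FQDN.company.com',            # placeholder MP host name
    [string]$SiteCode        = 'SITENAME',                       # placeholder site code
    [string]$CcmSetupPath    = 'C:\Temp\ClientFolder\ccmsetup.exe', # copied from the share
    [string]$RootCaThumbprint = 'ROOT-CA-THUMBPRINT'             # placeholder thumbprint
)
$failed = @()

# 1. The issuing chain must be trusted: the root CA has to sit in LocalMachine\Root.
if (-not (Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootCaThumbprint)) {
    $failed += "Root CA $RootCaThumbprint is not in LocalMachine\Root"
}

# 2. A Client Authentication (EKU 1.3.6.1.5.5.7.3.2) cert with a private key must be in LocalMachine\My.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object ObjectId -eq '1.3.6.1.5.5.7.3.2') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { $failed += 'No Client Authentication cert with a private key in LocalMachine\My' }

# 3. Name resolution (honours the hosts-file entry the thread mentions) and HTTPS reachability.
try   { [void][System.Net.Dns]::GetHostAddresses($MpFqdn) }
catch { $failed += "$MpFqdn does not resolve" }
if (-not (Test-NetConnection -ComputerName $MpFqdn -Port 443 -InformationLevel Quiet)) {
    $failed += "TCP 443 to $MpFqdn is blocked"
}

# 4. The MP list URL the question tested in a browser, but presenting the client certificate.
if ($clientCert) {
    try {
        $r = Invoke-WebRequest -Uri "https://$MpFqdn/sms_mp/.sms_aut?mplist" `
                               -Certificate $clientCert -UseBasicParsing
        if ($r.StatusCode -ne 200) { $failed += "MPLIST returned HTTP $($r.StatusCode)" }
    } catch { $failed += "MPLIST request failed: $($_.Exception.Message)" }
}

if ($failed) { $failed | ForEach-Object { Write-Warning $_ }; exit 1 }

# 5. Install with the switches from the thread. /NoCRLCheck turns off revocation checking;
#    leave it out if the CA's CRL distribution point is reachable from the DMZ, so a
#    revoked client or MP certificate is still rejected.
$ccmArgs = "/UsePKICert /NoCRLCheck SMSSITECODE=$SiteCode SMSMP=$MpFqdn"
$p = Start-Process -FilePath $CcmSetupPath -ArgumentList $ccmArgs -Wait -PassThru
Write-Host "ccmsetup.exe exited with code $($p.ExitCode); review ccmsetup.log for the result"
```

Run it from an elevated PowerShell on the DMZ host; any warning it prints names the prerequisite that is still missing, which is usually quicker than reading ClientLocation.log after the fact.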