Issues with site system communication in DMZ

I have just set up an MP/SUP and a DP in our DMZ and am having issues with it.  The DMZ servers are in an AD domain in the DMZ that is not trusted by the internal domain.  I'm using HTTPS and intranet/internet settings on the DMZ systems, with certificates from the internal CA.  The following ports are open in the firewall:

Internal MP/SUP/SQL ---> DMZ MP/SUP (TCP & UDP 135, TCP 49152 to 65535, TCP 445, TCP 8531)

Internal MP/SUP/SQL ---> DMZ DP (TCP & UDP 135, TCP 49152 to 65535, TCP 445)

Internal MP/SUP/SQL <--- DMZ MP/SUP (TCP 8531, TCP 1433)

The DMZ DP appears to be working successfully, but I've been having major issues with the DMZ MP.  I was seeing the following error in SMS_MP_CONTROL_MANAGER for the DMZ MP - "MP Control Manager detected MP is not responding to HTTP requests.  The http error is 2147500037."  I also couldn't get the test client I installed in the DMZ to set its site code, even though I specified it from the ccmsetup command-line.

I tried uninstalling MP & SUP from the DMZ system and, after a few hours and a bunch of errors about not being able to read the registry, it finally uninstalled.

Before I try installing again, am I missing anything?  

April 16th, 2015 2:28pm

What does mpcontrol.log tell? (I guess that 2147500037 is taken from the site status only and not from the log?)
Also examine client-side logs. 
April 17th, 2015 2:06am

After re-installing the MP, I found that I didn't have a valid client cert from my internal CA on the server.  I fixed that, and now I'm seeing this in the mpcontrol.log on the DMZ MP after the certificate validation completes:

Call to HttpSendRequestSync failed for port 443 with status code 403, text: Forbidden

I found this article and implemented the registry changes and rebooted.  Seems to have fixed the HTTP issue

http://configmgrblog.com/2014/02/23/configmgr-2012-r2-internet-facing-mp-windows-server-2012-r2-note/

Still trying to figure out my "LSIsSiteCompatible : Failed to get Site Version from all directories" on the client.  It finds the MP via DNS, and gets that error right after "Attempting to retrieve site information from lookup MP(s) via HTTP"  Also seeing "Unable to verify sitecode 'XX1'. Cannot continue site assignment."


April 17th, 2015 12:23pm


That still looks like a client certificate issue. It looks like the management point is up-and-running, but that the management point can't validate it. Check the IIS log file for more information about the 403 error, as it will provide you with the required details about the error.
April 17th, 2015 2:25pm

It's strange.  I looked in the IIS logs on the MP and there is no indication that the client is even hitting the MP.  CCMMessaging.log file on the client shows that it's trying to communicate with the MP, and the FQDN is correct.  There is no firewall between the boxes (and Windows FW is off).  The Configuration Manager applet on the client does show Client Certificate: None.  I'm not sure why, as it does have a valid client auth cert.
April 17th, 2015 3:55pm


Are you absolutely sure it's a valid certificate that also can be validated via a CRL? If it can't connect to a CRL make sure that you use the /NoCRLCheck installation parameter. Do keep in mind that it's of course less secure.

Also, verify the ClientIDManagerStartup.log for more information about the certificate selection.

April 18th, 2015 1:55am
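
Added example, not part of the original thread: a PowerShell check for the question raised in the reply above, whether the client authentication certificate chains to a trusted root and whether its revocation information (CRL) can be retrieved from this host. It uses only the .NET X509Chain class; the function names and the Diagnosis wording are made up for this illustration.

```powershell
# Added example: run in an elevated PowerShell session on the DMZ client or MP.
# Function names are hypothetical; the .NET types and properties are standard.
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

function Get-ClientAuthCertificate {
    # Certificates in the computer's Personal store that carry the Client Authentication EKU
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }
}

function Test-CertificateChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$RevocationMode = 'Online'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = $RevocationMode
    $chain.ChainPolicy.RevocationFlag      = 'ExcludeRoot'
    $chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15

    $isValid = $chain.Build($Certificate)
    $flags   = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    $chain.Reset()

    [pscustomobject]@{
        IsValid = $isValid
        Flags   = $flags
    }
}

Get-ClientAuthCertificate | ForEach-Object {
    # Build the chain twice: with online revocation checking and with none.
    $online  = Test-CertificateChain -Certificate $_ -RevocationMode Online
    $noCheck = Test-CertificateChain -Certificate $_ -RevocationMode NoCheck

    $diagnosis =
        if (-not $_.HasPrivateKey) {
            'No private key: the certificate cannot be used for client authentication'
        }
        elseif ($online.IsValid) {
            'Chain and revocation check succeed'
        }
        elseif ($noCheck.IsValid) {
            # Typical flags here: RevocationStatusUnknown, OfflineRevocation
            'Chain is trusted, but the CRL cannot be retrieved from this host'
        }
        else {
            # Typical flags here: UntrustedRoot, PartialChain, NotTimeValid
            'Chain fails even without revocation checking'
        }

    [pscustomobject]@{
        Subject      = $_.Subject
        Thumbprint   = $_.Thumbprint
        NotAfter     = $_.NotAfter
        OnlineFlags  = $online.Flags -join ', '
        NoCheckFlags = $noCheck.Flags -join ', '
        Diagnosis    = $diagnosis
    }
} | Format-List
```

A result of "Chain is trusted, but the CRL cannot be retrieved from this host" means revocation checking is the only thing failing, which is the case the /NoCRLCheck parameter works around. Publishing the CRL at a distribution point reachable from the DMZ removes the need to turn revocation checking off.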

I uninstalled the client, rebooted, then re-ran the install with the /NoCRLCheck parameter, as we don't have a CRL in the DMZ yet.  Appears to be the same problem.  As far as I can tell the client cert is selected correctly.  The ClientIDManagerStartup.log is below:

[----- STARTUP -----] ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Machine: xxxxxxx ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
OS Version: 6.2 ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
SCCM Client Version: 5.00.7958.1000 ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Retrieved Certificate ID from registry successfully ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Client is set to use HTTPS when available. The current state is 448. ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
'RDV' Identity store does not support backup. ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
CCM Identity is in sync with Identity stores ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Deleted Certificate ID from registry successfully ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Begin searching client certificates based on Certificate Issuers ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Completed searching client certificates based on Certificate Issuers ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Begin to select client certificate ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Begin validation of Certificate [Thumbprint FF5BE829FC018C07DC2DAAD8B69B0AB2558597ED] issued to 'xxxxx' ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Completed validation of Certificate [Thumbprint FF5BE829FC018C07DC2DAAD8B69B0AB2558597ED] issued to 'xxxxx' ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
>>> Client selected the PKI Certificate [Thumbprint FF5BE829FC018C07DC2DAAD8B69B0AB2558597ED] issued to 'xxxxxx' ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Raising event:
instance of CCM_ServiceHost_CertRetrieval_Status
{
DateTime = "20150420135253.768000+000";
HRESULT = "0x00000000";
ProcessID = 3112;
ThreadID = 3404;
};
ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Failed to submit event to the Status Agent. Attempting to create pending event. ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Raising pending event:
instance of CCM_ServiceHost_CertRetrieval_Status
{
DateTime = "20150420135253.768000+000";
HRESULT = "0x00000000";
ProcessID = 3112;
ThreadID = 3404;
};
ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Client PKI cert is available. ClientIDManagerStartup 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Initializing registration renewal for potential PKI issued certificate changes. ClientIDManagerStartup 4/20/2015 9:53:02 AM 2192 (0x0890)
Succesfully intialized registration renewal. ClientIDManagerStartup 4/20/2015 9:53:02 AM 2192 (0x0890)
[RegTask] - Executing registration task synchronously. ClientIDManagerStartup 4/20/2015 9:53:02 AM 2192 (0x0890)
Read SMBIOS (encoded): 56004D0077006100720065002D00340032002000300062002000640035002000320064002000340039002000370037002000320039002000620030002D0035003200200061003000200033006100200065003800200038006300200032006300200034006600200035003500 ClientIDManagerStartup 4/20/2015 9:53:02 AM 2192 (0x0890)
Evaluated SMBIOS (encoded): 56004D0077006100720065002D00340032002000300062002000640035002000320064002000340039002000370037002000320039002000620030002D0035003200200061003000200033006100200065003800200038006300200032006300200034006600200035003500 ClientIDManagerStartup 4/20/2015 9:53:02 AM 2192 (0x0890)
No SMBIOS Changed ClientIDManagerStartup 4/20/2015 9:53:02 AM 2192 (0x0890)
SMBIOS unchanged ClientIDManagerStartup 4/20/2015 9:53:02 AM 2192 (0x0890)
SID unchanged ClientIDManagerStartup 4/20/2015 9:53:02 AM 2192 (0x0890)
HWID unchanged ClientIDManagerStartup 4/20/2015 9:53:04 AM 2192 (0x0890)
RegTask: Failed to refresh site code. Error: 0x8000ffff ClientIDManagerStartup 4/20/2015 9:53:21 AM 2192 (0x0890)
Sleeping for 281 seconds before refreshing location services. ClientIDManagerStartup 4/20/2015 9:53:23 AM 2192 (0x0890)



April 20th, 2015 10:00am


It seems to select a certificate. You need to dig deeper in your client log files.

Are you specifying the initial management point (SMSMP) during the installation? Also, is the client able to find somewhere that it has to use HTTPS (like DNS, or AD)?

April 20th, 2015 2:17pm

I am not specifying the MP during the install, but the _mssms_mp_xx1 DNS entry is set (and appears to work).  My command line for the install is (from a batch file):  %SERVERPATH%\Ccmsetup.exe /UsePKICert /NoCRLCheck SMSSITECODE=XX1 DNSSUFFIX=xxxx.xxx PATCH=%SERVERPATH%\%ARCH%\hotfix\KB2994331\configmgr2012ac-r2-kb2994331-%ARCH%.msp;%SERVERPATH%\%ARCH%\hotfix\KB3007095\configmgr2012ac-r2-kb3007095-%ARCH%.msp

Here are all the client log file errors.  I'll keep looking.

CCMMESSAGING.LOG every 5 minutes

[CCMHTTP] ERROR: URL=https://xxxx.xxxx.xxx/ccm_system/request, Port=443, Options=448, Code=0, Text=CCM_E_BAD_HTTP_STATUS_CODE CcmMessaging 4/20/2015 9:58:20 AM 2192 (0x0890)
Raising event:
instance of CCM_CcmHttp_Status
{
DateTime = "20150420135820.267000+000";
HostName = "xxxx.xxxx.xxx";
HRESULT = "0x87d0027e";
ProcessID = 3112;
StatusCode = 403;
ThreadID = 2192;
};
CcmMessaging 4/20/2015 9:58:20 AM 2192 (0x0890)
Successfully sent security settings refresh message. CcmMessaging 4/20/2015 9:58:20 AM 2192 (0x0890)
Successfully sent location services HTTPS failure message. CcmMessaging 4/20/2015 9:58:20 AM 2192 (0x0890)
Post to https://xxxx.xxxx.xxx/ccm_system/request failed with 0x87d00231. CcmMessaging 4/20/2015 9:58:20 AM 2192 (0x0890)

CLIENTLOCATION.LOG

Current AD forest name is xxxx.xxx, domain name is xxxx.xxx ClientLocation 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Domain joined client is in Intranet ClientLocation 4/20/2015 9:52:53 AM 3404 (0x0D4C)
Getting Assigned Site ClientLocation 4/20/2015 9:53:58 AM 3456 (0x0D80)
Getting Assigned Site ClientLocation 4/20/2015 9:54:00 AM 3696 (0x0E70)
Assigning client to site 'XX1' ClientLocation 4/20/2015 9:54:05 AM 3696 (0x0E70)
Unable to verify sitecode 'XX1'. Cannot continue site assignment. ClientLocation 4/20/2015 9:54:20 AM 3696 (0x0E70)

LOCATIONSERVICES.LOG

Won't send client assignment fallback status point message because last assignment message was sent too recently. LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Processing pending site assignment. LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Assigning to site 'XX1' LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
LSIsSiteCompatible : Verifying Site Compatibility for <XX1> LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Attempting to retrieve lookup MP(s) from AD LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
No lookup MP(s) from AD LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Attempting to retrieve lookup MP(s) from DNS LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Attempting to retrieve default management points from DNS LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Found DNS record of xxxx.xxxx.xxx port 443 LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Lookup Management Points from DNS: LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Name: 'xxxx.xxxx.xxx' HTTPS: 'Y' ForestTrust: 'N' LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Retrieved lookup MP(s) from DNS LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Attempting to retrieve site information from lookup MP(s) via HTTPS LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Failed to send site information Location Request Message to xxxx.xxxx.xxx LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
LSGetSiteVersionFromAD : Failed to retrieve version for the site 'XL1' (0x80004005) LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Attempting to retrieve lookup MP(s) from AD LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
No lookup MP(s) from AD LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Attempting to retrieve lookup MP(s) from DNS LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Attempting to retrieve default management points from DNS LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Found DNS record of xxxx.xxxx.xxx port 443 LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Lookup Management Points from DNS: LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Name: 'xxxx.xxxx.xxx' HTTPS: 'Y' ForestTrust: 'N' LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Retrieved lookup MP(s) from DNS LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Attempting to retrieve site information from lookup MP(s) via HTTP LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
LSIsSiteCompatible : Failed to get Site Version from all directories LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)
Won't send a client assignment fallback status point message because the last assignment error matches this one. LocationServices 4/20/2015 2:18:05 PM 2192 (0x0890)

SMSCLIUI.LOG

WARNING - Client is currently unassigned or an error occurred retrieving the assigned site. GetAssignedSite() returned : 0X0 smscliui 4/20/2015 9:53:58 AM 3872 (0x0F20)
wszMonikerName Elevation:Administrator!new:{9967A433-A640-4A56-8C3D-D8E8F95FF8F3} smscliui 4/20/2015 9:53:59 AM 3872 (0x0F20)
WARNING - Client is currently unassigned or an error occurred retrieving the assigned site. GetAssignedSite() returned : 0X80040002 smscliui 4/20/2015 9:54:00 AM 3872 (0x0F20)
Attempt to update the assigned site has failed. Error: 0X80004005 smscliui 4/20/2015 9:54:20 AM 3872 (0x0F20)

STATUSAGENT.LOG

Raising event (#1 of 1):
instance of CCM_CcmHttp_Status
{
DateTime = "20150420182305.374000+000";
HostName = "xxxx.xxxx.xxx";
HRESULT = "0x87d0027e";
ProcessID = 3112;
StatusCode = 403;
ThreadID = 2192;
};
StatusAgent 4/20/2015 2:23:05 PM 2192 (0x0890)
Successfully raised 1 event(s) StatusAgent 4/20/2015 2:23:05 PM 2192 (0x0890)
Event forwarder SmsClientEventForwarder:Instance0 received 1 events StatusAgent 4/20/2015 2:23:05 PM 3268 (0x0CC4)
[0132EB38] Handling 1 events StatusAgent 4/20/2015 2:23:05 PM 3268 (0x0CC4)
[0132EB38] Handling event class CCM_CcmHttp_Status StatusAgent 4/20/2015 2:23:05 PM 3268 (0x0CC4)
HandleFSPCcmHttpStatus - Failed to retrieve internet, proxy or assigned MP. Assuming 'xxxx.xxxx.xxx' is not a relevant MP. StatusAgent 4/20/2015 2:23:05 PM 3268 (0x0CC4)
Event forwarder SmsClientEventForwarder:Instance0 successfully handled 1 events StatusAgent 4/20/2015 2:23:05 PM 3268 (0x0CC4)

April 20th, 2015 2:33pm

There are some HTTP failures in the messaging log file, like this CCM_E_BAD_HTTP_STATUS_CODE. Can you resolve and connect to the management point? If so, can you see the client hit the management point in IIS?
April 20th, 2015 2:53pm

Just fixed one issue.  We don't have a CRL in the DMZ yet, and I found that in addition to having to disable CRL checking in SCCM and on the client install, it also needs to be disabled in IIS via a reg key.  Once I did that on the MP and rebooted, I was finally able to get the client to at least connect to the MP.  Still having issues on the client, but at least it's a step in the right direction.

Any idea why the message below would happen?  As far as I can tell, the DNS entry is set up correctly.  Would it be related to the HTTPS issues?

Attempting to retrieve default management points from DNS LocationServices 4/21/2015 7:48:54 AM 3760 (0x0EB0)
Found DNS record of xxxx.xxxx.xxx port 443 LocationServices 4/21/2015 7:48:54 AM 3760 (0x0EB0)
Skipping DNS record of xxxx.xxxx.xxx port 443 as it is not compatible with Client LocationServices 4/21/2015 7:48:54 AM 3760 (0x0EB0)
Failed to retrieve compatible DNS service record using _mssms_mp_ps1._tcp.xxxx.xxx lookup LocationServices 4/21/2015 7:48:54 AM 3760 (0x0EB0)
Failed to retrieve Default Management Points from DNS LocationServices 4/21/2015 7:48:54 AM 3760 (0x0EB0)


April 21st, 2015 7:56am

It looks like the client found a management point that's running HTTPS and the client is running HTTPS itself.
April 21st, 2015 8:05am
