Fast Channel for System Management - Client Notification in System Center 2012 Configuration Manager SP1


Overview

Historically, the System Center Configuration Manager line of products has used a pull-based client communication mechanism. As a result, in large-scale enterprise environments, when an administrator initiates a task, it can take minutes or even hours for each client to receive that task, run it and then report the result back to the server. For common scenarios this is an appropriate trade-off, but it is problematic when such tasks are mission-critical and time-sensitive (e.g., anti-malware operations). The latency is also more noticeable in data center environments where servers have only a limited window reserved for management tasks. How useful would it be to push IT administration tasks much faster? Configuration Manager 2012 SP1 provides this capability through a fast "client notification" channel between the server and the managed clients.

What is “Client Notification”?

Client notification is, by popular demand, a new and exciting infrastructure component introduced in Configuration Manager 2012 SP1, which can provide a fast channel that a Configuration Manager administrator can use to notify clients to initiate time-sensitive tasks as soon as possible.  The communication channel is push-based instead of dependent on the client policy polling interval. By using client notification, clients can establish a persistent connection with a management point. Subsequently, the server can notify the client of time-sensitive or urgent tasks over the channel and the client can perform an action in response to the message. In SP1, all System Center Endpoint Protection operations and the “Download Computer Policy” client action are implemented by using this channel.

How “Client Notification” works

Client notification is an end-to-end infrastructure composed of notification manager on the site server, notification server on the management point and notification agent on the client.

1)  Notification Manager

Notification manager is a component of the site server. Its responsibility is to generate push messages for client notification-enabled actions, update the client online presence status and client notification push results in the site database.

2)  Notification Server

Notification server is the server component on the management point. It is automatically deployed and installed on management points, including on secondary sites. Notification server performs the following functions:

  • Hosts both TCP and HTTP listeners in order to support client communications over either protocol.
  • Listens on the notification service broker queue in the site database to detect when push messages are generated.
  • Pushes the messages to online clients over the channel and periodically generates a file containing the results, which is stored in the site database. These results can be monitored from the Client Operations node of the Configuration Manager console.
  • Maintains a list of online clients and periodically generates online info into a file which is sent to the site server.

3)  Notification Agent

Notification agent is a client component hosted in CCMEXEC.exe. As part of client initialization, it establishes a persistent connection with the notification server. Clients that communicate via a secondary site establish the connection with the notification server on the proxy management point. The agent tries TCP mode first, then falls back to HTTP mode if that fails (for example because of firewalls or Internet proxies that do not allow the TCP traffic). If the connection is dropped (e.g., because of a network issue), notification agent attempts to reconnect.

Client notification supports both the TCP and HTTP communication protocols. TCP is the primary mode used, which requires an extra port to be opened in firewalls, and HTTP is the fallback option and doesn’t need any prerequisite configuration. The respective workflow is nearly the same. Take TCP mode as an example.

1)  Client notification Infrastructure is by default enabled end-to-end. During client initialization, notification agent will first attempt to establish a persistent TCP Connection to notification server on the current management point. Once successful, notification agent will periodically send a keep-alive message every 15 minutes to maintain the connection.  If the client fails to establish a TCP Connection, notification agent will try the HTTP protocol.

2)  Notification server on the management point computer accepts the client's connection request after TLS (Transport Layer Security) authentication has passed. Notification server then manages all active connections and generates online status data every 5 minutes, which is placed in <Site Server Install Dir>\inboxes\bgb.box\.

3)  Notification manager will read the Online files (*.BOS) from bgb.box, and update the online presence info in the site database.

4)  When an administrator initiates a supported client operation from the Configuration Manager console, that action will be translated into a client notification message and placed into the database service broker queue.

5)  Notification server will detect the message request and get the message from the service broker queue and then push the message to online clients over the persistent channel.

6)  Upon receiving the message over the channel, notification agent will perform the corresponding action based on the message content: either notify the Endpoint Protection client to perform an action (e.g. quick scan), or notify the client to request machine policy as soon as possible. The notification result will be sent back to notification server.

7)  Notification server summarizes the task push results periodically and exports them into files to be placed in <Site Server Install Dir>\inboxes\bgb.box\.

8)  Notification manager processes the task push result files (*.BTS) and updates the site database.

Note: While this has been an attempt to provide interested administrators with more information about how the client notification channel works, this article contains many implementation details (like timeout lengths) that are subject to change in future releases of System Center Configuration Manager.


How to use “Client Notification”

  1. Configure the client notification port.
    By default, client notification communication uses TCP port 10123. In the Configuration Manager console, click Administration, expand Site Configuration, click Sites, and open the Properties dialog; from here you can configure the TCP port value on the Ports tab. You might have to configure the firewall on the management point, on the clients, and on any intervening firewalls to allow communication over this port. However, client notification can fall back to using HTTP and HTTPS.
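    The following PowerShell is an added example (not part of the original post) for checking the two sides of this step: from a client, whether the management point's client notification TCP port is reachable, and on the management point, that an inbound Windows Firewall rule for that port exists. The management point name and site port are placeholders, and Test-NetConnection / New-NetFirewallRule assume Windows 8 / Windows Server 2012 or later.

```powershell
# Added example, not code from the original post or from Configuration Manager.
# Assumptions: $ManagementPoint is a placeholder; $Port is the default client
# notification port (10123) unless changed on the site's Ports tab.
param(
    [string]$ManagementPoint = 'MP01.contoso.local',   # placeholder MP name
    [int]$Port               = 10123                    # default notification port
)

function Test-ClientNotificationPort {
    # Run on a client: the notification agent tries TCP first and falls back
    # to HTTP/HTTPS through IIS on the management point if TCP is blocked.
    param([string]$Server, [int]$TcpPort)
    $probe = Test-NetConnection -ComputerName $Server -Port $TcpPort -WarningAction SilentlyContinue
    [pscustomobject]@{
        ManagementPoint = $Server
        Port            = $TcpPort
        TcpReachable    = $probe.TcpTestSucceeded
        Note            = if ($probe.TcpTestSucceeded) { 'TCP channel available' }
                          else { 'TCP blocked (firewall/proxy); agent will fall back to HTTP' }
    }
}

function Enable-ClientNotificationFirewallRule {
    # Run on the management point with administrative rights: create the inbound
    # allow rule once, then return it so the result can be verified.
    param([int]$TcpPort)
    $name = "ConfigMgr Client Notification (TCP $TcpPort)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $TcpPort -Action Allow -Profile Domain | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name
}

# Client-side check; on the MP run Enable-ClientNotificationFirewallRule -TcpPort $Port instead.
Test-ClientNotificationPort -Server $ManagementPoint -TcpPort $Port | Format-List
```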

  2. Notify Endpoint Protection Agent to perform an action as soon as possible.
    Among Endpoint Protection operations, Full Scan and Quick Scan are one-time operations and therefore depend only on the client notification channel. Other operations go through both the client notification channel and the traditional policy channel. From a client notification perspective, the validity period for a task is one hour. For example, if a client is offline when the task is triggered, the initial push fails. If the client comes online within one hour of the task push, notification server re-pushes the task to it. If the client comes online more than one hour later, the task is not pushed because it will have expired.

  3. Notify clients to download computer policy right now.
    Download Computer Policy is a newly added client operation in Configuration Manager SP1. It notifies the selected clients or collection to download computer policy as soon as possible, outside the configured client policy polling interval. In the Configuration Manager console, click Assets and Compliance; in the Assets and Compliance workspace, click Collections and select the device collection containing the computers that you want to download policy; then, on the Home tab, in the Collections group, click Client Notification and then click Download Computer Policy. When you perform this client operation on a collection, all online clients within the hierarchy belonging to that collection are notified. You can also notify specific computers, instead of the whole collection, to download policy as soon as possible.

    There is also a confirmation dialog that pops up to inform you of the estimated number of online clients.

    The client will request policy from the management point as soon as possible as shown in the figure below:

  4. Monitor Client Operation Status.
    You can monitor the client operation status in the Client Operations node in the Monitoring workspace. If the task is successfully delivered to clients, it will be counted in the Success column.


Troubleshooting Tips

  1. Notification manager and notification server provide rich status messages that can help you monitor client notification tasks. In the Configuration Manager console, click Monitoring, expand System Status, click Component Status, select SMS_NOTIFICATION_SERVER or SMS_NOTIFICATION_MANAGER, and then click Show Messages to see status messages for this component.

  2. You can also use the following log files to help you troubleshoot client notification problems.

    Component              Log
    ---------------------  ---------------------------------------------------------
    Notification Manager   <smssiteserver setup dir>\logs\bgbmgr.log
    Notification Server    <mp setup dir>\logs\BGBServer.log
                           <sms_ccm dir or client setup dir>\logs\BgbHttpProxy.log
                           For installation issues:
                           <mp setup dir>\logs\BgbSetup.log
                           <mp setup dir>\logs\bgbisapiMSI.log
    Notification Agent     <client setup dir>\logs\CcmNotificationAgent.log


Frequently Asked Questions

Question: Does client notification work with mobile devices or Mac computers?

Answer: Client notification only supports Windows computer clients and embedded clients.

Question: How does client notification load balancing work?

Answer: Notification agent will identify the notification server based on the client’s assigned management point. If the assigned management point gets changed, notification agent will close the current connection and connect to the notification server located on the newly assigned management point. This helps to ensure that the connection load is balanced.

Question: Can I see the online status of clients from the Configuration Manager console?

Answer: Not currently. We are considering this for a future release.

Question: Which Windows Management Instrumentation (WMI) class will include the client computer online status?

Answer: SMS_CN_ClientStatus is an SMS Provider class that defines the client computer online status information. The OnlineStatus property holds the online status of the client computer: a value of 1 means online and 0 means offline. The ChannelType property differentiates the protocol used by the client notification channel: ChannelType = 0 stands for the TCP protocol and 1 for the HTTP protocol.

Note: the class name is a prerelease class name and is subject to change.
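As an added example (not from the original post), the following PowerShell queries SMS_CN_ClientStatus through the SMS Provider and summarises clients by presence and channel, which shows how many clients fell back to HTTP because the TCP port was blocked. The SMS Provider computer name and site code are placeholders; the class name was prerelease at the time of writing, as noted above.

```powershell
# Added example, not code from the original post or from Configuration Manager.
# Uses only the properties the post documents: OnlineStatus (1 = online, 0 = offline)
# and ChannelType (0 = TCP, 1 = HTTP). Provider server and site code are placeholders.
param(
    [string]$ProviderServer = 'SITESERVER01',   # placeholder SMS Provider computer
    [string]$SiteCode       = 'PS1'             # placeholder three-character site code
)

$namespace = "root\SMS\site_$SiteCode"
$rows = Get-WmiObject -ComputerName $ProviderServer -Namespace $namespace -Class SMS_CN_ClientStatus

$onlineText  = @{ 0 = 'Offline'; 1 = 'Online' }
$channelText = @{ 0 = 'TCP';     1 = 'HTTP'   }

function Convert-Code {
    # Map a numeric code to its label; offline rows may carry no channel at all.
    param([string]$Code, [hashtable]$Map)
    if ([string]::IsNullOrWhiteSpace($Code)) { return 'n/a' }
    $value = $Map[[int]$Code]
    if ($null -eq $value) { "Unknown($Code)" } else { $value }
}

# Group into presence/channel combinations; Group-Object joins the two
# property values into Name as "<OnlineStatus>, <ChannelType>".
$summary = $rows |
    Group-Object -Property OnlineStatus, ChannelType |
    ForEach-Object {
        $status, $channel = $_.Name -split ',\s*', 2
        [pscustomobject]@{
            OnlineStatus = Convert-Code -Code $status  -Map $onlineText
            Channel      = Convert-Code -Code $channel -Map $channelText
            Clients      = $_.Count
        }
    } |
    Sort-Object OnlineStatus, Channel

$summary | Format-Table -AutoSize
```

A large Online/HTTP count relative to Online/TCP points at firewalls or proxies blocking the TCP port (10123 by default) on the path to the management point.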

Question: How long is each task re-pushed once it has been created?

Answer: 1 hour

Question: Which processes contain notification server code?

Answer: Notification server code runs in smsexec.exe, dllhost.exe (managed code TCP listener) and w3wp.exe (HTTP ISAPI).

Question: Why can't the client notification agent establish a TCP connection?

Answer: The most common reason is that the configured TCP port (10123 by default) is still blocked by firewall policy.

Question: Will an MP be overloaded by triggering download machine policy?

Answer: Notification server implements a push throttling mechanism. The default value is 42 client notifications per second, so the load added to the MP is controlled. You can configure the value through the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\NotificationServer\Task Throttle Param. However, it is still not recommended to target this action at large collections (e.g., All Systems) except under extreme circumstances that warrant it.

Question: How do I determine how many clients are connected to each management point?

Answer: The following SQL query, run against the site database, returns the number of online clients per management point:

-- Online client count per notification server (management point),
-- sorted ascending by the count (the original ORDER BY 2).
SELECT B.ServerName,
       A.OnlineClients AS 'Online Clients'
FROM   Bgb_Server B
LEFT JOIN dbo.v_BgbServerCurrent A
       ON A.ServerID = B.ServerID
ORDER BY A.OnlineClients;

Question: When the client service is started, will it connect to notification server immediately?

Answer: Notification agent will sleep a random number of seconds between 0 and 10 minutes before it contacts the notification server in order to avoid excessive network bandwidth usage if multiple computers are powered on simultaneously (for example at the start of the business day).

Question: When a client computer enters sleep mode or leaves the network, will Notification Server know that?

Answer: Yes. If notification server receives nothing from notification agent for 20 minutes, it will drop the connection if it’s there and set the client’s online status to Offline.

Question: If the client is offline and comes online later, will it be able to receive the missed task through the client notification server?

Answer: When the client comes online again, if the task assigned to it has expired, notification server will not notify it again. If the task is still valid, notification server re-pushes the task to the client.

Question: If the client communicates with a management point in a secondary site, which notification server will it connect to?

Answer: The client will connect to the notification server in the proxy management point.

Question: Will Internet-facing clients be able to go through the client notification channel?

Answer: Yes. While it is likely that the TCP connection will fail due to firewalls and proxies in the communication path, clients should still be able to use HTTPS to connect to the notification server.

Question: Will notification server work with clustered SQL Server?

Answer: Yes.

Question: Does notification server support a management point in a site database replica?

Answer: Yes. Notification server supports management points in a site database replica.

Question: For roaming clients, will the client connect to the notification server on the local management point?

Answer: No. While a client will make use of a proxy management point, globally roaming clients will still establish connection to the notification server in the assigned management point.

Summary

I hope that this blog post helps you to gain a better understanding of the newly introduced client notification infrastructure in Configuration Manager 2012 SP1 and provides you with information about some typical troubleshooting problems with solutions.

--Randy Xu

This posting is provided "AS IS" with no warranties and confers no rights.

Comments
  • Great detailed post and fantastic new feature for SP1

  • Great work. It is very important tools, whom so not enough now

  • Hi Randy, thx for this very informative post. Do you plan to make this model extensible via SDK? For example, many SCCM admins today use tasks to trigger inventory or sw distribution on demand. Currently these tasks require a WMI connection to the agent; it would be great to be able to extend the notification channel to implement custom actions. Any plan on it?

  • Nice blog post Randy.

  • Thanks for posting about this.  To do something "Now!!" is something what SMS/SCCM admins have been asking for for some time and it is great to see that it has now been implemented.

  • To: Daniele

    Thanks for your comments. In SP1, Endpoint Protection Operations and Request Machine Policy actions are enabled first on the notification channel. Your proposal will definitely be considered. With them enabled in the notification channel, it will be more reliable and more flexible than creating WMI connections to the agent. Because policy request is already available in CM 12 SP1, you can leverage Software Distribution + Download policy now to implement other actions you want, like do inventory, download sw now. Wish it helpful. Welcome more feedback.

  • Awesome feature... We love it :)

  • Hi

    This is great. Not a day too soon :)

    But how about Client push? Why not use that to more than just for the cm client. Client push is quite fast and does not need a cm Client :)

  • This is how posts should look like, very detailed and explained well. Good work Randy and the team!

  • I'm having problem with this... client notification doesn't start although firewall shouldn't be the problem..

    On the client side I'm getting (CCMNotificationAgent.log):

    Failed to receive expected response from the server with error 80090330

    Any ideas?!

  • Hi All,

    I'm also seeing the following error message on some clients, as described by 'T'

    Error: DecryptMessage

    Failed to reveive buffer from server with err=0x80090330

    Failed to receive expected response from the server with error 80090330

    any ideas ?

  • When Client Notification is triggered how does Config Manager evaluate whether a client is online or not? I keep getting a message that the client is not online in cases where it certainly is.

  • Great article. If your console is connected to the CAS and your clients are using the Notification Manager on the secondary site, does 10123 need to be open between the CAS and the Primary, and the Primary to Secondary?

  • Hi, I need help. I am using SCCM 2012 with SP1. All features and components are working (ex. definition deployments, application packages, manual quick scan, etc.) except when I issue Quick Scan from my SCCM Console. If I create a scheduled quick scan it works. Not only Quick Scan, but Full Scan and the Download Policy option. It appears that all "one-time" demands are not working. Here's a thread on this issue: social.technet.microsoft.com/.../endpoint-quick-scan-no-status-in-client-operations

  • Great blog post.  Question: Why open port 10123 when communication can fall back to HTTP or HTTPS?  What am I gaining using port 10123?