A closer look at Internet Based Client Management in ConfigMgr 2012


~ Prabhat Joshi

Hello Everyone, Prabhat Joshi here with another Configuration Manager support tip for you, this time for Internet Based Client Management (IBCM) in System Center 2012 Configuration Manager (ConfigMgr 2012).

Internet Based Client Management allows you to manage Configuration Manager clients when they are not connected to your company network but still have a standard Internet connection. This arrangement has a number of advantages, including the reduced costs of not having to run virtual private networks (VPNs) and being able to deploy software updates in a timely manner.

Because of the higher security requirements of managing client computers on a public network, Internet Based Client Management requires that the site uses PKI certificates. This ensures that connections to the management point, software update point and distribution points are authenticated by an independent authority, and that data to and from these site systems is encrypted using Secure Sockets Layer (SSL).

New supported scenarios

1. User policies are supported when the Internet based MP can authenticate the user by using Windows authentication.

2. Task Sequences are supported for simple scripts. However, just like in ConfigMgr 2007, deploying an OS over the Internet is still not supported.

3. Clients can download required software updates from Microsoft Update rather than from an Internet based DP in their assigned site.

Unsupported scenarios

Not all client management functionality is appropriate for the Internet; therefore those features are not supported when clients are managed on the Internet. The features that are not supported for Internet management typically rely on Active Directory Domain Services or are not appropriate for a public network, such as network discovery and Wake-on-LAN (WOL).

The following features are not supported when clients are managed on the Internet:

- Client deployment over the Internet, such as client push and software update-based client deployment. Instead, use manual client installation.

- Automatic site assignment.

- Network Access Protection (NAP).

- Wake-on-LAN.

- Operating system deployment. However, you can deploy task sequences that do not deploy an operating system; for example, task sequences that run scripts and maintenance tasks on clients.

- Remote control.

- Out of band management.

- Software deployment to users, unless the Internet-based management point can authenticate the user in Active Directory Domain Services by using Windows authentication (Kerberos or NTLM). This is possible when the Internet-based management point trusts the forest where the user account resides.

Additionally, Internet-based client management does not support roaming. Roaming enables clients to always find the closest distribution points to download content. Clients that are managed on the Internet communicate with site systems from their assigned site when these site systems are configured to use an Internet FQDN and the site system roles allow client connections from the Internet. Clients non-deterministically select one of the Internet-based site systems, regardless of bandwidth or physical location.

Prerequisites for IBCM

- Clients and Site Systems supporting IBCM should have Internet Connectivity.

- Site systems that will support Internet-based client management must be in an Active Directory domain, but can be in a different Active Directory forest from the forest that contains the site server.

- You must have a supporting public key infrastructure (PKI) that can deploy and manage the certificates required by the clients that are managed on the Internet and by the Internet-based site system servers.

For more information see Planning for Communications in Configuration Manager at http://technet.microsoft.com/en-us/library/gg712701.aspx#BKMK_PrerequisitsForInternetClientMgmt.

The links below can help you in planning & configuring IBCM in your environment:

- Planning for IBCM: http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients

- Planning for Communications in Configuration Manager: http://technet.microsoft.com/en-us/library/gg712701.aspx

- Planning for Certificates: http://technet.microsoft.com/en-us/library/gg712284.aspx#BKMK_PlanningForCertificates

- PKI Certificate Requirements for Configuration Manager: http://technet.microsoft.com/en-us/library/gg699362.aspx

- Step by step deployment of certificates: http://technet.microsoft.com/en-us/library/gg682023.aspx

ConfigMgr client install scenarios for IBCM

Internet-only management: Such clients will always contact the FQDN of the Internet Management Point (MP). Below is an example command line used to install a client in this manner.

Ccmsetup.exe /usepkicert ccmhostname="FQDN of Internet MP" smssitecode="Site code" CCMALWAYSINF=1

Internet or Intranet management: Clients configured for this scenario will be able to contact the FQDN of both the Internet and the Intranet MP, depending on the network the client is on (e.g. LAN or Internet). Note that workgroup clients do not support this scenario. Here's a command line for this type of install:

Ccmsetup.exe /usepkicert smsmp="FQDN of Intranet MP" ccmhostname="FQDN of Internet MP" smssitecode="Site code"

See the article below to understand the purpose of switches used in both cases. You may add more of them depending upon your requirements.

How to Install Clients on Windows-Based Computers in Configuration Manager : http://technet.microsoft.com/en-us/library/gg712298.aspx

Basic things to check when troubleshooting IBCM client install & registration scenarios

- There should be a site system that will be used as an Internet Management Point. It should be published via public DNS. If there is only one site system that is a site server itself then you can still use it as an Internet MP.

- Under site properties, verify “Client computer communication -> client computer settings” and make sure that “Use PKI client certificate when available” is checked.

- For the site system that will act as an Internet MP, please make sure that the correct FQDN has been specified under the Site System property "Specify an FQDN for this site system for use on the Internet".

- In the Internet MP properties, make sure that HTTPS is enabled (checked), and depending upon your requirement, that either “Allow Internet-only connections” or “Allow Internet and Intranet connections” is checked.

- After the above is done, make sure that the web server certificate has the name of the Internet MP in the Subject Alternative Name. After you have done this, then bind this certificate in IIS and check MPcontrol.log to confirm the health of the MP.

Some common client registration issues

Symptoms: After installing a ConfigMgr 2012 agent on an IBCM client, the machine is unable to register with the Internet facing Management Point. The following errors can be seen:

Client machine log:

ClientIDmanagerstartup.log - Server rejected request 3

Server Side log:

MP_Registration.log - Registration hint is expired.
CCMValidateAuthHeaders failed (0x87d0029b) to validate headers for client 'GUID:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
MP Reg: Certificate is not valid, HR = 0x80092012, In-band Cert SubjectName = xxxxxxx.COM (NAME OF THE CLIENT MACHINE)

Cause: Error 0x80092012 reads "The revocation function was unable to check revocation for the certificate." In this case the CRL was neither published nor accessible from the client machine, and port 10123 was blocked on the hardware firewall for traffic coming from the outside network into the internal network.

Resolution:

First publish the CRL and verify that it can be accessed from the client. You can verify whether the CRL is accessible by running the following command:

certutil -verify -urlfetch <cert name>.cer

If this shows that the CRL is not accessible, check the ports. You may notice that port 10123 is blocked.

Port 10123 is used by the Management Point to notify client computers about an action that it must take when an administrative user selects a client action in the Configuration Manager console, such as download computer policy or initiate a malware scan. If this is blocked, add the following as an exception to the Windows Firewall:

Outbound: TCP Port 10123

If this communication does not succeed, Configuration Manager automatically falls back to using the existing client-to-Management Point communication port of HTTP or HTTPS:

Outbound: TCP Port 80 (for HTTP communication)
Outbound: TCP Port 443 (for HTTPS communication)
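As an added example (not part of the original post), the following PowerShell script automates the two checks above from the client: it reads the CRL distribution point URLs out of the client's PKI certificate and fetches each one, then tests outbound TCP reachability of ports 443 and 10123 on the Internet MP. The MP name mp.contoso.com is a placeholder and the certificate selection logic is an assumption.

```powershell
# Added example: verify CRL reachability and MP port connectivity from an IBCM client.
# Assumptions: the client authentication certificate is in the local machine's Personal
# store, and 'mp.contoso.com' is a placeholder for the Internet MP FQDN.
param(
    [string]$InternetMp = 'mp.contoso.com',   # placeholder, replace with the real Internet MP FQDN
    [string]$Thumbprint = $null               # optional: pin a specific certificate
)

# Select a certificate with a private key and the Client Authentication EKU.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList | ForEach-Object { $_.FriendlyName }) -contains 'Client Authentication' }
if ($Thumbprint) { $certs = $certs | Where-Object { $_.Thumbprint -eq $Thumbprint } }
$cert = $certs | Select-Object -First 1
if (-not $cert) { Write-Warning 'No client authentication certificate found.'; return }
Write-Host "Checking certificate $($cert.Subject) ($($cert.Thumbprint))"

# OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it
# as text from which the HTTP URLs can be extracted.
$cdp  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = @()
if ($cdp) {
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(http\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}
if (-not $urls) { Write-Warning 'Certificate carries no HTTP CRL distribution point.' }

# Fetch every CRL; an unreachable URL is the same failure certutil -urlfetch reports.
foreach ($url in $urls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Host ("CRL reachable: {0} ({1} bytes)" -f $url, $resp.RawContentLength)
    } catch {
        Write-Warning ("CRL NOT reachable: {0} - {1}" -f $url, $_.Exception.Message)
    }
}

# Client-to-MP ports: 443 for HTTPS policy/registration traffic, 10123 for client notification.
foreach ($port in 443, 10123) {
    $r = Test-NetConnection -ComputerName $InternetMp -Port $port -WarningAction SilentlyContinue
    Write-Host ("{0}:{1} TCP reachable = {2}" -f $InternetMp, $port, $r.TcpTestSucceeded)
}
```

Run it on the Internet-connected client; a reachable CRL together with an open port 443 but a closed 10123 points at the firewall exception described above rather than at the PKI.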

======

Symptoms: After installing a ConfigMgr 2012 agent on an IBCM client, the machine is unable to register with the Internet facing Management Point. The following errors can be seen:

Locationservices.log

LSRefreshTrustedKeyInfo failed with error '0x87d00306'
Failed to refresh trusted key info with error '0x87d00306'
Failed to validate the certificate
'308205E8308204D0A00302010202….0D99AAFC70BB0999B548CD07' from management point 'abc.test.com'

Raising event:
instance of CCM_LocationServices_ManagementPointCertificate_CrossVerificationFailure

{
DateTime = "20130819094515.860000+000";
ManagementPoint = "abc.test.com";
ProcessID = 1608;
ThreadID = 2192;
};

Refreshed Certificate Information over HTTP
Failed to verify message. Could not retrieve certificate from MPCERT.
MPCERT requests are throttled for 00:04:59
Failed to send site information Location Request Message to abc.test.com
LSIsSiteCompatible : Client is Always on Internet. Unable to check compatibiliy of Site <SITE CODE>
LSRefreshSiteCode failed with error (0x8000ffff)

Cause: This can occur if the trusted root key on the client is incorrect or non-existent. Follow the steps below to verify whether the trusted root key exists:

1. On the Start menu, click Run, and then type Wbemtest.

2. In the Windows Management Instrumentation Tester dialog box, click Connect.

3. In the Connect dialog box, in the Namespace box, type root\ccm\locationservices and then click Connect.

4. In the Windows Management Instrumentation Tester dialog box, in the IWbemServices section click Enum Classes.

5. In the Superclass Info dialog box, select Recursive and then click OK.

6. In the Query Result window, scroll to the end of the list and then double-click TrustedRootKey ().

7. In the Object editor for TrustedRootKey dialog box, click Instances.

8. In the new Query Result window that displays the instances of TrustedRootKey, double-click TrustedRootKey=@

9. In the Object editor for TrustedRootKey=@ dialog box, in the Properties section, scroll down to TrustedRootKey CIM_STRING. The string in the right column is the trusted root key. Verify that it matches the SMSPublicRootKey value in the file <Configuration Manager directory>\bin\mobileclient.tcf.

If the key is not there, complete the resolution steps below.
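The Wbemtest procedure above can be scripted. As an added example (not part of the original post), this PowerShell reads the TrustedRootKey instance from root\ccm\locationservices on the client and compares it with the SMSPublicRootKey value parsed from mobileclient.tcf. The .tcf path (the site server's Configuration Manager install directory) is an assumption.

```powershell
# Added example: compare the client's trusted root key (WMI) with the site's
# SMSPublicRootKey from mobileclient.tcf. The path below is an assumption; the file
# lives under <Configuration Manager directory>\bin on the site server.
param(
    [string]$TcfPath = 'C:\Program Files\Microsoft Configuration Manager\bin\mobileclient.tcf'
)

function Get-ClientTrustedRootKey {
    # Same object the Wbemtest steps reach: namespace root\ccm\locationservices,
    # singleton instance TrustedRootKey=@, property TrustedRootKey (CIM_STRING).
    $obj = Get-WmiObject -Namespace 'root\ccm\locationservices' -Class 'TrustedRootKey' -ErrorAction Stop
    return [string]$obj.TrustedRootKey
}

function Get-SitePublicRootKey([string]$Path) {
    # mobileclient.tcf is an INI-style text file; the line SMSPublicRootKey=<hex> is the value to compare.
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*SMSPublicRootKey\s*=\s*(\S+)') { return $Matches[1] }
    }
    throw "SMSPublicRootKey not found in $Path"
}

$clientKey = Get-ClientTrustedRootKey
$siteKey   = Get-SitePublicRootKey -Path $TcfPath

if ([string]::IsNullOrEmpty($clientKey)) {
    Write-Warning 'Client has no trusted root key; reinstall the client specifying the trusted root key.'
} elseif ($clientKey -eq $siteKey) {      # -eq is case-insensitive in PowerShell
    Write-Host 'Trusted root key matches SMSPublicRootKey.' -ForegroundColor Green
} else {
    Write-Warning 'Trusted root key does NOT match SMSPublicRootKey.'
    Write-Host "Client: $clientKey"
    Write-Host "Site:   $siteKey"
}
```

A missing or mismatched key is exactly the condition that produces the LSRefreshTrustedKeyInfo 0x87d00306 errors shown above, because the client cannot verify the MP certificate it receives.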

Resolution:

Uninstall the client using the ccmclean utility, then reinstall it by specifying the trusted root key using the following command line:

ccmsetup.exe /usePKICert /NOCRLCheck CCMHOSTNAME=abc.test.com CCMALWAYSINF=1 SMSMP=https://abc.test.com SMSSITECODE=001

======

When multiple CAs are being used to issue the required certificates to the Internet MP and the client authentication certificates

CA1: Issuer of web server certificate for Internet MP.

CA2: Issuer of client certificate on IBCM clients.

After installing the client with the above-mentioned command line, you may see this error on a client machine:

ClientIDManagerStartup.log:

Failed in GetCertificate(…): 0x87d00281

Error code 87d00281 means “No certificate matching criteria specified”

In order to resolve this, navigate to Client Computer Communication under Site Properties, go to Trusted Root Certification Authorities and click Set. Then specify the self-signed (root) certificate of CA2, without its private key, and click OK.

Then, restart ccmexec on the client machine and now it should be able to register.

Prabhat Joshi | Technical Lead | Microsoft


  • That was really Awesome.. I am sure this will really help in troubleshooting IBCM issues..

  • Thanks for the information. Prabhat Joshi ... Please do share me your mail ID. I have some queries on the IBCM client installation.

  • Is there any provision under Windows Azure based Internet Based Client Management (IBCM) hosted/managed from CDNs or DCs across various geographies?

  • cntd..for lower TCO and faster ROI. Thanks

  • It is really going to help others to understand the setup of IBCM. Keep doing the good work sir. :)

  • We have successfully set up an Internet facing MP and DP. Could you pls help us with some idea about Internet facing SUP.

    Thanks In advance

  • Pretty informing blog! I recently just came across Snapforce CRM software in which they did all the configuring for their customers, which I think is very convenient and saves time. Reading off of a blog is great and all, but sometimes handling a business and everything else, I personally would want someone to do that for me.
    check them out at http://www.snapforce.com

  • Nice "plug" for your own business Jillian... Disgraceful.