Showing results for tags 'dmz'.

Found 6 results

  1. Hi, I currently have SCCM 1710 running in our company domain. This we use for patching [amongst other things]. We now want to use it to patch servers in the DMZ. The DMZ is a different domain with no trusts between the 2. We have the SCCM server and the server in the DMZ pinging each other, but SCCM does not see this server. I have Forest Discovery running and also have a boundary for the DMZ IP range. What am I missing?
  2. Same procedure for a gateway server in DMZ
     1.1 - Generating the certificate
     RDP to your Operations Manager (it's a good idea to have all the certificates at one server)
     Start Internet Explorer and navigate to: https://yourCAserver/certsrv
     If the server in DMZ is in a domain, you need the FQDN (for example servername.domainindmz.local)
     If the server is in a workgroup, the servername is sufficient
     Export the Company Root Chain Certificate also! You need both installed on the server in workgroup/domain in DMZ in order for it to communicate with our servers.
     1.2 - Exporting the certificate to file
     Start – run – mmc.exe
     Add snap-in – Certificate – My User Account
     Find the certificate we generated and installed, right click and choose Export
     Use a password (you will need it later)
     2 - Install agent and certificate
     Log on to the server in DMZ (remember to map local drive for copying files over)
     2.1 - Install agent
     2.1.1 - Uninstall the SCOM2007 agent if present
     2.1.2 - Copy folders/files needed for install to server C:\temp
       \\tsclient\D\Backup\Setup\System Center 2012\SCOM\SW_DVD5_Sys_Ctr_Ops_Mgr_Svr_2012_English_MLF_X17-95297\
       AGENT
       SUPPORTTOOLS
       ServerName for scom2012.pfx
     2.1.3 - Install SCOM2012 agent
     Use momagent.msi (here C:\temp\AGENT\I386\MOMAGENT.MSI)
     NB! All certificates use FQDN, so your servers in DMZ need to have a reference to YourManagementServer.yourdomain.com in their HOSTS file. Using the IP here will not work, you NEED the FQDN!
     2.1.4 - Import certificate
     Start – Run – cmd
     C:\temp\SUPPORTTOOLS\I386\MOMCERTIMPORT.EXE "C:\temp\ServerName for scom2012.pfx"
     Update! Import the Root chain certificate on the server in workgroup/domain in DMZ also.
     2.1.5 - Approve the manual agent in SCOM 2012 console
     Error handling! Common mistakes are network equipment blocking ports for communication. A quick test is to use telnet on the port to see if it can connect or not. Don't forget to use the event log!
     -Tor
  3. Hello, I am looking for some design recommendations for my test environment that I would like to apply to one production environment. I am working with 2 domains (2 forests) with no trust relationships.
     Domain A: internal
     Domain B: DMZ
     From a firewall point of view, only the ports from the internal to the DMZ will be opened. From the internet to the DMZ, only HTTPS will be opened. Currently, I only manage the clients connected to the internal domain. I would like to deploy a new management point in DMZ that will allow me to manage my DMZ clients and my Internet clients. Should I use 2 management points:
     - one for the DMZ clients
     - one dedicated to my internet clients
     If I use only one MP, should I allow Intranet and Internet clients? The only documents I can find on Technet require too many ports to be opened in the firewall (from DMZ to Internal) and can't be applied to my environment. Thanks.
  4. Hello All, I am wondering if anybody has a step-by-step for implementing the IBCM for CM? I've read a lot of different articles, but none of them seemed to have all the pieces. Basic idea is to obtain the ability to manage portable devices (laptops) while those devices are off of the domain, e.g. teacher laptops that need to be managed via CM while on summer break. There is NO AD in the DMZ. I can open needed ports on the firewall for communication between Primary site server/MP and MP in DMZ. We've got CM1511 fully functional within the domain. Client checks, DNS, OSD, WSUS, etc. all work great while on the domain. I am looking to put an MP in the DMZ to manage these portable devices, but I am lacking the knowledge to fully implement this solution. Any pointers to a complete guide would be VERY much appreciated.
  5. We have a small number of servers in our DMZ; all are in their own workgroups so no knowledge of each other. They are also not all internet connected, so patches must be pushed from internal to DMZ. I noticed this post https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which states as long as I have firewall rules in place I can manually install the clients and have them talk directly back to my site server internally, no certificates required. I was also looking at https://social.technet.microsoft.com/Forums/en-US/f8b1b51e-515e-41f6-bb1e-cdeeabb11f6f/configmgr-2012-design-for-dmz?forum=configmanagergeneral and their option 3 is to build a DP/MP/SUP box still internal and have that configured with SSL to then talk to the DMZ boxes. If I were to build this design and enable SSL, what effect will this have on my currently working internal environment? Will every machine now have to use the new certificates to talk to SCCM? Or will it only be for boxes talking to the new Distribution Point, which I can hopefully administer with boundary points?
  6. Having a problem with the WSUS part of SCCM 2012 not working on agents in our DMZ. Internal agents working fine. DMZ agents have PKI certificates from internal PKI, and are appearing in the console as active inventory. Because many parts of the SCCM roles must be configured for HTTP or HTTPS and not both at the same time:
     1 - these agents are on a boundary that assigns them to an MP that is configured for SSL. Agent control panel shows correct MP.
     2 - these agents are also in a collection with different client settings to assign them an 8531 appcat.
     SDCSCMP23 is the HTTP WSUS/Appcat/MP for internal agents
     SDCSCMP25 is the SSL WSUS/Appcat/MP with PKI certs for DMZ agents
     The problem is that SCCM is configuring DMZ agents to use the HTTP parts of the infrastructure for WSUS, and not the HTTPS parts. Per MS Doc, Client Settings are supposed to auto assign an HTTPS appcat before an HTTP one, but this was not happening, so I made my own client settings to assign the HTTPS appcat. Simply modifying the firewall config to permit 443, 8531 to this other server is NOT an option, because those servers are listening on 80, 8530 (for internal HTTP agents) not 443, 8531. We have a requirement to use only 443, 8531 for the DMZ agents. Have verified that 443, 8531 are open through the firewall to SDCSCMP25 from the agents. This is SCCM 2012 SP1. We are NOT assigning WSUS servers through GPO. How do I get SCCM to assign the correct WSUS servers to these agents? Thanks.

     WUAHandler.log
       Enabling WUA Managed server policy to use server: HTTP://SDCSCMP23.ACME.COM:8530
       m_spSearchJobUpdateSearcher->EndSearch(m_spSearchJob, &spSearchResult), HRESULT=80072ee2 (e:\nts_sccm_release\sms\client\updatesmgmt\wuahandler\cwuahandler.cpp,3064) WUAHandler 4/11/2013 6:09:59 PM 1480 (0x05C8)
       OnSearchComplete - Failed to end search job. Error = 0x80072ee2. WUAHandler 4/11/2013 6:09:59 PM 1480 (0x05C8)
       Scan failed with error = 0x80072ee2. WUAHandler 4/11/2013 6:09:59 PM 1480 (0x05C8)

     WindowsUpdate.log
       2013-04-11 18:09:05:376 828 15fc Agent *********** Agent: Refreshing global settings cache ***********
       2013-04-11 18:09:05:376 828 15fc Agent * WSUS server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
       2013-04-11 18:09:05:376 828 15fc Agent * WSUS status server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
       2013-04-11 18:09:35:641 828 1668 PT +++++++++++ PT: Synchronizing server updates +++++++++++
       2013-04-11 18:09:35:641 828 1668 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://SDCSCMP23.ACME.COM:8530/ClientWebService/client.asmx
       2013-04-11 18:09:59:235 828 1668 Misc WARNING: Send failed with hr = 80072ee2.
       2013-04-11 18:09:59:235 828 1668 Misc WARNING: SendRequest failed with hr = 80072ee2. Proxy List used: <(null)> Bypass List used : <(null)> Auth Schemes used : <>
       2013-04-11 18:09:59:235 828 1668 PT + Last proxy send request failed with hr = 0x80072EE2, HTTP status code = 0
       2013-04-11 18:09:59:235 828 1668 PT + Caller provided credentials = No
       2013-04-11 18:09:59:235 828 1668 PT + Impersonate flags = 0
       2013-04-11 18:09:59:235 828 1668 PT + Possible authorization schemes used =
       2013-04-11 18:09:59:235 828 1668 PT WARNING: GetConfig failure, error = 0x80072EE2, soap client error = 5, soap error code = 0, HTTP status code = 200
       2013-04-11 18:09:59:235 828 1668 PT WARNING: PTError: 0x80072ee2
       2013-04-11 18:09:59:235 828 1668 PT WARNING: GetConfig_WithRecovery failed: 0x80072ee2
       2013-04-11 18:09:59:235 828 1668 PT WARNING: RefreshConfig failed: 0x80072ee2
       2013-04-11 18:09:59:235 828 1668 PT WARNING: RefreshPTState failed: 0x80072ee2
       2013-04-11 18:09:59:235 828 1668 PT WARNING: Sync of Updates: 0x80072ee2
       2013-04-11 18:09:59:235 828 1668 PT WARNING: SyncServerUpdatesInternal failed: 0x80072ee2
       2013-04-11 18:09:59:235 828 1668 Agent * WARNING: Failed to synchronize, error = 0x80072EE2
       2013-04-11 18:09:59:235 828 1668 Agent * WARNING: Exit code = 0x80072EE2
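A small triage helper for the failure in post 6, added here as an example and not code from the post or from SCCM: it reads the WindowsUpdate.log lines quoted above (embedded inline), extracts the WSUS server the agent was actually pointed at, checks it against the poster's HTTPS/8531 requirement, and decodes the error code. The `required_scheme`/`required_port` parameters and the `KNOWN_ERRORS` table are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Sample input: the relevant WindowsUpdate.log lines as pasted in the post above.
SAMPLE_LOG = """\
2013-04-11 18:09:05:376 828 15fc Agent * WSUS server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
2013-04-11 18:09:05:376 828 15fc Agent * WSUS status server: HTTP://SDCSCMP23.ACME.COM:8530 (Changed)
2013-04-11 18:09:35:641 828 1668 PT + ServiceId = {3DA21691-E39D-4DA6-8A4B-B43877BCB1B7}, Server URL = HTTP://SDCSCMP23.ACME.COM:8530/ClientWebService/client.asmx
2013-04-11 18:09:59:235 828 1668 Misc WARNING: Send failed with hr = 80072ee2.
2013-04-11 18:09:59:235 828 1668 Agent * WARNING: Failed to synchronize, error = 0x80072EE2
"""

# Assumed lookup table: 0x80072EE2 is WinINet ERROR_INTERNET_TIMEOUT (12002),
# i.e. the agent got no answer from the URL it was told to use.
KNOWN_ERRORS = {0x80072EE2: "ERROR_INTERNET_TIMEOUT: no response from the assigned WSUS URL"}

WSUS_RE = re.compile(r"\* WSUS server: (\S+)")
HR_RE = re.compile(r"(?:hr|error)\s*=\s*(?:0x)?([0-9A-Fa-f]{8})", re.IGNORECASE)


def triage(log_text, required_scheme="https", required_port=8531):
    """Return the WSUS server the WUA was pointed at, whether it matches the
    required scheme/port, the distinct error codes seen, and human-readable findings."""
    server = None
    errors = set()
    for line in log_text.splitlines():
        m = WSUS_RE.search(line)
        if m and server is None:
            server = m.group(1)          # first assignment wins; later lines repeat it
        for hexcode in HR_RE.findall(line):
            errors.add(int(hexcode, 16))  # normalise 80072ee2 / 0x80072EE2 to one value
    result = {"wsus_server": server, "policy_match": None,
              "errors": sorted(errors), "findings": []}
    if server:
        u = urlsplit(server.lower())
        port = u.port or (443 if u.scheme == "https" else 80)
        result["policy_match"] = (u.scheme == required_scheme and port == required_port)
        if not result["policy_match"]:
            result["findings"].append(
                f"WUA policy points at {u.scheme.upper()} port {port}; "
                f"requirement is {required_scheme.upper()} port {required_port}")
    for code in result["errors"]:
        result["findings"].append(KNOWN_ERRORS.get(code, f"unrecognized code 0x{code:08X}"))
    return result
```

Run against the pasted lines, the policy check fails because the agent was handed the HTTP/8530 server, which the DMZ firewall does not pass, and the timeout is the expected consequence.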
