Getting SCCM to talk to Workgroup DMZ servers

[dverbern]

Hi All,

 

I am trying to get SCCM client to install and talk to servers that are Workgroup (non-domain joined) and sitting in a DMZ, i.e. outside our regular domain.

We have a MP installed in the DMZ that is intended to communicate with devices in the DMZ, domain-joined or not.

The DMZ domain-joined machines SCCM clients work fine, its the DMZ workgroup machines that don't.

 

I am installing SCCM client with syntax like: ccmsetup.exe /mp:{MPserver for DMZ FQDN} SMSSITECODE={our site code} FSP={MP for our regular domain}

 

* I have added the IP and hostname of our MP DMZ server into our Hosts file, so the workgroup machine can resolve the hostname of the MP.

* Our networks team has confirmed that there are no ports or firewalling blocking communication between the DMZ workgroup machines and our SCCM infrastructure.

* We have used our Active Directory Certification Services to install a Personal certificate to allow communicate between the host machine and our SCOM infrastructure. SCOM talks to these machines without issue, but SCCM is not.

 

The repeating errors in LocationServices.log of our DMZ Workgroup machines are as follows:

 

Any tips on troubleshooting?

[dverbern]

I'll also add that we have a Boundary and Boundary Group defined for the IP range these DMZ Workgroup servers sit in, so that is another bit that should be fine.

[Peter van der Woude]

An FSP doesn't exist anymore, so that can be removed from your command. Also, I think you should supply the SMSMP parameter to supply the management point for the initial contact.

[dverbern]

Sorry for delay in responding, but thanks Peter for your contribution. I'll remove the SCCM client from my workgroup machine and reinstall with the modified command line you suggest and see how I go.

 

If you know of any specific logs that will shed light on why a connection may not be established, that would also be handy.

[dverbern]

I might also add, I have a certificate in "Personal" folder of the workgroup machine, issued by our Root Certification server for Server communication - can anyone advise whether such a certificate is required for SCCM to talk to servers outside the domain? We originally installed that certificate for SCOM to manage DMZ servers, but I wasn't sure whether SCCM also needed it.

[anyweb]

take a look at my guide on workgroup computers here, it might give you some ideas.

[dverbern]

Thanks very much, Niall! Checking out your guide now.

[dverbern]

Niall, you have saved me! Your documentation spelled out exactly what I was missing - entries in my LMHOSTS file! Once I made the entries, I just had to find an installation command line that worked for our environment.

In my case, I had already copied the CCMsetup installation source files over to the workgroup machine and used the following syntax:

 

ccmsetup.exe /mp:{Our MP Server in the DMZ FQDN} SMSSITECODE={Our SMS Site Code} FSP={Our Primary Site Server}

 

After installation, I went into Devices in SCCM Admin Console and voila! Found the Workgroup server in Unapproved state, right-clicked, chose Approve, YES!

Thank you so very, very much!

[Roysom]

Does anyone know why do I get the following line is ccmsetup.log even though I have used the argument /MP: and also tried with SMSMP=.

Message in log: "No MPs were specified from commandline or the mobileclient.tcf."

The client tried to query MP from AD which obviously does not work as the server is in DMZ. Eventually the client installs with exit code 0 but does not report to MP. 

[Martin Bengtsson]

If you are installing from local source files, then you shouldn't specify /mp -- /mp does _not_ set the MP for the client agent to use. To set the MP for the client to use, you need to specify the SMSMP property.

How do you install the client?