SCCM and secure secondary site

This had us scratching our collective heads for a while.

We just updated our SMS 2003 Advanced Clients to SCCM 2007 Clients and "everything" just stopped working on a secondary site, and CCMEXEC.LOG on the client systems contained multiple messages like
[CCMHTTP] HTTP ERROR: URL=http://PRIMARY_SITE_SERVER/ccm_system_windowsauth/request, Port=80, Protocol=http, SSLOptions=0, Code=12029, Text=ERROR_WINHTTP_CANNOT_CONNECT CCMEXEC 10/13/2009 11:31:20 AM 2440 (0x0988)

The key point here is that a firewall controls traffic between the secondary and primary site, and we *thought* all necessary ports were already open. Being of a simple and trusting nature we thought our main concern would be the traffic between site systems, and that by defining a Proxy Management Point we need not concern ourselves with traffic from clients to the primary site. We were wrong. It turns out that every client system needs to talk on http (tcp port 80) to the primary site server - (or, more precisely to the SLP) - at least once to find its MP.

The first clue to this solution was this post: Clients in Secondary secured zone problem
In hindsight, all should have been clear if we had really really really RTFM: Ports Used by Configuration Manager

Anyway, port 80 is now open and all is well.

No comments: