However, if you are using an A record for assigning the domain name to your cloud service (which is the IP address), you might want to reserve the IP address for the cloud service. You can refer to the link below for information on reserved IPs: You can verify your Public IP from the dashboard in the Azure portal. I have checked your deployment and see that the virtual machine went down during service interruption, but there is no evidence of the Public IP being changed. The VIP will only change when you Stop and deallocate the virtual machine; in this case the IP address is sent back to the pool to be assigned to new deployments.

Everything else is working, like application deployment, baseline configurations and so on.

In the entire lifetime of the cloud service the Public IP (VIP) assigned to the cloud service will not change, even in the event of updates or service interruptions.

I installed a new fresh client and it also has the issue. Is there a way that I can check if the CMG is listed somewhere? I looked at but only the local MP is listed. The issue still is that clients don't seem to get the policy that there is a CMG and that it can be used. Now when I run the analyzer with a certificate everything is green! I recreated all certificates again, did a good cleanup of old certificates and everything.

This may be harmless, but it's certainly not required so could be throwing things off. I don't know of any web servers that use the DNS attribute. The subject name for the MP's cert needs to be the MP's FQDN and nothing more, e.g., CN = .

Also, in general, none of the certs in a CMG scenario should have more than a single subject name specified using the CN attribute and specifying the FQDN of the system it is for. This is definitely incorrect and may or may not be the source of the issue.
I tried running the connection analyzer again with both user and certificate and got the following

The CRL is not public so these checks have been removed both from the CMG and MP, but also set in the registry on the MP.

Local MP certificate has "" as CN and the DNS names are to the local MP-server (When I did this, the connection-point started to work)

All clients have a computer certificate with their DNS-name

All clients and servers have the RootCA + SubCA certificates

When I tried to access the site by clicking on browse in the IIS-console, I get the following

CMG Certificate has "" as both CN and DNS-name

I tried to browse to the site on the instance and got the same error, 403 - Access denied. I looked at the certificates on the instance and all three certificates are in place: RootCA, SubCA and the cloudapp-cert. I enabled Remote Desktop on the instance and checked the IIS logs, no errors that I can find or anything at all. Looking at the certificate, everything seems to be in place, all certificates are trusted. If I try to browse to "" I am greeted with the 403 - Access denied error. It seems to be an issue with the certificates, but I can figure out where the problem lies. I did some more testing yesterday, tracing back all steps, recreating certificates and everything.

Jason

feels like it is time to make the call.

If not, it's definitely support case time as there's something unobvious going on, a bad assumption being made, or possibly a code defect - all of which are nearly impossible to uncover in a forum. You can also try un-enabling the MP for use by the CMG, waiting 15 minutes or so, re-enabling it, waiting 15 minutes, and then refreshing the policy on a test client connected to the intranet to see if it changes. It's clearly not getting the policy, but assuming you've configured everything correctly per the docs, which you've confirmed, it's time to open a support case.
To troubleshoot CMG client traffic, use CMGHttpHandler.log, CMGService.log, and SMS_Cloud_ProxyConnector.log.

To Currently Internet, and uses the location of the CMG service to communicate with the site. If the client can contact a domain controller or an on-premises management point, it sets its connection type to Currently intranet. The Configuration Manager client automatically determines whether it's on the intranet or the internet.

Control this behavior with the client setting, Enable clients to use a cloud management gateway.

To force the request, restart the SMS Agent Host service (ccmexec.exe).

By default all clients receive CMG policy. If you don't want to wait for the normally scheduled location request, you can force the request. The polling cycle for location requests is every 24 hours. Clients must be on the intranet to receive the location of the CMG service, unless you install and assign Windows 10 clients

Once the CMG and site system roles are running, clients get the location of the CMG service automatically on the next location request.