SCCM v2010 unable to retrieve AD site membership over VPN - boundaries are created

Constantine J. Koulis 26 Reputation points
2020-12-17T15:39:29.803+00:00

Hello,

We have SCCM v2010 and I am trying to provide updates to the clients which are connected through VPN, but it doesn't seem to work.

I have the boundaries defined and specifically the IP range of the VPN which is 192.168.150.5 - 192.168.150.254.

When I look at my computer (connected through VPN) at the locationservices.log I see the below:


Updating portal certificates LocationServices 12/17/2020 9:13:55 AM 3892 (0x0F34)
There are no certificates available to install LocationServices 12/17/2020 9:13:55 AM 3892 (0x0F34)
1 assigned MP errors in the last 10 minutes, threshold is 5. LocationServices 12/17/2020 9:15:44 AM 16572 (0x40BC)
Unable to retrieve AD site membership LocationServices 12/17/2020 9:28:56 AM 5092 (0x13E4)
Unable to retrieve AD site membership LocationServices 12/17/2020 9:28:56 AM 5092 (0x13E4)
Reset assigned MP error count LocationServices 12/17/2020 9:28:56 AM 6408 (0x1908)
Received reply of type PortalCertificateReply LocationServices 12/17/2020 9:28:56 AM 9964 (0x26EC)
The reply from location manager contains 0 certificates LocationServices 12/17/2020 9:28:56 AM 9964 (0x26EC)
Updating portal certificates LocationServices 12/17/2020 9:28:56 AM 9964 (0x26EC)
There are no certificates available to install LocationServices 12/17/2020 9:28:56 AM 9964 (0x26EC)


It is worth saying that when on the corporate network it works like a charm.

Any ideas of what I need to check/do?

Thank you

Microsoft Security | Intune | Configuration Manager | Other

Accepted answer
  1. Youssef Saad 3,416 Reputation points
    2020-12-17T19:57:51.6+00:00

    Hi,

    Are you using a PKI certificate to communicate with the MP?

    Make sure that all necessary ports are allowed on your network firewall between your VPN Clients <> Domain controller / Site server / DP / SUP etc.

    Regards,


    Youssef Saad | New blog: https://youssef-saad.blogspot.com
    Please remember to “Accept answer” for useful answers, thank you!


5 additional answers

  1. Constantine J. Koulis 26 Reputation points
    2020-12-19T13:50:04.887+00:00

    @Youssef Saad hello,

    Your direction of adding the VPN IP subnet under Active Directory Sites & Services resolved the issue of being unable to retrieve AD site membership over VPN. Thank you very much.

    I now have a question, if you could answer it: by having a site over VPN I should be able to receive the updates which I deploy to the machines over VPN. It doesn't seem to work, as I don't see the updated Edge, for example... Any ideas as to which .log file I should look at, or any other recommendation?

    1 person found this answer helpful.

  2. Constantine J. Koulis 26 Reputation points
    2020-12-17T20:00:04.667+00:00

    Hello @Youssef Saad

    No, we don't use PKI certificates to communicate...

    About the ports, I tried to look for that, but it would help if I knew which ports should be allowed... Do you know?


  3. Youssef Saad 3,416 Reputation points
    2020-12-17T20:13:29.41+00:00

    Below is the port list:

    80/443 - VPN Client >> MP/DP
    3268 - VPN Clients >> Global catalog domain controller
    80/8530 - VPN Clients >> Software Update point // If you are using Secure SUP, add 443/8531.

    More details: Ports used in Configuration Manager

    Regards,


    Youssef Saad | New blog: https://youssef-saad.blogspot.com

  4. Constantine J. Koulis 26 Reputation points
    2020-12-17T20:27:40.627+00:00

    Thanks @Youssef Saad

    I checked my Palo Alto firewall and all the ports are allowed, so that is not the issue...

    Any other ideas?
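
The checks discussed in this thread can be run from the VPN-connected client itself. The script below is an added example, not code posted by anyone in the thread. It reports the AD site the computer resolves to (the thing that was failing in LocationServices.log and was fixed by adding the VPN subnet in Active Directory Sites & Services), lists the client's IPv4 addresses for comparison with the boundary range, and tests the TCP ports from the port list. The three server names are placeholders to replace with your own.

```powershell
# Added example. Server names are placeholders, not values from the thread.
$Targets = @(
    @{ Role = 'Management point / distribution point'; Server = 'mp01.example.internal';  Ports = 80, 443 }
    @{ Role = 'Global catalog domain controller';      Server = 'dc01.example.internal';  Ports = 3268 }
    # If the software update point uses SSL, add 443 and 8531 to this entry.
    @{ Role = 'Software update point';                 Server = 'sup01.example.internal'; Ports = 80, 8530 }
)

# 1. AD site lookup. If the client's subnet is not mapped to a site in
#    Active Directory Sites & Services, this call throws instead of returning a site.
try {
    $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    Write-Host "AD site for this computer: $site"
} catch {
    Write-Warning "No AD site resolved for this computer: $($_.Exception.Message)"
}

# 2. IPv4 addresses in use, to compare with the VPN boundary range
#    (192.168.150.5 - 192.168.150.254 in the question).
Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' } |
    Select-Object InterfaceAlias, IPAddress, PrefixLength |
    Format-Table -AutoSize | Out-Host

# 3. TCP reachability of each role on each port, as seen from this client.
$results = foreach ($t in $Targets) {
    foreach ($port in $t.Ports) {
        $r = Test-NetConnection -ComputerName $t.Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Role          = $t.Role
            Server        = $t.Server
            Port          = $port
            RemoteAddress = $r.RemoteAddress
            Open          = $r.TcpTestSucceeded
        }
    }
}
$results | Format-Table -AutoSize | Out-Host
```

A result of `Open = True` on every row together with a failed site lookup matches what happened in this thread: the firewall was not blocking anything, and the missing piece was the subnet-to-site mapping.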

