Primary site server port 80 for secondary site client

Wally Hua 21 Reputation points
2020-08-31T16:42:01.337+00:00

Hi There:

I have a question regarding the SCCM primary site server port 80.

Our SCCM environment is:

  1. Has an SCCM 1902 primary site server, PRIMGMT01, with site code PRI.
  2. Has an SCCM 1902 secondary site server, SECMGMT01, with site code SEC.
  3. In the SCCM console---Administration---Hierarchy Configuration---Boundary Group, we have two boundary groups, one for the PRI site and one for the SEC site.
  4. In the properties of the PRI Boundary Group, References---Site assignment is set to PRI, and References---Site system servers is set to PRIMGMT01. All PRI clients are in the PRI Boundary Group.
  5. In the properties of the SEC Boundary Group, References---Site assignment is set to SEC, and References---Site system servers is set to SECMGMT01. All SEC clients are in the PRI Boundary Group.
  6. The SCCM agent on clients in the PRI site is working fine.
  7. The SEC site is a new site that was just added recently.
  8. The network has different VLANs and there are firewalls in between.

We found a problem with the SCCM agent on SEC clients. When we install the SCCM agent on a computer in the SEC site, all client computers try to access PRIMGMT01 on port 80 to get information.

  1. In Configuration Manager on the client machine, we only see two cycles in Actions.
  2. In c:\windows\CCM\Logs\CCMmessaging.log, we see
    Post to http://PRIMGMT01.prod.local/ccm_system_windowsauth/request failed with 0x87d00231
  3. We cannot telnet to port 80 of PRIMGMT01.prod.local.
    But if we open port 80 of PRIMGMT01 on the firewall, the message goes away, 11 cycles show up in Actions, and the SCCM agent starts working fine.
    In the Microsoft SCCM port document, they did not mention that we have to open port 80 on the primary site server for the secondary site clients to access.

My question is: do we have to open the primary site server port 80 for the secondary site clients? As our production network is a highly secure environment and every port opening requires filling out a complicated report, we want to confirm that opening port 80 on the primary site server is necessary.

Thanks in advance.

Community Center | Not monitored
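The three checks described in the question (which site and management point the client is using, whether TCP 80 on the primary site server is reachable, and whether CCMMessaging.log shows the 0x87d00231 failure) can be run together from an elevated PowerShell session on a client in the SEC boundary group. This is an added example, not code from the question or the answers; the host names come from the question, and the log path assumes the default client log folder.

```powershell
# Added example (not from the original post). Run on a client in the SEC
# boundary group to confirm which MP it uses and whether the primary MP is
# reachable on TCP 80, then pull matching failure lines from CCMMessaging.log.
$PrimaryMP   = 'PRIMGMT01.prod.local'   # primary site (PRI) management point, from the question
$SecondaryMP = 'SECMGMT01.prod.local'   # secondary site (SEC) proxy management point, from the question
$LogPath     = 'C:\Windows\CCM\Logs\CCMMessaging.log'   # assumed default client log location

# 1. Site assignment and current MP as the client itself sees them.
$authority = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority'
"Assigned site: {0}   Current MP: {1}" -f $authority.Name, $authority.CurrentManagementPoint

# 2. TCP/80 reachability to both MPs. Per the accepted answer, the primary
#    site MP must be reachable for client registration to succeed.
foreach ($mp in @($PrimaryMP, $SecondaryMP)) {
    $result = Test-NetConnection -ComputerName $mp -Port 80 -WarningAction SilentlyContinue
    "{0,-25} TCP/80 reachable: {1}" -f $mp, $result.TcpTestSucceeded
}

# 3. Most recent log lines carrying the error code quoted in the question,
#    so a firewall block can be matched to a timestamped client event.
if (Test-Path -Path $LogPath) {
    Select-String -Path $LogPath -Pattern '0x87d00231' |
        Select-Object -Last 5 |
        ForEach-Object { $_.Line }
} else {
    "Log not found: $LogPath"
}
```

If step 2 reports the primary MP as unreachable while step 3 shows fresh 0x87d00231 entries, the symptom matches the one in the question; after the firewall rule is added, step 2 should report True for the primary MP and new entries should stop appearing.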

Accepted answer
  1. AllenLiu-MSFT 49,316 Reputation points Microsoft External Staff
    2020-09-01T02:38:31.207+00:00

    Thank you for posting in Microsoft Q&A forum.
    Even though a secondary site extends the primary site, the primary site manages all of the clients.
    Like Jason said, the clients must be able to communicate with the primary site server's management point, as the clients will contact that for registration; after that the clients will contact the proxy management point on the secondary site. So you would have to open port 80 from the clients to the management point.


    If the response is helpful, please click "Accept Answer" and upvote it.


3 additional answers

Sort by: Most helpful
  1. Jason Sandys 31,406 Reputation points Microsoft Employee Moderator
    2020-08-31T17:09:28.047+00:00

    My question is do we have to open the primary site server port 80 for the secondary site client?

    Yes. Secondary sites are not gateways or autonomous. Clients must be able to reach an MP that is part of the primary site that they are assigned to.

    If you are attempting to manage systems in a segregated/screened network, secondary sites are not the solution for this (secondary sites are for remote locations where bandwidth is a concern). For segregated/screened subnets, you need to add a site system that hosts the MP, SUP, and DP roles and use affinity to ensure the clients choose the roles on these site systems for use.


  2. Wally Hua 21 Reputation points
    2020-08-31T17:20:28.75+00:00

    Hi Jason:

    Thanks for your answer.

    Our secondary site server SECMGMT01.PROD.Local has the MP, SUP and DP roles. The secondary site is a remote location which is 500 KM away from the primary site. We have a slow connection in between.

    But secondary site clients still try to access the primary site server on port 80. I want to know why this happens.

    When manually installing the SCCM agent on a secondary site client, I used these commands:

    ccmsetup.exe /mp:SECMGMT01.prod.local SMSSITECODE=SEC
    ccmsetup.exe /mp:SECMGMT01.prod.local SMSSITECODE=PRI

    Both commands access PRIMGMT01 port 80 to get information.

    I removed and reinstalled the secondary site several times, and removed and reinstalled the MP and SUP/DP several times.

    Regards,


  3. Jason Sandys 31,406 Reputation points Microsoft Employee Moderator
    2020-08-31T19:22:52.25+00:00

    I want to know why this happened.

    Because that's how it is designed to work exactly as I called out. As noted, clients require connectivity to an MP that is part of the primary site that they are assigned to.

    500 KM away

    Physical distance is completely irrelevant as that is in no way related to connectivity or available bandwidth.

    ccmsetup.exe /mp:SECMGMT01.prod.local SMSSITECODE=SEC

    You can't assign clients to a secondary site so this isn't valid.

    Aside from opening the necessary ports, the only solution is "to add a site system that hosts the MP, SUP, and DP roles and use affinity to ensure the clients choose the roles on these site systems for use."
