SCCM CB issues with client on Citrix VPN Gateway

Untitled-1234 26 Reputation points
2020-10-23T09:56:52.68+00:00

Hi all,
I am having an issue with SCCM clients on the Citrix VPN Gateway. They are not receiving policies or new applications\updates. This is only on the Citrix Gateway. I can connect a client and ping\telnet to all MPs and DPs. However, they will not pull down any new policy changes.

Subnets are in the correct boundary group.

I have contacted the networks team and they have confirmed that all the same firewall rules are in place on the VPN subnets that are on the existing on-premises subnets.

I am getting the below errors in the CcmMessaging.log:


<![LOG[Post to http://Xxxxxxx/ccm_system_windowsauth/request failed with 0x87d00231.]LOG]!><time="10:14:42.638-60" date="10-23-2020" component="CcmMessaging" context="" type="2" thread="58996" file="messagequeueproc_outgoing.cpp:452">
<![LOG[Client is not on internet]LOG]!><time="10:14:43.607-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="requestresponse.cpp:228">
<![LOG[Client is not set to use any webproxy.]LOG]!><time="10:14:43.609-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="requestresponse.cpp:246">
<![LOG[ccmhttp: Host=Xxxxxxx, Path=/ccm_system/request, Port=80, Protocol=http, CcmTokenAuth=0, Flags=0x4201, Options=0x4c0]LOG]!><time="10:14:43.609-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="utils.cpp:160">
<![LOG[Created connection on port 80]LOG]!><time="10:14:43.611-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="requestresponse.cpp:401">
<![LOG[Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78]LOG]!><time="10:14:43.790-60" date="10-23-2020" component="CcmMessaging" context="" type="2" thread="58996" file="requestresponse.cpp:774">
<![LOG[[CCMHTTP] ERROR: URL=http://Xxxxxxx/ccm_system/request, Port=80, Options=1216, Code=12152, Text=ERROR_WINHTTP_INVALID_SERVER_RESPONSE]LOG]!><time="10:14:43.790-60" date="10-23-2020" component="CcmMessaging" context="" type="1" thread="58996" file="ccmhttperror.cpp:306">
<![LOG[[CCMHTTP] ERROR INFO: StatusCode=<unknown> StatusText=]LOG]!><time="10:14:43.790-60" date="10-23-2020" component="CcmMessaging" context="" type="1" thread="58996" file="ccmhttperror.cpp:317">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{
ClientID = "GUID:95c232d8-bf09-4a65-8816-125d568a037e";
DateTime = "20201023091443.792000+000";
HostName = "Xxxxxxx";
HRESULT = "0x80072f78";
ProcessID = 92776;
StatusCode = 0;
ThreadID = 58996;
};
]LOG]!><time="10:14:43.792-60" date="10-23-2020" component="CcmMessaging" context="" type="1" thread="58996" file="Event.cpp:840">
<![LOG[Successfully submitted event to the Status Agent.]LOG]!><time="10:14:43.794-60" date="10-23-2020" component="CcmMessaging" context="" type="0" thread="58996" file="Event.cpp:862">
<![LOG[Successfully queued event on HTTP/HTTPS failure for server 'Xxxxxxx'.]LOG]!><time="10:14:43.794-60" date="10-23-2020" component="CcmMessaging" context="" type="1" thread="58996" file="ccmhttperror.cpp:374">
<![LOG[Post to http://Xxxxxxx/ccm_system/request failed with 0x87d00231.]LOG]!><time="10:14:43.796-60" date="10-23-2020" component="CcmMessaging" context="" type="2" thread="58996" file="messagequeueproc_outgoing.cpp:452">


I have spoken with the Citrix team and they have informed me that the VPN traffic is all tunneled through the VPN as intranet traffic.

Any ideas? Is it something to do with how SCCM is interpreting the traffic? Internet or Intranet.

I’m not sure what the issue is.

Regards
Kevin
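
An added triage sketch (not part of the original post, and not Microsoft's code): it parses CMTrace-style records like those in the question, including the multi-line event, and shows that `0x2f78` and the HRESULT `0x80072f78` are the same WinHTTP error 12152, while `0x87d00231` belongs to a different facility. The sample records are constructed from the log above and `mp.example` is a placeholder host.

```python
import re

# CMTrace-style record: <![LOG[message]LOG]!><time="..." date="..." ...>
RECORD = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>', re.DOTALL)
ATTR = re.compile(r'(\w+)="([^"]*)"')
HEX = re.compile(r'0x[0-9a-fA-F]+')

FACILITY_WIN32 = 7
# Only the code named in the question's log; extend from winhttp.h as needed.
WINHTTP_NAMES = {12152: "ERROR_WINHTTP_INVALID_SERVER_RESPONSE"}

# Constructed sample modelled on the question's CcmMessaging.log.
SAMPLE = '''<![LOG[Created connection on port 80]LOG]!><time="10:14:43.611-60" component="CcmMessaging" type="0">
<![LOG[Failed in WinHttpReceiveResponse API, ErrorCode = 0x2f78]LOG]!><time="10:14:43.790-60" component="CcmMessaging" type="2">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
{
HRESULT = "0x80072f78";
};
]LOG]!><time="10:14:43.792-60" component="CcmMessaging" type="1">
<![LOG[Post to http://mp.example/ccm_system/request failed with 0x87d00231.]LOG]!><time="10:14:43.796-60" component="CcmMessaging" type="2">
'''

def parse_records(text):
    """Return (attrs, message) pairs; messages may span several lines."""
    return [(dict(ATTR.findall(m.group("attrs"))), m.group("msg"))
            for m in RECORD.finditer(text)]

def decode(value):
    """Split an HRESULT into facility and code; small values are raw Win32 codes."""
    if value > 0xFFFF:
        return {"facility": (value >> 16) & 0x7FF, "code": value & 0xFFFF}
    return {"facility": FACILITY_WIN32, "code": value}

def http_failures(text):
    """List (time, token, name) for every hex value that maps to a known WinHTTP error."""
    findings = []
    for attrs, msg in parse_records(text):
        for token in HEX.findall(msg):
            d = decode(int(token, 16))
            if d["facility"] == FACILITY_WIN32 and d["code"] in WINHTTP_NAMES:
                findings.append((attrs.get("time"), token, WINHTTP_NAMES[d["code"]]))
    return findings

if __name__ == "__main__":
    for finding in http_failures(SAMPLE):
        print(finding)
```
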


Accepted answer
  1. IsTra-9015 101 Reputation points
    2020-11-12T13:40:47.807+00:00

    Roma, can you confirm that what you said works with new version ADC VPN and SCCM?

    If so then it's most likely due to one of these restrictions in the strict profile as those were enhancements due to some new vulnerabilities, which means SCCM is non-compliant with new industry standard vulnerability rules and an issue should be filed with MS.

    "Mark HTTP Header with Extra White Space as Invalid"
    "Mark RFC7230 Non-Compliant Transaction as Invalid"

    Can someone please confirm?

    1 person found this answer helpful.

12 additional answers

  1. ROMA 1 Reputation point
    2020-11-12T13:29:26.98+00:00

    Hi,
    in Citrix Gateway VPN, unbind the HTTP restrict profile and bind the default HTTP profile, because after the update NetScaler automatically binds the HTTP strict profile.

  2. Ariff 16 Reputation points
    2020-11-12T14:15:28.623+00:00

    Thanks Roma, I can confirm enabling HTTP default profile resolves issue on version 13.

  3. IsTra-9015 101 Reputation points
    2020-11-12T14:53:48.933+00:00

    Roma, this confirms this is a MS issue of SCCM not conforming to new standards of security compliance requirements. Certainly no one can reasonably say enforcing higher security requirements constitutes a bug.

  4. ROMA 1 Reputation point
    2020-11-12T21:26:54.647+00:00

    TravIs-9015, you are right, MS issue. I unbound the HTTP restrict profile for NetScaler Gateway Version 13.0.47 and bound the default HTTP profile; it's working and can trigger the application without error.

