Getting a DMZ server to talk to an internal MP so it can be managed. I am close but it seems I am missing something.

Thomas Faherty 151 Reputation points


Recently I have been asked to bring a machine in our DMZ under patch control of our SCCM system. We've given it our main CA cert, along with a client auth cert from our SCCM server. I can hit the MP list URL and SMS_MP/.sms_aut?SITESIGNCERT from a browser, but I seem to be getting some errors in my ClientLocation log (which I will attach) that lead me to think it's unable to talk. I added our site server info to the lmhosts file along with the hosts file, which allows me to ping our management point. Then I ran a client install specifying the site server FQDN and so on. The client installs and says it is on the internet, but then won't talk. The logs seem to recognize the site server, but I am missing something. I am hoping someone can catch what I have missed here.

SCCM version 2010 running on Windows Server 2016


Microsoft Configuration Manager
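As an added illustration, not part of the original post or of Microsoft's documentation, the following PowerShell run on the DMZ server checks the prerequisites the question describes: name resolution from the hosts entries, port reachability to the MP and SUP, a usable client-auth certificate that chains to the imported CA, and the MPLIST request the client itself makes. The MP FQDN, CA subject and port numbers are assumed placeholders.

```powershell
# Added example (not from the original thread). Placeholders below are assumptions.
param(
    [string]$MpFqdn    = 'mp01.corp.example.com',  # placeholder: your MP FQDN
    [string]$CaSubject = 'CN=Corp Root CA'         # placeholder: your CA subject
)

# 1. Name resolution: the hosts/lmhosts entries must resolve the MP FQDN.
try {
    $ip = [System.Net.Dns]::GetHostAddresses($MpFqdn) | Select-Object -First 1
    Write-Host "Resolved $MpFqdn to $ip"
} catch { Write-Warning "Cannot resolve $MpFqdn"; return }

# 2. Port reachability: HTTPS MP (443) and default SUP ports (8530/8531), assumed.
foreach ($port in 443, 8530, 8531) {
    $open = Test-NetConnection -ComputerName $MpFqdn -Port $port -InformationLevel Quiet
    Write-Host ("Port {0}: {1}" -f $port, $(if ($open) { 'open' } else { 'BLOCKED' }))
}

# 3. Client auth cert: private key, Client Authentication EKU (1.3.6.1.5.5.7.3.2),
#    and a chain that builds to a root present in LocalMachine\Root.
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and
                   ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) {
    Write-Warning 'No client-auth certificate with a private key in LocalMachine\My'; return
}
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($clientCert)
$root    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Client cert $($clientCert.Thumbprint) chain builds: $chainOk (root: $($root.Subject))"
$caTrusted = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $CaSubject)
Write-Host "CA '$CaSubject' present in LocalMachine\Root: $caTrusted"

# 4. The MPLIST request the client makes, presenting the client certificate.
$uri = "https://$MpFqdn/SMS_MP/.sms_aut?MPLIST"
try {
    $resp = Invoke-WebRequest -Uri $uri -Certificate $clientCert -UseBasicParsing
    $preview = $resp.Content.Substring(0, [Math]::Min(200, $resp.Content.Length))
    Write-Host "MPLIST HTTP $($resp.StatusCode): $preview"
} catch { Write-Warning "MPLIST request failed: $($_.Exception.Message)" }
```

A failure in step 3 or 4 points at the certificate side (missing EKU, untrusted chain, or the MP rejecting the cert), which is the usual cause of a client that "installs but won't talk"; a failure in step 1 or 2 is a firewall or name-resolution issue.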

Accepted answer
Amandayou-MSFT 11,056 Reputation points

Hi @Thomas Faherty ,

Could we know whether there is an MP or SUP role in the DMZ? In our environment, it is recommended to install a new site server that has MP/DP/SUP roles for your test servers to allow more flexible management.
Here is the article about the best practice of deploying update patches to DMZ servers:

If it exists already, we could try to connect to the DMZ MP to check whether it is normal and whether there is any error in these logs.

If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
