topic Re: SCCM management of remote GP Windows clients in General Topics

SCCM management of remote GP Windows clients

pnelson — Wed, 25 Mar 2020 12:15:41 GMT

We just deployed and started using GlobalProtect 5.1.1 to support the work-from-home COVID-19 initiative for thousands of remote workers. Everything is working well but my SCCM guys can't manage any of the remote clients to push patches or software updates. Our internal DNS resolves the host names to the last LAN address of the host, not the IP pool address. The same things happens with Cisco AnyConnect clients. I don't know anything about AD or SCCM. Is SCCM management of remote hosts doable and if so, how are you doing it?

Re: SCCM management of remote GP Windows clients

ZachBiles — Wed, 25 Mar 2020 13:49:32 GMT

Yes, this is completely possible. We are doing this today the same as you. All we had to do was create a policy allowing traffic from our "trusted" zone, to the "global protect" zone. There's lists of ports out on the web for the various SCCM functions. For example, for remote control here's the ports required per-microsoft:

1. Port 135 - TCP

2. Port 3389 - TCP

3. Port 2701 - TCP/UDP

4. Port 2702 - TCP/UDP

I believe patching uses 445 for SMB transfers. So depending on what you want to do there's multiple things you'll have to allow.

A couple of other things to keep in mind with AD/SCCM is 1. DNS will take time to update after clients connect. So your techs might have to ask the user for the IP and use this in the remote control client of SCCM. 2. AD Sites and Services, and SCCM boundary groups need to include your VPN ranges for the SCCM clients to check in properly and be managed. This also helps them control which SCCM distribution point serves the patches/apps to clients so you can know where traffic is coming from.

Re: SCCM management of remote GP Windows clients

pnelson — Wed, 25 Mar 2020 17:04:47 GMT

Thanks, Zach. I've allowed the traffic and will have my SCCM guys test.

Re: SCCM management of remote GP Windows clients

pnelson — Wed, 25 Mar 2020 17:47:39 GMT

Zach, your fix worked! THANKS!

Re: SCCM management of remote GP Windows clients

ZachBiles — Wed, 25 Mar 2020 18:04:07 GMT

Good deal, glad I could help!

Re: SCCM management of remote GP Windows clients

ColonelHawx — Fri, 29 May 2020 10:43:37 GMT

Hi Nelson, apart from the Palo Rules, anything specific you had to do on SCCM? We released patches over a week ago to a test collection, and the devices which are still "on-prem" received the updates, however the devices (users working from home that are connected via Global Protect) are not receiving the updates. All rules and comms to our sccm server are configured and working. Boundary groups within SCCM are also good. Anything I a missing?

Re: SCCM management of remote GP Windows clients

pnelson — Fri, 29 May 2020 14:10:04 GMT

ColonelHawx, I had to go to my SCCM and DNS folks to give you a proper answer. SCCM guys say if your boundaries are good that's all you have to do there. My DNS people sent me this: "Because VCUHS.mcvh-vcu.edu [which is the domain of our user PCs] is also used by servers, we don’t allow every device using that domain to register with DNS. I had to add the Global Protect pool to the list of networks that are allowed to register [with our Infoblox DNS servers]." SCCM could not resolve PCs names to IP addresses until this change was made. That made it all work.

I hope this helps!

Pete

Re: SCCM management of remote GP Windows clients

ColonelHawx — Mon, 01 Jun 2020 12:57:39 GMT

Thanks for the reply. Before I create a new Thread for help... Did you configure your GlobalProtect with pre-logon connection method or user-logon? Someone mentioned on a Palo FB forum, that pre-logon should be set for SCCM to work seamlessly.

Thanks...

PS: Are you by any chance seeing any "aged-out" traffic from your GP Client (Source) to SCCM Server (Destination)?

Re: SCCM management of remote GP Windows clients

ColonelHawx — Wed, 17 Jun 2020 20:25:59 GMT

Bump

Re: SCCM management of remote GP Windows clients

pnelson — Thu, 18 Jun 2020 10:13:56 GMT

Sorry, ColonelHawx, did not see your previous post. Connection Method is "On-demand (Manual user initiated connection)."

Pete

Re: SCCM management of remote GP Windows clients

ColonelHawx — Thu, 18 Jun 2020 10:26:00 GMT

Thanks for this info... It def helps... So we have the EXACT same setting applied. But what really baffles me is that we just tested by deploying a VM within the same subnet as our GP Clients & Primary SCCM server and it worked and received ALL applications and software deployments. But the GP Clients are still not getting it. Can I ask what Version of SCCM you are on? 1910 or 2002? Also, is there anything specific you had done/applied on your Palo GP Config? Our clients are using a /22 range and below is a snapshot of a device using Global Protect.

Re: SCCM management of remote GP Windows clients

pnelson — Thu, 18 Jun 2020 11:23:06 GMT

SCCM version is 1910. Your GP settings look pretty much the same although we're set up so that our users have to be in a particular AD group. In the HIP profile we specify that the clients must be members of the domain. I'm not seeing any material difference.

Pete

Re: SCCM management of remote GP Windows clients

ColonelHawx — Thu, 18 Jun 2020 11:44:14 GMT

Thanks for the help Pete... Yeah we are also using HIP profiles with clients being member of the Domain, having AV etc etc... Will try to figure out whats going on...

Re: SCCM management of remote GP Windows clients

MP18 — Fri, 19 Jun 2020 15:17:23 GMT

Let us know what you find to fix your issue.

Next week we are also doing Global protect always on connection method for few users to Test it and will see how sccm works

Re: SCCM management of remote GP Windows clients

lavanyasreepada — Thu, 16 Jul 2020 21:24:21 GMT

Why we require Group Policy
For various tasks such as communicating with Active Directory Discovery, Remote administration and WMI connectivity, we require these policies.

There are 3 types of settings we require:

- To Ping Client Workstations (By default this communication is blocked if Firewall is enabled)
- To connect to Clients Admin$ Share
- To connect to clients WMI ( as SCCM heavily relies on WMI repository to store all policies, deployments and other tasks)

Default Behavior of client ( before creating Group Policy)
a. By default, we cannot ping the client workstations in case the firewall is enabled. Even though the machine is switched on and connected on the same network, we will not receive the Ping response.

b. We are not able to connect to the admin$ share of the client (ie clients “c:\windows” directory). This is required for various tasks including SCCM client push installation was setup files over the network copies under client’s c:\windows directory.

c. Inbound remote administration is disabled by default, which means we cannot connect to clients WMI repository remotely. This is mandatory to install SCCM client and to download and save several SCCM policies, deployments & tasks. If we try connecting to clients WMI by using wettest (inbuilt tool on Windows), we will get error “0x800706ba“

Thanks in Advance

Lavanya Sreepada

Re: SCCM management of remote GP Windows clients

Jerzystransfer — Tue, 22 Sep 2020 21:41:17 GMT

We had the same issues reported as the others here. We were able to get past most issues with the solution presented from the OP.. additionally we had to move from subnets within the Boundary groups to IP ranges. This was a change for us from how AnyConnect was configured, but this seemed to fix our inability to see updates as well as TS's and packages.

We still however don't have a solution for our techs inability to Remote Control or RDP consistently. I know this has something to do with DNS resolution not happening properly or timely enough.. does anyone have information that might assist with this issue or tips for our server admin team on replication timing?.. Thanks in advance!!