SCCM management of remote GP Windows clients

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

SCCM management of remote GP Windows clients

L1 Bithead

We just deployed and started using GlobalProtect 5.1.1 to support the work-from-home COVID-19 initiative for thousands of remote workers.  Everything is working well but my SCCM guys can't manage any of the remote clients to push patches or software updates.  Our internal DNS resolves the host names to the last LAN address of the host, not the IP pool address.  The same things happens with Cisco AnyConnect clients.  I don't know anything about AD or SCCM.  Is SCCM management of remote hosts doable and if so, how are you doing it?

1 accepted solution

Accepted Solutions

L1 Bithead

Yes, this is completely possible. We are doing this today the same as you. All we had to do was create a policy allowing traffic from our "trusted" zone, to the "global protect" zone. There's lists of ports out on the web for the various SCCM functions. For example, for remote control here's the ports required per-microsoft:

1. Port 135 - TCP

2. Port 3389 - TCP

3. Port 2701 - TCP/UDP

4. Port 2702 - TCP/UDP

 

I believe patching uses 445 for SMB transfers. So depending on what you want to do there's multiple things you'll have to allow.

 

A couple of other things to keep in mind with AD/SCCM is 1. DNS will take time to update after clients connect. So your techs might have to ask the user for the IP and use this in the remote control client of SCCM. 2. AD Sites and Services, and SCCM boundary groups need to include your VPN ranges for the SCCM clients to check in properly and be managed. This also helps them control which SCCM distribution point serves the patches/apps to clients so you can know where traffic is coming from.

 

Zach Biles -
https://www.linkedin.com/in/zachary-biles-a5097532/

View solution in original post

15 REPLIES 15

L1 Bithead

Yes, this is completely possible. We are doing this today the same as you. All we had to do was create a policy allowing traffic from our "trusted" zone, to the "global protect" zone. There's lists of ports out on the web for the various SCCM functions. For example, for remote control here's the ports required per-microsoft:

1. Port 135 - TCP

2. Port 3389 - TCP

3. Port 2701 - TCP/UDP

4. Port 2702 - TCP/UDP

 

I believe patching uses 445 for SMB transfers. So depending on what you want to do there's multiple things you'll have to allow.

 

A couple of other things to keep in mind with AD/SCCM is 1. DNS will take time to update after clients connect. So your techs might have to ask the user for the IP and use this in the remote control client of SCCM. 2. AD Sites and Services, and SCCM boundary groups need to include your VPN ranges for the SCCM clients to check in properly and be managed. This also helps them control which SCCM distribution point serves the patches/apps to clients so you can know where traffic is coming from.

 

Zach Biles -
https://www.linkedin.com/in/zachary-biles-a5097532/

Thanks, Zach.  I've allowed the traffic and will have my SCCM guys test.

Zach, your fix worked!  THANKS!

Good deal, glad I could help!

 

Zach Biles -
https://www.linkedin.com/in/zachary-biles-a5097532/

Hi Nelson, apart from the Palo Rules, anything specific you had to do on SCCM? We released patches over a week ago to a test collection, and the devices which are still "on-prem" received the updates, however the devices (users working from home that are connected via Global Protect) are not receiving the updates. All rules and comms to our sccm server are configured and working. Boundary groups within SCCM are also good. Anything I a missing?

ColonelHawx, I had to go to my SCCM and DNS folks to give you a proper answer.  SCCM guys say if your boundaries are good that's all you have to do there.  My DNS people sent me this:  "Because VCUHS.mcvh-vcu.edu [which is the domain of our user PCs] is also used by servers, we don’t allow every device using that domain to register with DNS.  I had to add the Global Protect pool to the list of networks that are allowed to register [with our Infoblox DNS servers]."  SCCM could not resolve PCs names to IP addresses until this change was made.  That made it all work.

 

I hope this helps!

 

Pete

Thanks for the reply. Before I create a new Thread for help... Did you configure your GlobalProtect with pre-logon connection method or user-logon? Someone mentioned on a Palo FB forum, that pre-logon should be set for SCCM to work seamlessly.

 

Thanks...

 

PS: Are you by any chance seeing any "aged-out" traffic from your GP Client (Source) to SCCM Server (Destination)? 

 

ColonelHawx_0-1591016150266.png

Bump 

Sorry, ColonelHawx, did not see your previous post.  Connection Method is "On-demand (Manual user initiated connection)."

 

Pete

Thanks for this info... It def helps... So we have the EXACT same setting applied. But what really baffles me is that we just tested by deploying a VM within the same subnet as our GP Clients & Primary SCCM server and it worked and received ALL applications and software deployments. But the GP Clients are still not getting it. Can I ask what Version of SCCM you are on? 1910 or 2002? Also, is there anything specific you had done/applied on your Palo GP Config? Our clients are using a /22 range and below is a snapshot of a device using Global Protect.

 

ColonelHawx_0-1592475866637.png

ColonelHawx_1-1592475949055.png

 

 

SCCM version is 1910.  Your GP settings look pretty much the same although we're set up so that our users have to be in a particular AD group.  In the HIP profile we specify that the clients must be members of the domain.  I'm not seeing any material difference.

 

Pete

Thanks for the help Pete... Yeah we are also using HIP profiles with clients being member of the Domain, having AV etc etc... Will try to figure out whats going on... 

Let us know what you find to fix your issue.

Next week we are also doing Global protect always on connection method  for few users to Test it and will see how sccm works 

MP

Help the community: Like helpful comments and mark solutions.

L0 Member

Hi 

 

Why we require Group Policy
For various tasks such as communicating with Active Directory Discovery, Remote administration and WMI connectivity, we require these policies.

 

There are 3 types of settings we require:

- To Ping Client Workstations (By default this communication is blocked if Firewall is enabled)
- To connect to Clients Admin$ Share
- To connect to clients WMI ( as SCCM heavily relies on WMI repository to store all policies, deployments and other tasks)

 

Default Behavior of client ( before creating Group Policy)
a. By default, we cannot ping the client workstations in case the firewall is enabled. Even though the machine is switched on and connected on the same network, we will not receive the Ping response.

b. We are not able to connect to the admin$ share of the client (ie clients “c:\windows” directory). This is required for various tasks including SCCM client push installation was setup files over the network copies under client’s c:\windows directory.

c. Inbound remote administration is disabled by default, which means we cannot connect to clients WMI repository remotely. This is mandatory to install SCCM client and to download and save several SCCM policies, deployments & tasks. If we try connecting to clients WMI by using wettest (inbuilt tool on Windows), we will get error “0x800706ba“ 

 

Thanks in Advance 

Lavanya Sreepada 

  • 1 accepted solution
  • 14799 Views
  • 15 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!