SCCM management of remote GP Windows clients


We just deployed and started using GlobalProtect 5.1.1 to support the work-from-home COVID-19 initiative for thousands of remote workers. Everything is working well, but my SCCM guys can't manage any of the remote clients to push patches or software updates. Our internal DNS resolves the host names to the last LAN address of the host, not the IP pool address. The same thing happens with Cisco AnyConnect clients. I don't know anything about AD or SCCM. Is SCCM management of remote hosts doable, and if so, how are you doing it?


Accepted Solutions

Re: SCCM management of remote GP Windows clients

Yes, this is completely possible. We are doing this today the same as you. All we had to do was create a policy allowing traffic from our "trusted" zone to the "global protect" zone. There are lists of ports out on the web for the various SCCM functions. For example, for remote control here are the ports required per Microsoft:

1. Port 135 - TCP

2. Port 3389 - TCP

3. Port 2701 - TCP/UDP

4. Port 2702 - TCP/UDP

 

I believe patching uses 445 for SMB transfers. So depending on what you want to do there's multiple things you'll have to allow.

 

A couple of other things to keep in mind with AD/SCCM is 1. DNS will take time to update after clients connect. So your techs might have to ask the user for the IP and use this in the remote control client of SCCM. 2. AD Sites and Services, and SCCM boundary groups need to include your VPN ranges for the SCCM clients to check in properly and be managed. This also helps them control which SCCM distribution point serves the patches/apps to clients so you can know where traffic is coming from.

 

Zach Biles -
https://www.linkedin.com/in/zachary-biles-a5097532/

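As an added example (not part of Zach's post, and not Palo Alto or Microsoft code), this PowerShell script is what I would run from the SCCM console or site server in the "trusted" zone to check both halves of the advice above: that internal DNS hands back an address inside the GlobalProtect pool rather than the client's last LAN address, and that the zone-to-zone policy actually passes the SCCM remote-control ports (135, 2701, 2702, 3389 TCP) plus 445 for SMB content transfer. The client name WKS-HOME01 and the pool 10.200.0.0/16 are placeholders; substitute your own.

```powershell
# Added example, not from the original thread. Run on an SCCM console/site server (trusted zone).
# Checks: (1) does DNS resolve the client to an address inside the GlobalProtect pool?
#         (2) are the SCCM remote-control/patching TCP ports reachable through the firewall?
# Placeholders: WKS-HOME01 (client name) and 10.200.0.0/16 (GP IP pool) are assumptions.
param(
    [string]$ClientName = 'WKS-HOME01',
    [string]$GlobalProtectPool = '10.200.0.0/16'
)

function Test-IPv4InCidr {
    # Returns $true when $Address falls inside the $Cidr network (IPv4 only).
    param([string]$Address, [string]$Cidr)
    $network, $prefix = $Cidr.Split('/')
    $toUInt32 = {
        param([string]$Ip)
        $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
        [Array]::Reverse($bytes)                       # network byte order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($bytes, 0)
    }
    $prefixLen = [int]$prefix
    if ($prefixLen -eq 0) { return $true }             # /0 matches everything
    $mask = [uint32]::MaxValue - ([uint32][math]::Pow(2, 32 - $prefixLen) - 1)
    ((& $toUInt32 $Address) -band $mask) -eq ((& $toUInt32 $network) -band $mask)
}

function Resolve-ClientAddress {
    # Resolves the client's A record and flags whether it is in the GP pool (stale LAN record otherwise).
    param([string]$Name, [string]$Pool)
    $record = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop |
              Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
    [pscustomobject]@{
        Name                = $Name
        IPAddress           = $record.IPAddress
        InGlobalProtectPool = Test-IPv4InCidr -Address $record.IPAddress -Cidr $Pool
    }
}

function Test-SccmPorts {
    # TCP reachability for the ports Zach listed. Test-NetConnection cannot probe UDP, so UDP 2701/2702
    # are not covered here; verify those against the firewall traffic log instead.
    param([string]$Target, [int[]]$Ports)
    foreach ($port in $Ports) {
        $result = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $port; TcpOpen = $result.TcpTestSucceeded }
    }
}

$dns = Resolve-ClientAddress -Name $ClientName -Pool $GlobalProtectPool
$dns | Format-List
if (-not $dns.InGlobalProtectPool) {
    Write-Warning ("{0} resolves to {1}, which is outside {2}. This is probably the stale LAN record " +
                   "described in the thread; ask the user for the GP-assigned address or wait for DNS to update.") `
                   -f $ClientName, $dns.IPAddress, $GlobalProtectPool
}

# 135/2701/2702/3389 for remote control, 445 for SMB content transfer during patching.
$sccmPorts = 135, 445, 2701, 2702, 3389
Test-SccmPorts -Target $dns.IPAddress -Ports $sccmPorts | Format-Table -AutoSize
```

A port that shows TcpOpen = False while the client is connected points at the trusted-to-GlobalProtect policy (or the client's host firewall), whereas a resolved address outside the pool points at DNS, which is the separate problem the rest of the thread works through.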


All Replies


Re: SCCM management of remote GP Windows clients

Thanks, Zach. I've allowed the traffic and will have my SCCM guys test.


Re: SCCM management of remote GP Windows clients

Zach, your fix worked! THANKS!


Re: SCCM management of remote GP Windows clients

Good deal, glad I could help!

 

Zach Biles -
https://www.linkedin.com/in/zachary-biles-a5097532/

Re: SCCM management of remote GP Windows clients

Hi Nelson, apart from the Palo rules, was there anything specific you had to do on SCCM? We released patches over a week ago to a test collection, and the devices which are still "on-prem" received the updates; however, the devices (users working from home that are connected via GlobalProtect) are not receiving the updates. All rules and comms to our SCCM server are configured and working. Boundary groups within SCCM are also good. Anything I am missing?


Re: SCCM management of remote GP Windows clients

ColonelHawx, I had to go to my SCCM and DNS folks to give you a proper answer. The SCCM guys say if your boundaries are good, that's all you have to do there. My DNS people sent me this: "Because VCUHS.mcvh-vcu.edu [which is the domain of our user PCs] is also used by servers, we don't allow every device using that domain to register with DNS. I had to add the Global Protect pool to the list of networks that are allowed to register [with our Infoblox DNS servers]." SCCM could not resolve PC names to IP addresses until this change was made. That made it all work.

 

I hope this helps!

 

Pete
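Pete's fix was on the DNS server side (letting the GlobalProtect pool register). As an added example that is not part of his post or any vendor's code, this is the client-side check I would run on a GlobalProtect-connected Windows PC to confirm the change took effect: it reads the address on the GP virtual adapter, compares it with what internal DNS returns for the machine's own FQDN, forces a re-registration if they differ, and then looks for the DNS Client's registration-failure event. It assumes the GP adapter's interface description contains "PANGP" (true for the GlobalProtect virtual adapter on current builds, but treat it as an assumption) and that the machine's FQDN is taken from Win32_ComputerSystem.

```powershell
# Added example, not from the original thread. Run on a Windows client while connected to GlobalProtect.
# Confirms the client's name registers in internal DNS with its GP pool address (Pete's fix, seen from the client).
# Assumption: the GlobalProtect virtual adapter's description contains 'PANGP'.

function Get-GlobalProtectIPv4 {
    # Finds the connected GP virtual adapter and returns its IPv4 address.
    $adapter = Get-NetAdapter |
               Where-Object { $_.InterfaceDescription -like '*PANGP*' -and $_.Status -eq 'Up' } |
               Select-Object -First 1
    if (-not $adapter) { throw 'No connected GlobalProtect adapter found (is the tunnel up?).' }
    $ip = Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 | Select-Object -First 1
    [pscustomobject]@{ Alias = $adapter.Name; IfIndex = $adapter.ifIndex; IPv4 = $ip.IPAddress }
}

function Compare-DnsRegistration {
    # Compares the GP adapter address with the A record(s) the DNS server returns for this host.
    param(
        [string]$Fqdn = (Get-CimInstance Win32_ComputerSystem |
                         ForEach-Object { '{0}.{1}' -f $_.DNSHostName, $_.Domain })
    )
    $gp  = Get-GlobalProtectIPv4
    # -DnsOnly skips the local hosts file and cache so we see what the server actually holds.
    $answers = Resolve-DnsName -Name $Fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'A' } |
               ForEach-Object { $_.IPAddress }
    $dnsClient = Get-DnsClient -InterfaceIndex $gp.IfIndex
    [pscustomobject]@{
        Fqdn                  = $Fqdn
        GlobalProtectIPv4     = $gp.IPv4
        DnsAnswers            = (@($answers) -join ', ')
        Matches               = (@($answers) -contains $gp.IPv4)
        AdapterRegistersInDns = $dnsClient.RegisterThisConnectionsAddress   # must be $true for dynamic update
    }
}

$result = Compare-DnsRegistration
$result | Format-List

if (-not $result.Matches) {
    Write-Warning 'DNS does not hold the GlobalProtect address for this host; forcing re-registration.'
    Register-DnsClient          # same effect as ipconfig /registerdns

    # If the record still does not appear, the server is likely refusing updates from the pool,
    # which is exactly the Infoblox configuration Pete's DNS team had to change.
    # The DNS Client logs event 8015 in the System log when a host record registration fails.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DNS-Client'; Id = 8015 } `
                 -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message | Format-List
}
```

If Matches is $false, AdapterRegistersInDns is $true, and the 8015 events keep appearing after Register-DnsClient, the problem is on the server (the pool is not permitted to register), not on the client.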


Re: SCCM management of remote GP Windows clients

Thanks for the reply. Before I create a new Thread for help... Did you configure your GlobalProtect with pre-logon connection method or user-logon? Someone mentioned on a Palo FB forum, that pre-logon should be set for SCCM to work seamlessly.

 

Thanks...

 

PS: Are you by any chance seeing any "aged-out" traffic from your GP Client (Source) to SCCM Server (Destination)? 

 



Re: SCCM management of remote GP Windows clients

Bump


Re: SCCM management of remote GP Windows clients

Sorry, ColonelHawx, I did not see your previous post. Connection Method is "On-demand (Manual user initiated connection)."

 

Pete
