Internet Clients can be particularly difficult to troubleshoot for several reasons. Foremost, they are usually off-site, so that can present logistical challenges.
Also, because the client agent is essentially identical to an “internal” client agent, you have to perform all of the same diagnostic steps as you would for any other client, in addition to the additional layer of issues inherent with managing a computer outside of your internal network environment.
I will freely admit this is not my strongest area within the Configuration Manager realm. For that reason, I reached out to my customers and colleagues to gather their headaches.
Configuration Manager Properties – Internet
- Remote / Off-site devices are not reporting in or showing in the Management console
- Remote devices are not getting policy updates, or software installations
- Remote devices begin falling out of inventory due to aging records
Potential causes ^
Based on my experience and learning from customers, the vast majority of Internet-Based Client Management issues are related to one of three basic problems:
- Corrupted or Missing Client PKI certificate on Client computer
- Improperly configured or faulty PKI environment (also in DMZ)
- DNS configuration or publishing issues (in DMZ as well)
- Network Connectivity or Firewall configuration issues
- The Site Server isn’t joined to an AD domain
- Site Server Shares exist on the Site server system managing Internet Clients
- Missing or Unavailable CRL in perimeter network (DMZ)
- Not testing thoroughly before going to production!
Having a properly-configured, reliable and available PKI environment is essential to both Native Mode operations, as well as Internet Client management. But because PKI is so intertwined with DNS and Active Directory, I would usually start by eliminating the obvious: DNS. The familiar tools like NSLOOKUP and PING, or PATHPING, can be very helpful in diagnosing the most basic DNS configuration or functional issues.
- Verify Internet connectivity from remote clients
- Verify Name Resolution from outside your network (DNS)
- Verify PKI certificates are properly configured, provisioned and installed
Helpful links ^
- Prerequisites for Internet-Based Client Management
- Supported Scenarios for Internet-Based Client Management
- Deploying Configuration Manager Sites to Support Internet-Based Clients
- Certificate Requirements for Native Mode
- Site System Roles that Support Internet-Based Client Management
- Determine Server Placement for Internet-Based Client Management
- Configuring DNS for Configuration Manager Site System Roles
- How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management
- List of Log Files in Configuration Manager 2007
- Troubleshooting Configuration Manager Client Issues