Hi everyone, I'm posting this in the hope that someone will have some experience in connecting Microsoft System Center Configuration Manager (SCCM) through a Squid Reverse Proxy in Internet-Based Client Management mode. Basically, at the moment we use SCCM through an MS TMG server in Reverse Proxy configuration and this works (probably because Microsoft have lots documentation on this on their site), but due to the fact that MS are phasing out TMG, we want another solution for patching our laptops when they are off the network but on the Internet. What should happen is that when a laptop is off the LAN but on the Internet, it communicates back to the SCCM server via HTTPS through port 443. The authentication happens as there is a certificate on the laptop which has a organisational CA in common and once authenticated, all of the patches should roll out. When we try to connect through Squid, the traffic does get through from the laptop to the SCCM server, but we do have issues. The configuration in Squid is as follows (running on Squid 3.4); https_port xx.xx.xx.44:443 accel cert=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/ibcm.crt key=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/ibcm_key.pem cipher=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM options=NO_SSLv2,NO_SSLv3 defaultsite=server_4.btstl.co.uk cache_peer xx.xx.xx.60 parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslcert=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/peer_keys/IBCM.pem sslversion=1 sslflags=DONT_VERIFY_PEER front-end-https name=server_4_https acl sites_server_4 dstdomain ibcm.ourdomain.com cache_peer_access server_4_https allow sites_server_4 cache_peer_access server_4_https deny all And the log looks like this; 81.XX.XX.XX - - [05/Dec/2014:11:43:33 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:11:51:16 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:11:54:44 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:11:57:44 +0000] "CCM_POST https://ibcm.ourdomain.com/bgb/handler.ashx? HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:02:55 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:02:55 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:02:55 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:22:13 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:22:13 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:22:13 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:22:14 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:31:27 +0000] "CCM_POST https://ibcm.ourdomain.com/bgb/handler.ashx? HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:39:37 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:39:38 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:39:38 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:40:48 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:42:28 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:45:39 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT 81.XX.XX.XX - - [05/Dec/2014:12:51:19 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT So obviously, we are connecting, but getting a 403 error back. The configuration on the SCCM server does appear to be correct, so we are examining whether we have configured the Squid part correctly... Does anyone have any experience of doing this? Thanks in advance John _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
