On 8/12/2014 8:32 a.m., John Gardner wrote:
> Hi everyone, I'm posting this in the hope that someone will have
> some experience in connecting Microsoft System Center Configuration
> Manager (SCCM) through a Squid Reverse Proxy in Internet-Based
> Client Management mode. Basically, at the moment we use SCCM
> through an MS TMG server in Reverse Proxy configuration and this
> works (probably because Microsoft have lots of documentation on this
> on their site), but due to the fact that MS are phasing out TMG, we
> want another solution for patching our laptops when they are off
> the network but on the Internet.
>
> What should happen is that when a laptop is off the LAN but on the
> Internet, it communicates back to the SCCM server via HTTPS
> through port 443. The authentication happens as there is a
> certificate on the laptop which has an organisational CA in common
> and once authenticated, all of the patches should roll out.
>
> When we try to connect through Squid, the traffic does get through
> from the laptop to the SCCM server, but we do have issues.
>
> The configuration in Squid is as follows (running on Squid 3.4);
>
> https_port xx.xx.xx.44:443 accel cert=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/ibcm.crt key=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/ibcm_key.pem cipher=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM options=NO_SSLv2,NO_SSLv3 defaultsite=server_4.btstl.co.uk
> cache_peer xx.xx.xx.60 parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslcert=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/peer_keys/IBCM.pem sslversion=1 sslflags=DONT_VERIFY_PEER front-end-https name=server_4_https
> acl sites_server_4 dstdomain ibcm.ourdomain.com
> cache_peer_access server_4_https allow sites_server_4
> cache_peer_access server_4_https deny all
>
> And the log looks like this;
>
> 81.XX.XX.XX - - [05/Dec/2014:11:43:33 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT <snip>
>
> So obviously, we are connecting, but getting a 403 error back.
> The configuration on the SCCM server does appear to be correct, so
> we are examining whether we have configured the Squid part
> correctly... Does anyone have any experience of doing this?
>

Assuming Jason is right about it being a not-quite-HTTP protocol, can
you please enable debug_options 11,2 to see what messages SCCM is
sending to Squid. I might be able to do something about it.

Also check that you have this at or near the top of your http_access
rules:

  http_access allow sites_server_4

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
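Added example, not part of the original thread: a small Python triage of access-log lines in the layout quoted above, assuming it is Squid's built-in "common" logformat. It separates requests Squid refused itself (TCP_DENIED) from requests it forwarded to a peer (a hierarchy code such as FIRSTUP_PARENT) and flags extension methods like CCM_POST; the second and third sample lines and all function names are constructed for illustration.

```python
import re

# Assumed layout: Squid "common" logformat, ending in %Ss:%Sh (result code : hierarchy code).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+) (?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)'
)

# Common HTTP methods; anything else (e.g. CCM_POST) is treated as an extension method.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "OPTIONS", "TRACE", "CONNECT", "PATCH"}

SAMPLE_LOG = [
    # Line quoted in the thread (redactions as posted, trailing "<snip>" dropped).
    '81.XX.XX.XX - - [05/Dec/2014:11:43:33 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT',
    # Constructed lines for comparison: an ACL denial and a normal forwarded GET.
    '192.0.2.10 - - [05/Dec/2014:11:44:02 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 3520 TCP_DENIED:HIER_NONE',
    '192.0.2.11 - - [05/Dec/2014:11:45:10 +0000] "GET https://ibcm.ourdomain.com/ HTTP/1.1" 200 512 TCP_MISS:FIRSTUP_PARENT',
]

def classify(line):
    """Parse one log line; return a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["extension_method"] = rec["method"] not in STANDARD_METHODS
    if rec["result"].startswith("TCP_DENIED"):
        rec["path"] = "denied-by-squid"      # refused before any forwarding
    elif rec["hier"] not in ("HIER_NONE", "NONE"):
        rec["path"] = "forwarded-to-peer"    # request reached the cache_peer
    else:
        rec["path"] = "answered-by-squid"    # served or rejected locally
    return rec

def triage(lines, status=403):
    """Return (method, result:hier, path) for every parsed line with the given status."""
    recs = [r for r in map(classify, lines) if r and r["status"] == status]
    return [(r["method"], r["result"] + ":" + r["hier"], r["path"]) for r in recs]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(*row)
```

For the line quoted in the thread this reports forwarded-to-peer, so the debug_options 11,2 output requested above is where to see what was exchanged with the peer.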