[squid-users] Running SCCM through Squid

John Gardner jeg1972 at gmail.com
Sun Dec 7 19:32:25 UTC 2014


Hi everyone, I'm posting this in the hope that someone will have some
experience in connecting Microsoft System Center Configuration Manager
(SCCM) through a Squid Reverse Proxy in Internet-Based Client
Management mode.  Basically, at the moment we use SCCM through an MS
TMG server in Reverse Proxy configuration and this works (probably
because Microsoft have lots of documentation on this on their site), but
due to the fact that MS are phasing out TMG, we want another solution
for patching our laptops when they are off the network but on the
Internet.

What should happen is that when a laptop is off the LAN but on the
Internet, it communicates back to the SCCM server via HTTPS through
port 443. The authentication happens as there is a certificate on the
laptop which has an organisational CA in common and once authenticated,
all of the patches should roll out.

When we try to connect through Squid, the traffic does get through
from the laptop to the SCCM server, but we do have issues.

The configuration in Squid is as follows (running on Squid 3.4);


https_port xx.xx.xx.44:443 accel cert=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/ibcm.crt key=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/ibcm_key.pem cipher=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM options=NO_SSLv2,NO_SSLv3 defaultsite=server_4.btstl.co.uk
cache_peer xx.xx.xx.60 parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslcert=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/peer_keys/IBCM.pem sslversion=1 sslflags=DONT_VERIFY_PEER front-end-https name=server_4_https
acl sites_server_4 dstdomain ibcm.ourdomain.com
cache_peer_access server_4_https allow sites_server_4
cache_peer_access server_4_https deny all

And the log looks like this;

81.XX.XX.XX - - [05/Dec/2014:11:43:33 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:11:51:16 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:11:54:44 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:11:57:44 +0000] "CCM_POST https://ibcm.ourdomain.com/bgb/handler.ashx? HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:02:55 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:02:55 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:02:55 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:22:13 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:22:13 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:22:13 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:22:14 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:31:27 +0000] "CCM_POST https://ibcm.ourdomain.com/bgb/handler.ashx? HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:39:37 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:39:38 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:39:38 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:40:48 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:42:28 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:45:39 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
81.XX.XX.XX - - [05/Dec/2014:12:51:19 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT

So obviously, we are connecting, but getting a 403 error back.  The
configuration on the SCCM server does appear to be correct, so we are
examining whether we have configured the Squid part correctly... Does
anyone have any experience of doing this?

Thanks in advance

John
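
Added example, not part of the original post and not Squid project code: a small triage script for log lines in the format shown above, which uses Squid's result and hierarchy codes to tell a 403 refused by the proxy's own ACLs apart from one returned after the request was forwarded to the cache_peer. The sample lines, the 192.0.2.x addresses, the other.example.test host and the category names are constructed for illustration.

```python
import re
from collections import Counter

# Squid's built-in "common" logformat, which matches the excerpt above:
#   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st %Ss:%Sh
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'(?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)$')

def parse(line):
    """Return the fields of one log line as a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def error_source(entry):
    """Classify a 4xx/5xx by the hop that most likely produced it."""
    if int(entry["status"]) < 400:
        return "ok"
    if entry["result"].startswith("TCP_DENIED"):
        return "squid-acl"        # refused by Squid's own access rules
    if entry["hier"] in ("NONE", "HIER_NONE"):
        return "squid-local"      # error page built by Squid, no peer contacted
    # A peer was selected. A 403 here is normally the peer's own reply relayed
    # by Squid; 502/503/504 can still be Squid reporting a failed peer contact.
    return "forwarded"

def summarise(lines):
    """Count entries by (source, method, path, status); also count bad lines."""
    counts, unparsed = Counter(), 0
    for line in lines:
        entry = parse(line)
        if entry is None:
            unparsed += 1
            continue
        path = re.sub(r'^https?://[^/]+', '', entry["url"]).split("?")[0]
        counts[(error_source(entry), entry["method"], path, entry["status"])] += 1
    return counts, unparsed

# Constructed sample: two lines shaped like the excerpt, one ACL denial, one bad line.
SAMPLE = [
    '192.0.2.10 - - [05/Dec/2014:11:43:33 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT',
    '192.0.2.10 - - [05/Dec/2014:11:57:44 +0000] "CCM_POST https://ibcm.ourdomain.com/bgb/handler.ashx? HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT',
    '192.0.2.11 - - [05/Dec/2014:12:00:01 +0000] "GET https://other.example.test/ HTTP/1.1" 403 3900 TCP_DENIED:HIER_NONE',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    counts, unparsed = summarise(SAMPLE)
    for key, n in counts.most_common():
        print(n, *key)
    print("unparsed:", unparsed)
```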

