[squid-users] Running SCCM through Squid

Amos Jeffries squid3 at treenet.co.nz
Mon Dec 8 02:14:32 UTC 2014



On 8/12/2014 8:32 a.m., John Gardner wrote:
> Hi everyone, I'm posting this in the hope that someone will have
> some experience in connecting Microsoft System Center Configuration
> Manager (SCCM) through a Squid Reverse Proxy in Internet-Based
> Client Management mode.  Basically, at the moment we use SCCM
> through an MS TMG server in Reverse Proxy configuration and this
> works (probably because Microsoft have lots of documentation on this
> on their site), but due to the fact that MS are phasing out TMG, we
> want another solution for patching our laptops when they are off
> the network but on the Internet.
> 
> What should happen is that when a laptop is off the LAN but on the 
> Internet, it communicates back to the SCCM server via HTTPS
> through port 443. The authentication happens as there is a
> certificate on the laptop which has an organisational CA in common
> and once authenticated, all of the patches should roll out.
> 
> When we try to connect through Squid, the traffic does get through 
> from the laptop to the SCCM server, but we do have issues.
> 
> The configuration in Squid is as follows (running on Squid 3.4);
> 
> 
> https_port xx.xx.xx.44:443 accel cert=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/ibcm.crt key=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/ibcm_key.pem cipher=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM options=NO_SSLv2,NO_SSLv3 defaultsite=server_4.btstl.co.uk
> cache_peer xx.xx.xx.60 parent 443 0 no-query originserver login=PASS connection-auth=on ssl sslcert=/usr/newrprgate/CertAuth/ibcm.ourdomain.com/peer_keys/IBCM.pem sslversion=1 sslflags=DONT_VERIFY_PEER front-end-https name=server_4_https
> acl sites_server_4 dstdomain ibcm.ourdomain.com
> cache_peer_access server_4_https allow sites_server_4
> cache_peer_access server_4_https deny all
> 
> And the log looks like this;
> 
> 81.XX.XX.XX - - [05/Dec/2014:11:43:33 +0000] "CCM_POST https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 TCP_MISS:FIRSTUP_PARENT
<snip>

> 
> So obviously, we are connecting, but getting a 403 error back.
> The configuration on the SCCM server does appear to be correct, so
> we are examining whether we have configured the Squid part
> correctly... Does anyone have any experience of doing this?
> 

Assuming Jason is right about it being a not-quite-HTTP protocol, can
you please enable debug_options 11,2 to see what messages SCCM is
sending to Squid? I might be able to do something about it.

Also check that you have this at or near the top of your http_access
rules:
  http_access allow sites_server_4

Amos
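A triage aid for the access.log line quoted in the thread above, added here as an example (it is not code from the post or from the Squid project): it parses Squid's built-in `common` log format and reports whether the request used an extension method and whether the status was produced by Squid itself or relayed from the cache_peer. The function name `triage` and the second sample line are constructed for illustration.

```python
import re

# Squid's built-in "common" logformat, the shape of the line quoted in the post:
#   client ident user [time] "METHOD URL HTTP/ver" status bytes Result:Hierarchy
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<ver>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) (?P<result>[A-Z_]+):(?P<hier>[A-Z_]+)$'
)

# Standard HTTP methods; anything else (such as CCM_POST) is an extension method.
STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                    "OPTIONS", "TRACE", "CONNECT", "PATCH"}
NO_UPSTREAM = {"NONE", "HIER_NONE"}  # hierarchy codes: no peer/origin was contacted


def triage(line):
    """Return a dict describing one access.log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["extension_method"] = rec["method"] not in STANDARD_METHODS
    if rec["result"].startswith("TCP_DENIED") or rec["hier"] in NO_UPSTREAM:
        rec["answered_by"] = "squid"  # generated locally, e.g. an http_access denial
    else:
        rec["answered_by"] = "peer"   # forwarded; the status came back from upstream
    return rec


# Sample input: the first line is the one quoted in the post; the second is a
# constructed local denial, included only for contrast.
SAMPLE = [
    '81.XX.XX.XX - - [05/Dec/2014:11:43:33 +0000] "CCM_POST '
    'https://ibcm.ourdomain.com/ccm_system/request HTTP/1.1" 403 1560 '
    'TCP_MISS:FIRSTUP_PARENT',
    '192.0.2.10 - - [05/Dec/2014:11:44:02 +0000] "GET '
    'https://other.example/ HTTP/1.1" 403 3500 TCP_DENIED:HIER_NONE',
]

if __name__ == "__main__":
    for raw in SAMPLE:
        r = triage(raw)
        print(r["method"], r["status"], r["result"], r["hier"],
              "extension" if r["extension_method"] else "standard",
              "answered by", r["answered_by"])
```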

