Remote device cannot connect to SCCM cloud gateway

Hi All,

We have an issue with our remote devices not talking to the SCCM cloud management gateway. A device that is on the internet will not connect to the gateway. The LocationServices.LOG will return entries like WINHTTP_SECURE_FAILURE. When the device starts up a VPN connection with the company network, it connects properly to the on-premises SCCM MP. Oddly enough, when disconnecting the VPN, the device switches over to the cloud gateway without any problem and stays connected. After a reboot, for instance, the same story starts all over again.
Could there be an issue with the SSL certificate on the cloud gateway? I believe it has been configured correctly. Below is included an excerpt of the locationservices.log. Any help would be very much appreciated!!

]LOG]!><time="08:26:06.909-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="event.cpp:840">
<![LOG[Failed to send request to /CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT at host ABCDEFG.CLOUDAPP.NET, error 0x2f8f]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="ccmhttpget.cpp:1599">
<![LOG[[CCMHTTP] ERROR: URL=https://ABCDEFG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=480, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="ccmhttperror.cpp:291">
<![LOG[Successfully queued event on HTTP/HTTPS failure for server 'ABCDEFG.CLOUDAPP.NET'.]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="ccmhttperror.cpp:357">
<![LOG[2 internet MP errors in the last 10 minutes, threshold is 5.]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="14012" file="lsutils.cpp:2862">
<![LOG[Domain joined client is in Unknown location]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:1183">
<![LOG[Using INF MP ABCDEFG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939 as lookup MP.]LOG]!><time="08:26:06.911-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2391">
<![LOG[Assigned MP error threshold reached, moving to next MP.]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="4432" file="lsutils.cpp:2800">
<![LOG[Retrieved MP [SCCMSERVER.COMPANY.INTERNAL] from Registry]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2415">
<![LOG[Attempting to retrieve lookup MP(s) from DNS]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2467">
<![LOG[Using default DNS suffix COMPANY.INTERNAL]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:3556">
<![LOG[Attempting to retrieve default management points from DNS]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:3565">
<![LOG[Failed to retrieve DNS service record using _mssms_mp_s01._tcp.COMPANY.INTERNAL lookup. DNS returned error 9003]LOG]!><time="08:26:06.944-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="lsad.cpp:3591">
<![LOG[No lookup MP(s) from DNS]LOG]!><time="08:26:06.944-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2496">
<![LOG[Policy prevents failover to WINS for lookup]LOG]!><time="08:26:06.944-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2520">
<![LOG[Attempting to retrieve default management points from lookup MP(s) via HTTPS]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2707">
<![LOG[Unable to retrieve AD forest + domain membership. Error 0x8007054b]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="lsad.cpp:902">
<![LOG[Failed to send request to /SMS_MP/.sms_aut?SITESIGNCERT at host SCCMSERVER.COMPANY.INTERNAL, error 0x2ee7]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="ccmhttpget.cpp:1599">
<![LOG[[CCMHTTP] ERROR: URL=http://SCCMSERVER.COMPANY.INTERNAL/SMS_MP/.sms_aut?SITESIGNCERT, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="ccmhttperror.cpp:291">
<![LOG[Raising event:

instance of CCM_CcmHttp_Status
{
      ClientID = "GUID:6FE1B6F1-CBE2-4FED-A1AB-2A45787DADDC";
      DateTime = "20180214072606.959000+000";
      HostName = "SCCMSERVER.COMPANY.INTERNAL";
      HRESULT = "0x80072ee7";
      ProcessID = 12892;
      StatusCode = 600;
      ThreadID = 10500;
};
Piet Vanbeckbergen, Infrastructure engineer, asked:
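An added triage example, not part of the original post: it parses the CMTrace-style entries shown in the excerpt above, converts the hex value in each "Failed to send request" line to its WinHTTP code, and groups the failures by host so a TLS failure against the gateway is separated from a name-resolution failure against the internal MP. The sample log is constructed from the post's placeholder host names; the function names and the category labels are assumptions of this example.

```python
import re
from collections import defaultdict

# One CMTrace entry; a message may span several lines, hence DOTALL.
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]+)" date="(?P<date>[^"]+)"'
    r' component="(?P<component>[^"]*)" context="[^"]*" type="(?P<type>\d+)"'
    r' thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">', re.DOTALL)
SEND_FAIL = re.compile(
    r'Failed to send request to (?P<path>\S+) at host (?P<host>[^,\s]+), '
    r'error 0x(?P<code>[0-9a-fA-F]+)')
# WinHTTP codes: the first two appear in the post's log, the others are from winhttp.h.
WINHTTP = {12175: ("ERROR_WINHTTP_SECURE_FAILURE", "tls"), 12007: ("ERROR_WINHTTP_NAME_NOT_RESOLVED", "dns"),
           12029: ("ERROR_WINHTTP_CANNOT_CONNECT", "connect"), 12002: ("ERROR_WINHTTP_TIMEOUT", "timeout")}

def parse_entries(text):
    """Return one dict per complete entry; a truncated leading fragment is skipped."""
    return [m.groupdict() for m in ENTRY.finditer(text)]

def send_failures(text):
    """Return {host: [(time, decimal code, symbolic name, category), ...]}."""
    out = defaultdict(list)
    for e in parse_entries(text):
        m = SEND_FAIL.search(e["msg"])
        if m:
            code = int(m.group("code"), 16)  # e.g. 0x2f8f -> 12175
            out[m.group("host")].append(
                (e["time"], code) + WINHTTP.get(code, ("UNKNOWN", "other")))
    return dict(out)

# Constructed sample in the format of the excerpt (first line is a truncated fragment).
SAMPLE = ''']LOG]!><time="08:26:06.909-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="event.cpp:840">
<![LOG[Failed to send request to /CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT at host ABCDEFG.CLOUDAPP.NET, error 0x2f8f]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="ccmhttpget.cpp:1599">
<![LOG[Retrieved MP [SCCMSERVER.COMPANY.INTERNAL] from Registry]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2415">
<![LOG[Failed to send request to /SMS_MP/.sms_aut?SITESIGNCERT at host SCCMSERVER.COMPANY.INTERNAL, error 0x2ee7]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="ccmhttpget.cpp:1599">
<![LOG[Raising event:

instance of CCM_CcmHttp_Status
{
      HostName = "SCCMSERVER.COMPANY.INTERNAL";
      StatusCode = 600;
};]LOG]!><time="08:26:06.960-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="event.cpp:840">
'''

if __name__ == "__main__":
    for host, failures in send_failures(SAMPLE).items():
        print(host, failures)
```

A "tls" result means the name resolved and the TCP connection was made but the server certificate failed validation on the client, while a "dns" result for the internal MP is what an off-network client produces when it cannot resolve the internal name.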

Kyle Santos, Customer Relations, commented:
Hi,

I am following up on your question.  Do you still need help?

If you solved the problem on your own, would you please post the solution here in case others have the same problem?

Regards,

Kyle Santos
Customer Relations
Piet Vanbeckbergen, Infrastructure engineer (author), commented:
Hi Kyle,

Not solved yet, due to other priorities. I have, however, found the following article and will try that out when I get the time.

https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/setup-cloud-management-gateway#modify-a-cmg
Kyle Santos, Customer Relations, commented:
OK thank you for letting me know.  Would you like me to send more calls out to experts to help solve this?
Piet Vanbeckbergen, Infrastructure engineer (author), commented:
Any suggestion or advice would be more than welcome :)
Alexander Daskas commented:
https://www.anoopcnair.com/cmg-client-communication-failure-error-0x87d0027e/#comment-85851

We tried testing with a device on the corporate network, but modifying the registry to force the client to use the CMG. What happened is we didn't take into account a firewall in place that was breaking the certificate chain.
Kyle Santos, Customer Relations, commented:
Hi Piet-Vanbeckbergen,

Is there anything else we can assist you with?

Regards,

Kyle Santos
Customer Relations