Remote device can not connect to SCCM cloud gateway

Hi All,

We have an issue with our remote devices not talking to the SCCM cloud management gateway. A device that is on the internet will not connect to the gateway. The LocationServices.LOG will return entries like WINHTTP_SECURE_FAILURE. When the device starts up a VPN connection with the company network, it connects properly to the on-premises SCCM MP. Oddly enough, when disconnecting the VPN, the device switches over to the cloud gateway without any problem and stays connected. After a reboot, for instance, the same story starts all over again.
Could there be an issue with the SSL certificate on the cloud gateway? I believe it has been configured correctly. Below is included an excerpt of the locationservices.log. Any help would be very much appreciated!!

]LOG]!><time="08:26:06.909-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="event.cpp:840">
<![LOG[Failed to send request to /CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT at host ABCDEFG.CLOUDAPP.NET, error 0x2f8f]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="ccmhttpget.cpp:1599">
<![LOG[[CCMHTTP] ERROR: URL=https://ABCDEFG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=480, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="ccmhttperror.cpp:291">
<![LOG[Successfully queued event on HTTP/HTTPS failure for server 'ABCDEFG.CLOUDAPP.NET'.]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="ccmhttperror.cpp:357">
<![LOG[2 internet MP errors in the last 10 minutes, threshold is 5.]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="14012" file="lsutils.cpp:2862">
<![LOG[Domain joined client is in Unknown location]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:1183">
<![LOG[Using INF MP ABCDEFG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939 as lookup MP.]LOG]!><time="08:26:06.911-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2391">
<![LOG[Assigned MP error threshold reached, moving to next MP.]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="4432" file="lsutils.cpp:2800">
<![LOG[Retrieved MP [SCCMSERVER.COMPANY.INTERNAL] from Registry]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2415">
<![LOG[Attempting to retrieve lookup MP(s) from DNS]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2467">
<![LOG[Using default DNS suffix COMPANY.INTERNAL]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:3556">
<![LOG[Attempting to retrieve default management points from DNS]LOG]!><time="08:26:06.912-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:3565">
<![LOG[Failed to retrieve DNS service record using _mssms_mp_s01._tcp.COMPANY.INTERNAL lookup. DNS returned error 9003]LOG]!><time="08:26:06.944-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="lsad.cpp:3591">
<![LOG[No lookup MP(s) from DNS]LOG]!><time="08:26:06.944-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2496">
<![LOG[Policy prevents failover to WINS for lookup]LOG]!><time="08:26:06.944-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2520">
<![LOG[Attempting to retrieve default management points from lookup MP(s) via HTTPS]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="lsad.cpp:2707">
<![LOG[Unable to retrieve AD forest + domain membership. Error 0x8007054b]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="lsad.cpp:902">
<![LOG[Failed to send request to /SMS_MP/.sms_aut?SITESIGNCERT at host SCCMSERVER.COMPANY.INTERNAL, error 0x2ee7]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="ccmhttpget.cpp:1599">
<![LOG[[CCMHTTP] ERROR: URL=http://SCCMSERVER.COMPANY.INTERNAL/SMS_MP/.sms_aut?SITESIGNCERT, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="ccmhttperror.cpp:291">
<![LOG[Raising event:

instance of CCM_CcmHttp_Status
{
      ClientID = "GUID:6FE1B6F1-CBE2-4FED-A1AB-2A45787DADDC";
      DateTime = "20180214072606.959000+000";
      HostName = "SCCMSERVER.COMPANY.INTERNAL";
      HRESULT = "0x80072ee7";
      ProcessID = 12892;
      StatusCode = 600;
      ThreadID = 10500;
};
Piet Vanbeckbergen, Infrastructure engineer, Asked:

Kyle Santos, Quality Assurance, Commented:
Hi,

I am following up on your question.  Do you still need help?

If you solved the problem on your own, would you please post the solution here in case others have the same problem?

Regards,

Kyle Santos
Customer Relations
Piet Vanbeckbergen, Infrastructure engineer, Author Commented:
Hi Kyle,

Not solved yet, due to other priorities. I have, however, found the following article and will try that out when I get the time.

https://docs.microsoft.com/en-us/sccm/core/clients/manage/cmg/setup-cloud-management-gateway#modify-a-cmg
Kyle Santos, Quality Assurance, Commented:
OK, thank you for letting me know. Would you like me to send more calls out to experts to help solve this?
Piet Vanbeckbergen, Infrastructure engineer, Author Commented:
Any suggestion or advice would be more than welcome :)
Alexander Daskas, Commented:
https://www.anoopcnair.com/cmg-client-communication-failure-error-0x87d0027e/#comment-85851

We tried testing with a device on the corporate network, but modifying the registry to force the client to use the CMG. What happened is we didn't take into account a firewall in place that was breaking the certificate chain.
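
Added example, not part of the original posts: a small triage script for the LocationServices.log record format shown in the question, which separates the TLS failure against the CMG host (the class of error a certificate chain altered in transit, as in the comment above, produces) from the name-resolution failure against the internal MP. The function names and the `tls`/`dns` labels are illustrative assumptions; the sample records are copied from the excerpt, with a truncated record left in on purpose.

```python
import re
from collections import Counter

# WinHTTP codes from the excerpt: 12175 SECURE_FAILURE, 12007 NAME_NOT_RESOLVED.
WINHTTP_CLASS = {12175: "tls", 12007: "dns"}

# One complete record; the tempered dot keeps a truncated record from
# swallowing the record that follows it.
ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>(?:(?!<!\[LOG\[).)*?)\]LOG\]!><time="(?P<time>[^"]*)" '
    r'date="(?P<date>[^"]*)" component="[^"]*" context="[^"]*" '
    r'type="(?P<type>\d+)"', re.S)
CCMHTTP = re.compile(r'\[CCMHTTP\] ERROR: URL=\w+://(?P<host>[^/,\s]+)\S*, '
                     r'Port=\d+, Options=\d+, Code=(?P<code>\d+),')
SENDFAIL = re.compile(r'Failed to send request to \S+ at host '
                      r'(?P<host>[^,\s]+), error 0x(?P<hex>[0-9a-fA-F]+)')

def http_failures(text):
    """Count failures per (host, decimal WinHTTP code) across both line types."""
    seen = Counter()
    for rec in ENTRY.finditer(text):
        msg = rec["msg"]
        if (m := CCMHTTP.search(msg)):
            seen[(m["host"].upper(), int(m["code"]))] += 1
        elif (m := SENDFAIL.search(msg)):
            seen[(m["host"].upper(), int(m["hex"], 16))] += 1  # hex form of the same code
    return seen

def triage(text):
    """Map each host to the sorted failure classes seen for it."""
    out = {}
    for host, code in http_failures(text):
        out.setdefault(host, set()).add(WINHTTP_CLASS.get(code, "other"))
    return {host: sorted(classes) for host, classes in out.items()}

# Constructed sample: records copied from the excerpt in the question, including
# its orphaned first line and its truncated "Raising event" record.
SAMPLE = r''']LOG]!><time="08:26:06.909-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="event.cpp:840">
<![LOG[Failed to send request to /CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT at host ABCDEFG.CLOUDAPP.NET, error 0x2f8f]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="2" thread="10500" file="ccmhttpget.cpp:1599">
<![LOG[[CCMHTTP] ERROR: URL=https://ABCDEFG.CLOUDAPP.NET/CCM_Proxy_MutualAuth/72057594037927939/SMS_MP/.sms_aut?SITESIGNCERT, Port=443, Options=480, Code=12175, Text=ERROR_WINHTTP_SECURE_FAILURE]LOG]!><time="08:26:06.910-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="ccmhttperror.cpp:291">
<![LOG[Raising event:
instance of CCM_CcmHttp_Status
<![LOG[[CCMHTTP] ERROR: URL=http://SCCMSERVER.COMPANY.INTERNAL/SMS_MP/.sms_aut?SITESIGNCERT, Port=80, Options=480, Code=12007, Text=ERROR_WINHTTP_NAME_NOT_RESOLVED]LOG]!><time="08:26:06.959-60" date="02-14-2018" component="LocationServices" context="" type="1" thread="10500" file="ccmhttperror.cpp:291">
'''

if __name__ == "__main__":
    for host, classes in triage(SAMPLE).items():
        print(host, classes)
```

A `tls` class against the CMG host points at the certificate the client actually receives on that network path, while `dns` against the internal MP name only shows that the name does not resolve from where the client sits.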
Kyle Santos, Quality Assurance, Commented:
Hi Piet-Vanbeckbergen,

Is there anything else we can assist you with?

Regards,

Kyle Santos
Customer Relations