SCCM & Cisco NAC


I ran into an interesting issue with an SCCM implementation in an environment that uses Cisco NAC to protect its system resources from unauthorized devices.  One of the goals of the implementation was to ensure the SCCM clients could still function when no user was logged into Windows, i.e. when the NAC agent had not authenticated the machine onto the production VLAN.  To accomplish this, the ports used by SCCM needed to be opened, allowed, and unrestricted to the SCCM servers.

The issue that we found was when the computer was on the “dirty” VLAN, the SCCM client would switch from being an Intranet client to an Internet client.  Furthermore, the client’s LocationServices log showed that it was failing to locate the MP from AD and the SLP from AD.

Using a network monitoring tool called Wireshark, we identified that the client was trying to communicate with AD on TCP port 3268.  This is a normal port used by AD for LDAP.  Checking the NAC configuration, it was certainly not allowing communication over that port.  As soon as that was allowed, the SCCM client immediately began functioning, downloading software updates and SWD packages.  Who knows whatever else was fixed through this discovery…
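A quick way to catch this class of problem before rolling out a NAC policy is to run a reachability check from a machine parked on the quarantine VLAN. The script below is an added example, not part of the original post: it enumerates the forest's Global Catalog servers (TCP 3268 is the Global Catalog LDAP port the client was trying to reach), tests 389 and 3268 against each of them, and tests the management point port. The management point name and port are placeholders for your site's values.

```powershell
# Added example: check, from a client on the NAC "dirty" VLAN, whether the AD
# and SCCM ports the client needs are reachable. Assumes a domain-joined client
# with working DNS. $ManagementPoint and $MpPort are placeholders.
param(
    [string]$ManagementPoint = 'sccm-mp.example.local',   # placeholder
    [int]$MpPort = 80                                       # placeholder; 443 for an HTTPS MP
)

# Global Catalog servers are what the client queries on 3268 for MP/SLP records.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gcs    = $forest.GlobalCatalogs | Select-Object -ExpandProperty Name

$checks = @(
    foreach ($gc in $gcs) {
        # 389 = domain LDAP, 3268 = Global Catalog LDAP (the port found blocked in the post)
        foreach ($port in 389, 3268) {
            $r = Test-NetConnection -ComputerName $gc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $gc; Port = $port; Open = $r.TcpTestSucceeded }
        }
    }
)

# The MP itself must also be reachable, or the client falls back to Internet mode.
$mp = Test-NetConnection -ComputerName $ManagementPoint -Port $MpPort -WarningAction SilentlyContinue
$checks += [pscustomobject]@{ Target = $ManagementPoint; Port = $MpPort; Open = $mp.TcpTestSucceeded }

$checks | Format-Table -AutoSize

# Anything listed here is a port the NAC policy for the quarantine VLAN must permit.
$blocked = $checks | Where-Object { -not $_.Open }
if ($blocked) {
    $list = ($blocked | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '
    Write-Warning "Blocked from this VLAN: $list"
}
```

Run it with no user logged on (for example as a scheduled task under SYSTEM) to reproduce the exact condition the post describes, since that is when the NAC agent has not yet moved the machine to the production VLAN.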

