@mt7479
Last active September 30, 2023 19:45
Notes on the Fallback Status Point

I was recently challenged with moving the FSP to a different location and started researching the available documentation, which leaves, to be blunt, much room for improvement.

Most of my findings deal with the implementation of Internet Based Client Management (IBCM) but could also be useful in an intranet environment.

This gist is an attempted write-up of all the stuff I could put together before and after this reddit post.

Facts

Allow Intranet and Internet Connections:

Some ConfigMgr roles can be configured to allow either or both of the connection types mentioned above. This should be the case for the FSP as well, but unlike the Management Point or Distribution Point, you cannot select the exact configuration yourself.

Configuration Manager is supposed to set that value correctly if you specify an Internet FQDN. But it doesn't. It will stick to Intranet Only, no matter what you do.

To configure the fallback status point configuration for Internet-based client connections

FSP for Internet Based Client Management

Active Directory Publishing:

Only the intranet hostname will be published to Active Directory. You can check this for yourself by firing up ADSIEdit, navigating to the System Management container, selecting the appropriate site server, clicking Properties, and checking the content of mSSMSCapabilities.

I was not able to find out if the Internet FQDN was ever published there and, in conjunction with that, set/updated automatically on the clients.

FSP does not roam:

The FSP role does not roam. You can definitely install it more than once. If you co-locate the FSP role with an MP role I suspect your client will configure the FSP associated with the MP.

FSP Roaming

FSP for roaming clients

Client settings

On the client side we have the following two registry keys:

  • HKLM\Software\Microsoft\CCM\FSP\HostName
  • HKLM\Software\Microsoft\CCM\FSP\IntranetHostName

IntranetHostName:

Contains the intranet FQDN of your FSP. If you move the FSP role to a different site system, the clients will change the address by themselves. This is done by querying the Active Directory information published in the System Management container. You can observe changes in LocationServices.log.

HostName:

Will contain the Internet FQDN of your FSP. This setting will not be changed automatically.

  • Adding the FSP= switch to your client install command line will set this registry value.
  • This can also be used in the Client Push settings.
  • The client push syntax will also be published to Active Directory.

Selection behaviour:

Once the HostName key is set, the client will try to send an FSP state message to the Internet FQDN by default; if this URL is not reachable, it will fall back to the intranet FQDN. You can observe this in FSPStateMessage.log.

I was able to verify this with the following method:

  • Delete the client certificate.
  • Set HostName to a server that does not host the FSP role.
  • Set IntranetHostName to my working site system hosting the FSP role.
  • Run cmhttpsreadiness.exe in C:\windows\ccm.
  • Check the Count of clients capable of HTTPS communication SRS report.

Changing the client settings:

If you move your FSP to a different site system and also want to use the FSP for IBCM you have to set the registry keys manually. The most obvious way to do that would be a Configuration Item.

What you set and where depends on you. I have a single primary site and a single IBCM instance, so for simplicity I set HostName to point to my IBCM instance since all my clients have internet access.

You could of course scope this for different systems.

  • HostName and IntranetHostName pointing to the intranet FQDN for computers.
  • HostName pointing to your Internet FQDN for laptops/tablets.
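
One way to implement the Configuration Item mentioned above, as an added example that is not part of the original gist: a PowerShell discovery script that reports drift in the two FSP registry values, plus a remediation function. The host names `fsp.example.com` and `fsp.corp.example.com` and the function names `Get-FspDrift` and `Set-FspValues` are assumptions made for illustration.

```powershell
# Added example (not from the original gist). Host names are placeholders.
$FspKey = 'HKLM:\SOFTWARE\Microsoft\CCM\FSP'

# Desired state; scope per collection (e.g. laptops/tablets get the Internet FQDN).
$Desired = @{
    HostName         = 'fsp.example.com'        # assumed Internet FQDN
    IntranetHostName = 'fsp.corp.example.com'   # assumed intranet FQDN
}

function Get-FspDrift {
    # Returns one object per registry value that differs from the desired state.
    param([string]$Path, [hashtable]$Want)
    $current = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    foreach ($name in $Want.Keys) {
        # A missing key or missing value is treated as $null, i.e. as drift.
        $actual = if ($current) { $current.$name } else { $null }
        if ($actual -ne $Want[$name]) {
            [pscustomobject]@{ Name = $name; Actual = $actual; Expected = $Want[$name] }
        }
    }
}

function Set-FspValues {
    # Remediation: create the key if needed and write only the drifted values.
    param([string]$Path, [hashtable]$Want)
    if (-not (Test-Path -Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    foreach ($d in @(Get-FspDrift -Path $Path -Want $Want)) {
        Set-ItemProperty -Path $Path -Name $d.Name -Value $d.Expected
    }
}

# Discovery output for a CI compliance rule: 'Compliant' or 'NonCompliant'.
$drift = @(Get-FspDrift -Path $FspKey -Want $Desired)
if ($drift.Count -eq 0) {
    'Compliant'
} else {
    $drift | ForEach-Object { Write-Verbose "$($_.Name): '$($_.Actual)' -> '$($_.Expected)'" }
    'NonCompliant'
}
# In the CI's remediation script, call: Set-FspValues -Path $FspKey -Want $Desired
```

Because HostName is never updated automatically, running the discovery part on a schedule also surfaces clients whose FSP target was changed by a later client install with a different FSP= value.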

Remarks

There is one thing I have not touched on until now: Microsoft does not recommend hosting the FSP on a site system that accepts HTTPS connections only.

I personally think this is up for discussion and depends on your configuration and a lot of factors. I'll leave it up to you whether you want to use a dedicated server for your FSP.

Determine If You Should Install a Fallback Status Point for Configuration Manager Clients

Reddit Discussion

Log files

The following log files can be of use to see what is going on:

Location      Name
Client        C:\windows\ccm\logs\LocationServices.log
Client        C:\windows\ccm\logs\FSPStateMessage.log
Site Server   C:\SMS_CCM\Logs\fspisapi.log
Site Server   C:\SMS\Logs\fspmgr.log

Discussion

There is nothing worse than bad documentation, so if you find errors or have stuff to share please let me know and I will update this gist accordingly.

You can reach me via:

@echu2013
Very interesting! Thank you for this contribution, it was really useful for me!