Hello,
Just trying to get a little clarification here on publishing management points, selection, and the new feature for MP affinity in CU3.

Background on the setup:

- SCCM 2012 R2 with CU3
- 2 HTTPS MPs on the intranet
- 1 HTTPS MP in the DMZ

Since I have all the management points published to DNS, clients will randomly try to reach out to the MP in the DMZ, but since the ports aren't open on 443 for the clients they don't connect. No big deal, they just move on and connect to one of the MPs on the intranet, but the network team doesn't want to see all the blocked attempts.

As a fix I decided to not publish the MP that sits in the DMZ so that none of the clients would know about it, and set the "AllowedMPs" registry field for all the clients in the DMZ to use the MP in the DMZ. However, when I install a new client (domain joined or workgroup) in the DMZ with CU3, the SMSMP switch, and set the registry value, the client will fail to communicate and never use the DMZ MP. The client keeps trying to use an MP on the intranet, and the ports are not opened to the intranet. In the locationservice.log it shows the MP list is forced and to ignore the intranet MP, so it looks like the registry value is working properly, but it will never try to use the DMZ MP. Once I turn publishing back on for the DMZ MP, within minutes the client connects automatically and sends the record info in so I can see it in the console and manage the device.

Spoke with Microsoft support and they said the MP had to be published in DNS for a client to use it (which I didn't think was true) and that if I wanted my clients to not use the DMZ MP I would have to set the "AllowedMPs" registry key for all my intranet clients and just leave out the DMZ MP. Now I know that wouldn't be too hard with a GPO or Compliance Settings, but it just seems like a lot of extra effort to hit all my intranet clients rather than hitting the 30 or so DMZ clients. Is what they are recommending the correct use of MP Affinity?

And does the MP really need to be published in DNS before a client will use it? What's the point in using SMSMP for the initial MP selection if the client won't use it when the MP isn't published? And why do they give you the option not to publish an MP in DNS if the client can't use it, unless it's only for a WINS setup?
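The following is an added PowerShell example for reproducing the DMZ-client part of the setup described above; it is not from the original post or from Microsoft. It assumes the CU3 "AllowedMPs" value is a REG_SZ of semicolon-separated MP FQDNs under HKLM:\SOFTWARE\Microsoft\CCM, that the client log is LocationServices.log under the CCM\Logs folder, and it uses the placeholder FQDN mp-dmz.example.com for the DMZ MP. It sets the value on one DMZ client, restarts the agent, and then checks three things a practitioner would want to see before blaming affinity: whether TCP 443 to the DMZ MP is actually reachable from that host, which MP the client currently reports, and what LocationServices.log says about the forced list.

```powershell
# Added example, not code from the original post.
# Assumption: AllowedMPs lives under HKLM:\SOFTWARE\Microsoft\CCM as a REG_SZ
# containing semicolon-separated MP FQDNs (CU3 MP affinity).
$DmzMp   = 'mp-dmz.example.com'            # placeholder FQDN, not from the post
$CcmKey  = 'HKLM:\SOFTWARE\Microsoft\CCM'
$LogPath = Join-Path $env:windir 'CCM\Logs\LocationServices.log'  # assumed log location

# 1. Restrict this DMZ client to the DMZ MP only.
New-ItemProperty -Path $CcmKey -Name 'AllowedMPs' -Value $DmzMp `
    -PropertyType String -Force | Out-Null
Get-ItemProperty -Path $CcmKey -Name 'AllowedMPs' |
    Select-Object -ExpandProperty AllowedMPs

# 2. Restart the agent so it re-evaluates its MP list.
Restart-Service -Name CcmExec

# 3. Can this host even reach the DMZ MP over HTTPS? If this fails, the
#    firewall rule is the problem, not MP affinity.
$reach = Test-NetConnection -ComputerName $DmzMp -Port 443
"TCP 443 to {0}: {1}" -f $DmzMp, $reach.TcpTestSucceeded

# 4. Which MP does the client currently report?
Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority |
    Select-Object Name, CurrentManagementPoint

# 5. Show recent MP-selection lines, so the "forced list" message and any
#    attempt to contact an intranet MP can be correlated with the firewall view.
Get-Content -Path $LogPath -Tail 60 |
    Select-String -Pattern 'AllowedMP|forced|Current Management Point|MP'
```

Running step 3 and step 5 side by side answers the practical question in the post: if TcpTestSucceeded is true but the log never shows an attempt against the DMZ MP while it is unpublished, the selection logic, not the network, is where the client stalls.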

