Security, Compliance, and Identity Blog

Fast Channel for System Management - Client Notification in System Center 2012 Configuration Manager SP1

yvetteomeally (Microsoft)
Sep 08, 2018
First published on CloudBlogs on Sep 27, 2012

Overview

Historically, the System Center Configuration Manager line of products has used a pull-based client communication mechanism. As a result, in large-scale enterprise environments, when an administrator initiates a task it can take minutes or even hours for each client to receive the task, run it and report the result back to the server. For common scenarios that is an appropriate trade-off, but it is problematic when tasks are mission-critical and time-sensitive (for example, anti-malware operations). The latency is even more visible in data center environments, where servers have only a limited window reserved for management tasks. How useful would it be to push IT administration tasks much faster? Configuration Manager 2012 SP1 provides this capability with a fast "client notification" channel between the server and the managed clients.

What is “Client Notification”?

Client notification is, by popular demand, a new and exciting infrastructure component introduced in Configuration Manager 2012 SP1. It provides a fast channel that a Configuration Manager administrator can use to notify clients to start time-sensitive tasks as soon as possible. The channel is push-based rather than dependent on the client policy polling interval: clients establish a persistent connection with a management point, the server notifies them of time-sensitive or urgent tasks over that connection, and the client performs an action in response to the message. In SP1, all System Center Endpoint Protection operations and the "Download Computer Policy" client action are implemented over this channel.

How “Client Notification” works

Client notification is an end-to-end infrastructure composed of notification manager on the site server, notification server on the management point and notification agent on the client.

1) Notification Manager

Notification manager is a component of the site server. Its responsibility is to generate push messages for client notification-enabled actions, update the client online presence status and client notification push results in the site database.

2) Notification Server

Notification server is the server component on the management point. It is automatically deployed and installed on management points, including on secondary sites. Notification server performs the following functions:

  • Hosts both TCP and HTTP listeners in order to support client communications over either protocol.
  • Listens on the notification service broker queue in the site database to detect when push messages are generated.
  • Pushes the messages to online clients over the channel and periodically writes the push results to a file that the site server imports into the site database. These results can be monitored from the Client Operations node of the Configuration Manager console.
  • Maintains a list of online clients and periodically generates online info into a file which is sent to the site server.

3) Notification Agent

Notification agent is a client component hosted in CCMEXEC.exe. As part of client initialization, it establishes a persistent connection with the notification server. Clients that communicate via a secondary site establish the connection with the notification server on the proxy management point. The agent tries TCP mode first and falls back to HTTP mode if that fails (for example, because firewalls or Internet proxies do not allow the TCP traffic). If the connection is dropped (for example, because of a network issue), the notification agent attempts to reconnect.

Client notification supports both the TCP and HTTP communication protocols. TCP is the primary mode and requires an extra port to be opened in firewalls; HTTP is the fallback and needs no prerequisite configuration. The workflow is nearly the same for both, so TCP mode is described below.

1)  The client notification infrastructure is enabled end-to-end by default. During client initialization, the notification agent first attempts to establish a persistent TCP connection to the notification server on its current management point. Once connected, the agent sends a keep-alive message every 15 minutes to maintain the connection. If the client fails to establish a TCP connection, the agent tries the HTTP protocol.

2)  The notification server on the management point accepts the client's connection request once TLS (Transport Layer Security) authentication has passed. The notification server then manages all active connections and generates online status data every 5 minutes, which is placed in <Site Server Install Dir>\inboxes\bgb.box.

3)  Notification manager will read the Online files (*.BOS) from bgb.box, and update the online presence info in the site database.

4)  When an administrator initiates a supported client operation from the Configuration Manager console, that action will be translated into a client notification message and placed into the database service broker queue.

5)  Notification server will detect the message request and get the message from the service broker queue and then push the message to online clients over the persistent channel.

6)  Upon receiving the message over the channel, notification agent will perform the corresponding action based on the message content: either notify the Endpoint Protection client to perform an action (e.g. quick scan), or notify the client to request machine policy as soon as possible. The notification result will be sent back to notification server.

7)  Notification server summarizes the task push results periodically and exports them into files to be placed in <Site Server Install Dir>\inboxes\bgb.box.

8)  Notification manager processes the task push result files (*.BTS) and updates the site database.

Note: While this has been an attempt to provide interested administrators with more information about how the client notification channel works, this article contains many implementation details (like timeout lengths) that are subject to change in future releases of System Center Configuration Manager.

How to use “Client Notification”

  1. Configure the client notification port.
    By default, client notification communication uses TCP port 10123. In the Configuration Manager console, click Administration, expand Site Configuration, click Sites, open the site's Properties dialog and configure the TCP port value on the Ports tab. You might have to configure the firewall on the management point, on clients, and on any intervening firewalls to allow communication over this port. If TCP is blocked, client notification falls back to HTTP or HTTPS.

  2. Notify Endpoint Protection Agent to perform action as soon as possible.
    Among the Endpoint Protection operations, Full Scan and Quick Scan are one-time operations and therefore depend only on the client notification channel. Other operations go through both the client notification channel and the traditional policy channel. From the client notification perspective, a task is valid for one hour. For example, if a client is offline when the task is triggered, the initial push fails; if the client comes online within one hour of the push, the notification server re-pushes the task to it; if the client comes online more than one hour later, the task has expired and is not pushed.

  3. Notify clients to download computer policy right now.
    Download Computer Policy is a new client operation in Configuration Manager SP1. It notifies the selected clients or collection to download computer policy as soon as possible, outside the configured client policy polling interval. In the Configuration Manager console, click Assets and Compliance; in the Assets and Compliance workspace, click Collections, select the device collection containing the computers you want to notify, and on the Home tab, in the Collections group, click Client Notification and then click Download Computer Policy. When you perform this client operation on a collection, all online clients in the hierarchy that belong to the collection are notified. You can also select specific computers instead of the whole collection.

    There is also a confirmation dialog that pops up to inform you of the estimated number of online clients.

    The client will request policy from the management point as soon as possible, as shown in the figure below:

  4. Monitor Client Operation Status.
    You can monitor the client operation status in the Client Operations node in the Monitoring workspace. If the task is successfully delivered to clients, it will be counted in the Success column.


Troubleshooting Tips

  1. Notification manager and notification server provide rich status messages that help you monitor client notification tasks. In the Configuration Manager console, click Monitoring, expand System Status, click Component Status, select SMS_NOTIFICATION_SERVER or SMS_NOTIFICATION_MANAGER, and then click Show Messages to see the status messages for that component.

  2. You can also use the following log files to help you troubleshoot client notification problems.

Component               Log
----------------------  ----------------------------------------------------------
Notification Manager    <smssiteserver setup dir>\logs\bgbmgr.log
Notification Server     <mp setup dir>\logs\BGBServer.log
                        <sms_ccm dir or client setup dir>\logs\BgbHttpProxy.log
                        For installation issues:
                        <mp setup dir>\logs\BgbSetup.log
                        <mp setup dir>\logs\bgbisapiMSI.log
Notification Agent      <client setup dir>\logs\CcmNotificationAgent.log

Frequently Asked Questions


Question: Does client notification work with mobile devices or Mac computers?

Answer: Client notification only supports Windows computer clients and embedded clients.

Question: How does client notification load balancing work?

Answer: Notification agent will identify the notification server based on the client’s assigned management point. If the assigned management point gets changed, notification agent will close the current connection and connect to the notification server located on the newly assigned management point. This helps to ensure that the connection load is balanced.

Question: Can I see the online status of clients from the Configuration Manager console?

Answer: Not currently. We are considering this for a future release.

Question: Which Windows Management Instrumentation (WMI) class will include the client computer online status?

Answer: SMS_CN_ClientStatus is an SMS Provider class that carries the client computer online status information. The OnlineStatus property gives the online status of the client computer: 1 means online and 0 means offline. The ChannelType property identifies which protocol the client notification channel uses: 0 is TCP and 1 is HTTP.

Note: the class name is a prerelease class name and is subject to change.
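The following PowerShell script is an added example and is not part of the original post; it reads SMS_CN_ClientStatus through the SMS Provider and summarizes clients by online status and channel using the value mappings given above. It assumes that $SiteServer hosts the SMS Provider, that $SiteCode is your site code, and that the class exposes a ResourceID property that joins to SMS_R_System (OnlineStatus and ChannelType are the property names stated in the post; ResourceID, and the treatment of HTTPS as ChannelType 1, are assumptions).

```powershell
# Added example, not code from the original post: list and summarize client
# notification status via the SMS Provider. Assumptions: $SiteServer hosts the
# SMS Provider, $SiteCode is your site code, and SMS_CN_ClientStatus exposes a
# ResourceID that joins to SMS_R_System (OnlineStatus and ChannelType are the
# properties named in the post; ResourceID is assumed).
param(
    [Parameter(Mandatory = $true)] [string] $SiteServer,
    [Parameter(Mandatory = $true)] [string] $SiteCode
)

$ns = "root\SMS\site_$SiteCode"

# Value maps as documented in the post: OnlineStatus 1 = online, 0 = offline;
# ChannelType 0 = TCP, 1 = HTTP (HTTPS fallback is assumed to report as 1).
$statusName  = @{ 0 = 'Offline'; 1 = 'Online' }
$channelName = @{ 0 = 'TCP';     1 = 'HTTP'   }

# Resolve ResourceID -> computer name once, rather than one WMI call per client.
$names = @{}
Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_R_System |
    ForEach-Object { $names[[int]$_.ResourceId] = $_.Name }

$rows = Get-WmiObject -ComputerName $SiteServer -Namespace $ns -Class SMS_CN_ClientStatus |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name    = $names[[int]$_.ResourceID]
            Status  = $statusName[[int]$_.OnlineStatus]
            Channel = $channelName[[int]$_.ChannelType]
        }
    }

# Per-client detail: offline clients, and clients stuck on the HTTP fallback,
# are the ones worth looking at.
$rows | Sort-Object Status, Channel, Name | Format-Table Name, Status, Channel -AutoSize

# Summary by status and channel, e.g. "Online, TCP   412"
$rows | Group-Object Status, Channel |
    Select-Object @{ n = 'Status, Channel'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it as a user with SMS Provider permissions. On a large site the slow part is enumerating SMS_R_System over WMI, so add a -Filter (or resolve only a collection's members) if you need a subset. Because the post notes the class name is prerelease, confirm it exists first with Get-WmiObject -Namespace $ns -ComputerName $SiteServer -List 'SMS_CN_*' before relying on the script.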

Question: How long is each task re-pushed once it has been created?

Answer: 1 hour

Question: Which processes contain notification server code?

Answer: Notification server code runs in smsexec.exe, dllhost.exe (the managed-code TCP listener) and w3wp.exe (the HTTP ISAPI extension).

Question: Why can’t the client notification agent establish TCP connection?

Answer: The most common reason is that the configured TCP port (10123 by default) is still blocked by firewall policy.
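As an added example (not from the original post), the following PowerShell script, run on a client, reads the client's assigned management point, tests whether the notification TCP port can be opened, and pulls the latest channel-related lines from CcmNotificationAgent.log. It assumes the default port 10123, that the assigned MP is exposed by the root\ccm SMS_Authority class through its CurrentManagementPoint property, and that client logs live under %windir%\CCM\Logs; adjust those if your site differs.

```powershell
# Added example, not code from the original post: client-side check of the
# client notification channel. Assumptions (adjust for your site): the port is
# the default 10123, the assigned MP is read from root\ccm:SMS_Authority, and
# client logs live under %windir%\CCM\Logs.
param(
    [int]    $Port   = 10123,
    [string] $LogDir = (Join-Path $env:windir 'CCM\Logs')
)

# 1. Which management point is this client assigned to?
$authority = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority -ErrorAction Stop
$mp = $authority.CurrentManagementPoint
if (-not $mp) { throw 'No assigned management point in root\ccm:SMS_Authority' }
Write-Host "Assigned management point: $mp"

# 2. Can this client open the notification TCP port? System.Net.Sockets.TcpClient
#    is used rather than Test-NetConnection so the check also runs on Windows 7 /
#    Server 2008 R2 clients. A 5-second timeout keeps a silently dropped packet
#    (the usual firewall behaviour) from hanging the script.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $async = $tcp.BeginConnect($mp, $Port, $null, $null)
    if ($async.AsyncWaitHandle.WaitOne(5000, $false)) {
        $tcp.EndConnect($async)   # throws if the connection was refused
        Write-Host "TCP ${mp}:$Port is reachable; the agent should use TCP mode"
    } else {
        Write-Warning "TCP ${mp}:$Port timed out; the agent will fall back to HTTP/HTTPS"
    }
} catch {
    Write-Warning "TCP ${mp}:$Port failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}

# 3. What did the agent actually negotiate? Show the latest channel-related
#    lines from CcmNotificationAgent.log.
$log = Join-Path $LogDir 'CcmNotificationAgent.log'
if (Test-Path $log) {
    Get-Content $log |
        Select-String -Pattern 'TCP|HTTP|connect' |
        Select-Object -Last 10 |
        ForEach-Object { $_.Line }
} else {
    Write-Warning "Log not found: $log"
}
```

If the TCP test fails but the log shows the agent connected over HTTP, the channel is working in fallback mode and what is missing is usually an inbound allow rule for the port on the management point (for example, netsh advfirewall firewall add rule name="ConfigMgr client notification" dir=in action=allow protocol=TCP localport=10123) or on a firewall in between. The socket test only proves the port is reachable; the notification server still has to accept the connection after TLS authentication, so a reachable port with no TCP session in the log points at the server side (BGBServer.log) rather than the network.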

Question: Will an MP be overloaded by triggering download machine policy?

Answer: Notification server implements a push throttling mechanism; the default is to notify 42 clients per second, so the load added to the MP is controlled. You can configure the value through the registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\NotificationServer\Task Throttle Param. Even so, it is not recommended to target this action at large collections (for example, All Systems) except under extreme circumstances that warrant it.

Question: How do I determine how many clients are connected to each management point?

Answer: The following SQL query, run against the site database, returns the number. Management points that have no current row in v_BgbServerCurrent show NULL because of the LEFT JOIN.

    SELECT B.ServerName,
           A.OnlineClients AS 'Online Clients'
    FROM   Bgb_Server B
           LEFT JOIN dbo.v_BgbServerCurrent A ON A.ServerID = B.ServerID
    ORDER BY 2

Question: When the client service is started, will it connect to notification server immediately?

Answer: Notification agent sleeps for a random interval between 0 seconds and 10 minutes before it contacts the notification server, to avoid excessive network bandwidth usage when many computers are powered on simultaneously (for example, at the start of the business day).

Question: When a client computer enters sleep mode or leaves the network, will Notification Server know that?

Answer: Yes. If notification server receives nothing from notification agent for 20 minutes, it will drop the connection if it’s there and set the client’s online status to Offline.

Question: If the client is offline and online later, will it be able to receive the missed task through the client notification server?

Answer: When client gets online again, if the task assigned to it is expired, notification server will not notify it again. If the task is still valid, notification server re-pushes the task to the client.

Question: If the client communicates with a management point in a secondary site, which notification server will it connect to?

Answer: The client will connect to the notification server in the proxy management point.

Question: Will Internet-facing clients be able to use the client notification channel?

Answer: Yes. Although firewalls and proxies in the communication path will likely cause the TCP connection to fail, clients should still be able to connect to the notification server over HTTPS.

Question: Will notification server work with clustered SQL Server?

Answer: Yes.

Question: Does notification server support management point in a site database replica?

Answer: Yes. Notification server supports a management point that uses a site database replica.

Question: Will a roaming client connect to the notification server on the local management point?

Answer: No. Although a client uses a proxy management point, globally roaming clients still connect to the notification server on their assigned management point.

Summary

I hope that this blog post helps you to gain a better understanding of the newly introduced client notification infrastructure in Configuration Manager 2012 SP1 and provides you with information about some typical troubleshooting problems with solutions.

-- Randy Xu

This posting is provided "AS IS" with no warranties and confers no rights.
