Forum Discussion
Issue setting up the cmg connection point role
Hi!
I deployed the CMG connection point role (only) to a new site server (MECM 1910 (5.0.8913.1000)), but the connection point just stayed disconnected from a functioning CMG. The log file sms_cloud_proxyconnector.log showed: "missing role certificate. reload in next cycle" every 60s. I ended up installing the MP role as well on the same server, and the CMG CP started working as intended. The certificate store on the site server now has a "cloud proxy connector" certificate under SMS\Certificates, which wasn't there before I installed the MP role. I've removed the MP role and its prerequisites and the CMG CP is still working. We're using "enhanced http" mode for client communication.
Anybody else seen this behavior?
Is it not supported to install the cmg cp role independently?
Thanks!
3 Replies
- Nelson Hoeppner (Copper Contributor)
Marcel Biebricher were you able to find the fix for this? I'm having cloud proxy issues w/ CMG as well for port 443.
"Error sending request to service: The underlying connection was closed: An unexpected error occurred on a receive"
"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel. The remote certificate is invalid according to the validation procedure."
When visiting the CMG via browser it resolves fine and comes back w/ a 403 error.
- ahuessi (Copper Contributor)
We fixed the CMG problem "The underlying connection was closed" by changing the startup type of the SMS_EXECUTIVE service to "Automatic (Delayed Start)".
- Azin Wright (Copper Contributor)
Marcel Biebricher Some things to check - IIS Server for MP must have Server Certificate. Then IIS Web Site Bindings for 443 should allow selecting that server certificate. Ensure IIS Default Web Site where MP is located has SSL Settings that REQUIRE Certificates, and the ACCEPT radio button is selected. If you have an internal Root/Sub PKI environment, make sure both your root trusted certs as well as your sub trusted certs are imported for the server as well as the ConfigMgr Site Hierarchy Settings. Your MP should be set to HTTP or HTTPS so that it can negotiate the best possible secure route for server to server communications. After synchronizing the CMG service again from the console, run Connection Analyzer only after the console shows "updated" in the status. Hope this helps.
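
The items raised across this thread (the SMS certificate store, the IIS 443 binding and its trust chain, the SSL settings, and the SMS_EXECUTIVE startup type) can be inspected with a read-only script. This is an added example, not code from any poster or from Microsoft; it assumes an elevated PowerShell session on the server in question, the IIS WebAdministration module, and the site name "Default Web Site" as given in the thread.

```powershell
Import-Module WebAdministration
$site = 'Default Web Site'   # site name as mentioned in the thread

# 1. Certificates in LocalMachine\SMS (where the original post saw the
#    "cloud proxy connector" certificate appear). Listing only, no changes.
Get-ChildItem Cert:\LocalMachine\SMS |
    Select-Object FriendlyName, Subject, NotAfter, HasPrivateKey, Thumbprint |
    Format-List

# 2. Certificate behind each HTTPS binding of the site, with chain validation.
#    X509Chain.Build() checks revocation online by default, so an unreachable
#    CRL shows up in ChainErrors as well as a missing root/sub CA.
$results = foreach ($b in Get-WebBinding -Name $site -Protocol https) {
    if (-not $b.certificateHash) {
        Write-Warning "$($b.bindingInformation): no certificate bound"
        continue
    }
    $path = "Cert:\LocalMachine\$($b.certificateStoreName)\$($b.certificateHash)"
    $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "$($b.bindingInformation): bound certificate not in store"
        continue
    }
    $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Binding      = $b.bindingInformation
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        ChainTrusted = $trusted
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
$results | Format-List

# 3. SSL settings of the site (client certificate handling appears in sslFlags).
Get-WebConfigurationProperty -PSPath "IIS:\Sites\$site" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' | Format-List

# 4. Startup configuration of SMS_EXECUTIVE (delayed start is a separate flag).
Get-CimInstance Win32_Service -Filter "Name='SMS_EXECUTIVE'" |
    Select-Object Name, State, StartMode, DelayedAutoStart | Format-List
```

A `ChainTrusted` value of `False` with `UntrustedRoot` or `PartialChain` in `ChainErrors` points at the missing root or subordinate CA import described in the last reply.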