Pushing Software to AppGate Remote Users - NO SNAT


With AppGate you can configure SCCM, or any similar tool, to push updates and software to remote users through a down Entitlement. The key difference is whether the Site uses SNAT or NO-SNAT; this article explains both scenarios.

Before we dive into the AppGate configuration, we assume that readers have proper knowledge of SCCM and have configured it correctly.

NO-SNAT Site

In this scenario we have the following configuration:

  1. No SNAT is configured on the SCCM Site.

  2. An IP Pool of 192.168.1.0/24 has been configured and attached to the proper IdP.

  3. A route exists that allows the IP pool (192.168.1.0/24) to reach the SCCM server (192.168.42.3).

  4. An Always-On, Full or Headless client is installed on the end-user machine and is assigned a Policy that contains the Entitlements below.

  • ALLOW UDP up to port 53 on your DNS server

  • ALLOW TCP down from the SCCM server 192.168.42.3 on port 80

This is what allows the SCCM server to initiate connections back to the remote users.

  • ALLOW TCP up to the SCCM server 192.168.42.3 on ports 80 and 10123

So, when the client logs in, it should have something like the following:



Notes

  1. On the SCCM side, a boundary group with the IP address range 192.168.1.1-192.168.1.254 has been created and attached to the proper DP.

  2. The remote machine is a domain-joined machine; hence the tunnel IP address is registered in DNS and the SCCM server can resolve the remote machine name correctly.

  3. The SCCM connection uses HTTP, hence the required port is 80; if it uses HTTPS then port 443 is required as well.

  4. If you are not sure which port needs to be opened, the best way is to check the Kibana audit log and look for dropped packets.

For example, below you can see that the Gateway was dropping traffic to port 10123 in the UP direction. Once that port was added to the Entitlement, everything started working as it should.

  5. For troubleshooting purposes, you can create an ICMP down Entitlement and attach it to the client Policy to make sure that the SCCM server can reach the client. At the end, the remote user's client session looks as below:
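To make the Entitlement list and the "look for dropped packets" step concrete, here is an added example (not code from the article, and not AppGate's own API). It models the three Entitlements above as simple rules, evaluates flows against them, and scans audit-log lines for drops that no current Entitlement covers, which is exactly the check that surfaced the missing port 10123. The `key=value` log format, the DNS server address 192.168.42.53 and the names `Entitlement`, `build_entitlements`, `dropped_flows` and `missing_entitlements` are assumptions made for this example; the real Gateway audit schema in Kibana is different and must be mapped into the regular expression.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Hosts from the article: the SCCM server and the 192.168.1.0/24 client IP pool.
SCCM_SERVER = "192.168.42.3"
CLIENT_POOL = ipaddress.ip_network("192.168.1.0/24")
# The article does not give the DNS server address; this value is constructed.
DNS_SERVER = "192.168.42.53"


@dataclass(frozen=True)
class Entitlement:
    """One AppGate-style Entitlement action: direction, protocol, resource host, ports."""
    direction: str               # "up" = client to resource, "down" = resource to client
    proto: str                   # "tcp", "udp" or "icmp"
    host: ipaddress.IPv4Network  # resource host/network (the non-client end of the flow)
    ports: frozenset             # empty means any port (used for ICMP)

    def covers(self, direction, proto, host, port):
        return (direction == self.direction
                and proto == self.proto
                and ipaddress.ip_address(host) in self.host
                and (not self.ports or port in self.ports))

    def describe(self):
        host = str(self.host.network_address) if self.host.prefixlen == 32 else str(self.host)
        ports = ",".join(str(p) for p in sorted(self.ports)) or "any"
        return f"ALLOW {self.proto.upper()} {self.direction.upper()} {host} port {ports}"


def allow(direction, proto, host, ports=()):
    return Entitlement(direction, proto, ipaddress.ip_network(host), frozenset(ports))


def build_entitlements(sccm_ports=(80, 10123)):
    """The three Entitlements from the article. Passing sccm_ports=(80,) models the
    'before' state in which port 10123 had not yet been allowed."""
    return [
        allow("up", "udp", DNS_SERVER, (53,)),         # client -> DNS
        allow("down", "tcp", SCCM_SERVER, (80,)),      # SCCM -> client (talk back)
        allow("up", "tcp", SCCM_SERVER, sccm_ports),   # client -> SCCM
    ]


def is_allowed(entitlements, direction, proto, host, port=None):
    return any(e.covers(direction, proto, host, port) for e in entitlements)


# Constructed audit-log lines in a key=value shape assumed for this example;
# the drops on port 10123 mirror the situation described in the article.
SAMPLE_AUDIT_LOG = """\
2024-01-01T10:00:01Z gw=gw1 action=allow direction=up proto=udp src=192.168.1.10 dst=192.168.42.53 dport=53
2024-01-01T10:00:02Z gw=gw1 action=allow direction=up proto=tcp src=192.168.1.10 dst=192.168.42.3 dport=80
2024-01-01T10:00:03Z gw=gw1 action=drop direction=up proto=tcp src=192.168.1.10 dst=192.168.42.3 dport=10123
2024-01-01T10:00:04Z gw=gw1 action=drop direction=down proto=tcp src=192.168.42.3 dst=192.168.1.10 dport=443
2024-01-01T10:00:05Z gw=gw1 action=drop direction=up proto=tcp src=192.168.1.10 dst=192.168.42.3 dport=10123
"""

LOG_RE = re.compile(
    r"action=(?P<action>\w+) direction=(?P<direction>up|down) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def dropped_flows(log_text):
    """Count dropped flows as (direction, proto, resource_host, dport).
    For 'up' the resource is the destination; for 'down' it is the source."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["action"] != "drop":
            continue
        resource = m["dst"] if m["direction"] == "up" else m["src"]
        counts[(m["direction"], m["proto"], resource, int(m["dport"]))] += 1
    return counts


def missing_entitlements(log_text, entitlements):
    """Candidate Entitlements for drops that no current Entitlement covers.
    Each candidate still needs a human decision: a drop is not automatically a need."""
    candidates = []
    for (direction, proto, host, port), n in sorted(dropped_flows(log_text).items()):
        if not is_allowed(entitlements, direction, proto, host, port):
            candidates.append(f"{allow(direction, proto, host, (port,)).describe()} [drops={n}]")
    return candidates


if __name__ == "__main__":
    before = build_entitlements(sccm_ports=(80,))
    print("Missing before adding 10123:", missing_entitlements(SAMPLE_AUDIT_LOG, before))
    print("Missing after adding 10123:", missing_entitlements(SAMPLE_AUDIT_LOG, build_entitlements()))
```

Run against the sample lines, the "before" rule set reports the uncovered TCP UP drops to port 10123 (the gap the article found) plus a TCP DOWN drop on port 443; after 10123 is added only the 443 candidate remains, and since this deployment uses HTTP that one is reviewed and ignored rather than opened.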