Historically, a pull-based client communication mechanism is employed in the System Center Configuration Manager line of products. As a result, in large-scale enterprise environments, when an administrator initiates a task, it can take minutes or even hours for each client to receive that task, run it and then report the result back to the server. For common scenarios this is an appropriate trade-off; however, it is problematic if such tasks are mission-critical and time-sensitive (e.g., anti-malware operations). The latency is also more noticeable in data center environments where servers only have a limited amount of time reserved for management tasks. How useful would it be to push IT administration tasks much faster? Configuration Manager 2012 SP1 provides this capability through a fast “client notification” channel between the server and the managed clients.
What is “Client Notification”?
Client notification is, by popular demand, a new and exciting infrastructure component introduced in Configuration Manager 2012 SP1, which can provide a fast channel that a Configuration Manager administrator can use to notify clients to initiate time-sensitive tasks as soon as possible. The communication channel is push-based instead of dependent on the client policy polling interval. By using client notification, clients can establish a persistent connection with a management point. Subsequently, the server can notify the client of time-sensitive or urgent tasks over the channel and the client can perform an action in response to the message. In SP1, all System Center Endpoint Protection operations and the “Download Computer Policy” client action are implemented by using this channel.
How “Client Notification” works
Client notification is an end-to-end infrastructure composed of notification manager on the site server, notification server on the management point and notification agent on the client.
1) Notification Manager
Notification manager is a component of the site server. Its responsibility is to generate push messages for client notification-enabled actions, update the client online presence status and client notification push results in the site database.
2) Notification Server
Notification server is the server component on the management point. It is automatically deployed and installed on management points, including on secondary sites. Notification server performs the following functions:
Hosts both TCP and HTTP listeners in order to support client communications over either protocol.
Listens on the notification service broker queue in the site database to detect when push messages are generated.
Pushes the messages to online clients over the channel and periodically generates a file containing results which will be stored in the site database. These results can be monitored from the Client Operations node of the Configuration Manager console.
Maintains a list of online clients and periodically writes the online-client information to a file that is sent to the site server.
3) Notification Agent
Notification agent is a client component hosted in CCMEXEC.exe. As part of client initialization, it establishes a persistent connection with notification server. Clients that communicate via a secondary site establish the connection with the notification server on the proxy management point. The agent tries TCP mode first, then falls back to HTTP mode if that fails (for example, because of firewalls or Internet proxies that do not allow the TCP traffic). If the connection is dropped (e.g. because of a network issue), notification agent attempts to reconnect.
Client notification supports both the TCP and HTTP communication protocols. TCP is the primary mode used, which requires an extra port to be opened in firewalls, and HTTP is the fallback option and doesn’t need any prerequisite configuration. The respective workflow is nearly the same. Take TCP mode as an example.
1) Client notification Infrastructure is by default enabled end-to-end. During client initialization, notification agent will first attempt to establish a persistent TCP Connection to notification server on the current management point. Once successful, notification agent will periodically send a keep-alive message every 15 minutes to maintain the connection. If the client fails to establish a TCP Connection, notification agent will try the HTTP protocol.
2) Notification server on the management point computer accepts the client’s connection request after TLS (Transport Layer Security) authentication has passed. Notification server then manages all active connections and generates online status data every 5 minutes, which is placed in <Site Server Install Dir>\inboxes\bgb.box.
3) Notification manager will read the Online files (*.BOS) from bgb.box, and update the online presence info in the site database.
4) When an administrator initiates a supported client operation from the Configuration Manager console, that action will be translated into a client notification message and placed into the database service broker queue.
5) Notification server will detect the message request and get the message from the service broker queue and then push the message to online clients over the persistent channel.
6) Upon receiving the message over the channel, notification agent will perform the corresponding action based on the message content: either notify the Endpoint Protection client to perform an action (e.g. quick scan), or notify the client to request machine policy as soon as possible. The notification result will be sent back to notification server.
7) Notification server summarizes the task push results periodically and exports them into files to be placed in <Site Server Install Dir>\inboxes\bgb.box.
8) Notification manager processes the task push result files (*.BTS) and updates the site database.
Note: While this has been an attempt to provide interested administrators with more information about how the client notification channel works, this article contains many implementation details (like timeout lengths) that are subject to change in future releases of System Center Configuration Manager.
How to use “Client Notification”
Configure the client notification port.
By default, client notification communication uses TCP port 10123. In the Configuration Manager console, click Administration, expand Site Configuration, click Sites, open the Properties dialog, and configure the TCP port value on the Ports tab. You might have to configure the firewall on the management point, on clients, and on any intervening firewalls to allow communication over this port. If TCP communication is blocked, client notification can fall back to using HTTP and HTTPS.
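The checks an administrator typically wants after configuring the port are: is the notification server actually listening on it on the management point, is there an inbound firewall rule for it, and can a client reach it over TCP (the mode the notification agent tries first before falling back to HTTP). The following PowerShell is an added example, not code from the article or from Configuration Manager itself. The management point name and the firewall rule name are placeholders; the port value is the article's default of 10123 and should be changed if the site uses a different one. The first two functions are meant to run on the management point, the third on a client.

```powershell
# Added example (not from the original article): verify the client notification TCP path.
# $ManagementPoint and the rule name are assumptions; replace them for your environment.

$ClientNotificationPort = 10123                  # article default; change if the site uses another port
$ManagementPoint        = 'MP01.contoso.local'   # placeholder: your management point FQDN

function Test-BgbListenerOnMP {
    # Run on the management point: confirm something is bound to the notification port.
    param([int]$Port = $ClientNotificationPort)
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if (-not $listener) {
        Write-Warning "Nothing is listening on TCP $Port. Check BGBServer.log on this management point."
        return $false
    }
    $proc = Get-Process -Id $listener[0].OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("TCP {0} is listening (PID {1}, process {2})" -f $Port, $listener[0].OwningProcess, $proc.ProcessName)
    return $true
}

function Add-BgbFirewallRule {
    # Run on the management point: create the inbound allow rule only if it is missing (idempotent).
    param(
        [int]$Port = $ClientNotificationPort,
        [string]$RuleName = 'ConfigMgr Client Notification (TCP-In)'   # assumed rule name
    )
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($rule) {
        Write-Host "Firewall rule '$RuleName' already exists."
        return $rule
    }
    # Scope the rule to the Domain profile so it is not exposed on public networks.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -Action Allow -Profile Domain `
        -Description 'Inbound Configuration Manager client notification channel'
}

function Test-BgbTcpFromClient {
    # Run on a client: mirrors the agent's first attempt, a TCP connection to the MP on the port.
    # A failure here is not fatal (the agent falls back to HTTP), but it means the fallback path is in use.
    param([string]$ComputerName = $ManagementPoint, [int]$Port = $ClientNotificationPort)
    $result = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        Write-Host "TCP $Port is reachable on $ComputerName; clients will use TCP mode."
    } else {
        Write-Warning "TCP $Port is not reachable on $ComputerName; clients will fall back to HTTP mode. Check intervening firewalls."
    }
    return $result.TcpTestSucceeded
}

# Usage on the management point:
#   Test-BgbListenerOnMP; Add-BgbFirewallRule
# Usage on a client:
#   Test-BgbTcpFromClient -ComputerName 'MP01.contoso.local'
```

Get-NetTCPConnection, Get-NetFirewallRule, New-NetFirewallRule and Test-NetConnection require Windows 8 / Windows Server 2012 or later; on older systems, netstat and netsh advfirewall give the same information.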
Notify Endpoint Protection Agent to perform action as soon as possible.
Among Endpoint Protection operations, Full Scan and Quick Scan are one-time operations, and therefore depend only on the client notification channel. Other operations go through both the client notification channel and the traditional policy channel. From a client notification perspective, the validity period for a task is one hour. For example, if the clients are offline after the task is triggered, the initial push will fail. If a client comes online within one hour of the task push, notification server will re-push the task to that client. If the client comes online more than one hour after the push, the task will not be pushed because it will have expired.
Notify clients to download computer policy right now.
Download Computer Policy is a newly added client operation in Configuration Manager SP1. It notifies the selected clients or collection to download computer policy as soon as possible, outside the configured client policy polling interval. In the Configuration Manager console, click Assets and Compliance; in the Assets and Compliance workspace, click in the Collections group and select the device collection containing the computers that you want to download policy; then, on the Home tab, in the Collections group, click Client Notification and then click Download Computer Policy. When you perform this client operation on a collection, all online clients in the hierarchy that belong to this collection are notified. You can also notify specific computers instead of the whole collection to download policy as soon as possible.
There is also a confirmation dialog that pops up to inform you of the estimated number of online clients.
The client will request policy from the management point as soon as possible as shown in the figure below:
Monitor Client Operation Status.
You can monitor the client operation status in the Client Operations node in the Monitoring workspace. If the task is successfully delivered to clients, it will be counted in the Success column.
Notification manager and notification server provide rich status messages that can help you monitor client notification tasks. In the Configuration Manager console, click Monitoring, expand System Status, click Component Status, select SMS_NOTIFICATION_SERVER or SMS_NOTIFICATION_MANAGER, and then click Show Messages to see status messages for this component.
You can also use the following log files to help you troubleshoot client notification problems.
<smssiteserver setup dir>\logs\bgbmgr.log
<mp setup dir>\logs\BGBServer.log
<sms_ccm dir or client setup dir>\logs\BgbHttpProxy.log
For installation issues:
<mp setup dir>\logs\BgbSetup.log
<mp setup dir>\logs\bgbisapiMSI.log
<client setup dir>\logs\CcmNotificationAgent.log
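When troubleshooting, the first thing to pull out of these logs is the warnings and errors, since each component writes far more informational entries than anything else. Configuration Manager logs use the CMTrace entry format (a `<![LOG[...]LOG]!>` message followed by time, date, component and a numeric type, where 1 is informational, 2 is warning and 3 is error). The script below is an added example, not code from the article or from the product: it parses that format and filters the listed client notification logs down to non-informational entries. The setup directories are placeholders to fill in, and the sample entries embedded at the bottom are constructed for illustration, not real log output.

```powershell
# Added example (not from the original article): filter client notification logs to warnings/errors.
# Directory values are placeholders; set them to the actual setup directories on each machine.

$SiteServerSetupDir = 'C:\PLACEHOLDER\SiteServer'   # <smssiteserver setup dir>
$MpSetupDir         = 'C:\PLACEHOLDER\MP'           # <mp setup dir>
$ClientSetupDir     = 'C:\PLACEHOLDER\Client'       # <client setup dir>

$BgbLogPaths = @(
    (Join-Path $SiteServerSetupDir 'logs\bgbmgr.log'),               # site server: notification manager
    (Join-Path $MpSetupDir         'logs\BGBServer.log'),            # management point: notification server
    (Join-Path $MpSetupDir         'logs\BgbSetup.log'),             # management point: installation
    (Join-Path $MpSetupDir         'logs\bgbisapiMSI.log'),          # management point: installation
    (Join-Path $ClientSetupDir     'logs\BgbHttpProxy.log'),         # client: HTTP fallback proxy
    (Join-Path $ClientSetupDir     'logs\CcmNotificationAgent.log')  # client: notification agent
)

# One CMTrace entry on a single line. Named groups capture the fields we report on.
$CmTraceEntry = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"\s+thread="(?<thread>\d+)"'

function ConvertFrom-CmTraceLine {
    # Parse one log line into an object; returns $null for lines that are not complete entries
    # (CMTrace messages can span several lines, and continuation lines are skipped here).
    param([string]$Line, [string]$Source)
    $m = [regex]::Match($Line, $CmTraceEntry)
    if (-not $m.Success) { return $null }
    $severity = switch ($m.Groups['type'].Value) {
        '1' { 'Info' }
        '2' { 'Warning' }
        '3' { 'Error' }
        default { 'Unknown' }
    }
    [pscustomobject]@{
        Source    = $Source
        Date      = $m.Groups['date'].Value
        Time      = $m.Groups['time'].Value
        Component = $m.Groups['comp'].Value
        Severity  = $severity
        Thread    = [int]$m.Groups['thread'].Value
        Message   = $m.Groups['msg'].Value
    }
}

function Get-BgbLogIssues {
    # Read each existing log and emit only warning and error entries.
    param([string[]]$Path = $BgbLogPaths)
    foreach ($p in $Path) {
        if (-not (Test-Path -Path $p)) { Write-Warning "Log not found (skipped): $p"; continue }
        $name = Split-Path -Path $p -Leaf
        Get-Content -Path $p |
            ForEach-Object { ConvertFrom-CmTraceLine -Line $_ -Source $name } |
            Where-Object { $_ -and $_.Severity -in 'Warning', 'Error' }
    }
}

# Constructed sample entries (not real product output) so the parser can be exercised offline.
$SampleLines = @(
    '<![LOG[Client connection accepted]LOG]!><time="09:15:01.123+000" date="01-15-2013" component="BgbServer" context="" type="1" thread="4120" file="sample.cpp:100">',
    '<![LOG[Push to client failed: client offline]LOG]!><time="09:16:44.500+000" date="01-15-2013" component="BgbServer" context="" type="2" thread="4120" file="sample.cpp:210">',
    '<![LOG[TLS authentication failed for incoming connection]LOG]!><time="09:17:02.000+000" date="01-15-2013" component="BgbServer" context="" type="3" thread="4120" file="sample.cpp:250">'
)
$SampleLines |
    ForEach-Object { ConvertFrom-CmTraceLine -Line $_ -Source 'sample' } |
    Where-Object { $_.Severity -ne 'Info' } |
    Format-Table Source, Time, Severity, Message -AutoSize

# On a real machine, run: Get-BgbLogIssues | Format-Table Source, Date, Time, Severity, Message -AutoSize
```

Only the logs present on the machine where the script runs will be read (the site server, management point and client each hold a different subset), so missing paths are reported and skipped rather than treated as failures. Entries whose message spans multiple lines are not reassembled by this parser; open those in CMTrace if the filtered view points at them.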