A ConfigMgr client uses HTTP or HTTPS to get content from a distribution point (DP) when running a deployment that requires content. IIS has a built in function called IIS Request Filtering which blocks certain file extensions, folders and file names.
Some examples include:
<filename>.resx (file extensions)
Visual C++ (double escaping)
\bin folder (hidden segments)
The ConfigMgr client doesn’t get blocked when downloading content from a ConfigMgr DP over HTTP or HTTPS. This is because when the ConfigMgr client downloads a blocked file extension rather that requesting the URL https://<servername>/SMS_DP_SMSPKG$/<contentID>/New Text Document.cs it will request the content with URL: https://<servername>/query?SMS_DP_SMSPKG$/<contentID>/New Text Document.cs
However 1E Nomad agent, which is an Alternate Content Provider (ACP) for the ConfigMgr client (it is basically a data fetcher for ConfigMgr client), does get blocked as it will always use the first URL.
So in practice when the 1E Nomad agent has been told by the ConfigMgr client to get content from a ConfigMgr DP that has IIS Request Filtering rules in place, the 1E Nomad agent will fail to download the content and pass a failure back to the ConfigMgr client which will fail to run the deployment. The error in the NomadBranch.log looks like this:
The ConfigMgr DP IIS log will also show an error:
There are a few ways to resolve this issue.
1. Either allow or remove the rule for the file extension that failed. This will make the current issue go away but there could and most probably will be more files that get blocked.
This command that can be run on the ConfigMgr DP in a Command window will allow a single file extension:
%windir%\system32\inetsrv\appcmd set config /section:requestfiltering /+fileExtensions.[fileextension='.xxx',allowed='true']
This command that can be run on the ConfigMgr DP in a Command window to remove the ‘bin’ hidden segment:
%windir%\system32\inetsrv\appcmd set config /section:requestfiltering /-hiddensegments.[segment='bin']
This command that can be run on the ConfigMgr DP in a Command window will allow double escaping:
%windir%\system32\inetsrv\appcmd set config /section:requestfiltering /allowdoubleescaping:true
2. Remove all the rules for all file extensions blocked by IIS Request Filtering. Take the normal factors like security and change management into account if taking this approach.
If you choose to remove all the file extensions then this can be done in the following file – C:\Windows\System32\inetsrv\config\applicationHost.config.xml
Changes made in the file will affect all websites on the server.
If you have any comments on Nomad and IIS Request Filtering, please feel free to leave me a comment below.