This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 23%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECD%3C/text%3E%3C/svg%3E)
I'm using Endpoint Manager Current Branch 2006 with a single site configuration. I recently setup an external server in our DMZ that hosts the DP, MP, and SUP roles that appears to be healthy (Site Status & Component Status both indicate all green). I've verified external access to our server using https://fqdn.server.com/sms_mp/.sms_aut?mplist and can see both the internal and external MPs listed in the XML output.
All software that is distributed to our internal server is also distributed to our external server so that they can be downloaded whether connected to VPN or not, and all software is made available to everyone (we use the Administrator Approval option for licensed software installs). Yet, when users are not on VPN they see only a handful of software, not the entire list. And attempts to install the few software that are available ends up in error.
We are using PKI in our environment, but we setup the DMZ server to use a third-party certificate for both the Default website and the Windows Update site in IIS. Not sure if that's relevant or not. I've verified by looking at ClientLocation.log that external devices are set to Internet and have confirmed by DMZ server is set to be in the Internet boundary group. I've also tried looking in AppDiscovery.log, AppEnforce.log, ExecMgr.log, but not seeing anything that immediately stands out.
If the user connects to VPN they can see all software, but not off VPN. I suspect there's a problem when polling the DP for available software but not sure where else to check.
Is the software not shown when they are not connected to the VPN deployed to user-based collections?
Note that DPs have nothing to do with what is shown in Software Center.
All software deployments are to user-based collections.
What determines what is shown in Software Center?
What determines what is shown in Software Center?
All applicable deployments are shown.
However, for user-targeting, an Azure AD user account and hybrid identity is required for Internet-based devices. This is a change from when the Application Catalog existed as a separate entity to handle user targeting. See https://video2.skills-academy.com/en-us/mem/configmgr/apps/deploy-use/deploy-applications#deploy-user-available-applications for details on this.
I'm certain this is my problem, but until we finish our hybrid setup, I can't confirm 100%. Thanks for the link and the info. It'll come in handy during planning of the hybrid setup.
Just to be clear, I noted "hybrid identity" above but what I meant was hybrid-user identity. Device identity does not need to be hybrid but could be fully AAD joined (which is the strongly preferred path).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 67%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHM%3C/text%3E%3C/svg%3E)
Hi, @ CharlieDobson
Thanks for posting in Microsoft Q&A forum.
Please check whether the FQDN of external network is configured.
You can check it on the client computers in Network tab of Configuration Manager.
Thanks for your time.
If the response is helpful, please click "Accept Answer"and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I can confirm that the external server is shown in the tab you provided on the clients with the FQDN. We are not using a proxy for connection.
Hi, @Charlie Dobson
You said that tried to install the few software that available ends up in error.
Please can you share the latest AppEnforce.log as attachment(with sensitive information masked), may be some causes can be found.
Thanks for your time.
Best Regards
Alan Zhu