We have found an issue with trying to use MS Autopilot when behind an MX firewall.
We have created two rules (one for TCP, the other UDP) from the build VLAN to any destination on ports 123, 53, 80, 443, 3544. Every time we try to deploy a laptop using Autopilot it gets stuck.
We have tested these rules on two different non-Meraki firewalls and have not had the issue.
Has anyone else seen this issue?
Hi, After various tests and packet captures, we have found that we need to add the ephemeral port range and restrict them to the recommended Autopilot FQDNs. And it's now working! A classic of Microsoft documentation not listing everything needed. Investigating the non-Meraki firewalls, it would appear that they were doing something under their "stateful" badge and allowing these ports even though they were not directly listed in the rule set. Thanks for your help.
Do you have the Threat protection enabled? If yes, try disabling it.
Hi, Thanks for the reply. There is nothing in the TP logs, but it's worth a try! I'll do some testing today.
Are you seeing anything in the Event logs for the Appliance?
Do you also have any Layer 7 Geo-IP based rules you can rule out?
Thanks for the reply, nothing in the event logs and no Geo rules on this MX.
We have used AutoPilot behind MX lots without issue. We use content filtering, IPS and AMP. We don't use firewall rules to apply L4 restrictions.
Why don't you try temporarily creating a "permit any any" rule and see if that resolves it? If it does - you know your firewall rules are the issue.
Hi, Thanks for the reply. We have tried a 'permit any any' rule and it works, but due to the environment, we can't leave that in place. The ports we have open are the MS recommended ones. We are just a bit stumped about what is being blocked.
If a "permit any any" works - then you 100% know it is the firewall rules you have added causing the issue. Perhaps one of the apps you have deployed via Intune needs additional ports. Perhaps you are doing a hybrid AD join.
I would put back the "permit any any" and do a packet capture while deploying a machine. Make a note of every port used, add them to the firewall rules, and go back to your "deny any any".
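The port audit suggested above, as an added example that is not part of the thread: it takes flows extracted from a capture taken under a "permit any any" rule, compares them against the TCP/UDP port rules from the original post, and turns anything uncovered into rule suggestions, collapsing ephemeral-range destinations into one range scoped to the hosts seen (the fix the thread ended up with). All hosts and the capture data are constructed, not real Autopilot endpoints.

```python
from collections import defaultdict

# Constructed sample: outbound flows from the build VLAN as they might look after
# reducing a packet capture to (protocol, destination port, destination host).
# Hostnames are hypothetical placeholders, not Microsoft's published FQDNs.
SAMPLE_FLOWS = [
    ("tcp", 443, "login.example.test"),
    ("udp", 53, "resolver.corp.test"),
    ("udp", 123, "time.corp.test"),
    ("udp", 3544, "teredo.example.test"),
    ("tcp", 80, "ctldl.example.test"),
    ("udp", 50234, "relay.example.test"),   # ephemeral-range destination port
    ("tcp", 52001, "relay.example.test"),   # ephemeral-range destination port
    ("tcp", 443, "update.example.test"),
]

# The two rules from the original post: TCP and UDP, any destination, these ports.
ALLOWED_PORTS = {"tcp": {123, 53, 80, 443, 3544}, "udp": {123, 53, 80, 443, 3544}}
EPHEMERAL = range(49152, 65536)  # IANA dynamic/private range, used here as the assumed window


def uncovered_flows(flows, allowed):
    """Return {(proto, port): sorted hosts} for flows no current rule permits."""
    missing = defaultdict(set)
    for proto, port, host in flows:
        if port not in allowed.get(proto, ()):
            missing[(proto, port)].add(host)
    return {key: sorted(hosts) for key, hosts in missing.items()}


def suggest_rules(missing):
    """Turn uncovered flows into (proto, port-or-range, hosts) rule suggestions.

    Individual ports get a per-port rule; ephemeral-range ports are merged into
    a single range rule limited to the destinations actually observed, so the
    range is not opened to every host."""
    rules = []
    ephemeral_hosts = defaultdict(set)
    for (proto, port), hosts in missing.items():
        if port in EPHEMERAL:
            ephemeral_hosts[proto].update(hosts)
        else:
            rules.append((proto, str(port), hosts))
    for proto, hosts in ephemeral_hosts.items():
        span = f"{EPHEMERAL.start}-{EPHEMERAL.stop - 1}"
        rules.append((proto, span, sorted(hosts)))
    return sorted(rules)


if __name__ == "__main__":
    for rule in suggest_rules(uncovered_flows(SAMPLE_FLOWS, ALLOWED_PORTS)):
        print(rule)
```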
The issues we have with AutoPilot are usually
1) Web Proxy (we use Zscaler)
2) Meraki Content Filtering rule.
You can try putting Fiddler on one of the AutoPilot machines and see what URL it is stuck on? That will give you a clue as to where to look.
Make sure to allow the URLs Microsoft listed for AutoPilot to work. Also check that it's not stuck on trying to do Windows updates.
Thanks for the reply. I'll do some more testing today and try Fiddler. The rules allow any destination unfiltered, so it should be OK for that.