internet based client management in system center 2012 configuration manager r2 justin chalfant...
Page 2: Internet Based Client Management In System Center 2012 Configuration Manager R2
Justin Chalfant, blogs.technet.com/jchalfant
Jason Sandys, @JasonSandys
Page 3: Overview
In-scope
• IBCM Hierarchy Scenarios
• Reverse Proxy (TMG)
• SSL Bridging
Out-of-scope
• HTTPS Client Communication Basics
• Public Key Infrastructure (PKI) Configuration Implementation
Basics or Details
Page 4: Steps To Implement IBCM
Setup PKI
Deploy site system and client certificates
Setup/configure site systems and client facing roles
Configure site
Test, Test, Test
Page 5: What’s Needed
Trusted PKI
Certificate Authority
Unique client authentication certificates for each client
Server authentication certificates for each site system*
Page 6: Lab Environment – Traffic Flow
BOBOI = Big Old, Bad Old Internet
Site System (MP, DP, SUP, App Catalog)
Site Server
Reverse Proxy (TMG)
Edge Router
Internet Client
Page 7: Certificate Templates
WSUS Configuration
Verify IIS Certificate on Internet Facing Site System
Exporting the Certificate for Workgroup Client
Requesting the Certificate Template for Workgroup Client
Issuing the Certificate Templates
Creating Certificate Templates
DEMO
Page 8: IBCM Site Architecture – No DMZ
FSP
MP / DP / SUP
Site Server
Reverse Proxy
Bridged
Passthrough
Page 9: IBCM Site Architecture – DMZ
FSP
MP / DP / SUP
Site Server
Reverse Proxy
Site Server initiated communication
SQL Replica
Bridged
Passthrough
Page 10: TMG
Create TMG Web Publishing Rules
Create Website Publishing Rules for DP and SUP
Review TMG Configurations
Review the Web Listener
Review Website Publishing Rules
• MP, Application Catalog
DEMO
Page 11: Site Systems and AD Forests/Domains
Site System
Site Server
Site DB
1. Site Server’s AD Computer Account or Specified Installation Account
2. MP Connection Account
3. Site System’s AD Computer Account or Specified Installation Account
Internal Forest
DMZ Forest
Page 12: IBCM Three Client Modes
Intranet only
Intranet or Internet
Internet only
BOBOI
ccmsetup.exe CCMALWAYSINF=1 CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSITECODE=ABC
AD GC
CCMHOSTNAME set via policy starting in R2
Page 13: IBCM Three Role Modes
Intranet only - HTTPS
Intranet or Internet
BOBOI
Internet only
Page 14: Clients
Workgroup Client
Review Importing the Client Authentication Certificate
Review Installation of the Client
Domain Joined Client
Review Client Switching from Intranet to Internet
Review Software Update Installation on Internet Client
Review Application Catalog from Intranet Client
DEMO
Page 15: The Missing Link
LDAP, HTTP, SMB, FTP
Certificate Revocation List (CRL) locations are hard-coded in each certificate at certificate creation time
CRLs are available on CRL Distribution Points (CDP)
CRL checking is optional
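An added example, not from the original slides: a PowerShell check that reads the CDP URLs embedded in each client authentication certificate in the local computer store and reports which protocols they use. It assumes that an Internet-based client can reach a CDP only over HTTP(S), so a certificate whose CDPs are all LDAP, SMB or FTP cannot be revocation-checked from the Internet; the function name `Get-CdpUrl` is hypothetical.

```powershell
# Added example (not from the slides). Lists the CRL Distribution Point (CDP)
# URLs baked into each client authentication certificate at issuance and flags
# certificates with no HTTP(S) CDP.
# Assumption: Internet-based clients can fetch a CRL only over HTTP(S).

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$CdpOid        = '2.5.29.31'           # CRL Distribution Points extension

function Get-CdpUrl {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $CdpOid }
    if (-not $ext) { return @() }      # certificate carries no CDP extension

    # Format() renders the extension as text; collect every scheme://... token.
    $text = $ext.Format($true)
    [regex]::Matches($text, '[A-Za-z][A-Za-z0-9+.\-]*://[^\s\)]+') |
        ForEach-Object { $_.Value } |
        Select-Object -Unique
}

Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ClientAuthOid } |
    ForEach-Object {
        $urls    = @(Get-CdpUrl -Certificate $_)
        $schemes = @($urls |
            ForEach-Object { ($_ -split '://')[0].ToLower() } |
            Select-Object -Unique)

        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            CdpSchemes = $schemes -join ','
            # False means every CDP in this certificate is LDAP, SMB or FTP,
            # or the certificate has no CDP at all.
            HttpCdp    = ($schemes -contains 'http') -or ($schemes -contains 'https')
            CdpUrls    = $urls -join '; '
        }
    } |
    Sort-Object HttpCdp |
    Format-List
```

Because the CDP list is fixed when the certificate is issued, a certificate reported with `HttpCdp : False` has to be reissued from a template or CA that publishes an HTTP CDP; it cannot be corrected on the client.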
Page 16: IBCM Communication and Content Sources
WSUS
Cloud DP
Other
Content**
Software Updates*
Internet Client
Update Catalog
MP
Policy
DP
All Other Content
* Content only
** Does not include any updates
Page 17: IBCM vs. VPN vs. Direct Access Highlights
IBCM
• ConfigMgr only
• PKI Required
VPN
• User Initiated
• The networking team
Direct Access
• Always on
• IPv6
• May require PKI
Page 18: Hints, Allegations & Things Left Unsaid
Most of this has nothing to do with ConfigMgr
PKI is not easy
Manually bind certificates in IIS*
Certificate deployment can be challenging
Client auth certs define ConfigMgr client identity
ccmhttpstate is undocumented for a reason
Page 19: Links
• http://technet.microsoft.com/en-us/library/gg699362.aspx
• http://blogs.msdn.com/b/ameltzer/archive/2008/04/14/common-native-mode-client-mp-error-messages-and-what-to-do-about-them.aspx
• http://technet.microsoft.com/en-us/library/gg682023
• http://technet.microsoft.com/en-us/library/bb633246.aspx
• http://blogs.technet.com/b/wemd_ua_-_sms_writing_team/archive/2008/01/17/tips-tricks-hints-for-native-mode-and-internet-based-client-management-part-3-of-3.aspx
Page 20: Evaluations
Please provide session feedback by clicking the Eval button in the scheduler app. One lucky winner will get a free ticket to the next MMS!