Internet Based Client Management In System Center 2012 Configuration Manager R2 Justin Chalfant...


Page 1: Internet Based Client Management In System Center 2012 Configuration Manager R2 Justin Chalfant blogs.technet.com/jchalfant Jason Sandys @JasonSandys.

Internet Based Client Management
In System Center 2012 Configuration Manager R2

Justin Chalfant
blogs.technet.com/jchalfant

Jason Sandys
@JasonSandys


Overview

In-scope
• IBCM Hierarchy Scenarios
• Reverse Proxy (TMG)
• SSL Bridging

Out-of-scope
• HTTPS Client Communication Basics
• Public Key Infrastructure (PKI) Configuration Implementation

Basics or Details


Steps To Implement IBCM

Setup PKI

Deploy site system and client certificates

Setup/configure site systems and client facing roles

Configure site

Test, Test, Test


What’s Needed

Trusted PKI
Certificate Authority

Unique client authentication certificates for each client

Server authentication certificates for each site system*


Lab Environment – Traffic Flow

BOBOI

BOBOI = Big Old, Bad Old Internet

Site System (MP, DP, SUP, App Catalog)

Site Server

Reverse Proxy (TMG)

Edge Router

Internet Client


Certificate Templates

WSUS Configuration

Verify IIS Certificate on Internet Facing Site System

Exporting the Certificate for Workgroup Client

Requesting the Certificate Template for Workgroup Client

Issuing the Certificate Templates

Creating Certificate Templates

DEMO


IBCM Site Architecture – No DMZ

FSP

MP / DP / SUP

Site Server

Reverse Proxy

Bridged

Passthrough


IBCM Site Architecture – DMZ

FSP

MP / DP / SUP

Site Server

Reverse Proxy

Site Server initiated communication

SQL Replica

Bridged

Passthrough


TMG

Create TMG Web Publishing Rules

Create Website Publishing Rules for DP and SUP

Review TMG Configurations

Review the Web Listener

Review Website Publishing Rules
• MP, Application Catalog

DEMO


Site Systems and AD Forests/Domains

Site System

Site Server

Site DB

Internal Forest

DMZ Forest

1. Site Server’s AD Computer Account or Specified Installation Account
2. MP Connection Account
3. Site System’s AD Computer Account or Specified Installation Account


IBCM Three Client Modes

Intranet only

Intranet or Internet

Internet only

BOBOI

ccmsetup.exe CCMALWAYSINF=1 CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSITECODE=ABC

AD GC

CCMHOSTNAME set via policy starting in R2


IBCM Three Role Modes

Intranet only - HTTPS

Intranet or Internet

BOBOI

Internet only


Clients

Workgroup Client

Review Importing the Client Authentication Certificate

Review Installation of the Client

Domain Joined Client

Review Client Switching from Intranet to Internet

Review Software Update Installation on Internet Client

Review Application Catalog from Intranet Client

DEMO


The Missing Link

LDAP, HTTP, SMB, FTP

Certificate Revocation Lists (CRL) are hard-coded in each certificate at certificate creation time

CRLs are available on CRL Distribution Points (CDP)

CRL checking is optional


IBCM Communication and Content Sources

WSUS

Cloud DP

Other

Content**

Software Updates*

Internet Client

Update Catalog

MP

Policy

DP

All Other Content

* Content only

** Does not include any updates


IBCM vs. VPN vs. Direct Access Highlights

IBCM
• ConfigMgr only
• PKI Required

VPN
• User Initiated
• The networking team

Direct Access
• Always on
• IPv6
• May require PKI


Hints, Allegations & Things Left Unsaid

Most of this has nothing to do with ConfigMgr

PKI is not easy

Manually bind certificates in IIS*

Certificate deployment can be challenging

Client auth certs define ConfigMgr client identity

ccmhttpstate is undocumented for a reason


Links

• http://technet.microsoft.com/en-us/library/gg699362.aspx
• http://blogs.msdn.com/b/ameltzer/archive/2008/04/14/common-native-mode-client-mp-error-messages-and-what-to-do-about-them.aspx
• http://technet.microsoft.com/en-us/library/gg682023
• http://technet.microsoft.com/en-us/library/bb633246.aspx
• http://blogs.technet.com/b/wemd_ua_-_sms_writing_team/archive/2008/01/17/tips-tricks-hints-for-native-mode-and-internet-based-client-management-part-3-of-3.aspx


Evaluations

Please provide session feedback by clicking the Eval button in the scheduler app. One lucky winner will get a free ticket to the next MMS!
