Internet Based Client Management in System Center 2012 Configuration Manager R2
Justin Chalfant (blogs.technet.com/jchalfant)
Jason ([email protected])
Overview
In-scope
• IBCM Hierarchy Scenarios
• Reverse Proxy (TMG)
• SSL Bridging
Out-of-scope
• HTTPS Client Communication Basics
• Public Key Infrastructure (PKI) Configuration Implementation
Basics or Details
Steps To Implement IBCM
Setup PKI
Deploy site system and client certificates
Setup/configure site systems and client facing roles
Configure site
Test, Test, Test
What’s Needed
• Trusted PKI / Certificate Authority
• Unique client authentication certificates for each client
• Server authentication certificates for each site system*
Lab Environment – Traffic Flow (diagram)
Internet Client (on the BOBOI) → Edge Router → Reverse Proxy (TMG) → Site System (MP, DP, SUP, App Catalog); the site system in turn talks to the Site Server
BOBOI = Big Old, Bad Old Internet
Certificate Templates
• Creating Certificate Templates
• Issuing the Certificate Templates
• Requesting the Certificate Template for Workgroup Client
• Exporting the Certificate for Workgroup Client
• Verify IIS Certificate on Internet Facing Site System
• WSUS Configuration
DEMO
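The "Verify IIS Certificate on Internet Facing Site System" step above is where most first-time IBCM installs fail, so here is an added example (not part of the session deck) that checks the certificate IIS actually serves against what an Internet client expects: Server Authentication EKU, the Internet FQDN in CN or SAN, a private key, and a chain to a trusted root. The Internet FQDN and the IIS site name are assumptions; replace them with your own values.

```powershell
# Added example, not from the deck. Checks the HTTPS certificate on an Internet-facing
# ConfigMgr site system. -InternetFqdn is the name clients receive as CCMHOSTNAME.
function Test-IbcmServerCertificate {
    param(
        [Parameter(Mandatory)] [string]$InternetFqdn,
        [string]$SiteName = 'Default Web Site'
    )
    $ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $problems = @()

    # 1. Which certificate is really bound to HTTPS? (WebAdministration ships with IIS.)
    Import-Module WebAdministration -ErrorAction Stop
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding) { throw "No HTTPS binding on '$SiteName'. Bind the server authentication certificate in IIS first." }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $binding.certificateHash }
    if (-not $cert) { throw "Bound thumbprint $($binding.certificateHash) is not in LocalMachine\My." }

    # 2. EKU must include Server Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })) {
        $problems += 'EKU does not include Server Authentication'
    }

    # 3. The Internet FQDN must match the Subject CN or a SAN DNS entry; clients compare it with CCMHOSTNAME.
    $subjectCn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    if ($subjectCn -ne $InternetFqdn -and $sanText -notmatch ('DNS Name=' + [regex]::Escape($InternetFqdn))) {
        $problems += "Neither CN '$subjectCn' nor SAN names '$InternetFqdn'"
    }

    # 4. Private key present, and not about to expire.
    if (-not $cert.HasPrivateKey) { $problems += 'No private key in the machine store' }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "Expires $($cert.NotAfter)" }

    # 5. Chain builds to a trusted root. Revocation is deliberately not checked here;
    #    the Internet client does that on its own against the CDP (see "The Missing Link").
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $problems += 'Chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Result     = if ($problems.Count -eq 0) { 'OK' } else { $problems -join ' | ' }
    }
}

# Usage (hostname is an assumption):
Test-IbcmServerCertificate -InternetFqdn 'sccm-ibcm.contoso.com'
```

Run it on the site system itself after binding the certificate in IIS; a "Result" other than OK explains why clients log certificate or name-mismatch errors before ever reaching the MP.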
IBCM Site Architecture – No DMZ (diagram)
• Internet-facing roles: MP / DP / SUP, FSP
• Site Server
• Reverse Proxy: Bridged or Passthrough
IBCM Site Architecture – DMZ (diagram)
• Internet-facing roles in the DMZ: MP / DP / SUP, FSP
• Site Server, with Site Server initiated communication to the DMZ roles
• SQL Replica
• Reverse Proxy: Bridged or Passthrough
TMG
Create TMG Web Publishing Rules
Create Website Publishing Rules for DP and SUP
Review TMG Configurations
• Review the Web Listener
• Review Website Publishing Rules: MP, Application Catalog
DEMO
Site Systems and AD Forests/Domains (diagram)
Internal Forest: Site Server, Site DB
DMZ Forest: Site System
1. Site Server’s AD Computer Account or Specified Installation Account
2. MP Connection Account
3. Site System’s AD Computer Account or Specified Installation Account
IBCM Three Client Modes
• Intranet only
• Intranet or Internet
• Internet only
Intranet clients locate the site through AD (GC); clients on the BOBOI use CCMHOSTNAME. Internet-only install:
ccmsetup.exe CCMALWAYSINF=1 CCMHOSTNAME=SERVER3.CONTOSO.COM SMSSITECODE=ABC
CCMHOSTNAME set via policy starting in R2
IBCM Three Role Modes
• Intranet only (HTTPS)
• Intranet or Internet
• Internet only
Clients
Workgroup Client
• Review Importing the Client Authentication Certificate
• Review Installation of the Client
Domain Joined Client
• Review Client Switching from Intranet to Internet
• Review Software Update Installation on Internet Client
• Review Application Catalog from Intranet Client
DEMO
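The workgroup-client demo (import the client authentication certificate, then install) and the Internet-only ccmsetup line from the client modes slide fit in one script. This is an added example, not the presenters' code: it trusts the site's root CA, imports the PFX into the machine store, checks the certificate before using it as the client's identity, and runs ccmsetup with the same properties as the slide plus CCMCERTSEL to pin that certificate. All paths, the MP name and the site code are assumptions.

```powershell
# Added example, not from the deck. Bootstraps an Internet-only ConfigMgr client on a
# workgroup machine. Requires the PKI module cmdlets (Windows 8 / Server 2012 or later).
function Install-IbcmWorkgroupClient {
    param(
        [Parameter(Mandatory)] [string]$RootCaCerPath,     # exported root CA certificate (.cer)
        [Parameter(Mandatory)] [string]$ClientPfxPath,     # client auth certificate with private key (.pfx)
        [Parameter(Mandatory)] [securestring]$PfxPassword,
        [Parameter(Mandatory)] [string]$InternetMp,        # CCMHOSTNAME, e.g. SERVER3.CONTOSO.COM
        [Parameter(Mandatory)] [string]$SiteCode,          # SMSSITECODE, e.g. ABC
        [Parameter(Mandatory)] [string]$CcmSetupExe,       # local copy of ccmsetup.exe
        [switch]$SkipCrlCheck                              # only when no CDP is reachable from the Internet
    )
    $ClientAuthOid = '1.3.6.1.5.5.7.3.2'

    # 1. A workgroup machine gets no roots from AD: trust the site's root CA explicitly.
    Import-Certificate -FilePath $RootCaCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

    # 2. Import into the machine store; the client never looks in the user store.
    $cert = Import-PfxCertificate -FilePath $ClientPfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

    # 3. This certificate *is* the client's identity to the site, so validate it before installing.
    $hasClientAuth = $cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $ClientAuthOid }
    if (-not $cert.HasPrivateKey -or -not $hasClientAuth) {
        throw "Certificate $($cert.Thumbprint) lacks a private key or the Client Authentication EKU."
    }
    $subjectCn = (($cert.Subject -split ',\s*') | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''

    # 4. ccmsetup switches go first, client.msi properties after them.
    $switches = @('/UsePKICert', '/source:' + (Split-Path -Parent $CcmSetupExe))
    if ($SkipCrlCheck) { $switches += '/NoCRLCheck' }
    $properties = @(
        'CCMALWAYSINF=1',
        "CCMHOSTNAME=$InternetMp",
        "SMSSITECODE=$SiteCode",
        "CCMCERTSEL=`"Subject:$subjectCn`""      # pin the certificate so the client cannot pick another one
    )
    $proc = Start-Process -FilePath $CcmSetupExe -ArgumentList ($switches + $properties) -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { Write-Verbose 'ccmsetup completed' }
        7       { Write-Warning 'ccmsetup completed; reboot required' }
        default { throw "ccmsetup exit code $($proc.ExitCode); see $env:windir\ccmsetup\Logs\ccmsetup.log" }
    }

    # 5. Confirm what the client recorded, via the COM object the Control Panel applet uses.
    $smsClient = New-Object -ComObject Microsoft.SMS.Client
    [pscustomobject]@{
        AssignedSite = $smsClient.GetAssignedSite()
        InternetMP   = $smsClient.GetInternetMPHostName()
        Certificate  = $cert.Thumbprint
    }
}

# Usage (all values are assumptions):
Install-IbcmWorkgroupClient -RootCaCerPath 'C:\IBCM\ContosoRootCA.cer' -ClientPfxPath 'C:\IBCM\client.pfx' `
    -PfxPassword (Read-Host -Prompt 'PFX password' -AsSecureString) `
    -InternetMp 'SERVER3.CONTOSO.COM' -SiteCode 'ABC' -CcmSetupExe 'C:\IBCM\ccmsetup.exe'
```

Leave -SkipCrlCheck off unless the CDP test in "The Missing Link" proves the CRL cannot be fetched from the Internet; disabling the check on the client is the easy fix that quietly removes revocation from the whole design.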
The Missing Link
The CRL Distribution Point (CDP) URLs are hard-coded into each certificate at issuance time, so whatever the CA’s CDP configuration was when a certificate was created is what every client will try later
CRLs are published on the CDPs over LDAP, HTTP, SMB or FTP
CRL checking is optional (ccmsetup /NoCRLCheck on the client), but a client that does check can only use an HTTP CDP that is reachable from the Internet; an LDAP-only CDP is invisible to an Internet client
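To see whether "the missing link" is actually reachable, the following added example (not from the deck) pulls the CDP URLs out of a certificate, classifies them by protocol, fetches the HTTP ones, and then builds the chain with online revocation checking the way CryptoAPI does for the client. Run it from a machine off the corporate network. The certificate selection in the usage block assumes the client authentication certificate lives in LocalMachine\My.

```powershell
# Added example, not from the deck. Tests CRL Distribution Points from an Internet client's view.
function Test-CdpReachability {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $cdpExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
    if (-not $cdpExt) { return @() }
    # Format($true) renders each entry as "URL=<uri>"; pull the URIs out.
    $urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $result = [ordered]@{ Url = $url; Scheme = ([uri]$url).Scheme; InternetUsable = $false; Detail = '' }
        switch ($result.Scheme) {
            'http' {
                try {
                    $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                    $result.InternetUsable = ($r.StatusCode -eq 200 -and $r.RawContentLength -gt 0)
                    $result.Detail = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
                } catch { $result.Detail = $_.Exception.Message }
            }
            'ldap'  { $result.Detail = 'LDAP CDP: only domain members on the intranet can resolve it' }
            default { $result.Detail = 'Not a scheme an Internet client can use' }
        }
        [pscustomobject]$result
    }
}

# Reproduce the client's decision: build the chain with online revocation checking for the whole chain.
function Test-RevocationCheck {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Valid  = $ok
        # RevocationStatusUnknown / OfflineRevocation here means "CRL not fetchable", not "revoked".
        Status = if ($ok) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; ' }
    }
}

# Usage: pick the client authentication certificate the ConfigMgr client would select (assumption: machine store).
$clientCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2') } |
    Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate with a private key in LocalMachine\My.' }
Test-CdpReachability -Certificate $clientCert | Format-Table -AutoSize
Test-RevocationCheck -Certificate $clientCert
```

A certificate whose only CDP is an LDAP URL, or an HTTP URL that resolves only on the intranet, passes every test on the LAN and fails the moment the client roams. Fix it at the CA (publish an Internet-reachable HTTP CDP and reissue) rather than with /NoCRLCheck.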
IBCM Communication and Content Sources (diagram)
• MP → Internet Client: Policy
• DP → Internet Client: All Other Content
• WSUS → Internet Client: Update Catalog
• Software Updates*
• Cloud DP → Internet Client: Other Content**
* Content only
** Does not include any updates
IBCM vs. VPN vs. Direct Access Highlights
IBCM
• ConfigMgr only
• PKI required
VPN
• User initiated
• The networking team
Direct Access
• Always on
• IPv6
• May require PKI
Hints, Allegations & Things Left Unsaid
Most of this has nothing to do with ConfigMgr
PKI is not easy
Manually bind certificates in IIS*
Certificate deployment can be challenging
Client auth certs define ConfigMgr client identity
ccmhttpstate is undocumented for a reason
Links
• http://technet.microsoft.com/en-us/library/gg699362.aspx
• http://blogs.msdn.com/b/ameltzer/archive/2008/04/14/common-native-mode-client-mp-error-messages-and-what-to-do-about-them.aspx
• http://technet.microsoft.com/en-us/library/gg682023
• http://technet.microsoft.com/en-us/library/bb633246.aspx
• http://blogs.technet.com/b/wemd_ua_-_sms_writing_team/archive/2008/01/17/tips-tricks-hints-for-native-mode-and-internet-based-client-management-part-3-of-3.aspx