Internet Based client support with Existing PKI Environment

Hi Team,
I have a question.... My environment is SCCM 2007, and a requirement has come up to support Internet-based clients.
My hierarchy is (all in Mixed Mode):
1 Central
2 Primary
5 Secondary under each Primary
Now, to support Internet-based clients, this is what I have proposed: add another Primary on the LAN for Native Mode and its Site System server in the DMZ with the MP, DP and SUP roles. Only this site system server would be Internet-facing to support clients.
Now, to support Internet-based clients... I would have to move my Central from Mixed to Native mode and then the new Primary server to Native mode. Please let me know if you agree with this design or suggest another one.
Now, my company already has an existing PKI environment set up on a non-Windows platform. I'm aware of the fact that SCCM 2007 would support version 3 of the X.509 certificate format. When I reached the PKI team they mentioned that they only sign certificates and do not issue them. They said that your application / server should generate the certificate, which I can send them and they sign.
Now I'm not able to understand how this would happen. As per my understanding, SCCM cannot generate the certificate for the PKI team to sign.
From the OS perspective, via IIS we can get the certificate generated, but I'm not sure if that is the right way to do that.
Please suggest how I can get these certificates generated for my SCCM environment and client machines to use.
Thanks,
Sam

First, you really should look at moving to ConfigMgr 2012 to make your life easier and simplify this scenario quite a bit.
As for certs, you need more than an IIS cert, you need a unique cert for each and every managed device that could communicate via the Internet. If your PKI team cannot accommodate this, then their PKI solution is feeble and weak and you should consider implementing a Microsoft PKI.
Also, it's incorrect to say that a PKI only signs certs, they do create and issue certs; these are based upon a cert request you give them which effectively contains some meta-data and the public key that will be included in the cert that they create, sign, and issue (honestly, not trying to throw stones, but if they truly believe that's what a PKI does, then you're never going to get what you need from them because they don't even know what they do). This is impractical to do for every managed client though.
There is also a special cert type called a document signing cert that must be issued that contains a non-standard subject.
Ultimately, the PKI must be able to issue certificates based on the requirements listed at http://technet.microsoft.com/en-us/library/bb680733.aspx and of course you need a method to get those certs to both the site systems hosting the roles, the site server, and the managed clients.
If they can't give you this (which at the very least they think they can't based on your comments), then no, you won't be able to use this in-place PKI.
Jason | http://blog.configmgrftw.com

Similar Messages

  • Support for Internet based client Management - SCCM 2012

    Hi There,
    My company wants to go for Internet-based client management in SCCM 2012 SP1 R2 and here is the design I'm proposing. I'm getting a bit confused at one point and need a suggestion....
    Everything would work on HTTPS (PKI certificate based)... LAN and Internet.
    1 Primary (with non-client-facing roles installed) on LAN with two site systems.
    - One Site System configured for INTRANET support only with MP, DP and SUP -> To support LAN users (Allow Intranet-only connections)
    - One Site System configured for INTERNET support only with MP, DP and SUP -> To support Internet users (Allow Internet-only connections)
    The INTERNET-facing site system is in the DMZ network, connected to the parent Primary via firewall.
    We want Internet clients to talk to ONLY the DMZ SCCM Site System and have no connection to the corporate LAN. We cannot open any ports for Internet-based clients to the LAN.
    If this is the supported scenario, then why do we need to put the Internet FQDN in the Primary server Site System property? This server would not be available to the Internet. It should only be my DMZ SCCM server that clients connect to for MP, DP and SUP, and only this DMZ server should be accessible to clients over the Internet.
    Also, what is the least set of ports that should be opened between:
    - Parent Primary and its Internet-facing site system kept in the DMZ
    - DMZ Site system and Internet clients.
    Thanks in advance for your suggestions.
    Sam

    The FQDN has only to be specified on the Internet-facing site system. You can leave this field blank on the primary site server.
    Ports to open:
    Internet --> DMZ Site Server:
    TCP Port 443
    TCP Port 80, if Fallback Status Point is installed
    DMZ Site Server --> Primary Site:
    TCP 135, 49152-65535
    TCP 445
    TCP 135, 24158 (fixed with http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx )
    TCP 80, 443
    If you have some other roles installed, please consult this page:
    http://technet.microsoft.com/en-us/library/hh427328.aspx
    Cheers,
    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • Internet Based Clients and Native Mode

    Hi guys,
    I have a question.... We have SCCM 2007 SP2 running in mixed mode in the environment. Now we plan to support internet based clients. Here is the current Hierarchy in mixed mode.
    1 Central Server
    1 Primary Server
    3 Secondary servers under above Primary Server
    Now, as the requirement is to support Internet-based clients, and we want them to be supported on the office LAN as well when they come to the office.... this is what I would be doing: (Theoretically I know; I need the practical steps to achieve that)
    1. Get all the 3 PKI Certificates : Site Server Signing, Web Server, Client agent.
    2. Make sure all the required ports are opened in-between Intranet <->DMZ AND DMZ <-> Internet
    3. Migrate Central server from Mixed to Native Mode.
    4. Install another Primary Server on Intranet in Native mode.
    5. Create a site system server connected to newly created Native Primary Site in the DMZ zone with these roles installed : MP, SUP and DP.
    6. Re-install all the SCCM clients in the environment with the command-line so that they can be supported on both internet and intranet.
    7. Make sure internet clients are able to connect DMZ site system server via internet.
    Please let me know if I'm missing something here and let me know the practical steps to achieve this.
    I request you not to share Microsoft TechNet links for this. Please share some step-by-step practical document, etc., to achieve this.
    Thanks,
    Sam

    1. This is incorrect. You need more than a single web server cert and client cert. You need a unique server auth cert for *every* one of your systems hosting a client role like the MP, DP, and SUP. Also, you need a unique client auth cert for each and *every* client that may/will connect via the Internet.
    4. Standing up a whole extra site just to support IBCM is a bit overkill. It does allow you to keep your "main" primary site in mixed mode, but it does add some overhead and cost and is not technically necessary.
    6. Incorrect. You only need to reinstall clients that will be configured as "Internet-only". Intranet clients should pick up the internet facing roles via policy. You can verify this by checking locationservices.log on the clients after they are successfully communicating and the Internet facing roles are stood up and healthy.
    You've made no account above for the CDP or CRL checking. This is a major stumbling block for many folks.
    Jason | http://blog.configmgrftw.com

  • Internet Based Clients via F5 Big-IP load balancer

    Hi Guys,
    Please help with below question....
    We have the requirement to support Internet-based clients... we have a proper MS PKI infra in place. The SCCM design is like this: the Primary Server is on the corporate LAN and I have attached a site system server which is in a DMZ network (say ABC Zone). Now, as per my knowledge, the DMZ SCCM Site System server should be accessible to clients over an Internet connection, and to make this happen, the FQDN of site systems that support Internet-based client management must be registered as host entries on public DNS servers.
    Now the twist is... as per our company policy we cannot make that SCCM Site System server directly available on the Internet... The network team is saying there is another DMZ zone (say PQR Zone) where they have F5 Big-IP load balancers which are Internet-facing (HTTPS). Now they are saying that our SCCM clients should hit those devices and then internally be redirected to our SCCM site system server kept in the ABC Zone.
    VeriSign certificates will be used to encrypt incoming network traffic to the F5 Big-IP Load Balancers configured as ADFS reverse proxy servers residing in the PQR Zone.
    Is this scenario supported? Please let me know what alternatives we have so that our SCCM server is not directly facing the Internet.
    Thanks,
    Sam

    Hi Jason,
    Thanks for your quick and prompt reply as always. My answers are in BOLD...
    [Jason] First a question, you said "we have a proper MS PKI infra in-place". Does this mean you have a CDP exposed to the Internet or is an OCSP responder Internet accessible? If not, you will have issues although this can be overcome by disabling CRL checking on the clients, that does lower your security posture.
    [Sam] With "proper PKI infra" I meant... they have it available already and are supporting the SCCM 2007 environment with it... but not supporting Internet-based clients in SCCM 2007. They implemented PKI there just for better security. At present the PKI CRL server is on the internal network and the assumption is that machines will also VPN in to the corporate network for CRL and certificate renewal when required... at some point in time.
    [Jason] To your real question here, is the F5 bridging or can it be set to pass-through? Pass-through is generally easier. Ultimately though, ConfigMgr doesn't care as long as the traffic gets to the site system hosting the roles. The main difference will be with the certificates used by each component. With bridging, the F5 will terminate the SSL traffic and then initiate a new SSL stream to the site system. This is all pretty transparent to ConfigMgr and the client as long as the certs used are configured with the proper SANs and the F5 properly passes the traffic along.
    [Sam] I don't think the network team would allow 'pass-through' and would go for the 'bridging' option. Can you please let me know the steps I need to follow to configure bridging between the F5 balancers and the SCCM site system server... the bottom line is... our SCCM clients should be able to communicate with our site server to get the MP, SUP and DP service. I'm not clear on the statement I underlined in the above paragraph.
    [Jason] Is using a third-party product like an F5 supported by Microsoft? No, not explicitly. They rarely support anyone else's technology. Is the scenario in general supported? Yes, however Microsoft only provides guidance for doing so in conjunction with TMG/ISA. If you search the web for "internet based client management bridge" you'll get lots of hits. Most (if not all) will be for ConfigMgr 2007 but they are still applicable.
    [Sam] Not able to find much fruitful data... Can you please provide me with good links which would help me clear this up technically?
    [Jason] Now, if your F5 is set to pass-through, then there's not much extra to do at all assuming the traffic is routed properly.
    [Sam] THANKS AGAIN for your help in this regard.
    Sam

  • Internet Based Client Management Design Question

    Hi,
    I read many articles and many forum posts about IBCM design possibilities. I want to make sure I am on the right path, so I would like to mention what I currently have in my environment and how I will change it. Please let me know if something is wrong with my plans for IBCM.
    Currently I have one SCCM 2012 R2 primary site server and one database server. We don't have a public key infrastructure at the moment, so communication is via HTTP. We don't have a DMZ either. I would like to make my internal SCCM site server reachable from the intranet and the Internet without installing any other site server or MP, DP, SUP point. The article below says that is possible. I will implement scenario 1 in that article.
    http://blogs.technet.com/b/configmgrteam/archive/2012/05/25/system-center-2012-configuration-manager-r-i-p-native-mode.aspx
    So, I guess
    1. I need to create a public key infrastructure.
    2. Public DNS registration for the site server's Internet FQDN
    3. Firewall settings from the Internet to the site server
    After those 3 steps, my clients will connect from the intranet when they are in the office and they will also be able to connect from the Internet when they are outside of our network. Can you please verify whether this planning is correct or not? If you know any step-by-step IBCM implementation article that I can use, can you please give me the link?
    Yavuz Selim Atmaca

    Very high level those are indeed the right steps at this moment. Just keep in mind that this definitely is not the most secure solution.
    I created a blog post about some important configuration steps:
    http://www.petervanderwoude.nl/post/five-key-configuration-steps-for-implementing-internet-based-clients-in-configmgr-2012/
    On a side-note, if you're going to build a PKI anyway, you might want to think about DirectAccess instead of Internet clients.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • SCCM 2012 R2 Internet Based Client Management

    Can someone give me a quick overview on how they are using Internet Based Client Management in their environment.
    Some helpful things I am looking for.
    IBCM - Should it be a separate server from the Primary Site Server?
    What roles should typically be installed?
    A helpful Visio drawing would be great.
    Thanks!

    Hi Mike,
    Can you please help me with this...
    I bought the book System Center 2012 Configuration Manager (SCCM) Unleashed and I need some clarification on the Internet-based client topic.
    Can you please let me know if this is a supported design? I'm getting confused with statements in the book.
    Here we do not want Internet-based clients to connect to ANYTHING in the LAN network. I have designed it to have the entire Internet-facing Site Systems in the DMZ, connected to the Primary server.
    If my design looks OK to you... then why do we need to mention the Internet FQDN of the Primary server in the Primary Server Site System property? This server should not be visible to Internet-based clients.
    The most important point here is... we want Internet-based clients to talk to ONLY the DMZ site system server. And we cannot open any ports for Internet-based clients to talk to the Primary server kept in the Chicago LAN.
    I'm not able to add the picture here... please let me know the email address where I can send that.
    Thanks,
    Sam

  • Internet Based Client Management - upgrade clients

    Hi.
    I have a customer, who wants to deploy an SCCM site and Internet Based clients. Main purpose is to patch manage the clients.
    I have one concern though - the certificate and client deployment AND the ongoing upgrade of clients.
    I believe, we will have to deploy certificates from the internal PKI and install the clients manually/scripted - right?
    How about upgrading clients when a CU is installed on the SCCM-server? Can Internet Based clients automatically upgrade or will we have to manually install every time a new client is available?
    Thanks in advance!
    /Michael

    The certificate doesn't have to be of the internal PKI it can come from anywhere as long as it can be used to authenticate the client.
    When you're dealing with Internet-only clients then yes, the client needs to be manually/scripted installed to specifically provide the client with the right information.
    Once the client is installed the normal CU packages can be used to upgrade the clients.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Manage System Center Endpoint Protection (SCEP) policies for Internet-based clients

    Hi,
    I've recently changed my SCCM configuration in order to allow Internet-based clients registered in our domain to communicate with our primary site server. The objectives were to let us manage the SCEP policies of these clients and receive alerts when they're infected even when they are on the road, so not connected to the local network.
    Now, everything seems to be in place; PKI certificates for server and client, the DNS is configured, firewall route too...but I still cannot update the policies of my client when it's not connected to the local network.
    I'm able to reach my primary site from my client when connected outside the network, but the policies won't update until I connect to the local network.
    Is it actually possible to manage the policies and receive alerts from internet-based clients like I'm trying to do?
    Thank you very much for your help

    It's going to come down to log checking at this point to find where the failure is happening or the connection is not happening.
    Initiate a machine policy refresh and watch the two logs noted above.
    CAS.log may also be helpful as well as locationservices.log and clientlocation.log.
    Try deploying an app as well and watch the logs.
    Also, if the client is not properly getting policy, there's no way for it to know that you disabled client CRL checking on the site.
    Jason | http://blog.configmgrftw.com
    Ok so now I see an error in clientlocation.log that might be the cause of my problem.
    [Domain joined client is in Internet]
    [Rotating internet management point, new management point is : SERVER.DOMAIN.COM ...
    [Unable to retrieve AD forest + domain membership] <- Pretty sure this is related to my issue
    I guess it's because my AD schema is not extended, is that right?
    EDIT: I thought this was the issue, but the AD schema seems to be extended already. Any idea of what could cause this error?
    EDIT: Do I need to open ports in order for my client to be able to reach the AD or something? I thought that was the MP's job once we granted him full control access on the AD. Am I wrong?
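    The following is an added example (not code from the thread): a small Python triage script that parses CMTrace-format client log entries like the clientlocation.log lines quoted above and flags the IBCM symptoms discussed in this thread and the earlier one (Internet MP rotation, the AD lookup failure, CRL revocation errors). The sample entries are constructed, and the expected Internet MP name is an assumed parameter.

```python
"""Triage ConfigMgr client logs (clientlocation.log, locationservices.log) for IBCM symptoms.

Added example, not code from the forum thread. Entries use the CMTrace format the
ConfigMgr client writes; the sample entries below are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# One CMTrace entry: <![LOG[msg]LOG]!><time=".." date=".." component=".." context=".." type="N" thread=".." file="..">
ENTRY_RE = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)"\s+date="(?P<date>[^"]*)"\s+component="(?P<component>[^"]*)"'
    r'\s+context="[^"]*"\s+type="(?P<type>\d)"\s+thread="\d+"\s+file="[^"]*">',
    re.DOTALL,
)
SEVERITY = {"1": "info", "2": "warning", "3": "error"}  # CMTrace "type" codes

# Constructed sample, modelled on the clientlocation.log lines quoted in the thread.
SAMPLE_LOG = (
    '<![LOG[Current AD site of machine is <none>]LOG]!><time="09:12:01.100+000" date="03-14-2014" '
    'component="LocationServices" context="" type="1" thread="2344" file="lsad.cpp:1234">\n'
    '<![LOG[Domain joined client is in Internet]LOG]!><time="09:12:01.250+000" date="03-14-2014" '
    'component="ClientLocation" context="" type="1" thread="2344" file="lsad.cpp:1300">\n'
    '<![LOG[Rotating internet management point, new management point is : SERVER.DOMAIN.COM]LOG]!>'
    '<time="09:12:01.400+000" date="03-14-2014" component="ClientLocation" context="" type="1" '
    'thread="2344" file="lsad.cpp:1350">\n'
    '<![LOG[Unable to retrieve AD forest + domain membership]LOG]!><time="09:12:02.000+000" '
    'date="03-14-2014" component="ClientLocation" context="" type="2" thread="2344" file="lsad.cpp:1400">\n'
    '<![LOG[Certificate chain validation failed, error 0x80092013]LOG]!><time="09:12:05.000+000" '
    'date="03-14-2014" component="CcmMessaging" context="" type="3" thread="2344" file="ccmutil.cpp:50">\n'
)

@dataclass
class Entry:
    date: str
    time: str
    component: str
    severity: str
    message: str

@dataclass
class Finding:
    code: str
    detail: str
    source: Entry

def parse_cmtrace(text: str) -> List[Entry]:
    """Parse CMTrace text into entries; anything that is not a well-formed entry is skipped."""
    return [Entry(m["date"], m["time"], m["component"], SEVERITY.get(m["type"], "unknown"),
                  m["msg"].strip()) for m in ENTRY_RE.finditer(text)]

MP_ROTATE_RE = re.compile(r"Rotating internet management point, new management point is\s*:\s*(\S+)")
# Windows HRESULTs (wincrypt.h) seen when the CRL distribution point is not reachable from the Internet
CRYPT_ERRORS = {
    "0x80092010": "CRYPT_E_REVOKED: the certificate has been revoked",
    "0x80092012": "CRYPT_E_NO_REVOCATION_CHECK: revocation status could not be determined",
    "0x80092013": "CRYPT_E_REVOCATION_OFFLINE: CDP unreachable; publish the CDP externally (disabling CRL checking is weaker)",
}

def current_internet_mp(text: str) -> Optional[str]:
    """FQDN of the last Internet MP the client rotated to, or None if it never did."""
    hits = [m.group(1).rstrip(".") for m in (MP_ROTATE_RE.search(e.message) for e in parse_cmtrace(text)) if m]
    return hits[-1] if hits else None

def triage(text: str, expected_internet_mp: Optional[str] = None) -> List[Finding]:
    """Flag the IBCM symptoms discussed in the thread. expected_internet_mp is an assumed
    parameter: the Internet FQDN configured on the Internet-facing site system."""
    findings: List[Finding] = []
    for e in parse_cmtrace(text):
        msg = e.message
        if "Domain joined client is in Internet" in msg:
            findings.append(Finding("INTERNET_MODE",
                                    "client considers itself on the Internet; AD and intranet roles are not expected to be reachable", e))
        m = MP_ROTATE_RE.search(msg)
        if m:
            mp = m.group(1).rstrip(".")
            if expected_internet_mp and mp.lower() != expected_internet_mp.lower():
                findings.append(Finding("WRONG_INTERNET_MP",
                                        f"client rotated to {mp}, expected {expected_internet_mp}; check the Internet FQDN on the site system and the client's assigned MP", e))
            else:
                findings.append(Finding("INTERNET_MP", f"Internet MP in use: {mp}", e))
        if "Unable to retrieve AD forest" in msg:
            findings.append(Finding("AD_LOOKUP_FAILED",
                                    "AD cannot be queried from the Internet (expected); the Internet MP must come from policy or the client install properties", e))
        for hresult, meaning in CRYPT_ERRORS.items():
            if hresult in msg.lower():
                findings.append(Finding("CERT_REVOCATION", meaning, e))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_internet_mp="SERVER.DOMAIN.COM"):
        print(f"{f.source.date} {f.source.time} [{f.source.severity}] {f.code}: {f.detail}")
```

    Point it at a real clientlocation.log copied off a client (`triage(open(path).read(), expected_internet_mp=...)`) to see whether the client ever rotated to the expected Internet MP before the policy request failed.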

  • SCCM 2012 internet based client mgmt installation in Lab

    Hi All
    Is it possible to install SCCM 2012 with Internet-based client management in a lab???

    Hi,
    Short answer: Yes, you can

  • Internet based client activity

    I am setting up clients for Internet-based client management. We already have PKI certs for all of our clients. The client shows the connection type as currently Internet, but the client activity shows inactive in the console. Where would I start to troubleshoot this?

    The client indeed needs to have the Internet-based Management Point information. Normally the client should get that information as a policy when it's correctly communicating with a Management Point, or as a property during the client installation.
    Also, indirectly, it's at least one of the things that counts towards the InternetEnabled property.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Quick recovery image for internet based clients

    Hello all,
    Imaging of Internet-based clients is not supported with SCCM, but is there any other (Microsoft) way to quickly recover to a standard image for Internet-based clients (we use MS Surface for our sales reps)? For example, putting a standard image on a separate partition with which you can instruct users by phone to redeploy their machine to an original configuration? I do not think that DaRT will solve my issue, by the way.

    I haven't implemented this myself. I just thought it was a cool idea. It's primarily designed to solve this problem with very small branch offices using Direct Access. You should contact 1E for more information
    eg the step: "Prestage content using Nomad".
    Where is the content coming from? Remember that this is designed for a small office so Nomad could be using peer-to-peer distribution here. Also, with Nomad, you could run that step outside the OSD task sequence so that the content will already be available (by downloading slowly over time) when and if required.
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | Twitter: @gerryhampson

  • Queries regarding Internet Based Client Management (IBCM) 2012 R2

    Hi All,
    I am trying to work with IBCM, but I have a few queries for which I am not able to get any proper information from the Internet. I would be really thankful if you all can help with your advice.
    1) I will need to publish a host record for the Internet FQDN of the Site System server, which will point to a public IP on public DNS.
    - So if I NAT the public IP to the local SCCM server IP on the firewall, will that work, or will I have to give a different private IP?
    2) Let's say I have a few workgroup machines which will be on the Internet and they won't even come to the office network; in this scenario, how should I proceed?
    a. Will I be able to get a remote session of the user?
    b. Can I install the SCCM client manually over the Internet? If yes, then what information will I need to provide during client installation?
    c. If I use a public wildcard certificate on the server, do I need to purchase client certificates as well?
    d. If I use an internal CA certificate on the server, then I will have to install the client certificate manually on all the workgroup machines, am I right? Can a public certificate act as an alternative?
    e. Any other specific port apart from 443 that needs to be opened on the firewall?
    3) Is it necessary to put the Internet-facing Site System server in the DMZ, or is it OK to use the same Site System server for intranet and Internet?
    4) Currently I have a Site System fully functional and set to the HTTP & HTTPS communication setting. For IBCM I will be moving the MP and DP from HTTP to HTTPS; I want to know whether there will be any issue, or any other aspect that I need to take care of before performing these steps.
    5) Currently my OS deployment, app deployment & software updates are working perfectly. Will moving the MP and DP to HTTPS affect any of the current functionality? Please advise.
    Thanking in advance,
    Regards,
    Ritesh
    Thanks & Regards, Ritesh Hegde, Exchange,BPOS, FOPE, O365.

    1. Yes, the device performing the NAT will forward the traffic to the private IP of the site system. That's the whole point of NAT assuming you've configured it correctly and allowed the traffic to pass.
    2a. No, remote Control does not work for Internet based clients.
    2b. What are your expectations and what does "manually over the Internet" mean? If you are talking about client push, then technically, yes it's possible, although in reality it won't work because almost everything connected on the Internet is behind its own NAT and firewalls that won't allow the traffic to reach the destination. Additionally, if these clients are to be Internet only (which workgroup machines must be), then they must be installed with the CCMALWAYSINF property set to true which is only done when manually installing the client on the system by directly initiating ccmsetup.
    2c. The certs on the clients have nothing to do with the cert on the servers. All clients connecting via IBCM require their own, unique client auth cert. If you plan on purchasing these, it will get real expensive, real quick and of course remember that this is a recurring cost.
    2d. How else would you install any certificate? They can't magically appear on the systems, particularly since they are workgroup systems.
    2e. 8531 for WSUS and 10123 for client notification.
    3. Using the same internal site system is technically fine, but I doubt your security folks would like that idea.
    4. Site Systems cannot be set to both HTTPS and HTTP. They can only be set to one or the other. Your site can accept both, but the site systems cannot. If you convert your existing/only MP and DP to HTTPS, then *all* of your clients will need their own unique client auth certs.
    5. Only if you don't configure things properly.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Internet Based Client Updates

    Hi,
    We have SCCM 2012 R2 installed, with IBCM enabled. These clients are able to switch between intranet and internet fine.
    Updates work internally and externally fine too. We only have 1 SUP configured for intranet access only, and the Internet-facing server is there as a DP and MP for clients to check in and report in etc. This enables us to see if any machines have viruses and what software they have installed etc.
    Now, the problem...
    Our mobile workforce all use aircards with a data limit. We need to be able to report on these, and for them to get updates, but only from our DPs, NOT from Windows Update, which is what happens by default when a client switches to Internet-based.
    This is an extract from a TechNet article:
    New in System Center 2012 Configuration Manager, when you have a software update point that is configured to accept connections from the Internet, Configuration Manager Internet-based clients on the Internet always scan against this software update point, to determine which software updates are required. However, when these clients are on the Internet, they first try to download the software updates from Microsoft Update, rather than from an Internet-based distribution point. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point. Clients that are not configured for Internet-based client management never try to download the software updates from Microsoft Update, but always use Configuration Manager distribution points.
    We need to be able to turn this off, so they do not get updates from Windows Update and consume all their data allowance.
    On our SCCM 2007 server, we simply added a SUP internally and an Internet-facing DP/MP; when they were on the intranet they got updates, and when they were on the Internet they did not, as we did not distribute the packages to that DP, but got them the next time they were at one of our sites...
    We need to replicate this functionality.
    Can you advise how to do this in SCCM 2012?
    Many thanks

    You are welcome to file a design change request (DCR) on connect.microsoft.com.
    Are these system Win 8.1? If so, then your scenario actually shouldn't be an issue because Win 8.1 can detect metered connections and ConfigMgr client settings can be set so that they do not use metered data connections.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • SCCM 2012 R2 Internet Based client management (ICMB)

    Hi All
    We want to use Internet-based client management in our environment. Can we use the same FQDN for both Internet and intranet? What settings need to be done and which ports need to be open for them? Is it required to put the SUP site system in the DMZ, or can it download updates directly from the Internet by getting policy from the MP?
    Which is the best security practice: putting MP, DP and SUP servers in the DMZ, or opening ports in the firewall? Is there any third way?

    The most important thing is that the Internet FQDN can be resolved from a public DNS (usually you don't want any of your internal names to be that).
    Also, yes your clients can download straight from Microsoft Update, but they would still require access to a SUP to scan for available updates.
    For some more information see the following:
    http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients
    http://www.petervanderwoude.nl/post/five-key-configuration-steps-for-implementing-internet-based-clients-in-configmgr-2012/
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • Looking for best practice white paper on Internet Based Client Management

    Looking for best practice white paper on Internet Based Client Management for SCCM 2012 R2.
    Has anyone implemented this in a medium sized corporate environment? 10k+ workstations.  We have a single primary site, SQL server and 85 DP's. 

    How about the TechNet docs: http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients ?
    Or one of the many blog posts on the subject shown from a web search: http://www.bing.com/search?q=configuration+manager+2012+internet+based+client+management&go=Submit+Query&qs=bs&form=QBRE ?
    Jason | http://blog.configmgrftw.com | @jasonsandys
