How to enable Internet-Based Client Management for existing "intranet" clients

Hello,
Step #1
I have an existing "intranet-only" SCCM 2012 SP1 CU1 environment. It is made of HTTP intranet-only MPs.
All clients properly communicate with one of the intranet MPs.
All clients are leveraging auto-enrollment of our AD PKI and have a working client certificate recognized by the SCCM client.
Step #2
I expanded the above infrastructure to support IBCM clients. Basically I want the existing intranet clients to still be managed when they are outside our network.
I added MP, DP, SUP, FSP on dedicated DMZ servers. They have been published on the Internet, and properly declared in public DNS.
The DMZ MP has been configured for HTTPS / Internet clients only.
When I first tested this setup in my lab, it was working fine, and my "intranet" client moving to the Internet was properly detecting this configuration, and was starting to contact the "DMZ/Internet MP" without any problem.
I did the same on my production environment but this time, my client moving to the "Internet" detects it is connected to the Internet but does not have any clue about the DMZ/Internet MP to contact. According to the logfile, it is trying to check DNS, WINS, etc. but obviously it is already too late: when on the Internet, this information is no longer available.
I guess I did something in my lab environment to make it work but I don't know what. Any idea how to tell existing clients they should use a new "Internet-Only" MP when they are on the Internet?
Regards.

Basically I found my problem...
In my lab, I manually configured the SCCM client option Internet-based management point (FQDN) to use the public DNS address of my Internet/DMZ MP.
If I do the same for my production sample client, it works fine now.
Question: how can I enforce this change on all my existing clients?
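Rolling the fix above out to every existing client, as an added example that is not from the original thread: the script below sets the Internet-based management point FQDN through the client's Microsoft.SMS.Client COM object (the same setting the Internet tab of the Configuration Manager control panel writes; I assume the object exposes GetInternetManagementPointFQDN and SetInternetManagementPointFQDN as community scripts use them), then requests a machine policy refresh through the SMS_Client WMI class. The DMZ MP name is a placeholder. It has to reach clients while they are still on the intranet (for example as a package or script deployed to a device collection), because a client that is already on the Internet with no Internet MP configured cannot receive anything.

```powershell
# Added example, not from the original thread. Sets the Internet-based management
# point FQDN on an existing ConfigMgr client and asks it to refresh machine policy.
# Assumptions: the Microsoft.SMS.Client COM object exposes
# GetInternetManagementPointFQDN/SetInternetManagementPointFQDN, and the
# root\ccm:SMS_Client WMI class exposes TriggerSchedule.
# Run elevated on the client; deploy to a collection while clients are on the intranet.
param(
    # Public DNS name of the DMZ/Internet MP. Placeholder value, replace with yours.
    [Parameter(Mandatory = $true)]
    [string]$InternetMpFqdn
)

# Only accept a plain DNS name: the value is written to client configuration as-is,
# and a stray URL, space or port would leave the client with an unusable Internet MP.
$fqdnPattern = '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
if ($InternetMpFqdn -notmatch $fqdnPattern) {
    throw "'$InternetMpFqdn' is not a valid FQDN; refusing to change the client."
}

$client = New-Object -ComObject 'Microsoft.SMS.Client'

# Idempotent: skip clients that already point at the right MP, so re-running the
# deployment does not churn every client each time.
$current = $client.GetInternetManagementPointFQDN()
if ($current -and ($current -ieq $InternetMpFqdn)) {
    Write-Output "Internet MP already set to $current; nothing to do."
    return
}

Write-Output "Changing Internet MP from '$current' to '$InternetMpFqdn'."
$client.SetInternetManagementPointFQDN($InternetMpFqdn)

# Read the value back rather than trusting that the call succeeded silently.
$after = $client.GetInternetManagementPointFQDN()
if ($after -ine $InternetMpFqdn) {
    throw "Client still reports Internet MP '$after' after the change."
}

# Schedule ID 21 is "Request Machine Policy"; triggering it makes the client
# re-evaluate its location and MP list now instead of at the next polling interval.
$null = Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
    -ArgumentList '{00000000-0000-0000-0000-000000000021}' -ErrorAction Stop

Write-Output "Internet MP set to $after; machine policy refresh requested."
```

If the client is being reinstalled anyway, the documented client installation property CCMHOSTNAME (for example `ccmsetup.exe CCMHOSTNAME=<public FQDN of the DMZ MP>`) sets the same value at install time. After the change, ClientLocation.log and LocationServices.log on the client show whether it detects the Internet and which MP it rotates to.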

Similar Messages

  • Support for Internet based client Management - SCCM 2012

    Hi There,
    My Company wants to go for Internet based client Management in SCCM 2012 SP1 R2 and here is the design I'm proposing. I'm getting a bit confused at one point and need suggestion....
    Everything would work on HTTPS ( PKI Certificate based )... LAN and Internet.
    1 Primary ( with non-client facing roles installed ) on LAN with two site systems.
    - One Site System configured for INTRANET support only with MP, DP and SUP -> To support LAN users ( Allow Intranet-only connections )
    - One Site System configured for INTERNET support only with MP, DP and SUP -> To support Internet users ( Allow Internet-only connections )
    The INTERNET facing site system is in DMZ network connected to parent Primary via Firewall.
    We want internet clients to talk to ONLY DMZ SCCM Site System and no connection to corporate LAN. We cannot open any ports for internet based clients to LAN.
    If this is the supported scenario, then why do we need to put the Internet FQDN in the Primary server Site System property? This server would not be available to the Internet. It should only be my DMZ SCCM server that clients connect to for MP, DP and SUP, and only this DMZ server should be accessible to clients over the Internet.
    Also, what is the minimum set of ports that should be opened between:
    - Parent Primary and its internet facing site system kept in DMZ
    - DMZ Site system and internet clients.
    Thanks in advance for your suggestions.
    Sam

    The FQDN has only to be specified on the Internet facing site system. You can leave this field blank on the primary site Server.
    Ports to Open:
    Internet --> DMZ Site Server:
    TCP Port 443
    TCP Port 80, if Fallback Status Point is installed
    DMZ Site Server --> Primary Site:
    TCP 135, 49152-65535
    TCP 445
    TCP 135, 24158 (fixed with http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx )
    TCP 80, 443
    If you have some other roles installed, please consult this page:
    http://technet.microsoft.com/en-us/library/hh427328.aspx
    Cheers,
    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog | Twitter | LinkedIn | Xing
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
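A way to verify the port list in the answer above from the servers involved, as an added example that is not part of the original answer: the script probes each listed TCP port with Test-NetConnection (built into Windows 8.1 / Server 2012 R2 and later) either from the DMZ site system toward the primary site, or from an outside host toward the DMZ site system. Host names are placeholders. Port 24158 only applies if DCOM was pinned to a fixed port as in the linked article, and the dynamic RPC range 49152-65535 cannot be probed port by port, so only the endpoint mapper on 135 is checked. The optional MP self-test URL (sms_mp/.sms_aut?mplist) is a known ConfigMgr MP check; over HTTPS the MP may require a client certificate, so its status code is reported rather than treated as pass/fail.

```powershell
# Added example, not from the original answer. Checks the TCP ports listed above
# from the DMZ site system toward the primary site, or from an outside host toward
# the DMZ site system. Host names are placeholders.
param(
    [string]$PrimarySite = 'primary.corp.example',   # placeholder internal name
    [string]$DmzSiteSystem = 'dmzmp.example.com',     # placeholder public DNS name
    [switch]$FromInternet,                           # set when running from outside
    [switch]$FspInstalled                            # FSP traffic is HTTP on 80
)

function Test-TcpPorts {
    param([string]$Target, [int[]]$Ports)
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $p; Open = [bool]$r.TcpTestSucceeded }
    }
}

if ($FromInternet) {
    # Internet -> DMZ site system: 443 always, 80 only when the FSP is installed.
    $ports = @(443)
    if ($FspInstalled) { $ports += 80 }
    $results = Test-TcpPorts -Target $DmzSiteSystem -Ports $ports

    # MP self-test page; report the HTTP status, do not fail on it (client cert may be required).
    $url = "https://$DmzSiteSystem/sms_mp/.sms_aut?mplist"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
        Write-Output "MPLIST check: HTTP $($resp.StatusCode) from $url"
    } catch {
        Write-Output "MPLIST check: $url failed: $($_.Exception.Message)"
    }
} else {
    # DMZ site system -> primary site. 24158 is the fixed DCOM port from the thread;
    # the dynamic range 49152-65535 is not probed, only the endpoint mapper on 135.
    $results = Test-TcpPorts -Target $PrimarySite -Ports @(135, 445, 24158, 80, 443)
}

$results | Format-Table -AutoSize
$closed = @($results | Where-Object { -not $_.Open })
if ($closed.Count -gt 0) {
    Write-Warning ('Blocked: ' + (($closed | ForEach-Object { "$($_.Target):$($_.Port)" }) -join ', '))
    exit 1
}
Write-Output 'All listed ports reachable.'
```

Run it once on the DMZ site system without -FromInternet, and once from a machine outside the network with -FromInternet (adding -FspInstalled if the fallback status point is there); anything reported as blocked is a firewall rule still to be opened, and nothing beyond the listed ports needs to be reachable from the Internet.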

  • Quick recovery image for internet based clients

    Hello all,
    Imaging of internet based clients is not supported with SCCM, but is there any other (Microsoft) way to quickly recover to a standard image for internet based clients (we use MS Surface for our sales reps)? For example, putting a standard image on a separate partition with which you can instruct users by phone to redeploy their machine to an original configuration? I do not think that DaRT will solve my issue by the way.

    I haven't implemented this myself. I just thought it was a cool idea. It's primarily designed to solve this problem with very small branch offices using Direct Access. You should contact 1E for more information, e.g. the step: "Prestage content using Nomad".
    Where is the content coming from? Remember that this is designed for a small office so Nomad could be using peer-to-peer distribution here. Also, with Nomad, you could run that step outside the OSD task sequence so that the content will already be available (by downloading slowly over time) when and if required.
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

  • Is adjusting permissions for LightRoom based archive management worthwhile?

    I'm trying to set up an archive that is managed through a LightRoom Catalog. I was wondering if anyone has done this before and adjusted the permissions of their files to read only to ensure that LightRoom Catalog metadata changes do not alter or get saved to files.
    I plan to have the archive set up in 3 locations with copies of the LightRoom Catalog. I will need to be able to add keywords and collections to a catalog at 2 of the locations. I am interested in using permissions to ensure that the catalog is the only file that needs to travel between the locations. I don't want to get into a situation in which altering the LightRoom Catalog might alter files and necessitate that I either save new metadata to files with each keyword/collection addition or that I regularly synchronize the entire archive to ensure all 3 copies of the archive are mirrors of one another.
    I have three serious concerns about the long-term viability of managing file permissions:
    1. I worry that it will be difficult to manage the user/s who have the privileges to manage these permissions and that it will be difficult to do so in different locations and on different computers
    2. I worry about whether permissions management might introduce some form of file corruption
    3. I worry about the time involved in altering an entire archive's worth of permissions to read only and the time involved in reversing this every time I want to unarchive content for new projects
    I have also posted this question to Luminous Landscape here: Adjusting Permissions for LightRoom Catalog Based Archive Management. Worthwhile?

    ... and adjusted the permissions of their files to read only to ensure that LightRoom Catalog metadata changes do not alter or get saved to files.
    By default, Lightroom does not write anything to your photo files. Of course, there's no way to prevent a user from changing this default behavior and writing information to the files. I suppose making the directories read-only helps, but people could still change that. If the directories are on a server, then only the server admin could change the permissions.
    2. I worry about whether permissions management might introduce some form of file corruption
    I never heard of such a thing, but this is an operating system issue, not a Lightroom issue.
    I worry about the time involved in altering an entire archive's worth of permissions to read only and the time involved in reversing this every time I want to unarchive content for new projects
    I don't think you understand how Lightroom works. There would be no need to reverse anything to "unarchive" the content  — although in my opinion, the idea of "archiving" content in the first place doesn't feel right ... if the photos are imported into Lightroom at one time, leave them in Lightroom, don't go through an archive process removing the photos from Lightroom followed by unarchive process, that is something that is ineffective and causes numerous problems with non-expert users. When you import photos into Lightroom, the photos still remain on your hard disk somewhere, Lightroom does not actually keep a copy of the photo. Lightroom keeps pointers to the photo's locations and stores any metadata and edits. Removing a photo from Lightroom (archiving) is the equivalent of deleting the metadata and edits, and I cannot see a reason to do that.
    So, bottom line, to answer your title question, "Is adjusting permissions for Lightroom based archive management worthwhile?" — without further discussion of your setup and goals, I see no reason to even spend your time on this, unless you are the server admin of the location where the photos are stored, in which case then the answer is go right ahead and make them read-only.

  • Manage System Center Endpoint Protection (SCEP) policies for Internet-based clients

    Hi,
    I've recently changed my SCCM configuration in order to allow internet-based clients registered in our domain to communicate with our primary site server. The objectives were to let us manage the SCEP policies of these clients and receive alerts when they're infected even when they are on the road, so not connected to the local network.
    Now, everything seems to be in place: PKI certificates for server and client, the DNS is configured, firewall routes too... but I still cannot update the policies of my client when it's not connected to the local network.
    I'm able to reach my primary site from my client when connected outside the network, but the policies won't update until I connect to the local network.
    Is it actually possible to manage the policies and receive alerts from internet-based clients like I'm trying to do?
    Thank you very much for your help

    It's going to come down to log checking at this point to find where the failure is happening or the connection is not happening.
    Initiate a machine policy refresh and watch the two logs noted above.
    CAS.log may also be helpful as well as locationservices.log and clientlocation.log.
    Try deploying an app as well and watch the logs.
    Also, if the client is not properly getting policy, there's no way for it to know that you disabled client CRL checking on the site.
    Jason | http://blog.configmgrftw.com
    Ok so now I see an error in clientlocation.log that might be the cause of my problem.
    [Domain joined client is in Internet]
    [Rotating internet management point, new management point is : SERVER.DOMAIN.COM ...
    [Unable to retrieve AD forest + domain membership] <- Pretty sure this is related to my issue
    I guess it's because my AD schema is not extended, is that right?
    EDIT: I thought this was the issue, but the AD schema seems to be extended already. Any idea of what could cause this error?
    EDIT: Do I need to open ports in order for my client to be able to reach the AD or something? I thought that was the MP's job once we granted him full control access on the AD. Am I wrong?
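The lines quoted in this thread come from the client's CMTrace-format logs (ClientLocation.log, LocationServices.log). As an added example that is not from the thread, the functions below parse that format and flag the three markers quoted above (Internet detected, MP rotation, AD lookup failure), so the same check can be run across many clients instead of opening each log by hand. The sample lines are constructed, with the server name replaced by a placeholder; the log path in the trailing comment is the default client log folder.

```powershell
# Added example, not from the thread. Parses CMTrace-format ConfigMgr client logs
# and reports the internet-detection markers quoted above. Sample lines are
# constructed; the management point name is a placeholder.
function ConvertFrom-CmTraceLog {
    param([Parameter(Mandatory = $true)][string]$Text)
    # One CMTrace record: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<comp>[^"]*)"[^>]*type="(?<type>\d)"'
    foreach ($m in [regex]::Matches($Text, $pattern, 'Singleline')) {
        [pscustomobject]@{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Type      = [int]$m.Groups['type'].Value   # CMTrace: 1 info, 2 warning, 3 error
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Get-IbcmLocationState {
    param([Parameter(Mandatory = $true)][object[]]$Entries)
    $onInternet = $Entries | Where-Object { $_.Message -like 'Domain joined client is in Internet*' }
    $rotate     = $Entries | Where-Object { $_.Message -like 'Rotating internet management point*' }
    $adFailure  = $Entries | Where-Object { $_.Message -like 'Unable to retrieve AD forest*' }

    # Take the MP name from the most recent rotation message, if any.
    $mp = $null
    if ($rotate) {
        $last = @($rotate)[-1].Message
        if ($last -match 'new management point is\s*:\s*(?<mp>\S+)') { $mp = $Matches['mp'] }
    }

    [pscustomobject]@{
        DetectedInternet = [bool]$onInternet
        InternetMP       = $mp
        AdLookupFailed   = [bool]$adFailure
        ErrorCount       = @($Entries | Where-Object { $_.Type -eq 3 }).Count
    }
}

# Constructed sample mirroring the three lines quoted in the post (placeholder MP name).
$sample = @'
<![LOG[Domain joined client is in Internet]LOG]!><time="09:12:03.101+000" date="06-12-2013" component="ClientLocation" context="" type="1" thread="3124" file="lsad.cpp:100">
<![LOG[Rotating internet management point, new management point is : SERVER.DOMAIN.COM]LOG]!><time="09:12:03.120+000" date="06-12-2013" component="ClientLocation" context="" type="1" thread="3124" file="lsad.cpp:200">
<![LOG[Unable to retrieve AD forest + domain membership]LOG]!><time="09:12:03.140+000" date="06-12-2013" component="ClientLocation" context="" type="3" thread="3124" file="lsad.cpp:300">
'@

$entries = ConvertFrom-CmTraceLog -Text $sample
Get-IbcmLocationState -Entries $entries

# On a real client, read the live log instead of the sample:
# $entries = ConvertFrom-CmTraceLog -Text (Get-Content "$env:windir\CCM\Logs\ClientLocation.log" -Raw)
```

On the constructed sample the result is DetectedInternet true, InternetMP SERVER.DOMAIN.COM, AdLookupFailed true and one error-level record, which is the state the post describes: the client knows it is on the Internet and which MP to use, and the AD membership lookup is the only failing step.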

  • Is Intune a feasible solution for Internet-Based Client Management?

    Our organization is looking at implementing SCCM 2012, with a key requirement being that we need to be able to manage Windows updates to clients off site. My understanding is that we must have a PKI in place to do this. However, our environment is complex enough that PKI may not be an option.
    My question is, would leveraging Intune and SCCM 2012 be a possible solution? I understand Intune is geared towards MDM, but I'm trying to figure out if we could "assign" off-site clients to SCCM via Intune and manage Windows updates like we do with on-site clients.
    I apologize ahead of time if this question has already been answered, but I'd appreciate any insight you all have. Thanks.

    No, unfortunately you can't do that. Computers are handled differently than mobile devices in the Unified Solution of ConfigMgr and Intune.
    Mobile Devices - enrolled with Intune and managed via ConfigMgr (must set the Mobile Device Authority to ConfigMgr).
    Computers - they can have an Intune client OR a ConfigMgr client. They cannot have both. Therefore if you enrol a computer with Intune you cannot manage it with ConfigMgr.
    Are these remote computers domain joined? Have you considered Direct Access as a possible solution? It's straightforward to implement.
    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

  • How to enable downloading of an Attached File at the Client End

    Hi
    In the process of enabling File Attachment in my Email Service (using Servlets), I have been able to upload the file chosen for attachment.
    Now I am facing the following 3 problems :-
    1. How to enable the client to download his file from his browser?
    2. How to provide the feature of uploading multiple files, as till now I have been able to upload only a single file?
    3. I don't want the files to be uploaded as soon as I press upload. Instead I want all files to be collected in a list box and then be uploaded together when I press Attach.
    If anybody has any information, then please send that ASAP.
    Thanks

    go there
    http://forum.java.sun.com/thread.jsp?forum=45&thread=155600

  • How to Enable USB Internet Dongles and only Block USB storage device from Group Policy

    Hi ,
    I have a very urgent requirement. Is there a way to disable USB and only enable the Internet dongle using Group Policy?
    Regards,
    Schan.

    Hi,
    Checkout the below link for restricting the access for USB devices using Group Policy,
    http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Control-USB-Devices-Group-Policy.html
    Checkout the below thread on similar discussion,
    http://social.technet.microsoft.com/Forums/en-US/89c8a8f0-da98-4cc9-8044-1e457e26840e/how-to-disable-usb-internet-dongle-datacard-from-group-policy-server-2008-r2?forum=winserverGP
    Regards,
    Gopi
    www.jijitechnologies.com

  • How to design a web-based leave management application using JSF and Spring

    I'm a beginner with Spring and JSF technology. I have a requirement to design a web-based leave management module using JSF and Spring. I'm confused in the design phase itself and do not clearly know how to classify the classes. I need to understand clearly how to do class design, and I want to use MVC design patterns. As I know, JSF itself is MVC, but as I want to use Spring, I need to have some kind of model files and bean files.
    I'm clear about the following 3 classes.
    Applicant
    Approver
    Leave
    This will work like this: the applicant will apply for leave, and the approver, when he logs in, will see the list of applied leaves and approve / reject them by selecting one or more rows from the datatable.
    Please guide me on designing this or give me some link where I can read about designing Java classes for web-based applications.
    Thanks for your time and help.

    Please guide me on designing this or give me some link where I can read about designing Java classes for web-based applications.
    Sure:
    http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/

  • Ideas for text based budget management and software

    I'm looking for suggestions for text-based software or just basic scripts for tracking expenses.
    For the last six months I've been recording my purchases in text files, one file for each month.
    An entry looks like this:
    01/01/2013,Schnucks,banana, groceries,1.00,cash
    It works pretty well for recording info, no alternative system could be much faster than just adding a line to a text file.
    Now that I've been recording data for about 6 months, I'm more interested in parsing through it to see what I'm spending in each month and in various categories. At the moment, I just run the files through grep and awk to get what I want. I'm contemplating writing a python program to let me filter and calculate totals and do whatever else comes to mind: importing credit card statements, generating graphs, etc. But at that point, I feel like I'm probably just re-inventing the wheel.
    Does anybody want to share how they are handling a similar case?
    I'm ok with changing my entry format, but I'm pretty attached to handling things as text files. I don't need anything more complex if it adds to the overhead of creating an entry.

    Hey, I've been doing something very similar!
    Except it also measures income, so I can know how much I have made/spent this month, week, etc.
    I don't have it at hand atm, but I use : to separate the fields, and use slashes to escape it (like \:)
    Yes, that is a DSV file.
    I haven't dedicated time to work on it lately, but I was writing a perl script to do the calculations.
    One idea I have is to create an additional file for a list of expense names, like this:
    milk-z:Milk brand Z:milk
    milk-y:Milk brand Y:milk
    The first field is a unique code for the product, the second field a description, and the third field a category.
    That way I could see how much I have spent on milk, no matter the brand.
    On the expenses file, an expense would be similar to this:
    2012-12-20:expense:milk-z:5.0
    The first field has the date, in the format YYYY-MM-DD; that order is important to be able to sort the file if necessary.
    The second field has "expense"; it could be "income" if it was an income.
    The third field is the product code; if it's something I don't buy regularly, it could be only a name (like "new led tv" or something); if it is an income, the reason behind the income.
    And the fourth field is just the amount of money.
    Oh, I think I'll dedicate some time to the project again

  • How to enable a component based on a command button

    Hi, I'm looking for the options to enable and disable an "af:showDetailItem" component based on selection of an "af:selectBooleanCheckbox" component. Thanks for your help.
    ganesh

    Write a changeListener for the checkbox and in it set the property you want for your showDetail item.
    More on working with backing beans and code here:
    http://blogs.oracle.com/shay/2010/03/working_with_backing_beans_in.html

  • How to enable multiple users logging in to the same client machine?

    Hi,
    We have our home directories shared from the server (using AFP) and this allows our users to log in to any machine via the normal console login.
    But if you try to remotely login to a machine with ssh, and another user is already logged in at the machine, then you get the error message:
    Could not chdir to home directory /Network/Servers/machinename/Users/keith: No such file or directory
    I can connect via ssh only if no user is logged in at the console. If I connect with ssh when no users are logged in, and then a user logs in at the console, then this unmounts the home directory for the ssh user.
    I have read about the mnthome command, and if I try running this (from my ssh login whilst there is a console login) then I get the error message:
    Error: Mount failed with error 1 Operation not permitted
    I'm assuming that multiple ssh logins must be allowed somehow? Can you only do this if you share your home directories with NFS (in this case, I understand that all home directories always appear mounted on each client)???
    Any help appreciated,
    Keith
    Server and all clients running 10.4.3
    iBook & PowerMac G5, Mac OS X (10.4.3)

    Thanks for the info. I really thought that this would be a fixable problem. I also thought that it might work when two different users both logged in using ssh only (i.e. when there is no console login). But this also causes problems for the second ssh login.
    What practical work-arounds have people tried? The respondent to your other post (linked to above) suggested that NFS sharing might work, only that ssh logins still don't mount the home directory. Is this the case?
    Thanks for the speedy answer.
    Keith

  • Dynamic Action - How to enable  text field based on a condition

    Hi,
    I have two text items. Need to create dynamic action for the following,
    1. Order_type - Drop down values having CONSUMER & WHOLESALE.
    2. Order_number- Text field
    Order number should be disabled, and only on selection of order type should order number be enabled.
    Can someone please help me on this?

    Hi Gayathri,
    Gayathri Venugopal wrote:
    Hi,
    I have two text items. Need to create dynamic action for the following,
    1. Order_type - Drop down values having CONSUMER & WHOLESALE.
    2. Order_number- Text field
    Order number should be disabled, and only on selection of order type should order number be enabled.
    Can someone please help me on this?
    Create two dynamic actions:
    1. Make it order number item disable on page load.
       Event : Page Load
       Action : Disable
       Fire When event result is : True
       Selection Type : Item
       Item : Your order number item
    2. Enable and disable order number on selection of order type (assuming that when order type is null it is disabled, otherwise it is enabled)
        Event : Change
        Selection type : item
        Item : your order type item
        condition : is not null
    True Action
        Action : Enable
        Fire When event result is : True
        Fire on page load : True
        Selection Type : Item
        Item : Your order number item
    False Action
        Action : Disable
        Fire When event result is : False
        Fire on page load : True
        Selection Type : Item
        Item : Your order number item
    Hope this helps you,
    Regards,
    Jitendra

  • How to configure for Internet access from USB EV-DO wireless broadband stick

    I have a WRT120N and I installed it in my office, which has three computers (wired) that I've connected to the WRT120N. They all can communicate with one another. What I need to do is share the EV-DO connection (USB stick) I have on one of these computers with the others and also with the devices that connect over Wi-Fi.
    Thank you!
    Nahom

    Are you trying to share the Internet connection using EV-DO and WRT120N?

  • How to look for bundle based on its content (actions)?

    Hello,
    I want to have a list of all bundles that use a specific system variable, for example ${NSSREPO}.
    Is it possible to make an SQL query to do it, or do you know a way to get such a list?
    I do not want to export all bundles on XML files and then look for the string.
    Thanks in advance.

    micgra,
    It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://www.novell.com/support and search the knowledgebase and/or check all the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Forums Team
    http://forums.novell.com
