IBCM Certificates

I'm a little confused about the certs required in order to accomplish IBCM. So far I have:
-ConfigMgr Web Server Certificate (on server and in IIS Default Web Site)
-ConfigMgr Client Distribution Point Certificate (on server)
-ConfigMgr Client Certificate (on server)
My question is, when I'm installing the client on a workgroup or internet-based computer, which cert should be on the computer (and maybe in which store)? I had followed a couple of different guides and tried to piece together exactly what to do, but when I copy a file to the computer and import it, it sticks it in the User Personal Certificate store, not the computer's, so maybe that is part of the problem.
I did also find a guide that had me export the complete chain (Root CA > Intermediate > Server Cert) and I tried installing that on the computer as well, but still no go when I run this:
ccmsetup.exe  CCMHOSTNAME=myinternetmp.myaddress.com SMSSIGNCERT=<probably_wrong_one> SMSSITECODE=XYZ CCMALWAYSINF=1
I'm not the PKI expert (we actually don't even have one, so I guess by default it's now me...) so this is all a bit much for me.
Can anyone offer any guidance?

You need to install the client certificate ("ConfigMgr Client Certificate (on server)") on the computer and put the certificate into the Personal store of the computer certificate store. This is used for authenticating the MP.
In the meantime, the site server signing certificate is not stored in the certificate store on clients; instead, it is stored in a protected area of the registry. This certificate is used for signing the policies from the site server. If you do not specify SMSSIGNCERT, the client can get the cert from the MP or AD.
Install the IBCM client.
http://technet.microsoft.com/en-us/library/gg712298.aspx
Deploying the Client Certificate for Windows Computers
http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012
Juke Chou
TechNet Community Support
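Checking which store the client certificate actually landed in, as an added PowerShell example that is not part of the original thread or of Microsoft's documentation. It assumes the client certificate was exported as a PFX at a placeholder path, uses the standard Client Authentication EKU OID 1.3.6.1.5.5.7.3.2, and relies on the Import-PfxCertificate cmdlet from the Windows PKI module (Windows 8 / Server 2012 and later).

```powershell
# Added example (not from the thread): find a ConfigMgr client-authentication
# certificate, warn if it sits in the user store, import it into the computer
# Personal store if missing, and verify that it chains to a trusted root.
# The PFX path is a placeholder.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # standard id-kp-clientAuth OID

function Test-HasClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthEku) { return $true }
            }
        }
    }
    return $false
}

function Get-ClientAuthCert {
    param([string]$StorePath)
    Get-ChildItem -Path $StorePath -ErrorAction SilentlyContinue |
        Where-Object { $_.HasPrivateKey -and (Test-HasClientAuthEku -Cert $_) }
}

# 1. The poster's symptom: the import landed in the *user* store, which the
#    SMS Agent Host service (running as Local System) never reads.
$userCerts = Get-ClientAuthCert -StorePath 'Cert:\CurrentUser\My'
if ($userCerts) {
    Write-Warning 'Client-auth certificate(s) found in CurrentUser\My; the ConfigMgr client will not see them:'
    $userCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize
}

# 2. The computer Personal store is the one the client uses.
$machineCerts = @(Get-ClientAuthCert -StorePath 'Cert:\LocalMachine\My')
if ($machineCerts.Count -eq 0) {
    $pfxPath     = 'C:\certs\client.pfx'                       # placeholder path
    $pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
    # Import-PfxCertificate targets the computer store explicitly, unlike a
    # double-click import that runs in the logged-on user's context.
    $machineCerts = @(Import-PfxCertificate -FilePath $pfxPath -Password $pfxPassword `
                        -CertStoreLocation 'Cert:\LocalMachine\My')
}

# 3. Build the chain with online revocation checking, so an unreachable CRL
#    shows up here rather than as a silent client registration failure.
foreach ($cert in $machineCerts) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($cert)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Expires    = $cert.NotAfter
        ChainOk    = $ok
        Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

Run it in an elevated PowerShell session on the client. A ChainOk of False with a Status such as RevocationStatusUnknown or OfflineRevocation means the certificate itself is fine but its CRL is not reachable from where the machine sits, which is a separate problem from the wrong-store one.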

Similar Messages

  • SCCM 2012 R2 IBCM - Certificates

    Hi all,
    I am trying to get internet based client management working but struggling with a few things.
    Here's what I have achieved so far:
    Single AD, Single Forest (2008 R2)
    1 x Primary Server (primary.contoso.com)
    2 x Distribution Points (newark.contoso.com & boston.contoso.com)
    1 x IBCM Server (ibcm.contoso.com)
    1 x Enterprise Certificate Server
    Domain name created with external DNS provider (sccmagent.contoso.com)
    Firewall NAT Rule forwards port 443 from sccmagent.contoso.com to ibcm.contoso.com
    Firewall Access Rule allows port 443 inbound from any WAN to LAN ibcm.contoso.com
    ==========
    There are no domain controllers within the DMZ and due to various internal issues, DMZ will not be used for this solution.  Therefore the IBCM server has been installed directly onto the LAN and will be secured with a SonicWall firewall (Microsoft's third best practice option).
    Certificates have been created and deployed.  Client agents have the certificates already installed and display PKI infrastructure.  The network settings tab on the agent have been updated to include the external FQDN of the IBCM server (sccmagent.contoso.com).
    Primary sites components all look to be in good health, management point and distribution point roles for IBCM look good.
    My problem is that when I take my test laptop home and connect to the internet, I do not believe it's communicating with the IBCM server.  I've checked the port 443 is open which it is.  When I visit
    https://sccmagent.contoso.com//sms_mp/.sms_aut?mplist
    I get the following error page:
    "The site's security certificate is not trusted!  You attempted to reach sccmagent.contoso.com, but the server presented a certificate issued by an entity that is not trusted by your computer's operating system."
    Every guide I have read tells me that I have done everything correctly, so what am I missing?  The certificates I created were all set to ibcm.contoso.com as the guides suggest and not sccmagent.contoso.com
    Thanks!!!!!

    Sorry, I'm afraid the above solution didn't work.
    Certificate was changed to the internet FQDN but I'm still unable to manage or deploy anything to the client.  However, now when I browse to the URL mentioned above the cert error is gone, but I do get a 403 forbidden message.  I think this is ok though?
    Here's a few things I have noticed
    primary server
    site server > monitoring > system status > component status > sms_mp_control manager (ibcm.contoso.com)
    mp control manager detected dmp proxy is not responding to http requests
    This was working about two hours ago and no changes have been made since (I wasn't even at work lol)
    internet client machine
    clientlocation.log
    domain joined client is in internet
    current internet management point is the only internet management point
    locationservices.log
    4 internet mp errors in the last 10 minutes
    ccmmessaging.log
    post to https://sccmagent.contoso.com/ccm_system/request, port=443..........ERROR_WINHTTP_SECURE_FAILURE
    I have tried turning off crlchecking on the site server as someone suggested in another forum, but made no difference.  They also said to edit some registry keys so the client thinks it was installed with the /nocrlcheck switch...again, no difference.

  • SCCM 2012 IBCM and client certificate

    Hi all, I need to answer a question about an IBCM SSL Bridging configuration.
    If I am using more than one site server for each role, do I have to have a public DNS entry for each one of them (my guess is yes)?
    And, if I have more than one site server used and published on public DNS, does my client certificate require a SAN for each one of them? Or is only the MP necessary, and will it give all the required information to my clients so that they are able to connect to the site server for each required role?
    I am trying to understand a bit more how SSL Bridging works.
    The planned architecture is that all roles would be on different servers, and that each one of them will be accessible from the internet. I am still trying to understand how the client will get the external FQDN for each role.
    There doesn't seem to be much documentation about using IBCM with many servers out there.
    Thank you!
    Mat

    The client certificate is only used by the client for client authentication, so there is no requirement at all to add a SAN for the site system(s) in there. The web server certificate of the Internet-facing site system is the certificate that requires a SAN for the Internet FQDN and the intranet FQDN. Purely technically speaking, the requirement for both FQDNs is only for a SUP, or for a site system that's being used on the Internet and intranet.
    For more information see also:
    http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude
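The web server certificate check the answer above describes, as an added PowerShell example that is not part of the original thread or of any ConfigMgr tooling. It connects to the Internet-facing site system on 443, reads the SAN DNS names off the certificate it presents, reports whether the Internet and intranet FQDNs are both there, and builds the chain with online revocation checking. The host names are placeholders taken from the earlier post in this thread (sccmagent.contoso.com, ibcm.contoso.com).

```powershell
# Added example (not from the thread): inspect the certificate an Internet-facing
# site system presents on 443 and check its SAN against the FQDNs clients will use.

function Get-RemoteServerCert {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so the raw cert is visible;
        # trust is evaluated separately in Test-SiteSystemCert.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        # Copy the certificate: SslStream disposes its own handle with the stream.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $san) { return @() }
    # Format($false) yields text such as "DNS Name=ibcm.contoso.com, DNS Name=sccmagent.contoso.com"
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-SiteSystemCert {
    param([string]$InternetFqdn, [string]$IntranetFqdn)
    $cert  = Get-RemoteServerCert -HostName $InternetFqdn
    $names = @(Get-SanDnsNames -Cert $cert)

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        SanDnsNames     = $names -join ', '
        HasInternetFqdn = $names -contains $InternetFqdn   # -contains is case-insensitive
        HasIntranetFqdn = $names -contains $IntranetFqdn
        ChainTrusted    = $trusted
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Placeholder names from this thread; substitute your own.
Test-SiteSystemCert -InternetFqdn 'sccmagent.contoso.com' -IntranetFqdn 'ibcm.contoso.com' | Format-List
```

Run it from a machine outside the corporate network: HasInternetFqdn False reproduces the "certificate issued by an entity that is not trusted" / name mismatch seen earlier in this thread, while ChainTrusted False with a status of UntrustedRoot or PartialChain means the issuing CA is not trusted on the testing machine rather than the name being wrong.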

  • WildCard Certificate for IBCM - SCCM 2012

    Hi,
    I have a Primary Site at the DataCenter. There are 2 MP's installed there.
    One MP I would like to publish using ISA/TMG for Internet Based Client Management. Can I use a wild card certificate on ISA Server for the same? The MP would have Local Cert in IIS.
    Does SCCM 2012 support wild card certificate?

    My assumption was that you had purchased a wildcard cert and thus were purchasing your certs as you made no mention of an internal PKI.
    What happens at your ISA box is between the client OS and ISA and really has nothing to do with ConfigMgr. So, although I haven't tried it, it should work. If you have an internal PKI though, why aren't you just issuing a non-wildcard cert to the ISA?
    Jason | http://blog.configmgrftw.com

  • IBCM on non domain computers - Client Cert: None

    I have IBCM up and running for my domain joined computers, but I have problems with our DMZ and workgroup computers. I have imported the client certificate with the computer name in the subject and SAN, I imported the root and sub cert into the local store and the client actually installs. But it seems like there is no real communication.  When checking in the control panel, one thing that sticks out is "Client Cert: None" on the first tab. I'm lost.

    "I have imported the client certificate with the computer name in the subject and SAN"
    What exactly does this mean? Where did you get this cert from? Why are you using a SAN for the client auth cert? Is this even a client auth cert? Is it unique to this client?
    Also, posting single lines from a log file is useless and meaningless. Log files are about context and flow, which are completely lost when you post a single line. Additionally, single lines rarely contain the actual issue and just reflect what happened previously, which cannot be discerned without the lines before and after it. Thus, please post the entire relevant and unedited snippet of the log files requested by Nash showing the problem areas.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • A client is trying to re-register with an administrator revoked certificate

    HI All,
    I have an Azure-based server that will not register correctly in SCCM 2012. It is our IBCM server and has been working OK, but our 3rd party support team tried to uninstall the client on this server and 5 other DP's (I have fixed those and the clients have PKI certificates) but also to uninstall the roles, which has been unsuccessful, and now the site server and component server roles are still installed.
    I am unable to install the SCCM client successfully and the certificate says "None" rather than PKI, which all my other servers have installed. I have tried the suggestions from
    https://social.technet.microsoft.com/Forums/en-US/48d496ee-4869-4cef-8cd0-9dcab843e373/sccm-2012-r2-client-on-distribution-point-doesnt-complete-registration-solved?forum=configmanagerdeployment
    and also from
    https://social.technet.microsoft.com/Forums/systemcenter/en-US/08119f92-fba7-43b1-bdb1-1b4d72963ff7/sccm-clients-registration-rejected-by-management-point
    which involved the following sequence:
    1) uninstall the client agent ccmsetup /uninstall
    2) remove the entries of CCMsetup and SMS from registry HKLM
    3) remove the Config mgr cert from computer personal store
    4) remove the smscfg.ini from windows folder
    5) restart the machine
    Installation process
    wait for the client pc to auto enroll config mgr client cert from CA
    reinstall the client
    The client registration successfully went through. I suspect it is because the client, no matter how many times you reinstall it, tries to use the old GUID to register with the MP without even knowing that the client has been marked as obsolete in the SCCM primary site server.
    If you restart and perform the above steps it will flush the cache and try to register with an MP and get the new GUID from the MP, and then it successfully registers.
    So at the moment my IBCM server is not working and I cannot get the client installed
    MP_Registration.log is below, all other clients get installed OK.
    Processing Registration request from Client 'GUID:8EC3C75A-AA8D-4421-8725-446FF891EF02'    MP_RegistrationManager    11/13/2014 5:13:27 AM    10172 (0x27BC)
    Begin validation of Certificate [Thumbprint AF0D7B12263DC9EF764750519884992CAA53FBE0] issued to 'SMS'    MP_RegistrationManager    11/13/2014 5:13:27 AM    10172 (0x27BC)
    Completed validation of Certificate [Thumbprint AF0D7B12263DC9EF764750519884992CAA53FBE0] issued to 'SMS'    MP_RegistrationManager    11/13/2014 5:13:27 AM    10172 (0x27BC)
    A client is trying to re-register with an administrator revoked certificate: SMSID='GUID:8EC3C75A-AA8D-4421-8725-446FF891EF02'.    MP_RegistrationManager    11/13/2014 5:13:27 AM    10172 (0x27BC)
    Any ideas?? A support call is needed I think…
    many thanks

    Hi Jason,
    Thank you for the response. I called support and it turns out that SCCM was actively revoking certs, so when a new one was created it automatically revoked it for this server for some reason. All other clients on the network installed OK; it was particular to this server, so we had to delete from the DB all revoked certs even though in the SQL view there were no certificates or SMSGUIDs related to the server itself.
    So running
    select * from clientkeydata where isrevoked = '1'
    update clientkeydata set isrevoked = 0 where isrevoked = 1
    resolved the issue and the client installed correctly.
    Hope this helps anyone else who experiences this issue.
    many thanks

  • SCCM Internet Based Client Management Client authentification certificate on untrusted forest

    Hi everybody,
    I'm installing an IBCM server for SCCM 2012 and I'm facing a problem related to the client authentication certificate. My DMZ server is in a different domain from the primary site and there is only a one-way trust between them. I'm not able to push the client authentication certificate using GPO. Is there a way to get that certificate?
    Thanks for your help.
    Guillaume

    First, there's no single client auth cert. Each client must have its own unique client auth cert.
    Next, issuing certs to a system can be done in many different ways including the web portal, AD auto-enrollment, and the command-line. In this case, AD auto-enrollment can work if you've set up cross-forest support in your PKI. That is nothing done by default though and is something you need to configure. You can certainly use one of the other methods however.
    I highly recommend you engage a more knowledgeable PKI resource though because doing PKI right is not easy.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Installing MP,DP and SUP in DMZ for IBCM

    Hi all,
    I would like to start installing the MP, DP and SUP roles in my DMZ to support IBCM. My DMZ is in the same forest but in a different and untrusted domain. The primary site and Enterprise Root Certificate (CA) are in the same domain (intranet). An admin account has been created in the DMZ domain so the above roles can be installed from the primary site server. I am still not too sure how I will install the cert that I created on the root CA that is on the intranet. Do I need to export it from the intranet and import it back on the new site server in the DMZ, or use a different method?
    If the question is too confusing then please give your experience as how you have installed certificate on your site server (DMZ) for IBCM?
    Are you using primary server computer account for installing site roles in DMZ or a user account?
    Do I need to publish site information in DMZ domain as well?
    Thanks

    "My DMZ is in the same forest but in different and untrusted domain"
    This is not possible. By definition, all domains in a forest trust each other -- maybe not directly, but they do trust each other.
    Also, the new system in the DMZ will not be a "site server", it will be a site system (sometimes called a site system server but not usually). This may seem like semantics, but it's very important because "site server" means something very specific which the site system in the DMZ is not.
    Deploying certs in the DMZ can be done in one of many ways. You really should get a PKI smart person involved though because it's not a ConfigMgr task. There are ways to deploy certs cross-domain and cross-forest using group policy auto-enrollment but these take setup and configuration on the PKI side. Alternatively you could use web enrollment on your CA if it is set up and has the proper templates available -- once again, that will take setup and configuration on your PKI. Finally, you could just use the command-line assuming the cert templates are accessible for the system in the other domain.
    For your scenario, you should be able to grant the site server's computer account local admin permissions on the DMZ site system. Don't forget about the FSP which can be very valuable for IBCM but will require an additional site system because it must be left to listen for HTTP traffic.
    Finally, publishing site information to the domain allows clients to locate the MP on the intranet however your clients won't be on the intranet to use location information, so that wouldn't help much. Additionally, clients use global catalog queries to perform their site location so within a forest, there is no need to publish the same information to multiple domains (unless you have multiple sites which you do not).
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • IBCM Migrating existing SCCM 2012 Clients

    Hi,  We have in our current environment 120,000 endpoints configured on a CAS with 3 Primary sites. All the clients are currently set up for SCCM 2012.
    We started a new project to introduce IBCM in the environment and here is the question on the clients: what is needed to set up the existing clients for IBCM, so basically when connected on the "Intranet" they will use infrastructure on the Intranet and when connected to the "Internet" they would use the infrastructure we installed in the DMZ with Public DNS entries etc....
    What I would like to understand is what is needed on the existing clients to configure them to be IBCM aware.
    I've done some testing in my Dev environment and managed to configure client using https and PKI Certs.
    Few questions on this
    New Client Installation parameters
    Currently we have installed all our clients using the following command line "/Service SMSSITECODE=AUTO". I've left out the other parameters, but basically the current clients are not IBCM aware.
    New install command I'm using:  /Service /UsePKICert SMSSITECODE=<SiteCode> CCMHOSTNAME=<FQDN MP>.  With this command line the client gets installed on the Intranet and I can see it does recognize the Certificate; however when I switch over to the internet, checking the control panel applet it's still saying "Client Certificate: Self-signed" ==> Would this not switch to PKI?  To be clear, for my Intranet I don't use https but just http and I would like to keep it that way.
    I've tried using the script I found on TechNet and that does set the Internet MP, but checking the properties of the client it still shows "Client Certificate: Self-signed", even when connected on the Internet.
    Client Migration
    Does it require a re-install of the client so it will be IBCM aware?  We're planning to upgrade our Client to the R2 release in August; would it be sufficient if I then update the ClientPush parameters to include the IBCM specific parameters, and I guess that would work also?
    Thx.

    Hi Jason, thx for the reply and here are some answers to your questions earlier
    Background is R2, but clients are not yet upgraded (SCCM 2012 SP1), they will be upgraded aug-sept time frame, using the built-in upgrade process, obviously after doing our testing :-)
    You said:
    "No, you should not have to do anything for the clients to be Intranet and Internet capable as long as they have properly trusted and valid client auth certs. Note that this includes being able to reach the CRL on an accessible CDP."  
    ==> How is the client then going to find its Internet Management Point?  I know the client gets the MP List every 25 hours; I assume that would include the Internet MP's. Is that the way the client will find the internet MP?
    Checking the logs on 1 client I can see in "ClientLocation.log"
    Client is internet
    Current internet Management point is <empty>
    If I check the control panel applet - "Network", the Internet MP is empty for that particular client.
    I will have full infrastructure available in DMZ, currently doing my testing in DEV environment, have to be creative in faking Intranet/Internet using 2 separate networks
    Follow-up question.
    If I understand you correctly, I don't have to change anything on the installation params that I'm currently using.  This assumes clients have valid certificates and can access CRL.
    thx again for your help appreciated.

  • IBCM weird issue

    Hi, I'm running into a weird/strange issue with our IBCM environment.  I've managed to set up IBCM in our Americas and Europe DMZ (Thx Jason and Wally for helping out on previous posts).  For the Americas all is working fine, I see clients sending inventory/DDR, requesting policy and installing software.
    For our Europe DMZ, the setup completed and the Management point is working (checking mpcontrol.log and site components); however when connected to the "Public Internet" I'm not able to get to
    https://XXX01.XX.com/SMS_MP/.sms_aut?MPLIST.
    My clients in Europe have received the Policies and populated the "Internet Management Point" however when the client is connected to the Internet and try to get Policies I see following error in the client logs
    Post to https://XXX01.XX.com/ccm_system/request failed with 0x87d00231. CcmMessaging 9/11/2014 9:42:19
    OutgoingMessage(Queue='mp_[http]mp_locationmanager', ID={6C9D26A6-D5C4-4CF5-B521-396CE6E64BA1}): Error posting to host 'XXXP01.XX.com' (0x87d00231). CcmMessaging 9/11/2014 9:42:19
    The error 0x87d00231 translates to "Transient error" or network problem.
    Following troubleshooting I've done from Public Internet:
    - The clients have the right machine certificates installed
    - check the MP is accessible from Public Internet, able to resolve the name  ==> OK
    - I'm able to browse to our test page using https  ==> OK
    The odd issue that I have is when I access the MPLIST page from internal network still using https protocol it works ???  I'm kind of lost with this one, any help or suggestions are welcome

    Jason, thx again for providing some advice. One thing I forgot to mention: when I run the MPLIST request from the Americas it does show me the 2 Internal MP's + 1 Extranet MP.  This site is also configured as Fallback site.  If I do the same from Europe the MPLIST only returns the 2 Internal MP's and not the extranet MP.  Is that normal behavior?  When I check my clients in Europe (a few test machines that are on-line) they have received the right policies and the "Internet Management Point" is populated with the right info.

  • [SCCM 2012 R2] - IBCM - Authenticate computers on TMG from another forest

    Hi All,
    There is no article on TechNet that describes client certificate requirements for computers in another forest.
    Scenario:
    We have Domain A [aaa.bbb.ccc] and Domain B [111.222.333] and those domains are in different forest. There is "Forest" trust between forests.
    TMG and the IBCM site server are in Domain A and computers authenticate successfully from the Internet to TMG using SSL client authentication. The problem is computers from Domain B that cannot authenticate to TMG.
    We used old documentation
    https://technet.microsoft.com/en-us/library/cc707697.aspx#AppendixA for SCCM 2007 and ISA without success. I created a certificate for computers in Domain B with custom SAN:upn=<hostname>$@<domain.tld> and TMG still cannot authenticate computers from Domain B.
    Please help.
    Thank you in advance.
    Regards,

    There's no difference -- ConfigMgr does *not* care about forests, domain, or trusts for client authentication and neither does certificate based authentication.
    The certs in use, both the client auth and server auth certs, must of course be trusted by the site systems and the clients and in this case the TMG server -- that's simply how certs work though and has nothing to do with ConfigMgr. Additionally, the CRLs for the certs in use must be accessible to the clients and servers via an accessible CRL DP but that is also simply how certs work.
    For what you've described above, does TMG trust the certs issued to the clients? In other words, does it trust the CA that issued those certs and can it access a CRL for that CA?
    Jason | http://blog.configmgrftw.com | @jasonsandys
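The CRL reachability point made in the reply above, as an added PowerShell example that is not part of the original thread or of any ConfigMgr or TMG tooling. For each client-authentication certificate in the computer Personal store it walks the chain, pulls the HTTP CRL Distribution Point URLs from every certificate in it (the issuing CA's CRL is the one that matters for revocation of the client cert), and reports whether each URL answers from wherever the script is run. The EKU and extension OIDs are the standard ones; the store path is the default client store from earlier in this thread.

```powershell
# Added example (not from the thread): list the CRL Distribution Points behind a
# client-auth certificate and test whether each HTTP CDP can be downloaded.

$ClientAuthEku = '1.3.6.1.5.5.7.3.2'   # standard id-kp-clientAuth OID

function Test-HasClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthEku) { return $true }
            }
        }
    }
    return $false
}

function Get-CdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # cRLDistributionPoints
    if (-not $cdp) { return @() }
    # Format($true) lists entries such as "URL=http://pki.contoso.com/crl/issuing.crl";
    # LDAP CDPs are skipped on purpose: an Internet client cannot reach them anyway.
    [regex]::Matches($cdp.Format($true), 'URL=(http[^\s,]+)') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
}

function Test-CrlReachability {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    $certs = Get-ChildItem -Path $StorePath | Where-Object { Test-HasClientAuthEku -Cert $_ }
    foreach ($cert in $certs) {
        # Build the path without revocation checking; the CDPs are tested explicitly below
        # so that the result shows *which* URL fails instead of a generic RevocationStatusUnknown.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($cert)
        foreach ($element in $chain.ChainElements) {
            foreach ($url in (Get-CdpUrls -Cert $element.Certificate)) {
                try {
                    $resp   = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                    $result = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
                } catch {
                    $result = "FAILED: $($_.Exception.Message)"
                }
                [pscustomobject]@{
                    Certificate = $element.Certificate.Subject
                    CdpUrl      = $url
                    Result      = $result
                }
            }
        }
    }
}

Test-CrlReachability | Format-Table -AutoSize -Wrap
```

Run it once on the LAN and once from an Internet connection: a CDP that resolves only to an internal host name, or sits behind the corporate firewall, will show FAILED in the second run even though every certificate is otherwise valid, and the same URLs are what the TMG or site system must be able to fetch when it validates the client certificate.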

  • IBCM internet and intranet management on the same server

    Could anyone help me see what I am missing? We are trying to test setting up IBCM using the same management point as the intranet clients. We have already successfully implemented PKI for intranet clients because we were bringing in a MacBook Air. We have an external URL coming through a reverse proxy and forwarded to our internal server. I can navigate to
    https://sccmext.domain.com/sms_mp/.sms_aut?MPlist and get 403 access denied. I also get that when I am on prem and navigate to the local server.
    The CcmMessaging.log has errors regarding post to
    https://sccmext.domain.com/ccm_system/request failed with 0x87d00231
    I think this has something to do with certificates... I have a SCCM Web certificate for the internal server hostname and another certificate for the external name coming through the reverse proxy.
    I have the internet FQDN on the site system properties, MP and DP are set to allow internet and intranet based clients...

    Here are some entries before and after that entry above:
    10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
    10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0
    10.7.29.195 GET / - 80 - 10.7.29.82 - 200 0 0 701 0
    10.7.29.195 GET / - 80 - 10.7.29.81 - 200 0 0 701 0
    10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
    10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0
    10.7.29.195 CCM_POST /ccm_system/request - 443 - 10.7.29.9 ccmhttp 403 7 5 1466 15
    10.7.29.195 GET / - 80 - 10.7.29.82 - 200 0 0 701 0
    10.7.29.195 GET / - 80 - 10.7.29.81 - 200 0 0 701 0
    10.7.29.195 GET / - 443 - 10.7.29.81 - 200 0 0 778 0
    10.7.29.195 GET / - 443 - 10.7.29.82 - 200 0 0 778 0
    These are from the IIS log file .195 is the SCCM site server, 81 and 82 are the reverse proxy servers. Sorry if I am not answering questions accurately, this is getting into parts of SCCM I am not familiar with at all.

  • Queries regarding Internet Based Client Management (IBCM) 2012 R2

    Hi All,
    I am trying to work with IBCM, but I have a few queries for which I am not able to get any proper information from the Internet. I would be really thankful if you all can help with your advice.
    1) I will need to publish a host record for the Internet FQDN of the Site system server, which will point to a Public IP on Public DNS.
    - So if I NAT the public IP to the local SCCM server IP on the firewall, will that work, or will I have to give a different Private IP?
    2) Let's say I have a few workgroup machines which will be on the Internet and they won't even come to the office network; in this scenario, how should I proceed?
    a. Will I be able to get a Remote session of the user?
    b. Can I install the SCCM client manually over the internet? If yes, then what information will I need to provide during client installation?
    c. If I use a Public wild card certificate on the server, do I need to purchase Client certificates as well?
    d. If I use an Internal CA certificate on the server, then I will have to install the Client certificate manually on all the workgroup machines, am I right? Can a Public Certificate act as an alternative?
    e. Any other specific port apart from 443 that needs to be open on the firewall?
    3) Is it necessary to put the internet facing Site system server in the DMZ or is it OK to use the same Site System server for Intranet and internet?
    4) Currently I have a Site System fully functional, and set to HTTP & HTTPS communication setting. For IBCM I will be moving MP and DP from HTTP to HTTPS; I want to know whether there will be any issue, or any other aspect that I need to take care of before performing these steps.
    5) Currently my OS deployment, App Deployment & Software Update is working perfectly. Moving MP and DP to Https, will that affect any of the current functionality? Please advise.
    Thanking in advance,
    Regards,
    Ritesh
    Thanks & Regards, Ritesh Hegde, Exchange,BPOS, FOPE, O365.

    1. Yes, the device performing the NAT will forward the traffic to the private IP of the site system. That's the whole point of NAT assuming you've configured it correctly and allowed the traffic to pass.
    2a. No, remote Control does not work for Internet based clients.
    2b. What are your expectations and what does "manually over the Internet" mean? If you are talking about client push, then technically, yes it's possible, although in reality it won't work because almost everything connected on the Internet is behind its own NAT and firewalls that won't allow the traffic to reach the destination. Additionally, if these clients are to be Internet only (which workgroup machines must be), then they must be installed with the CCMALWAYSINF property set to true which is only done when manually installing the client on the system by directly initiating ccmsetup.
    2c. The certs on the clients have nothing to do with certs on the servers. All clients connecting via IBCM require their own, unique client auth cert. If you plan on purchasing these, it will get real expensive, real quick and of course remember that this is a recurring cost.
    2d. How else would you install any certificate? They can't magically appear on the systems particularly since they are workgroup systems.
    2e. 8531 for WSUS and 10123 for client notification.
    3. Using the same internal site system is technically fine, but I doubt your security folks would like that idea.
    4. Site Systems cannot be set to both HTTPS and HTTP. They can only be set to one or the other. Your site can accept both, but the site systems cannot. If you convert your existing/only MP and DP to HTTPS, then *all* of your clients will need their own unique client auth certs.
    5. Only if you don't configure things properly.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • PKI requirments for IBCM Server in DMZ

    Hello,
    I'm looking for an experienced person with PKI certificates and IBCM configuration. As suggested by Microsoft for user policies to work from the Internet, the three scenarios below are supported. We had decided to go with option 2 due to non-availability of an RODC in the DMZ.
    The Internet-based management point is in the perimeter network where a read-only domain controller resides to authenticate the user and an intervening firewall allows Active Directory packets.
    The user account is in Forest A (the intranet) and the Internet-based management point is in Forest B (the perimeter network). Forest B trusts Forest A, and an intervening firewall allows the authentication packets.
    The user account and the Internet-based management point are in Forest A (the intranet). The management point is published to the Internet by using a web proxy server.
    PKI is available in forest A where all our SCCM servers are present. When we tried to use the web server certificate from forest A, the MP installation failed with an error that the certificate is not good for ConfigMgr. I hope someone might have already worked on this and knows what to do with it.
    Since clients are in forest A and the IBCM server is in the DMZ in Forest B, does it require a separate PKI in Forest B also?
    Kind Regards,
    Sreedhar

    Hi
    Have you generated the certificates according to the requirements:
    http://technet.microsoft.com/en-us/library/gg699362.aspx
    Then you have to deploy the root certificate to the trusted root certificate store on the IBCM server.
    Cheers,
    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog
    | LinkedIn:
    | Xing:
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
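    As an added example (not part of Thomas's reply), the following PowerShell check, run on the IBCM site system, shows whether a web server certificate meets the points the thread keeps tripping over: it must sit in the computer Personal store (not the user store), carry a private key and the Server Authentication EKU, name the Internet FQDN, and chain to a root the machine trusts. The FQDN is an assumed value.

    ```powershell
    # Added example, not from the thread. Assumption: the Internet-facing MP name below.
    $InternetFqdn  = 'myinternetmp.myaddress.com'
    $ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU
    $MachineStore  = 'Cert:\LocalMachine\My'  # computer Personal store; IIS/ConfigMgr read this one

    # A cert imported into the user store is invisible to the site system services.
    $strayUserCerts = Get-ChildItem 'Cert:\CurrentUser\My' |
        Where-Object { $_.DnsNameList.Unicode -contains $InternetFqdn }
    if ($strayUserCerts) {
        Write-Warning "Certificate for $InternetFqdn found in the USER store; ConfigMgr needs it in $MachineStore"
    }

    $results = foreach ($cert in Get-ChildItem $MachineStore) {
        $ekus  = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })

        # Build the chain against the machine's trusted roots; an untrusted root
        # (the point raised above) shows up in ChainStatus.
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEKU = ($ekus -contains $ServerAuthOid)
            NamesFqdn     = ($names -contains $InternetFqdn)
            NotExpired    = ($cert.NotAfter -gt (Get-Date))
            ChainTrusted  = $chainOk
            ChainStatus   = if ($status) { $status } else { 'OK' }
        }
    }

    # Only a certificate with every column True is usable as the IBCM web server cert.
    $results | Format-Table -AutoSize
    $usable = $results | Where-Object {
        $_.HasPrivateKey -and $_.ServerAuthEKU -and $_.NamesFqdn -and $_.NotExpired -and $_.ChainTrusted
    }
    if (-not $usable) { Write-Warning "No certificate in $MachineStore satisfies all IBCM web server requirements" }
    ```

    A certificate issued by the forest A CA that fails only on ChainTrusted points at the missing root in the DMZ server's Trusted Root store rather than at the certificate itself.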

  • IBCM Design configuration

    Hi, I've got some design questions around IBCM. We're planning to set up IBCM for a customer in 2 DMZ locations (Americas / Europe). Current thinking would be to have 1 MP and 2x DPs in each of the DMZs. Our existing configuration consists
    of 1 CAS and 3x Primary sites (120,000 endpoints) (SCCM 2010 SP1 CU2); we will be upgrading to R2 next month.
    Here are some questions I have:
    - I know that the MP needs to have a public DNS name; I guess this is also needed for the DPs in the DMZ, otherwise the clients will not be able to connect to these?
    - Do I need to create a new SCCM site for each DMZ, or can the DMZ MPs be joined to the existing site for that region?
    - DP: when installing the DP role, I guess no boundaries can be assigned. When Internet clients request content, the clients will get a list of DPs and will select the HTTP(S)-enabled DPs first vs. HTTP DPs; is that correct?
    - SUP: do I need to install full WSUS, or is the WSUS console sufficient for installing the SUP role? Is there any issue/problem with adding the SUP role alongside the MP or DP? Current thinking is that we will have a maximum of 10,000
    clients globally configured for IBCM, so I don't think there should be any issue from a performance point of view.
    - Clients: currently all our clients are installed as "Intranet" clients. To make them IBCM aware, is it necessary to do a full re-install of the SCCM client and then pass along the MP and cert info, or can this be done with a registry tweak? The client
    certs will be deployed using AD.

    Jason,
    A few follow-up questions to your replies; sorry for the delay on this, but it has been hectic, and now I have some time again to work on this.
    You said the following about the client re-install:
    - Clients: No, you only need to reinstall them if you want to configure them as "Internet only". Other clients will pick up the necessary info from AD and ConfigMgr policy allowing them to switch between Intranet and Internet modes.
    ==> For this to work, obviously the client needs to have the right certificate, which we will deploy using AD/GPOs. What about the management point? I did find a script that allowed me to update the client setting so that the MP field was populated
    with the Internet MP; are you now saying that this is not required? If so, can you explain how my client will find the Internet MP? Our clients will be configured for both Intranet/Internet.
    Last question (for now): our DMZ has its own AD forest, so I will request to have the schema change applied to that forest. Are there any other watch-outs that I should consider? There is a trust relationship between the Extranet forest and the regular
    production forest to which all workstations are also joined. I'm confused with this one about the info that is published in AD.
    Thanks for all the help
