Looking for best practice white paper on Internet Based Client Management

Looking for best practice white paper on Internet Based Client Management for SCCM 2012 R2.
Has anyone implemented this in a medium sized corporate environment? 10k+ workstations.  We have a single primary site, SQL server and 85 DP's. 

How about the TechNet docs: http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients ?
Or one of the many blog posts on the subject shown from a web search: http://www.bing.com/search?q=configuration+manager+2012+internet+based+client+management&go=Submit+Query&qs=bs&form=QBRE ?
Jason | http://blog.configmgrftw.com | @jasonsandys

Similar Messages

  • Looking for best practice on application scope beans

    Hey – a portal newbie here. I’ve got some application scope beans that need to be initialized on startup. First thought was to create a servlet that would set the bean. Then I saw the GlobalApp setting, but I think that looks like it is more session scope than application… Looking to be corrected here if I am wrong.
    Is there a place where these type of things traditionally happen? Read only, so no cluster worries (I think) Using WLP 8.1 SP4 and looking for best practices. Thanks for the help!

  • Looking for best practice on J2EE development environment

    Hi,
    We are starting to develop with J2EE. We are looking for best practice on J2EE development environment. Our concern is mainly on code sharing and deployment.
    Thanks, Charles

    To support "code sharing" you need an integrated source code control system. Several options are out there but CVS (https://www.cvshome.org/) is a nice choice, and it's completely free and it runs on Windows, Linux, and most UNIX variants.
    Your next decision is on IDE and application server. These are usually from a single "source". For instance, you can choose Oracle's JDeveloper and Deploy to Oracle Application Server; or go with free NetBeans IDE and Jakarta Tomcat; or IBM's WebSphere and their application server. Selection of IDE and AppServer will likely result in heated debates.

  • Looking for best practice / installation guide for grid agent for RAC

    I am looking for best practice / installation guide for grid agent for RAC, running on windows server.
    Thanks.

    Please refer :
    MOS note Id : [ID 378037.1] -- How To Install Oracle 10g Grid Agent On RAC
    http://repettas.wordpress.com/2007/10/21/how-to-install-oracle-10g-grid-agent-on-rac/
    Regards
    Rajesh

  • Support for Internet based client Management - SCCM 2012

    Hi There,
    My Company wants to go for Internet based client Management in SCCM 2012 SP1 R2 and here is the design I'm proposing. I'm getting a bit confused at one point and need suggestion....
    Everything would work on HTTPS ( PKI Certificate based )... LAN and Internet.
    1 Primary ( with non-client facing roles installed ) on LAN with two site systems.
    - One Site System configured for INTRANET support only with MP, DP and SUP -> To support LAN users ( Allow Intranet-only connections )
    - One Site System configured for INTERNET support only with MP, DP and SUP -> To support Internet users ( Allow Internet-only connections )
    The INTERNET facing site system is in DMZ network connected to parent Primary via Firewall.
    We want internet clients to talk to ONLY DMZ SCCM Site System and no connection to corporate LAN. We cannot open any ports for internet based clients to LAN.
    If this is the supported scenario, then why do we need to put the Internet FQDN in the Primary server Site System property? This server would not be available to internet. It should only be my DMZ SCCM server that clients connect to for MP, DP and SUP, and only this DMZ server should be accessible to clients over internet.
    Also, what least ports should be opened between :
    - Parent Primary and its internet facing site system kept in DMZ
    - DMZ Site system and internet clients.
    Thanks in advance for your suggestions.
    Sam

    The FQDN has only to be specified on the Internet facing site system. You can leave this field blank on the primary site Server.
    Ports to Open:
    Internet --> DMZ Site Server:
    TCP Port 443
    TCP Port 80, if Fallback Status Point is installed
    DMZ Site Server --> Primary Site:
    TCP 135, 49152-65535
    TCP 445
    TCP 135, 24158 (fixed with http://msdn.microsoft.com/en-us/library/bb219447(v=vs.85).aspx )
    TCP 80, 443
    If you have some other roles installed, please consult this page:
    http://technet.microsoft.com/en-us/library/hh427328.aspx
    Cheers,
    Thomas Kurth
    Netree AG, System Engineer
    Blog: http://netecm.netree.ch/blog
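
A way to check that the firewall actually matches the port list in the reply above, as an added example that is not part of the original posts. The host names are hypothetical placeholders, and treating port 80 as closed when no Fallback Status Point is installed is an assumption drawn from the reply's wording. Run it once from a machine on the Internet and once from the DMZ site system.

```powershell
# Added example (not from the thread): compare what is actually reachable with
# the port list in the reply above. Host names are hypothetical placeholders.
param(
    [ValidateSet('Internet', 'DMZ')]
    [string]$Vantage = 'Internet',                    # where the script runs
    [string]$DmzSiteSystem = 'ibcm.example.com',      # hypothetical Internet FQDN
    [string]$PrimarySite = 'primary.corp.example',    # hypothetical internal name
    [switch]$FallbackStatusPoint                      # set if an FSP is installed
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # Wait() returns $false on timeout and throws on refusal or DNS failure.
        $task = $client.ConnectAsync($ComputerName, $Port)
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Expected state per vantage point. $true = must connect, $false = must not.
$expect = if ($Vantage -eq 'Internet') {
    @(
        @{ Target = $DmzSiteSystem; Port = 443; Open = $true }
        @{ Target = $DmzSiteSystem; Port = 80;  Open = [bool]$FallbackStatusPoint }
        @{ Target = $DmzSiteSystem; Port = 135; Open = $false }
        @{ Target = $DmzSiteSystem; Port = 445; Open = $false }
        @{ Target = $PrimarySite;   Port = 443; Open = $false }
        @{ Target = $PrimarySite;   Port = 445; Open = $false }
    )
} else {
    # DMZ site system -> primary site, fixed ports from the reply. The dynamic
    # RPC range 49152-65535 is not probed; nothing listens on a fixed port there.
    foreach ($p in 135, 445, 24158, 80, 443) {
        @{ Target = $PrimarySite; Port = $p; Open = $true }
    }
}

$results = foreach ($e in $expect) {
    $actual = Test-TcpPort -ComputerName $e.Target -Port $e.Port
    [pscustomobject]@{
        Target   = $e.Target
        Port     = $e.Port
        Expected = $e.Open
        Actual   = $actual
        Match    = ($actual -eq $e.Open)
    }
}

$results | Format-Table -AutoSize
if ($results.Match -contains $false) { exit 1 }
```

From the Internet vantage, a failed connection to the primary site may simply mean its name does not resolve publicly, which is the outcome the design asks for.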

  • SCCM 2012 R2 Internet Based client management (IBCM)

    Hi All
    We want to use internet based client management in our environment. Can we use the same FQDN for both internet and intranet? What settings need to be done and which ports need to be open for them? Is it required to put the SUP site system in the DMZ, or can it download updates directly from the internet by getting policy from the MP?
    Which is the best security practice: putting MP, DP and SUP servers in the DMZ, or opening ports in the firewall? Is there any third way?

    The most important thing is that the Internet FQDN can be solved from a public DNS (usually you don't want any of your internal names to be that).
    Also, yes your clients can download straight from Microsoft Update, but they would still require access to a SUP to scan for available updates.
    For some more information see the following:
    http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients
    http://www.petervanderwoude.nl/post/five-key-configuration-steps-for-implementing-internet-based-clients-in-configmgr-2012/
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • SCCM 2012 R2 Internet Based Client Management

    Can someone give me a quick overview on how they are using Internet Based Client Management in their environment.
    Some helpful things I am looking for.
    IBCM - Should it be a separate server from Primary Site Server?
    What roles should typically be installed?
    A helpful Visio drawing would be great.
    Thanks!

    Hi Mike,
    Can you please help me with this...
    I bought the book: System Center 2012 Configuration Manager (SCCM) Unleashed and I need some clarification on the Internet based client topic.
    Can you please let me know if this is a supportive design? I'm getting confused with statements in the book.
    Here we do not want internet based clients to connect to ANYTHING in LAN network. I have designed to have the entire internet facing Site Systems in DMZ, connected to the Primary server.
    If my design looks OK to you... then why do we need to mention the Internet FQDN of Primary server in Primary Server Site System Property…. This server should not be visible to internet based clients….
    The most important point here is …we want internet based clients to talk to ONLY DMZ site system server. And we cannot open any ports for internet based clients to talk to Primary server kept in Chicago LAN.
    I'm not able to add the picture here... please let me know the email address where I can send that.
    Thanks,
    Sam

  • SCCM 2012 Internet based client management

    I used the link below to get started. I'm testing now on my test client. The test client is showing Client Certificate: Self-signed. The connection type however is correct: Currently Internet. Also under Internet-based management point, the server name is correct. However, when looking at the client's ccmexec.log, it appears to be trying HTTP instead of HTTPS.
    http://www.systemcenterdudes.com/internet-based-client-management/
    Thoughts?

    If it shows a self-signed certificate the client won't be able to connect. The Internet-based management could be because you've provided it during the installation of the client, or if the client was on the intranet before, received via a client policy.
    If you just installed that client while not on the intranet, start with the ClientIDManagerStartup.log. If the client was working before on the intranet, start with the CcmMessaging.log.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude
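
A client that reports a self-signed certificate has not found a PKI certificate it can use. The following is an added example, not part of the original posts, that lists the certificates in the computer's Personal store and says why each one would or would not qualify; it assumes the client uses that default store and that the usual requirements apply (Client Authentication EKU, private key, valid dates, trusted chain).

```powershell
# Added example (not from the thread): report which certificates in the
# computer's Personal store meet the basic requirements for a ConfigMgr
# client certificate, and why the others do not.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'    # Client Authentication EKU
$now = Get-Date

$report = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    $problems = @()

    if ($cert.Subject -eq $cert.Issuer) { $problems += 'self-signed' }
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += 'outside validity period'
    }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }

    # Collect EKU OIDs from the certificate extension itself.
    $ekuOids = foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $oid.Value }
        }
    }
    if ($ekuOids -notcontains $clientAuthOid) {
        $problems += 'no Client Authentication EKU'
    }

    # Does the chain end in a root this computer trusts? Revocation is skipped
    # here so a CRL that is unreachable from the Internet does not mask the result.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        $problems += "chain not trusted ($status)"
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Usable     = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

$report | Format-List
if (-not ($report | Where-Object Usable)) {
    Write-Warning 'No usable PKI client certificate found in LocalMachine\My.'
}
```

The chain test reflects only what this computer trusts; the management point validates the certificate against the root CAs configured for the site.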

  • Internet Based Client Management Design Question

    Hi,
    I read many articles and many forum posts about IBCM design possibilities. I want to make sure I am on the right path, so I would like to mention what I have currently in my environment and how I will change it. Please let me know if something is wrong with my planning for IBCM.
    Currently I have one SCCM 2012 R2 primary site server and one database server. We don't have public key infrastructure at the moment, so communication is via HTTP. We don't have a DMZ either. I would like to make my internal SCCM site server reachable from intranet and internet without installing any other site server or MP, DP, SUP point. The article below says that is possible. I will implement scenario 1 in that article.
    http://blogs.technet.com/b/configmgrteam/archive/2012/05/25/system-center-2012-configuration-manager-r-i-p-native-mode.aspx
    So, I guess
    1. I need to create public key infrastructure.
    2. Public DNS registration for site server's internet FQDN
    3. Firewall Settings from internet to site server
    After those 3 steps, my clients will connect from intranet when they are in the office and they will also be able to connect from internet when they are outside of our network. Can you please verify whether this planning is correct or not? If you know any step by step IBCM implementation article that I can use, can you please give me the link?
    Yavuz Selim Atmaca

    Very high level those are indeed the right steps at this moment. Just keep in mind that this definitely is not the most secure solution.
    I created a blog post about some important configuration steps:
    http://www.petervanderwoude.nl/post/five-key-configuration-steps-for-implementing-internet-based-clients-in-configmgr-2012/
    On a side-note, if you're going to build a PKI anyway, you might want to think about DirectAccess instead of Internet clients.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • SUP and Internet based client management

    Can an internet based client access the software update point via http, or is HTTPS required?  For some reason my internet based client is attempting to connect via HTTPS for which it is not configured.  How would I force it to use Http?

    Side note:
    New in System Center 2012 Configuration Manager, when you have a software update point that is configured to accept connections from the Internet, Configuration Manager Internet-based clients on the Internet always scan against this software update point, to determine which software updates are required. However, when these clients are on the Internet, they first try to download the software updates from Microsoft Update, rather than from an Internet-based distribution point. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point.
    http://technet.microsoft.com/en-us/library/gg712701.aspx#BKMK_PlanforInternetClients

  • Queries regarding Internet Based Client Management (IBCM) 2012 R2

    Hi All,
    I am trying to work with IBCM, but I have few queries for which I am not able to get any proper Information from Internet. I would be really Thankful if you all can help with your advice.
    1) I will need to publish host record Internet FQDN of the Site system server, which will point to Public IP on Public DNS.
    - So If I NAT the public IP to Local SCCM server IP on firewall, will that work, or I will have to give a different Private IP?
    2) Let's say I have a few workgroup machines which will be on the Internet and they won't even come to the office network, so in this scenario, how should I proceed?
    a. Will I be able to get Remote session of the user?
    b. Can I install SCCM client manually over the internet? if yes then what all information I will need to provide while client installation.
    c. If I use Public wild card certificate on the server, do I need to purchase Client certificate as well?
    d. If I use Internal CA certificate on the server, then I will have to install Client certificate manually on all the work group machine, I am right? can Public Certificate act as an alternative?
    e. Any other specific Port apart from 443 that need to open on firewall?
    3) Is it necessary to put the internet facing Site system server in DMZ or it is OK to use the same Site System server for Intranet and internet.
    4) Currently I have a Site System fully functional, and set to HTTP & HTTPS communication setting. For IBCM I will be moving MP and DP from HTTP to HTTPS. I want to know whether there will be any issue, or any other aspect that I need to take care of before performing these steps.
    5) Currently my OS deployment, App Deployment & Software Update are working perfectly. Will moving MP and DP to HTTPS affect any of the current functionality? Please advise.
    Thanking in advance,
    Regards,
    Ritesh
    Thanks & Regards, Ritesh Hegde, Exchange,BPOS, FOPE, O365.

    1. Yes, the device performing the NAT will forward the traffic to the private IP of the site system. That's the whole point of NAT assuming you've configured it correctly and allowed the traffic to pass.
    2a. No, remote Control does not work for Internet based clients.
    2b. What are your expectations and what does "manually over the Internet" mean? If you are talking about client push, then technically, yes it's possible, although in reality it won't work because almost everything connected on the Internet is behind its own NAT and firewalls that won't allow the traffic to reach the destination. Additionally, if these clients are to be Internet only (which workgroup machines must be), then they must be installed with the CCMALWAYSINF property set to true which is only done when manually installing the client on the system by directly initiating ccmsetup.
    2c. The certs on the clients have nothing to do with cert on the servers. All clients connecting via IBCM require their own, unique client auth cert. If you plan on purchasing these, it will get real expensive, real quick and of course remember that this is a recurring cost.
    2d. How else would you install any certificate? They can't magically appear on the systems particularly since they are workgroup systems.
    2e. 8531 for WSUS and 10123 for client notification.
    3. Using the same internal site system is technically fine, but I doubt your security folks would like that idea.
    4. Site Systems cannot be set to both HTTPS and HTTP. They can only be set to one or the other. Your site can accept both, but the site systems cannot. If you convert your existing/only MP and DP to HTTPS, then *all* of your clients will need their own unique client auth certs.
    5. Only if you don't configure things properly.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • Internet Based Client Management - upgrade clients

    Hi.
    I have a customer, who wants to deploy an SCCM site and Internet Based clients. Main purpose is to patch manage the clients.
    I have one concern though - the certificate and client deployment AND the ongoing upgrade of clients.
    I believe, we will have to deploy certificates from the internal PKI and install the clients manually/scripted - right?
    How about upgrading clients when a CU is installed on the SCCM-server? Can Internet Based clients automatically upgrade or will we have to manually install every time a new client is available?
    Thanks in advance!
    /Michael

    The certificate doesn't have to be of the internal PKI it can come from anywhere as long as it can be used to authenticate the client.
    When you're dealing with Internet-only clients then yes the client needs to be manually/ scripted installed to specifically provide the client with the right information.
    Once the client is installed the normal CU packages can be used to upgrade the clients.
    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

  • I'm looking for best practice on allowing employees to install apps.

    How does your company deal with employees uploading apps on company owned devices? Is there a request process? Can they expense them? What if they use their personal Apple accounts? Do you use an MDM to manage the devices? What are your security concerns? I'm in the process of formulating a policy (large multi national corp.) and am looking for some best practices.
    Thanks

    I think the main consideration is that you are a multi-national organization, presumably widely distributed geographically. Local management via Configurator or USB IPCU really doesn't make sense over the long term. An MDM is designed for situations such as you describe. For licensing reasons, each iPad used by a different individual must have a unique Apple ID. One individual could use the same Apple ID on multiple devices he or she controls. Individual devices used by multiple individuals can also have a single Apple ID. In our environment, we typically ask each user to set up an individual Apple ID when they receive their device. They are allowed to download and pay for whatever personal apps they choose. Apps which would be used for Business purposes must be vetted by Security to ensure they protect organization data. Business apps can be deployed via the Apple VPP using our MDM, which is AirWatch. An MDM is included with Lion Server. You could look at this to get some ideas about what it does and how it does it. AirWatch offers a free trial. Some users of this forum have had experience with Meraki. That is another choice. You should also look at the Enterprise Deployment Guide
    http://manuals.info.apple.com/en_US/Enterprise_Deployment_guide.pdf
    and the VPP
    http://www.apple.com/business/vpp/
    Frankly, though it isn't completely applicable to your situation, the Education deployment guide has a great deal of good information
    http://images.apple.com/education/docs/IOS_5_Education_Deployment_Guide.pdf
    Hope this helps a bit. 

  • Looking for a Good White Paper on Oracle Data Modeling

    Hopefully this is the proper area in which to ask this question - been looking around these boards for a while but can't find what I'm looking for. I'd like to get a good modeling overview for topics such as:
    -- pros and cons of normalization, e.g., performance considerations when deciding to normalize some data (and incur the cost of joins) vs keeping it denormalized (and having simpler queries)
    -- overall performance considerations
    -- warehouse vs mart considerations, esp as they relate to front end tools that will sit on the data mart
    A general data modeling white paper or PDF would be very helpful to get me started.
    Thanks all!
    Mike

    You don't need a White Paper you need a college course or a book.
    The book I have on my shelf, don't know if it is still in print, is CASE*METHOD Entity Relationship Modelling by Richard Barker
    Addison-Wesley Publishing Company
    ISBN 0-201-41696-4
    Normalization isn't about pros and cons. For performance denormalize. For data integrity normalize. Most systems end up somewhere between 3N and 4N or with what is referred to as Boyce-Codd NF. Google is your friend here but buy the book or take the course. This is not a subject to be read lightly in a dozen or so pages.

  • Looking for best practice sending args to classes

    Unfortunately, I'm stuck in a company that only employs MS developers, so I'm kind of stranded with no buddies to mentor my java skills... so thanks in advance for any help, I appreciate it.
    Anyway, I think that I've been doing things the hard way for a while and I'm looking for some sort of best practice to start using. I'm currently working on a GUI that will take all the selections, via combo boxes, text fields, etc., and send them to a class (a web bot, actually) and run it.
    I'm starting to run into the problem of having too many arguments to send to my Bot class. What's a good way that I should be doing this? I figure I can do it a couple of ways, right?
    new Bot(arg1, arg2, ......... argX);
    Bot bot = new Bot();
    bot.setArg1("something");
    bot.setArg2("something");
    etc..
    bot.run();
    Or, is there a better way? Can I package all the args in a collection somehow?? That way I only have 1 argument to send... I don't know... Thanks for the help.

    Create a class "Data" (for example) that encapsulates all the data you want to pass to the Bot class. Then create an instance of the Data class and set all the relevant fields (i.e. setArg1 etc). Now you pass this Data instance to your Bot class. This way you only have to pass one Object around and you've encapsulated all your data.
