System Center Configuration Manager Forums > Configuration Manager General

Question: SCCM in the DMZ - one internal site server and one SQL server, mixed mode

  • Thursday, October 29, 2009 7:35 PM, sstirn
    I have been reading quite a bit about possible implementations regarding WORKGROUP systems in an SCCM environment.  My company's current implementation consists of a site server and a SQL server.  They live in our internal domain.  We eventually would like to configure WSUS via SCCM and have laid the foundation but are still using a WSUS standalone server.  The primary site is in mixed mode and we could eventually move to native mode but have not had a need yet. 

    I need to get the SCCM client installed onto our DMZ systems and have concerns regarding the most secure way to do this given our current SCCM implementation.

    From what I have been reading, manually installing the client on each system and opening ports 80, 445, 443, 135 UDP, 1025-5000 will allow me to add these DMZ systems directly to my internal SCCM site server.  This seems like we would be opening a large hole from our DMZ systems into our internal network. 

    Another option, if I have been reading correctly, would be to stand up another site system in the DMZ and have it communicate with my SCCM server. The DMZ clients would then communicate with the DMZ site system and back to the primary site. 

    I have a few questions about this, probably from my lack of understanding on the SCCM product.

    1) Can I stand up a secondary site in my DMZ, or does it need to be a Primary site? 
    2) Do I require a domain in my DMZ, which we currently do not have?

    What would be seemingly ideal is a server I could place in the DMZ that runs some site systems, is trusted by the site server, and is the proxy for all the DMZ clients to communicate to my primary site server.  Something like a gateway server in the SCOM environment. 


    Mostly, I require some advice regarding my company's current needs.  Given our SCCM implementation as is, what would an SCCM expert do to get the client working on SCCM systems (require hardware/software inventory, software distribution, and eventually Windows Updates via SCCM.) 

    Thanks!
    -Scott

All Replies

  • Tuesday, November 03, 2009 1:35 PM, Carol Bailey (MSFT)
    To answer both questions at once:  You can create a secondary site in the DMZ but all site system servers must be in a domain and it would be up to you to protect the server-to-server communication between the sites and open ports for this.  Some site systems can only be installed in primary sites, so you might still need to open some ports for the clients.

    If you could achieve your business requirements (client installation, hardware/software inventory, software distribution, software updates) by not having to install a domain/forest in the DMZ or install additional site systems, or configure additional site boundaries, and require only HTTPS to be open on a firewall from the DMZ into the intranet - would this be a sufficient reason to migrate the site to native mode?  If so, have a look at this post:  http://social.technet.microsoft.com/Forums/en-US/configmgrsetup/thread/d78cf16e-4360-43eb-97bf-874ae1200d0b

    - Carol


    This posting is provided “AS IS” with no warranties and confers no rights
  • Tuesday, November 03, 2009 3:42 PM, sstirn
    Thank you for your reply, Carol.  I was considering the same thing this past week; however, we might soon implement AD in the DMZ.  We don't really have any internet clients and the majority of our mobile phone users carry BlackBerrys.

    I suppose there isn't much of a downfall to migrating to Native mode other than the additional administration required to set it up, and it does seem like the better way to achieve what the company is requesting.