Native mode clients downloading via BITS: is it always encrypted traffic?

  • Wednesday, October 21, 2009 7:01 PM - Tim McGilvery
     
    Customer has SCCM 2007 SP1 in native mode deployed.  They have Cisco WAAS devices in some remote locations (not WoWaas).  It is their understanding that the WAAS devices are not caching the SCCM download packages because the data is encrypted.  They want to use the WAAS devices (no peer DPs, etc).  If we created protected DPs without web certs .... would the client download via BITS in an unencrypted manner?   Or can you change the IIS config on the site server's DP web shares?  
    Thanks
    Tim

Answers

  • Thursday, October 22, 2009 1:08 AM - Carol Bailey (MSFT, Moderator)
     Answer
    That's an unusual request - it's more usual to ask to encrypt/secure traffic!  Native mode communication requires https, which uses both authentication and encryption at the SSL layer, and you can't change this.  A distribution point without a Web cert = http, and a native mode client attempting to connect to a BITS-enabled distribution point in a native mode site would fail to connect to it, for security reasons.  Authentication and encryption come as a package deal with SSL.

    If these distribution points were in a mixed mode site and these native mode clients roamed into that site and they were configured with the option "Allow HTTP communication for roaming and site assignment", then they could connect to them over http (unauthenticated and unencrypted).  But that doesn't sound like your setup.

    If the requirement is to download unencrypted content from distribution points, then you could disable the option "Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS" on distribution points that are protected for these clients, and data transfer will be over SMB (no Web certificate required).  However, SMB might be a problem for firewalls and limited bandwidth, and you lose the additional security of mutual authentication.


    - Carol


    This posting is provided “AS IS” with no warranties and confers no rights
    • Marked As Answer by Tim McGilvery, Thursday, October 22, 2009 11:51 AM
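A way to verify the answer above on a given DP, added here as an example (it is not from the thread and not Microsoft's own tooling): it reads the IIS configuration to see whether the DP has an https binding at all and whether the content virtual directory forces SSL, then probes both schemes the way a client, or a WAAS device in the path, would see them. It assumes IIS 7.5 or later with the WebAdministration module, the DP installed on "Default Web Site", and the default content virtual directory name SMS_DP_SMSPKG$; run it on the DP itself with an account that can read the IIS configuration.

```powershell
# Added example, not from the original thread. Run on the DP as an admin.
# Assumptions: IIS 7.5+ with the WebAdministration module, DP on
# "Default Web Site", content vdir named SMS_DP_SMSPKG$ (adjust $site/$vdir).
Import-Module WebAdministration

$site   = 'Default Web Site'
$vdir   = 'SMS_DP_SMSPKG$'
$psPath = "IIS:\Sites\$site\$vdir"

# 1. Is there an https binding? No Web certificate = no https binding,
#    i.e. the "DP without a Web cert = http" case from the answer.
$https = Get-WebBinding -Name $site -Protocol https
if ($https) {
    "https binding(s) on '$site': " +
        (($https | ForEach-Object { $_.bindingInformation }) -join ', ')
} else {
    Write-Warning "No https binding on '$site': this DP can only serve content over http"
}

# 2. Does the content vdir force SSL? 'Ssl' makes IIS reject plain-http
#    requests (403.4); SslNegotiateCert / SslRequireCert add the client
#    certificate handshake that native mode relies on for mutual auth.
$prop  = Get-WebConfigurationProperty -PSPath $psPath `
           -Filter 'system.webServer/security/access' -Name 'sslFlags'
$flags = if ($prop -is [string]) { $prop } else { [string]$prop.Value }
"$vdir sslFlags: '$flags'"
if ($flags -notmatch 'Ssl') {
    Write-Warning "SSL is not required on $vdir: content could be pulled over plain http"
}

# 3. Probe both schemes as a client (or a WAN optimizer in the path) sees
#    them. System.Net.WebRequest keeps this usable on PowerShell 2.0.
function Test-DpUrl {
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'HEAD'
    $req.UseDefaultCredentials = $true
    $req.Timeout = 10000
    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $resp.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        else                       { $status = $_.Exception.Message }
    }
    "{0} -> {1}" -f $Url, $status
}

$dpFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Test-DpUrl "http://$dpFqdn/$vdir/"
Test-DpUrl "https://$dpFqdn/$vdir/"
```

On a native mode DP the sslFlags value should contain Ssl and the http probe should be refused (IIS substatus 403.4, SSL required), which is exactly why an in-path cache such as WAAS sees only ciphertext; if the http probe succeeds, the vdir is not enforcing SSL and the DP is not behaving as a native mode DP should. Whether the https probe succeeds without a client certificate depends on whether the vdir uses SslNegotiateCert or SslRequireCert, so treat its result as informational.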
  • Thursday, October 22, 2009 9:17 AM - Jie-Feng Ren (MSFT)
     Answer
    Hi,

    Also check following:

    http://technet.microsoft.com/en-us/library/bb680900.aspx

    HTH.
    Jie-Feng Ren - MSFT
    • Marked As Answer by Tim McGilvery, Thursday, October 22, 2009 11:51 AM
