Manage SCCM 2012 clients in DMZ (OS Deploy, Windows updates) via DP/MP

  • Question

  • Hi,

    We'd like to manage (= OS Deploy, Packages, Windows updates) Windows clients (Windows 2008/2012 R2 servers for now, about 20 of them) in a DMZ (= different domain).

    There is this article https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which explains what to do … in 2011. Since then lots of things have changed, I guess.

    Before I dive in, I’d need to have an overview + do some administrative tasks (like asking for firewall accesses).

    Current setup DMZ:

    1. Our SCCM 2012 R2 server is on a Windows 2008 R2 OS
    2. Client communication is done via HTTP (not HTTPS)
    3. An extra physical Distribution point is setup (only DP, nothing more) in our current domain
    4. A new Windows 2012 server is setup in the DMZ which should host the DP and probably management point (since it should manage the clients over there)
    5. There are clients in DMZ that are currently managed by SCCM 2007, but this server will be phased out. These clients have:
      1. Correct SCCM functionality
      2. Correct DNS resolution

    My steps/questions, please comment:

    1. Add the DMZ ip range to SCCM 2012 boundary as “DMZ”
    2. Add the network access account to be able to deploy as well clients as distribution point in DMZ
    3. In the DMZ accesses on firewall for server VLAN have to be asked
      When we have a distribution point and communication is “HTTP only”, then HTTP (port 80) from DMZ to the SCCM server should suffice, correct? Or are extra firewall openings needed for management point access/packages and Windows updates sync?
    4. Now the sccm clients will be deployed to the servers in DMZ: deploy SCCM clients to hosts in DMZ, how this should be done: we connect a console to the SCCM-server in the DMZ then deploy the discovered clients?
    5. OS Deploy should be made available, but no dhcp is available in DMZ and it is not an option either, therefore we would boot from an ISO then enter an ip (or pre-enter it so there is already filled in an ip?). So tasksequences/deployments for servers in DMZ, where are they configured/deployed then? Via console access on DMZ management point or can we deploy on our domain SCCM management point (not in DMZ) and it will be synced to the DMZ management point? Not clear
    6. Selective sync of software to this distribution point (howto? not sure), we don’t need any Windows 8 software/drivers to be synced.

    Thanks for your input!

    J.


    Jan Hoedt

    Wednesday, March 25, 2015 2:42 PM

Answers

    1. No comment;
    2. I think you mean the client push installation account and the site system installation account;
    3. More ports are required, see site server > distribution point and distribution point > management point from the provided link;
    4. The console will always be connected to your primary site server. The client will be pushed from the primary site server and it will provide the initial files. The other files will be downloaded from the local distribution point;
    5. The task sequence deployment will be just like a normal task sequence deployment. The only difference is the location of the server;
    6. Only the content that's distributed to the distribution point in the DMZ will be available on that distribution point.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    • Marked as answer by janhoedt Monday, March 30, 2015 1:34 PM
    Wednesday, March 25, 2015 7:16 PM
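The accepted answer says more ports are needed than HTTP 80 and points at the TechNet port reference. Before filing the firewall request (step 3 of the question), it is useful to verify from the DMZ site system which of those ports actually reach the primary site server, and from the primary site server which ports reach the DMZ DP/MP. The script below is an added example, not code from the thread or from Microsoft. The hostnames are placeholders, and the port list is an assumption based on the default ConfigMgr ports (HTTP 80, RPC endpoint mapper 135, SMB 445, SQL 1433, WSUS 8530); confirm it against the linked TechNet article for your site before relying on it. It uses Test-NetConnection, which is available on Windows 8 / Server 2012 and later.

```powershell
# Added example: check ConfigMgr port reachability in both directions between
# a DMZ site system (DP/MP) and the primary site server.
# Hostnames are placeholders; ports are assumed defaults, verify against the
# TechNet port reference before requesting firewall openings.

$PrimarySiteServer = 'sccm-primary.corp.example'   # placeholder hostname
$DmzSiteSystem     = 'sccm-dmz.dmz.example'        # placeholder hostname
$WsusServer        = 'sccm-primary.corp.example'   # placeholder: SUP host, if used

# Direction: DMZ DP/MP -> primary site server / site database (assumed defaults)
$FromDmzToSite = @(
    @{ Target = $PrimarySiteServer; Port = 80;   Why = 'HTTP: MP to site server, HTTP-only clients' },
    @{ Target = $PrimarySiteServer; Port = 135;  Why = 'RPC endpoint mapper: site system to site server' },
    @{ Target = $PrimarySiteServer; Port = 445;  Why = 'SMB: site system to site server' },
    @{ Target = $PrimarySiteServer; Port = 1433; Why = 'SQL: MP to site database (default instance)' },
    @{ Target = $WsusServer;        Port = 8530; Why = 'WSUS HTTP: clients/SUP sync (if SUP is used)' }
)

# Direction: primary site server -> DMZ DP/MP (assumed defaults)
$FromSiteToDmz = @(
    @{ Target = $DmzSiteSystem; Port = 135; Why = 'RPC endpoint mapper: site server to DP install' },
    @{ Target = $DmzSiteSystem; Port = 445; Why = 'SMB: site server to DP content transfer' },
    @{ Target = $DmzSiteSystem; Port = 80;  Why = 'HTTP: site server to DP/MP health check' }
)

function Test-SccmPort {
    # Returns one result object per port so the output can be piped or exported
    param(
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [int]    $Port,
        [string] $Why = ''
    )
    $r = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target  = $Target
        Port    = $Port
        Open    = $r.TcpTestSucceeded
        Purpose = $Why
    }
}

function Test-SccmPortSet {
    # Runs a whole direction's port list; $Label is printed as a section header
    param([string] $Label, [object[]] $Ports)
    Write-Host "== $Label =="
    $Ports | ForEach-Object { Test-SccmPort @_ } | Format-Table -AutoSize
}

# Run the set that applies to the machine you are on. On the DMZ site system:
Test-SccmPortSet -Label 'DMZ site system -> primary site server' -Ports $FromDmzToSite
# On the primary site server:
# Test-SccmPortSet -Label 'primary site server -> DMZ site system' -Ports $FromSiteToDmz
```

Run the first set from the DMZ server and the second from the primary site server; a row with Open = False is a port the firewall request has to cover. Note that RPC also needs the dynamic port range above 135 for DP installation and content distribution, which a single TCP probe cannot prove open, so treat 135 succeeding as necessary but not sufficient.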

All replies

  • This article should assist with the port communication requirements

    https://technet.microsoft.com/en-gb/library/hh427328.aspx


    Steven Hodson | http://www.stevenhodson.com | @_hodders

    Wednesday, March 25, 2015 2:50 PM
  • Thanks, found that already, that helps me indeed for port configs IF I would know what ports to configure: do I need the management point in my case, probably yes. What traffic is it using then? WSUS sync to SCCM-server or should it sync from Internet, should it get its antivirus updates from sccm-server or Internet, how does it sync the packages (that I might find in the overview you mention), do clients fully and only connect to the DMZ SCCM-server or to the domain sccm-server etc?

    Jan Hoedt

    Wednesday, March 25, 2015 3:16 PM