Can Internet Based Management be added after initial SCCM 2012 Site Deployment?

  • Question

  • Hello, all.  I'm in need of some assistance from some System Center experts.

    We are looking at possibly deploying Internet Based Management in our SCCM 2012 environment, but it looks like we can't do it when we push the upgrade from 2007 to production.  We do NOT have Internet Based Management in our current SCCM 2007 environment.

    The scenario we would most likely use is having the MP in our intranet and using a reverse proxy server with PKI to allow Internet clients to authenticate into our network.  We have an F5 that would handle the traffic coming in, and the incoming https connections would terminate there and then be sent from the F5 back to the internal MP.

    Question 1) Can we do this after our SCCM 2012 environment is up and running in production?  If so, what do we need to do to make it happen?  Should we go ahead and create the Workstation Certs and the Web Server Certs now, or can all of the certificate creation wait until we're at the point of setting up Internet Based Management?

    Question 2)  Will any roles need to be recreated when we implement Internet Based Management if it's done later, or will we need to rework our hierarchy?  We want to avoid that as much as possible.

    Question 3)  Can documentation be provided for the above answers (i.e. technet or something similar)?


    Thank you SO MUCH.  I appreciate it!!

    Sarah
    Friday, August 24, 2012 3:04 AM

All replies

  • 1) Yes, it can be configured at any time. Certs just need to be in place when you actually need the clients to communicate via HTTPS. Don't underestimate PKI planning and deployment though -- this is not a trivial exercise or task.

    2) No.

    3) Most of it is here: http://technet.microsoft.com/en-us/library/gg712701.aspx#Planning_Client_to_Site_System


    Jason | http://blog.configmgrftw.com

    Friday, August 24, 2012 3:28 AM
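The reply above says the certificates only have to exist by the time clients must talk HTTPS, and the question describes an F5 terminating HTTPS in front of the intranet MP. The following PowerShell is an added example, not code from the thread or from ConfigMgr itself, that checks the two halves of that prerequisite from a client's point of view: whether the local computer store holds a certificate usable for client authentication (Client Authentication EKU 1.3.6.1.5.5.7.3.2, private key present, time-valid, chain builds to a root this machine trusts), and what certificate a client actually sees when it opens TLS to the public name (with TLS terminated on the F5, that is the F5's certificate, so the name, Server Authentication EKU 1.3.6.1.5.5.7.3.1 and chain are checked there). The function names, the store path default and the port default are this example's own assumptions; the EKU OIDs are the standard ones.

```powershell
# Added example, not part of the original thread. Assumes Windows PowerShell on a
# domain-joined client; function names are hypothetical.

function Test-CMClientAuthCertificate {
    # Lists certificates in the local computer store and reports whether each one
    # meets the client-authentication requirements for HTTPS client communication.
    [CmdletBinding()]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # assumed default location
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'               # Client Authentication EKU
    $now = Get-Date
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
        # Build the chain with this machine's trusted roots; revocation is skipped here
        # because an Internet client may not reach the CRL distribution point at check time.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainOk   = $chain.Build($cert)
        $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            ClientAuthEKU = $hasClientAuth
            TimeValid     = $timeValid
            ChainBuilds   = $chainOk
            ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            Usable        = ($cert.HasPrivateKey -and $hasClientAuth -and $timeValid -and $chainOk)
        }
    }
}

function Test-CMManagementPointTls {
    # Opens a TLS session to the public name clients will use and reports the server
    # certificate presented there (the reverse proxy's certificate when HTTPS terminates
    # on it), plus the policy errors this client would raise against it.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,   # public FQDN, e.g. the F5 virtual server name
        [int]$Port = 443
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'           # Server Authentication EKU
    $state = @{ PolicyErrors = $null }
    # Record the validation result instead of enforcing it, so the report is complete.
    $sb = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$sb
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $eku = $remote.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        [pscustomobject]@{
            HostName      = $HostName
            Subject       = $remote.Subject
            Issuer        = $remote.Issuer
            NotAfter      = $remote.NotAfter
            ServerAuthEKU = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
            PolicyErrors  = $state.PolicyErrors   # 'None' means name matched and chain is trusted here
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage:
#   Test-CMClientAuthCertificate | Format-Table Subject, HasPrivateKey, ClientAuthEKU, TimeValid, ChainBuilds, Usable
#   Test-CMManagementPointTls -HostName 'mp.example.com'   # placeholder name, substitute the real public FQDN
```

Run the first function on a workstation that will be managed from the Internet; a row with Usable set to True is a certificate the client agent could select. Run the second from outside the intranet against the public name: PolicyErrors other than None (RemoteCertificateNameMismatch, RemoteCertificateChainErrors) on the F5's certificate will surface exactly the trust or naming problem an Internet client would hit, before any site configuration is changed.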
  • Thanks for the information!  Can you (or someone else) tell me why it seems like most companies who do Internet Based Management put a server in the DMZ?  My counterparts here don't like the idea of exposing our AD to the outside world, even if we secure it . . . but if we can somehow find a way to do this without exposing AD, I think it would be a viable option.

    Also, there is a TON of documentation on IBMP for 2007 but not as much for 2012.  This site (http://blogs.technet.com/b/configmgrteam/archive/2009/03/03/tips-and-tricks-using-internet-only-client-management-on-the-intranet.aspx) is great but how much of it applies to 2012?

    Sarah

    Friday, August 24, 2012 5:21 PM
  • Security. Most security folks will tell you that letting any traffic originating on the Internet go directly to a server on your internal network is a huge no-no.

    Putting the ConfigMgr roles in the DMZ doesn't expose your AD to anything so I'm not sure where that comment is coming from. Sure the systems hosting those roles need access to AD, but that's not the same thing and can be done in a variety of ways.

    IBCM in 2007 and 2012 is nearly identical. There are some differences, but they are mainly semantic in nature.


    Jason | http://blog.configmgrftw.com

    • Marked as answer by Sarah Naumann Tuesday, September 4, 2012 6:58 PM
    Friday, August 24, 2012 6:12 PM
  • " ..there is a TON of documentation on IBMP for 2007 but not as much for 2012..."

    The irony is, there is less documentation because it's less restrictive, which means less documentation is needed.  If you haven't already seen it, here's a great blog post that helps to summarize how/why it's simpler: http://blogs.technet.com/b/configmgrteam/archive/2012/05/25/system-center-2012-configuration-manager-r-i-p-native-mode.aspx

    Do your counterparts realize that you can create a new Active Directory forest in the DMZ for the Internet-based site system roles, with no trust to your AD forest in the intranet? Because the forest is the security boundary, that minimizes the risks significantly.

    • Marked as answer by Sarah Naumann Tuesday, September 4, 2012 6:58 PM
    Tuesday, August 28, 2012 1:03 AM
  • I'm not sure, honestly.  I'd have to look into what's required to create a new AD forest out there.  Interesting concept, though.  I like it!!

    Thanks, everyone for your input!

    Tuesday, September 4, 2012 6:57 PM
  • Hi, Carol.  If we have an AD Forest in the DMZ that's untrusted, wouldn't we then have to have a CA in there as well to serve certs from for PKI?  That to me seems sort of risky.  If I'm misunderstanding, please let me know! 
    Monday, September 17, 2012 4:01 PM