IBCM Server Confuse

  • Question

  • Dears,

    I have my internal primary site SCCM server working with an internal PKI solution and WSUS like a charm.

    I have to deploy an IBCM SCCM server in my DMZ in order to manage Internet clients and deploy software updates...

    My Questions:

    1. Shall it be a secondary site? And does a secondary site support software updates for my clients?
    2. Shall I create a site system server and enable MP, DP and SUP on it?
    3. Can I use my internal PKI, or do I have to obtain a trusted public certificate?

    Please advise on the supported way.

    Thanks

    Saturday, January 14, 2017 11:25 AM

All replies

  • Please, your feedback is important to me.
    Saturday, January 14, 2017 3:29 PM
  • Hi Jean,

    You can use your internal certificate for this as well, or a purchased certificate, but in that case the root CA of the certificate has to be the same; that is the most important requirement.

    An MP role and a DP role would also help here, as the content and policy have to be secured (a secondary is preferred to me).

    A secondary site would support it, i.e. it would get the content and policy (global data) for the location from the primary, and it gives better bandwidth control, as the data replication would be DB-based and only local data may use file-based replication.

    As always, you can test it in your test lab before going live to mitigate the associated risk.


    Kamala kannan.c | Please remember to click "Mark as Answer" or "Vote as Helpful" if it's helpful for you. | Disclaimer: This posting is provided with no warranties and confers no rights

    Sunday, January 15, 2017 7:52 AM
  • Sorry, but that's not correct.

    1. No, you can't use a secondary site for this.

    2. Yes, the typical path is to use a site system with an MP, DP, and SUP on it and place that in the DMZ. There are other possibilities though so you should read over the documentation.

    3. Using a public PKI would get expensive. There is no technical reason you must use one or the other though -- a cert, is a cert, is a cert. Depending upon your internal PKI though, you will probably have to disable client CRL checking in ConfigMgr.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by Jean M Wednesday, January 18, 2017 7:51 AM
    Sunday, January 15, 2017 4:50 PM
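    On the CRL checking point above: the usual reason an internal PKI forces you to disable client CRL checking for Internet clients is that the CRL Distribution Points in the certificates are internal HTTP or LDAP URLs that a client on the Internet cannot reach. The following PowerShell is an added example (not from this thread and not part of ConfigMgr) that lists the CDP URLs in a certificate and tests whether each one answers; run it from a machine outside the corporate network to see what an Internet-based client would experience. The certificate path is a placeholder.

```powershell
# Added example: enumerate a certificate's CRL Distribution Point URLs and test
# whether each is reachable from this machine. Run from outside the corporate
# network to judge whether Internet clients can perform CRL checking against an
# internal PKI. The certificate path below is a placeholder (assumption).
param(
    [string]$CertPath = '.\client-auth.cer'   # placeholder: exported client/server cert (DER or Base64)
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# OID 2.5.29.31 is the CRL Distribution Points extension.
$cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdpExt) {
    Write-Warning "Certificate '$($cert.Subject)' has no CRL Distribution Points extension."
    return
}

# Format($true) renders the extension as multi-line text containing 'URL=...' entries.
$urls = [regex]::Matches($cdpExt.Format($true), 'URL=(\S+)') |
    ForEach-Object { $_.Groups[1].Value }

Write-Output "Subject: $($cert.Subject)"
Write-Output "Issuer:  $($cert.Issuer)"

foreach ($url in $urls) {
    if ($url -like 'ldap://*') {
        # LDAP CDPs need domain connectivity, so an Internet client will never reach them.
        Write-Output "$url : LDAP CDP, not usable by Internet clients"
        continue
    }
    try {
        # HEAD request is enough to prove the CRL is served; a 200 means the CDP is public.
        $resp = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
        Write-Output "$url : reachable (HTTP $($resp.StatusCode))"
    } catch {
        Write-Output "$url : NOT reachable ($($_.Exception.Message))"
    }
}
```

    If every HTTP CDP reports "NOT reachable" from outside and the rest are LDAP, Internet clients cannot validate revocation and CRL checking will fail, which is the situation Jason describes. The alternative to disabling the check is publishing the CRL on an Internet-facing host and including that URL in the issued certificates.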
  • > 1. Shall it be a secondary site? And does a secondary site support software updates for my clients?

    No, you can't, and you shouldn't. Also, from a security standpoint it shouldn't live in the DMZ. The better way would be to put it inside and use a reverse proxy to connect to it; yes, it's supported.

    > 2. Shall I create a site system server and enable MP, DP and SUP on it?

    Yes, normally create an MP, DP and SUP, or just an MP and use a cloud-based DP, depending on your organization's needs.

    > 3. Can I use my internal PKI, or do I have to obtain a trusted public certificate?

    You can certainly use your internal PKI; you might need to turn off CRL checking, and also distributing those clients to machines that are off network can be trying.

    Alternatively, you could dump the idea of IBCM and implementation, upgrade to IBCM and use the new cloud-based management features.

    https://docs.microsoft.com/en-us/sccm/core/clients/manage/setup-cloud-management-gateway


    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"

    Sunday, January 15, 2017 4:54 PM
  • > "Alternatively, you could dump the idea of IBCM and implementation, upgrade to IBCM and use the new cloud based management features. "

    The Cloud Management Gateway (CMG) is still IBCM and still requires PKI certificates so this doesn't change everything. The only thing it eliminates today is having to stand up infrastructure on-premises.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Sunday, January 15, 2017 5:17 PM
  • > Sorry, but that's not correct.
    >
    > 1. No, you can't use a secondary site for this.

    Hi Jason,

    Please I want to know the technical reason

    Monday, January 16, 2017 6:13 AM
  • The technical reason is that Internet clients simply won't use roles at secondary sites, and the roles cannot be configured to serve Internet clients.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    • Marked as answer by Jean M Wednesday, January 18, 2017 7:51 AM
    Tuesday, January 17, 2017 6:38 PM
  • Thanks for support.
    Wednesday, January 18, 2017 7:51 AM