SCCM 2012 on File Server

  • Question

  • We are planning on migrating to SCCM 2012 this year and have a question around security. Since SCCM 2012 requires IIS to be installed on all servers used in the SCCM hierarchy, are there any known concerns around using IIS on a shared server with SCCM/File/Print combined on the same hardware?

    Are there any best practices around configuring IIS for SCCM 2012?

    Thursday, January 2, 2014 4:24 PM

Answers

All replies

  • The only concern would be regarding performance. Typically the F&P server would be one of the most utilised servers in an organisation. Therefore I would never consider sharing this with ConfigMgr. ConfigMgr really should have its own server (if possible). How many clients?


    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Thursday, January 2, 2014 4:36 PM
  • I concur with Gerry. Multi-use servers are bad joo-joos in general. Too many eggs in one basket is the perfect cliche for this.

    Jason | http://blog.configmgrftw.com

    Thursday, January 2, 2014 4:51 PM
  • Also agree. Keep it separate.

    Cheers

    Paul | sccmentor.wordpress.com

    Thursday, January 2, 2014 5:14 PM
  • On top of the other answers, also make sure you check this info: http://technet.microsoft.com/en-us/library/gg712264.aspx. It contains information about configuring IIS for ConfigMgr.

    Kent Agerlund | My blogs: blog.coretech.dk/kea and SCUG.dk/ | Twitter: @Agerlund | Linkedin: Kent Agerlund | Mastering ConfigMgr 2012 The Fundamentals

    Thursday, January 2, 2014 6:26 PM
  • I guess I should have provided additional information: this is only for use as a secondary server or remote distribution point. Our CAS and PRI servers will be on dedicated hardware. The SEC or DP will support fewer than 75 workstations per site where we will have shared hardware.
    Friday, January 3, 2014 4:01 AM
  • For 75 clients, I probably would not do a secondary site unless the bandwidth is crazy constrained. I also generally would not have an issue putting a DP on a file server at a branch location. Yes, IIS is required, but as long as it's not exposed to the Internet and you have good internal security measures like a host-based firewall and a solid patching process, then IIS on an internal file server is not a risk even worth discussing (anyone who says it is needs to update their knowledge IMO).

    Also, the elephant always is the CAS: are you sure you need one? If you have more than 100,000 systems to manage, then the answer 99% of the time is a resounding NO. It *will* cause you pain and is to be avoided unless absolutely necessary.


    Jason | http://blog.configmgrftw.com

    Friday, January 3, 2014 4:50 PM
  • In that case there are no extra considerations. IIS will be a requirement but will play nicely with the F&P functions. You should take Jason's advice on board. I would only deploy DPs for 75 user sites. I wouldn't consider a Secondary Site unless a location had hundreds of users.


    Gerry Hampson | Blog: www.gerryhampsoncm.blogspot.ie | LinkedIn: Gerry Hampson | Twitter: @gerryhampson

    Sunday, January 5, 2014 12:30 PM
  • After a few weeks of pilot testing the concern about IIS has lessened, but a question has arisen from my security group about SCCM using the default website. Is it possible to set up a DP, MP, etc. and not have it use the default website in IIS?
    Thursday, February 6, 2014 2:25 AM
  • Why would it matter at all? The default web site is simply a construct on the server that plays no part whatsoever in the actual communication that takes place.

    If instead they are asking about changing the port, then yes it's possible, but IMO it is a terrible idea. Security by obscurity is not security. Changing these details in no way increases your security posture or reduces risk in any way. All it does is increase the problems experienced by running a non-standard configuration.


    Jason | http://blog.configmgrftw.com

    Thursday, February 6, 2014 3:14 AM
  • I agree with Jason on this; however, in our organization we were asked to change the default port for HTTP from 80 to 49xxx, and the reason for that was network related, so that they could flag our traffic for QoS and assign corresponding priority to it. In our environment we have 200+ DPs and have not seen any issues with doing so.
    Thursday, February 6, 2014 11:48 PM
  • This is a (more or less) valid reason; however, being in IT for a long time now, anytime you deviate from what just about everyone else is doing, problems always arise: doing non-standard things leads to non-standard problems. There are other ways to flag traffic for QoS than port number.

    Jason | http://blog.configmgrftw.com

    Friday, February 7, 2014 3:04 AM
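As an added example of what Jason means by flagging traffic for QoS other than by port number (this is not from the thread and not ConfigMgr's own configuration), the PowerShell below creates Windows QoS policies on the DP that DSCP-mark its content traffic while IIS stays on the standard port 80. It assumes Windows Server 2012 or later (NetQos module), that DSCP 26 (AF31) is the value your network team has reserved for software distribution, and that the site-server prefix is a placeholder; the same policies can be pushed by Group Policy instead of being created locally.

```powershell
# Added example: mark ConfigMgr DP traffic for QoS without moving IIS off port 80.
# ASSUMPTION: Windows Server 2012+, run elevated on the DP (or equivalent GPO policies).
# ASSUMPTION: DSCP 26 is the agreed marking; 10.10.0.0/16 stands in for the site-server range.
Import-Module NetQos

$dscp = 26

# Option A: mark by originating process. On a DP, IIS (w3wp.exe) is what serves package
# content, so everything it sends is content distribution regardless of the bound port.
New-NetQosPolicy -Name 'ConfigMgr DP content (w3wp)' `
    -AppPathNameMatchCondition 'w3wp.exe' `
    -DSCPAction $dscp `
    -NetworkProfile Domain | Out-Null

# Option B: mark by destination, i.e. traffic leaving this branch server for the
# datacentre site-server range, whatever port it uses (MP/SUP replies, content pulls).
New-NetQosPolicy -Name 'ConfigMgr to site servers' `
    -IPDstPrefixMatchCondition '10.10.0.0/16' `
    -DSCPAction $dscp `
    -NetworkProfile Domain | Out-Null

# Verify what is in force. The network team can now match on the DSCP value at the router
# and queue it accordingly, instead of matching a non-standard TCP port.
Get-NetQosPolicy | Where-Object Name -like 'ConfigMgr*' | Format-List
```

Option A is the closest equivalent to the port-based approach from the earlier reply, because it captures exactly the IIS traffic the DP serves; Option B is useful where the routers can only honour DSCP on traffic headed to a known address range. Either way the port stays at 80, so clients, boundary groups and the documented firewall requirements are unchanged.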