SCCM 2012 with internet clients

  • Question

  • We need to enable SCCM 2012 for internet-based clients.

    Trying to decide on PKI infra.

    Some articles say using AD CA with SANs is not safe for internet-based clients.

    I could use some recommendations to set this up properly.

    Thursday, December 27, 2012 9:25 AM

All replies

  • That's really a security or PKI question much better addressed in a forum dedicated to PKI.

    Also, without knowing what articles you are referring to, as I've never seen this advice, it's very difficult for us to either dispute or concur with their recommendations.

    In general, most folks do implement an AD integrated PKI; however, that is a very simplistic statement that does not reflect the complexities of setting up or maintaining a PKI.

    If you are planning on implementing an internal PKI, I highly recommend you either bring in an expert or learn as much as you can. An excellent book is this one: http://www.microsoft.com/learning/en/us/book.aspx?ID=9549&locale=en-us. Basically, anyone can set up a PKI in 10 minutes by clicking through the CA setup wizard in Windows Server; however, setting up a secure and proper PKI for your environment and purposes (without falling into the many possible pitfalls or incorrect choices) takes *a lot* of planning and knowledge.


    Jason | http://blog.configmgrftw.com

    Thursday, December 27, 2012 2:35 PM
  • A properly deployed AD CA is very secure.  I have never seen anyone recommend not using it for systems management.

    The only word of caution I have is that once you've built it for systems management, other groups always seem to want to leverage it, and the thing grows in its importance.  Planning for security and disaster recovery ahead of time is important.  If you've never done PKI before, this is definitely an area where it can make sense to bring in an expert.

    I hope that helps,

    Nash


    Nash Pherson, Senior Systems Consultant
    Now Micro - My Blog Posts


    • Edited by NPherson Thursday, December 27, 2012 3:03 PM
    Thursday, December 27, 2012 3:03 PM