Client DMZ communications

  • Question

  • Are DMZ clients supposed to communicate to the DMZ MP/DP then get forwarded to the internal MP/DP? I was able to install the ccm client on a DMZ MP/DP and get it to check into the internal MP/DP only because port 443 was allowed through the firewall. I am assuming I am missing a boundary/Group for my DMZ MP and clients?

    I am using PKI certs for computer authentication.

    Reading this article it does not mention the flow of communication from the client, to DMZ MP, to internal MP.

    Justin Chalfant's Configuration Manager Blog

    Ports Required for a Site System in DMZ in Configuration Manager

    Wednesday, October 2, 2019 7:39 PM

Answers

  • That depends on your configuration. Also, there's no such thing as a "DMZ" MP, they're all just MPs to ConfigMgr so the fact that an MP is sitting in an alternate network location (which is all a DMZ is) is transparent and irrelevant to ConfigMgr. If you need to manipulate MP selection by clients, then you need to configure MP affinity and associate your site systems hosting the MP role with the proper boundary groups. Strictly speaking though, this only establishes a preference and not necessarily a guarantee.

    Jason | https://home.configmgrftw.com | @jasonsandys

    Wednesday, October 2, 2019 11:18 PM
  • Hello,
     
    > Are DMZ clients supposed to communicate to the DMZ MP/DP then get forwarded to the internal MP/DP?
     
    1. DMZ MP would not forward data to internal MP, but to site server. As Jason mentioned, there is no difference between DMZ MP and internal MP except for their location.
     
    2. The DMZ client does not select DMZ MP by default. There is nothing special about choosing MP for DMZ clients, which is the same as for all other clients. To assign DMZ MP to DMZ clients, add DMZ MP to the boundary group of DMZ clients.
     
    Hope my answer could help you and look forward to your feedback.
     
    Best Regards,
    Ray

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by Fernand19 Wednesday, October 16, 2019 3:41 PM
    Thursday, October 3, 2019 2:31 AM
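Added example (not from either poster): a PowerShell check of the two points above, first on the site server (associate the DMZ MP with the DMZ clients' boundary group) and then on a DMZ client (confirm which MP it actually selected and that 443 reaches the DMZ MP, not the internal MP). The boundary group name, subnet range and server FQDNs are assumed placeholders.

```powershell
# --- Site server side: run from a ConfigMgr PowerShell drive (e.g. PS1:\) ---
$bgName     = 'DMZ Clients'           # assumed boundary group name
$dmzRange   = '192.0.2.1-192.0.2.254' # assumed DMZ client IP range
$dmzMp      = 'dmzmp01.contoso.com'   # assumed FQDN of the MP/DP in the DMZ
$internalMp = 'mp01.contoso.com'      # assumed FQDN of the internal MP

# Boundary group for DMZ clients, created if it does not exist yet
$bg = Get-CMBoundaryGroup -Name $bgName
if (-not $bg) { $bg = New-CMBoundaryGroup -Name $bgName }

# Boundary covering the DMZ clients, added to that group
$boundary = Get-CMBoundary -BoundaryName 'DMZ client range'
if (-not $boundary) {
    $boundary = New-CMBoundary -Name 'DMZ client range' -Type IPRange -Value $dmzRange
}
Add-CMBoundaryToGroup -BoundaryName 'DMZ client range' -BoundaryGroupName $bgName

# The MP site system must be referenced by the group; the site treats it
# like any other MP, its DMZ location is only a matter of which boundary
# group points clients at it.
Set-CMBoundaryGroup -Name $bgName -AddSiteSystemServerName $dmzMp

# --- DMZ client side: run on a client in the DMZ ---
function Get-ClientMpSelection {
    # MP the client currently reports to
    $auth = Get-CimInstance -Namespace root\ccm -ClassName SMS_Authority
    # MP candidates the client learned from its boundary groups
    $cands = Get-CimInstance -Namespace root\ccm\LocationServices `
                             -ClassName SMS_ActiveMPCandidate
    [pscustomobject]@{
        CurrentMP  = $auth.CurrentManagementPoint
        Candidates = ($cands | Select-Object MP, Locality, Type)
    }
}

Get-ClientMpSelection | Format-List

# Reachability: the DMZ MP should answer on 443, the internal MP should not.
# If the second test succeeds, clients can bypass the DMZ MP through the
# firewall rule the question describes, and that rule should be reviewed.
Test-NetConnection -ComputerName $dmzMp      -Port 443 | Select-Object ComputerName, TcpTestSucceeded
Test-NetConnection -ComputerName $internalMp -Port 443 | Select-Object ComputerName, TcpTestSucceeded
```

Clients pick up the new boundary group on their next location refresh; LocationServices.log on the client records which MP it resolved and why.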

All replies

  • Hello,
     
    I noticed that you have not updated for several days. So has your issue been solved? Or is there any update? Feel free to give feedback.
     
    Best Regards,
    Ray

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 7, 2019 2:11 AM