Manage servers in DMZ and IBCM with the same MP/SUP/DP in DMZ

  • Question

  • Hi all, 

    I already asked a similar question on this forum about a month ago. I got some answers but couldn't make it work and I still need some extra help.
    I use SCCM 2012 R2 with CU3, I only have one Primary site installed in my internal domain and a management point in my DMZ domain (different forests, no trust) that serves internet clients.
    I also want this DMZ MP to manage the intranet clients in DMZ (Web servers...) and I can't make it work. 
    I thought I could take advantage of the registry AllowedMPs offered by the CU3 because my DMZ clients are not allowed to communicate with the internal primary site on 80/443.

    I would like to avoid using the CCMALWAYSINF switch during the SCCM Client installation and to not treat my servers as internet clients. It works but I don't want the DMZ clients to use windows update to download the updates.

    Thanks again for your help.
    Sunday, April 12, 2015 6:01 PM

Answers

  • There are three important configurations that you need to think about:

    1. The DMZ servers need to have a client certificate to communicate with the MP in the DMZ;
    2. The certificate, used on the site server in the DMZ, needs to contain both names (intranet FQDN and Internet FQDN);
    3. The MP and DP, on the site server in the DMZ, need to be configured to allow intranet and Internet connections.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Sunday, April 12, 2015 6:15 PM
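    An added check for point 2 above (this is example code written for this page, not something Peter or the thread posted): run on the DMZ site system, it lists the Server Authentication certificates in the machine store and reports whether each one carries both the intranet and the Internet FQDN. The two FQDNs are placeholders; the `DnsNameList` and `EnhancedKeyUsageList` properties are the ones the PowerShell `Cert:` provider adds to certificate objects and merge the subject CN with the DNS entries of the Subject Alternative Name extension.

```powershell
# Added example, not from the thread. Run on the DMZ MP/DP itself.
$intranetFqdn = 'dmzmp.dmz.corp.example'   # placeholder: internal (intranet) FQDN
$internetFqdn = 'dmzmp.example.com'        # placeholder: Internet FQDN

# OID of the Server Authentication enhanced key usage.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'

function Test-SiteSystemCertificate {
    param([string[]]$RequiredNames)

    # Only certificates with a private key and the server-auth EKU can be bound in IIS.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
    }
    if (-not $candidates) {
        Write-Warning 'No Server Authentication certificate with a private key was found.'
        return $false
    }

    $anyOk = $false
    foreach ($cert in $candidates) {
        # DnsNameList = subject CN plus every "DNS Name=" entry of the SAN extension.
        $names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLower() })
        $missing = @($RequiredNames | Where-Object { $names -notcontains $_.ToLower() })

        Write-Host ("Thumbprint {0}  Expires {1:yyyy-MM-dd}" -f $cert.Thumbprint, $cert.NotAfter)
        Write-Host ("  Names   : {0}" -f ($names -join ', '))
        if ($missing.Count -gt 0) {
            Write-Host ("  Missing : {0}" -f ($missing -join ', '))
        } else {
            Write-Host '  OK      : both required names are present'
            $anyOk = $true
        }
    }
    return $anyOk
}

# $true when at least one usable certificate carries both names.
Test-SiteSystemCertificate -RequiredNames @($intranetFqdn, $internetFqdn)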

All replies

  • Hello, 

    Peter, thanks for your quick answer.

    1. I have a client certificate and it works because I was able to connect my DMZ server to the MP as an Internet client.

    2. I created the certificate with both names (Internet and Intranet), I used the alternative names field.

    3. The MP and DP allow Intranet and Internet connection.

    Here is the other thread I created a while ago, so you can have all the information

    https://social.technet.microsoft.com/Forums/en-US/ce18386b-8306-48d3-a27f-59fa2ee3a4fa/wrong-mp-assignement-for-clients-in-dmz?forum=configmanagergeneral#09a5ca7d-e626-4cbf-9f00-e8ef2ab745c9

    Sunday, April 12, 2015 6:29 PM
  • If the DMZ systems are in a different forest, then there's no need to explicitly use the AllowedMPs feature of CU3. Clients will prefer using the MP (DP and SUP also) in their own forest.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Sunday, April 12, 2015 6:34 PM
  • Also, keep in mind that the SMSMP property provides the initial management point during the client installation. The minor detail with this is that the client forgets the HTTPS part after the client installation. That means that the client needs to discover that information somewhere, and that can be something like the AD, or DNS.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Sunday, April 12, 2015 6:45 PM
  • Unfortunately, this is not what I observe in the locationservices.log or clientlocation.log. Do you know what other log could help me to identify the source of my problem?
    Sunday, April 12, 2015 7:16 PM
  • My AD schema is not extended for SCCM in the DMZ domain. What specific record should I create in my DMZ DNS so the client can discover the right information?

    Thanks.

    Sunday, April 12, 2015 7:18 PM
  • But I installed the client with the /SMSMP option so the management point doesn't need to be located since it's configured during the manual install of the client.
    Sunday, April 12, 2015 9:38 PM
  • That only configures the initial MP to use -- it in no way hard-codes or statically sets the MP to use. Every time the client agent starts, detects a network change, or every 25 hours, the client will re-query for an MP. It will use whatever MP it already has configured to locate new MPs though -- it won't use AD or DNS unless it does not know about an MP at all or cannot communicate with its current MP.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, April 13, 2015 12:24 AM
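  An added client-side diagnostic for the behaviour Jason describes (example code written for this page, not posted by anyone in the thread): run elevated on a DMZ server with the ConfigMgr client installed, it reads the MP the client currently has, whether the client thinks it is on the Internet, the CU3 `AllowedMPs` registry value and the `ClientAlwaysOnInternet` value that the CCMALWAYSINF switch sets, the MP candidates the client has evaluated, and the tail of the two logs the thread mentions. It assumes the client's `root\ccm` and `root\ccm\LocationServices` WMI namespaces and the standard `%windir%\CCM\Logs` path; the "Refresh Default MP" schedule trigger at the end is what makes the client re-query for an MP without waiting for a restart or the 25-hour cycle.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the client.

function Get-CcmLocationState {
    # SMS_Authority.Name is "SMS:<sitecode>"; CurrentManagementPoint is the MP in use.
    $authority  = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority
    # ClientInfo.InInternet tells whether the client currently treats itself as an Internet client.
    $info       = Get-WmiObject -Namespace 'root\ccm' -Class ClientInfo
    # MP candidates the location service has considered, with their type (Assigned/Local...).
    $candidates = Get-WmiObject -Namespace 'root\ccm\LocationServices' -Class SMS_ActiveMPCandidate

    $ccm = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -ErrorAction SilentlyContinue
    $sec = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM\Security' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SiteCode         = ($authority.Name -replace '^SMS:', '')
        CurrentMP        = $authority.CurrentManagementPoint
        InInternet       = [bool]$info.InInternet
        AlwaysOnInternet = [int]$sec.ClientAlwaysOnInternet   # 1 when CCMALWAYSINF was used
        AllowedMPs       = $ccm.AllowedMPs                    # CU3 value: FQDNs separated by ';'
        CandidateMPs     = @($candidates | ForEach-Object { "$($_.MP) [$($_.Type)]" })
    }
}

function Show-LocationLogs {
    param([int]$Tail = 15)
    # Newest entries are at the end of each log.
    $logDir = Join-Path $env:windir 'CCM\Logs'
    foreach ($name in 'LocationServices.log', 'ClientLocation.log') {
        $path = Join-Path $logDir $name
        if (Test-Path $path) {
            Write-Host "==== $name (last $Tail lines) ===="
            Get-Content -Path $path -Tail $Tail
        } else {
            Write-Warning "$path not found"
        }
    }
}

function Invoke-MpRefresh {
    # Schedule 23 is the client's "Refresh Default MP" task; this forces the
    # re-query Jason describes instead of waiting for a restart or 25 hours.
    Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name TriggerSchedule `
        -ArgumentList '{00000000-0000-0000-0000-000000000023}' | Out-Null
}

Get-CcmLocationState | Format-List
Show-LocationLogs
# Optionally trigger the refresh and re-read the logs after a minute or two:
# Invoke-MpRefresh; Start-Sleep -Seconds 90; Show-LocationLogs
```

  Compare `CurrentMP` and `CandidateMPs` with what LocationServices.log shows right after a refresh: if the DMZ MP is never listed as a candidate, the client is not finding it through its current MP, AD or DNS, which is the discovery step Peter's and Jason's replies point at; if it is listed but `InInternet` is true, the client is still treating itself as an Internet client.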