IBCM and IIS site system

  • Question

  • Hello,

    I am setting up IBCM within our SCCM 2012 SP1 environment.

    According to this article:

    http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012

    I read the information below in italic. What I do not understand is: Is the MP the IIS member server?

    What do they mean by: "It must be installed externally"?

    I have the following servers on the one primary site which need certificates:

    MP, 2x DP, SUP

    Do I need another machine for IIS ????

    Thanks,

    Hanna

    You have one computer that has Windows Server 2008 (Standard Edition or Enterprise Edition) installed on it and that is designated as a member server, and Internet Information Services (IIS) is installed on it. This computer will be the Configuration Manager site system server that you will configure with an intranet FQDN

    Web server certificate for site systems that run IIS

    This certificate is used to encrypt data and authenticate the server to clients. It must be installed externally from Configuration Manager on site systems servers that run IIS and that are configured in Configuration Manager to use HTTPS.

    For Configuration Manager SP1 only: This certificate might also be required on management points when client notification traffic falls back to using HTTPS.

    Tuesday, June 11, 2013 8:29 AM

Answers

All replies

  • It just means the certificate you have generated needs to be installed manually and configured in IIS because Configuration Manager cannot do this for you.  Everything can all be on the one box.

    Andy


    My Personal Blog: http://madluka.wordpress.com

    Tuesday, June 11, 2013 10:53 AM
  • Thank you. Do I understand it properly:

    So if I have 4 separate machines:

    MP, SUP, DP1, DP2

    I need 4 certificates then to enable SSL on each machine's IIS.

    Then, I want to publish it on TMG, do I need a listener for:

    MP, SUP -> also DP1 and DP2?

    Thanks in advance

    Hanna

    Tuesday, June 11, 2013 3:05 PM
  • Each server with IIS in HTTPS mode will need a Web Server Certificate.  In addition, if the server has the MP role then it will ALSO need a Client Authentication Certificate (same one as your client systems.)

    TMG - I can't help you much there, other than to tell you that when we configured IBCM for a client we had to poke around in TMG to configure it to ALSO have a client authentication certificate registered for its own name and also, if I recall correctly, a Web Server Certificate - as it acts as the middle ground between client and server and authentication applies both ways.  It was a little complex, but we muddled through in the end.

    I would strongly recommend having just the one box to simplify the configuration required - unless you really, really think a single server will not cope with incoming requests, which it should handle no problem.


    My Personal Blog: http://madluka.wordpress.com

    Tuesday, June 11, 2013 3:35 PM
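
Added example, not part of any reply in this thread: a PowerShell check, run locally on a site system, of the two requirements stated in the reply above (a Web Server certificate behind every IIS HTTPS binding, plus a Client Authentication certificate on a management point). It assumes PowerShell 3.0 or later, the IIS WebAdministration module, and certificates kept in the LocalMachine store; `$IsManagementPoint` and `Test-CertEku` are names made up for this example.

```powershell
# Added example: audit the certificates IBCM needs on one IIS site system.
Import-Module WebAdministration

$ServerAuthOid     = '1.3.6.1.5.5.7.3.1'  # Server Authentication EKU
$ClientAuthOid     = '1.3.6.1.5.5.7.3.2'  # Client Authentication EKU
$IsManagementPoint = $true                # assumption: set per server being checked

function Test-CertEku {
    # Hypothetical helper: true if the certificate's EKU extension lists $Oid.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Oid
    )
    foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            return [bool]($ext.EnhancedKeyUsages | Where-Object { $_.Value -eq $Oid })
        }
    }
    return $false  # no EKU extension: reported as not matching in this audit
}

# 1. Every HTTPS binding in IIS should point at a valid Web Server certificate.
foreach ($binding in Get-ChildItem IIS:\SslBindings) {
    $path = 'Cert:\LocalMachine\{0}\{1}' -f $binding.Store, $binding.Thumbprint
    $cert = Get-Item $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Port          = $binding.Port
        Thumbprint    = $binding.Thumbprint
        Subject       = if ($cert) { $cert.Subject } else { '<not in store>' }
        ServerAuthEku = if ($cert) { Test-CertEku $cert $ServerAuthOid } else { $false }
        HasPrivateKey = if ($cert) { $cert.HasPrivateKey } else { $false }
        Expired       = if ($cert) { $cert.NotAfter -lt (Get-Date) } else { $null }
    }
}

# 2. A management point also needs a Client Authentication certificate.
if ($IsManagementPoint) {
    $clientCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and (Test-CertEku $_ $ClientAuthOid)
    })
    if ($clientCerts.Count -eq 0) {
        Write-Warning 'No valid Client Authentication certificate in LocalMachine\My.'
    } else {
        $clientCerts | Select-Object Subject, Thumbprint, NotAfter
    }
}
```

A binding row with `ServerAuthEku` false, `HasPrivateKey` false or `Expired` true is the one to fix before publishing that site system through the reverse proxy.
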
  • Any Internet-facing IIS site role will need to have an SSL certificate configured for IIS.

    With regard to TMG configuration, this documentation may provide some insight (it's for ConfigMgr 2007 and ISA Server 2004/2006, but it largely applies to ConfigMgr 2012 and TMG): http://technet.microsoft.com/en-us/library/cc707697(TechNet.10).aspx


    Check out my Configuration Manager blog at http://blogs.msdn.com/b/ameltzer


    Tuesday, June 11, 2013 11:32 PM
  • Thanks,

    I set up native mode in the past for SCCM 2007 and TMG based on this wonderful walkthrough you just pointed to!

    Because it worked perfectly, now I am just focusing on differences I need to take into account that apply for SCCM 2012 SP1.

    What I need to know for 2012 SP1 is:

    What is the main difference while setting up certificates and TMG for 2007 and for 2012 SP1? Can I do it in the same way?

    Since I cannot put everything on one box (organisation is too big), do I need to publish DPs as well on the TMG?

    And, still I do not understand which machine is meant in the TechNet article I mentioned in my first question, do they mean MP? DP???

    You have one computer that has Windows Server 2008 (Standard Edition or Enterprise Edition) installed on it and that is designated as a member server, and Internet Information Services (IIS) is installed on it. This computer will be the Configuration Manager site system server that you will configure with an intranet FQDN

    Thanks again,

    Hanna

    Wednesday, June 12, 2013 8:18 AM
  • They mean ANY internet facing site system (configured with an internet FQDN) must be accessible by the client through TMG.

    My Personal Blog: http://madluka.wordpress.com

    • Marked as answer by Hana_hanna Wednesday, June 12, 2013 9:56 AM
    Wednesday, June 12, 2013 9:19 AM
  • Oh I understand, I was reading it completely wrong! Like "you need to have a dedicated server with IIS on it which is not a MP nor DP…"

    Wednesday, June 12, 2013 9:56 AM