HTTP and HTTPS with MP in the same site.

  • Question

  • I've seen some behavior that I'm just starting to track down. We have one site with multiple MPs, each in a different firewall-isolated zone because of security constraints. For all practical purposes SCCM agents cannot communicate across the firewalls to the MPs.

    The initial setup has all the MPs on HTTP; the agents eventually find an MP in their zone, though on occasion this can take some time. We want to take one of the zones to HTTPS to use it for the Internet-connected clients. When we do that, I've seen what looks like all the clients trying to get to the HTTPS MPs and ignoring the HTTP MPs.

    I have a workaround, which is to set up another MP strictly as HTTPS marked as Internet-only, or go to HTTPS everywhere.

    Any thoughts on this kind of configuration?


    Bob

    Tuesday, March 26, 2013 3:51 PM

Answers

  • Multiple MPs within a single site are not for anything except availability and cross-forest scenarios.

    Client selection of MPs is a GC query for all MPs. MPs are returned in two lists: HTTPS and HTTP. Clients capable of HTTPS communication prefer MPs in the HTTPS MP list but selection within those two lists is completely non-deterministic/random.

    Thus, what you are doing is unsupported and will result in unpredictable results.

    To cross hard security boundaries, you unfortunately need to use additional primary sites (and a CAS).


    Jason | http://blog.configmgrftw.com

    • Marked as answer by Bob Panick Tuesday, March 26, 2013 11:35 PM
    Tuesday, March 26, 2013 4:33 PM
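The selection behaviour Jason describes can be modelled to show why clients in the HTTP-only zones end up targeting the HTTPS MP. The following is an added illustration, not ConfigMgr code or anything from this thread: the zone names, MP names and the "firewalls block all cross-zone traffic" rule are constructed assumptions. It follows the answer literally: the site's MPs are split into an HTTPS list and an HTTP list, HTTPS-capable clients prefer the HTTPS list, and the pick within a list is random. Nothing in that process knows about firewall zones.

```python
"""Toy model of the MP-selection behaviour described in the answer above.

Added example, not ConfigMgr code. Zones, MP names and the reachability
rule are constructed for illustration.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ManagementPoint:
    name: str
    zone: str   # constructed: which firewall-isolated zone hosts this MP
    https: bool


# Constructed sample site: three firewall-isolated zones, one MP each.
# zone-C is the zone that was switched to HTTPS for Internet clients.
SITE_MPS = [
    ManagementPoint("MP-A", "zone-A", https=False),
    ManagementPoint("MP-B", "zone-B", https=False),
    ManagementPoint("MP-C", "zone-C", https=True),
]

# Same site before the change: every MP still on HTTP.
SITE_MPS_ALL_HTTP = [
    ManagementPoint("MP-A", "zone-A", https=False),
    ManagementPoint("MP-B", "zone-B", https=False),
    ManagementPoint("MP-C", "zone-C", https=False),
]


def split_mp_lists(mps):
    """Return (https_list, http_list), the two lists the answer says the GC query yields."""
    return [m for m in mps if m.https], [m for m in mps if not m.https]


def select_mp(mps, client_https_capable, rng):
    """HTTPS-capable clients prefer the HTTPS list; the pick within a list is random."""
    https_list, http_list = split_mp_lists(mps)
    candidates = https_list if (client_https_capable and https_list) else http_list
    return rng.choice(candidates)


def reachable(mp, client_zone):
    """Constructed rule: the firewalls block every cross-zone agent-to-MP connection."""
    return mp.zone == client_zone


def simulate(mps, clients, seed=0):
    """Run one selection per (zone, https_capable) client.

    Returns {zone: number of clients that picked an MP they cannot reach}.
    """
    rng = random.Random(seed)
    unreachable = {}
    for zone, capable in clients:
        mp = select_mp(mps, capable, rng)
        if not reachable(mp, zone):
            unreachable[zone] = unreachable.get(zone, 0) + 1
    return unreachable


if __name__ == "__main__":
    clients = [(z, True) for z in ("zone-A", "zone-B", "zone-C") for _ in range(5)]
    print("all HTTP (random, may need retries):", simulate(SITE_MPS_ALL_HTTP, clients))
    print("one zone HTTPS (every HTTPS-capable client picks MP-C):",
          simulate(SITE_MPS, clients))
```

With every MP on HTTP, a client's pick is random across all three zones, which matches the "eventually finds an MP, sometimes slowly" experience. Once a single MP is HTTPS, the HTTPS list has exactly one entry, so every HTTPS-capable client in every zone selects it, and clients outside that zone have no reachable choice at all.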

All replies

  • Can secondary sites be used to establish the boundaries where clients connect to with an MP?  I think the answer is no, but thought I would ask.


    Bob

    Wednesday, April 3, 2013 6:19 PM