Segregating SCCM Traffic to a Security Zone

  • Question

  • Hi,

    We have a requirement where we need to build an SCCM MP\DP\SUP server or a secondary site.

    All the required ports will be only opened up between this new SCCM server and existing Primary Site server.

    All SCCM clients in these few dedicated subnets will report to the new server and should never communicate with the primary site server or any other SCCM server for software distribution, policy, software updates or any other SCCM tasks.

    This is to keep all the traffic contained in that particular security zone.

    Please let me know if this is possible, or whether a standalone primary site server in that zone is the only answer for this?


    Friday, August 12, 2016 5:10 AM

Answers

  • Hi,

    There are some challenges. If you use a secondary site, the client will always register with the Primary Site MP, and you cannot control which SUP the SCCM client chooses either. If you go for a site system with an MP, all clients will try to use that one if the "normal" one goes down.

    So if you can live with the client registration traffic and potentially the SUP, then you can go for a secondary site.

    Regards,
    Jörgen


    -- My System Center blog ccmexec.com -- Twitter @ccmexec

    Friday, August 12, 2016 5:31 AM
  • The key point above is that secondary sites are not gateways and by the letter of the requirements above will not work.

    If this is simply a segregated network and there are no bandwidth challenges, then using a site system hosting the MP, DP, and SUP will work.

    Are the clients to be managed in this network a member of a different domain or forest?


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, August 12, 2016 1:50 PM
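As an added verification check (not code from the thread or from either poster): a PowerShell script run on a client inside the segregated zone that reports which management point and WSUS/SUP server the client is actually using, so the result can be compared with the firewall allow-list for that zone. The expected host name `zone-sccm01.example.local` is a placeholder assumption; the WMI classes and registry key are the ones the ConfigMgr client populates.

```powershell
# Added example: report the site systems a ConfigMgr client is actually using.
# Run elevated on a client in the zone; compare the output with the zone's
# firewall rules. Reads the client's own WMI classes, so it works offline.
param(
    # Assumed placeholder: the MP/DP/SUP site system built for the zone.
    [string[]]$ExpectedHosts = @('zone-sccm01.example.local')
)

function Get-HostFromUrl([string]$Url) {
    if ([string]::IsNullOrWhiteSpace($Url)) { return $null }
    try { return ([uri]$Url).Host } catch { return $Url }
}

# Assigned site and the MP the client currently talks to (root\ccm SMS_Authority)
$authority = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority'
$mpHost    = $authority.CurrentManagementPoint

# WSUS/SUP the client's WUA handler has been pointed at
$src     = Get-CimInstance -Namespace 'root\ccm\SoftwareUpdates\WUAHandler' `
                           -ClassName 'CCM_UpdateSource' -ErrorAction SilentlyContinue
$supHost = Get-HostFromUrl $src.ContentLocation

# The same SUP as written into the local Windows Update policy by the client
$wuPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                             -ErrorAction SilentlyContinue
$wuHost   = Get-HostFromUrl $wuPolicy.WUServer

[pscustomobject]@{
    AssignedSite        = $authority.Name
    ManagementPoint     = $mpHost
    SoftwareUpdatePoint = $supHost
    WUServerPolicy      = $wuHost
} | Format-List

# Flag any site system outside the zone. As the replies above note, client
# registration (and possibly SUP selection) can still go to the primary site.
$expected = $ExpectedHosts | ForEach-Object { $_.ToLowerInvariant() }
foreach ($h in @($mpHost, $supHost, $wuHost) | Where-Object { $_ }) {
    if ($expected -notcontains $h.ToLowerInvariant()) {
        Write-Warning "Client is using '$h', which is not in the expected zone host list."
    }
}
```

Any warning printed identifies traffic that the zone firewall would have to allow (or block, breaking that function) and that a firewall log review should show.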
