Internet Clients and lowest level of AD Domain functionality?

  • Trying to find out if it is possible to deploy SCCM 2012 SP1 using PKI for Internet client support but only with a domain functionality level of 2003?
    Thursday, May 23, 2013 10:09 PM

Answers

  • Domain functionality has no bearing on Internet client support or PKI.

    You do need to be at the 2003 domain functional level to support system discovery filtering by last logon timestamp in 2012, but that's it.

    As for PKI, there are a lot of variables there, but none that require any specific domain or forest functional levels to my knowledge.


    Jason | http://blog.configmgrftw.com

    Thursday, May 23, 2013 11:32 PM

All replies

  • Thanks Jason.

    So any suggestions on how to implement the capabilities of Internet clients? I have some theories and basic knowledge from reading blogs and books but have never had to implement it.

    I am thinking of two ways.

    1. Set up a CA and DP in the client's DMZ for Internet clients.

    or

    2. Set up the same but in Windows Azure.

    Suggestions?

    Friday, May 24, 2013 4:20 PM
  • I would never put a CA in a DMZ; it's a bad thing to do security-wise and isn't required. Curious why you are considering doing this? Certificate issuance is a one-time thing (although certs do need to be renewed periodically).

    Having an Internet facing DP in the DMZ (or on Azure) is not sufficient to manage Internet clients. You also need an Internet facing MP (which cannot be in Azure).

    Don't mix up PKI requirements and design with ConfigMgr requirements and design; they are two different things. ConfigMgr IBCM and HTTPS client communication requires trusted certificates, not necessarily a PKI. That's not to say that you shouldn't use a PKI to fulfill this requirement (you probably should), it's to say that you need to design them separately and with a good working knowledge of each. Setting up a PKI (for whatever purposes) is a complex task all by itself, as is ConfigMgr.


    Jason | http://blog.configmgrftw.com

    Friday, May 24, 2013 5:16 PM
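The reply above separates the ConfigMgr requirement (a trusted certificate with the right usage, wherever it comes from) from how a PKI issues it. The script below is an added example, not code from the thread or from ConfigMgr itself: run on a prospective IBCM client, it audits the Local Computer Personal store for a certificate that satisfies the HTTPS client requirements ConfigMgr 2012 documents (private key present, Client Authentication EKU 1.3.6.1.5.5.7.3.2, in its validity period, and chaining to a root the machine trusts). With `-RequiredEkuOid 1.3.6.1.5.5.7.3.1` (Server Authentication) the same check applies to the web server certificate bound in IIS on the Internet-facing MP/DP. The function name and parameter names are my own; the script assumes it is run elevated and that the machine can reach the CA's CRL/OCSP endpoints for the online revocation check.

```powershell
# Added example (not from the thread): audit Cert:\LocalMachine\My for a certificate
# usable by the ConfigMgr client over HTTPS / IBCM. Function and parameter names are
# assumptions for illustration; the requirements checked are ConfigMgr's documented ones.
function Test-ConfigMgrCert {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        # 1.3.6.1.5.5.7.3.2 = Client Authentication (client cert);
        # 1.3.6.1.5.5.7.3.1 = Server Authentication (IIS cert on the MP/DP).
        [string]$RequiredEkuOid = '1.3.6.1.5.5.7.3.2'
    )

    $problems = New-Object System.Collections.Generic.List[string]

    # The client must be able to sign with the key, so a public-only cert is useless.
    if (-not $Cert.HasPrivateKey) { $problems.Add('no private key') }

    $now = Get-Date
    if ($Cert.NotAfter  -lt $now) { $problems.Add("expired on $($Cert.NotAfter)") }
    if ($Cert.NotBefore -gt $now) { $problems.Add("not valid until $($Cert.NotBefore)") }

    # The EKU extension must be present and must list the required purpose.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $eku) {
        $problems.Add('no Enhanced Key Usage extension')
    } elseif (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $RequiredEkuOid })) {
        $problems.Add("EKU does not include $RequiredEkuOid")
    }

    # Build the chain against this machine's trusted roots with online revocation
    # checking; an untrusted issuer or a revoked cert is rejected by the site system.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems.Add("chain not trusted: $status")
    }
    $chain.Reset()

    [pscustomobject]@{
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        Thumbprint = $Cert.Thumbprint
        NotAfter   = $Cert.NotAfter
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

# Report every certificate in the computer's Personal store; at least one row
# should show Usable = True before the client is switched to HTTPS.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ConfigMgrCert -Cert $_ } |
    Format-Table Subject, Issuer, NotAfter, Usable, Problems -AutoSize
```

A certificate that passes here still has to be selectable by the client (by default the first valid one, or one matching the site's certificate selection criteria), and the issuing chain must also be trusted by the site systems the client talks to; the script checks what is on the client, not the site-side trust configuration.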
  • Thanks. Have been doing a lot of reading this past weekend on IBCM.

    The end goal is to have all clients managed. This environment has only 700+ clients. However, 70% of them are all remote users, and out of that 70% about half of them very rarely connect to the network via VPN or come into a remote office. It is that group of computers that is the reason behind IBCM: to be able to have some sort of inventory and be able to manage software updates at least on a reporting level. No plans to push software or even push updates to those clients.

    Tuesday, May 28, 2013 3:48 PM