SCCM 2012 R2 and Server 2012 Web Application Proxy (Reverse Proxy) for IBCM

  • Question

  • Hi,

    I have a fully functional single server deployment of SCCM 2012 R2 in our domain with full PKI and Https working as it should when at the domain or connected via VPN.

    I'd like to leverage our new Server 2012 R2 web application proxy for Internet based clients to communicate back to the main site without needing to deploy another site server in our DMZ for this purpose, or use VPN connections (or DirectAccess for that matter).

    I'm having trouble working out the exact steps to publish the connection between the proxy server and the SCCM server. I can get to the default IIS page or Application Catalog from an external client if I do pass-through publishing with a public wildcard certificate, but the internet client doesn't seem to actually be polling back and if I try to install an application via the portal it throws an error relating to security.

    I'm fairly sure this has something to do with how the client certificate is passed from the outside to the inside, but I haven't been able to get it to work and for all my searching I haven't been able to find much information about configuring the web application proxy for SCCM internet based clients.

    My understanding is this is a supported configuration as per this article (for 2007 but still applies):


    These sites have also pointed me in the right direction; they explain this setup with ISA and TMG:



    Does anyone out there have experience in using the Server 2012 web application proxy to enable Internet based client communications or could post a link for me with some further information?

    I have been working with SCCM for a few years but this is the first deployment I have had to do that needs to accommodate internet based clients, and from my reading using a reverse proxy seems like the simplest and neatest deployment for our environment.

    I would really appreciate any assistance as this is my last hurdle in our SCCM deployment before we move into production.



    Thursday, February 13, 2014 10:45 AM

All replies

  • Hi there Jeremy

    Just wondering whether you had any luck on this?

    Tuesday, March 25, 2014 2:10 PM
  • Hi,

    Did you get this working in the end? Any tips and tricks you could share?

    I am in a similar position, have been working with SCCM for years but this is the first time I have had to look at Internet Based Client Management. I would like to deploy a Web Application Proxy in our DMZ and leverage existing SCCM role servers on the internal network (or deploy new servers and roles that can be used for both intranet and internet communications). 

    Or is this not a recommended best practice with ConfigMgr 2012 R2?

    Monday, April 7, 2014 3:24 AM
  • What ever happened with this?
    Sunday, June 15, 2014 2:40 AM
  • bump. Anyone get this figured out?

    born to learn!

    Monday, June 30, 2014 7:33 PM
  • Does this work or not?
    Sunday, October 12, 2014 4:35 AM
  • No it doesn't work, because the request from the Web Application Proxy to ConfigMgr doesn't use a client authentication certificate. You can verify that behavior by looking at the IIS logs (at your ConfigMgr site system). They will show all 403.7 messages, which indicate that a client certificate is required.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Sunday, October 12, 2014 11:11 AM
  • OK, I found this:


    They only mention Workplace Join/Client Registration, but it seems like the same limitation would apply to communication needed for IBCM.

    Does anyone know if the SSL bridging functionality is in Server 10 Tech Preview now or coming later?

    Since ISA and TMG are no longer available for purchase, which reverse proxies that are currently on the market support clients connecting when they are required to authenticate with client certificates?

    Does Cisco ASA or ACE support this?

    Sunday, October 12, 2014 3:50 PM
  • The only thing I know that it's not available in the current Windows Server Technical Preview.

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    Sunday, October 12, 2014 6:04 PM
  • So we know what will not work and still have no solution.

    What besides ISA and TMG properly pass the client certificates through the reverse proxy?

    Can someone name some specific product brands and models of hardware appliances or alternate Windows software that are known to support compatible SSL bridging requirements and work without causing the 403.7 failure errors?

    • Edited by MyGposts Monday, October 13, 2014 3:21 AM
    Monday, October 13, 2014 3:04 AM
  • Has anyone found a solution for this yet? I also would like to be able to reverse proxy internet based clients into the internal Configuration Manager site - something like WAP would be ideal - shame it is not supported at present.

    Any alternatives?

    Friday, November 28, 2014 10:34 AM
  • Is there really no solution for this at all?!!

    What can people do to make IBCM work when they don't have TMG or ISA?

    Sunday, December 7, 2014 6:13 PM
  • Use another reverse proxy or simply use a DMZ -- there is no requirement for a reverse proxy whatsoever. The traffic and traffic pattern is no different than a browser and web server here so you can treat them exactly the same way.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Sunday, December 7, 2014 11:53 PM
  • What is an example of a currently available reverse proxy that allows filtering to allow through only the valid CM HTTP methods? I can't find any. Everything points to the assumption that everyone has TMG or ISA.
    • Edited by MyGposts Monday, December 8, 2014 12:30 AM
    Monday, December 8, 2014 12:29 AM
  • Don't know -- Microsoft doesn't make one. You could try Citrix NetScaler, Cisco, F5, etc.

    There's no such thing as "valid CM HTTP methods". HTTP is HTTP is HTTP. As mentioned, Configuration Manager traffic looks and acts just like normal web traffic because ... it is normal web traffic.

    As mentioned though, there is no requirement for ConfigMgr to use a reverse proxy. You really should get your networking and security folks involved.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, December 8, 2014 1:49 PM
  • I know there is no "requirement" to use a reverse proxy, but since this is a small environment that can easily be handled by a single server with all roles, using a single server in the LAN with a reverse proxy in the DMZ would be the most efficient and cost effective method.  

    If it is setup correctly, it should also be the most secure.

    The ISA instructions show that you can add additional security by only allowing valid commands to make its way past the proxy to your internal network. We would want to do the same if we used a third party reverse proxy so that we know that no malicious traffic could get through the reverse proxy to the LAN if somehow a client certificate was spoofed.


    To Modify the Web Publishing Rule to Enable the required HTTP Methods:

      • In the ISA Server management console middle pane, right-click the Web Publishing rule, and then select Configure HTTP.

      • On the Methods tab, select Allow only specified methods, and then click Add.

      • On the Method dialog box, type an HTTP method in the Method box, and then click OK. Repeat this step to allow the following HTTP methods:

        • HEAD
        • CCM_POST
        • BITS_POST
        • GET
        • PROPFIND

    I haven't found a non-Microsoft reverse proxy that has the ability to do this, but I don't know all reverse proxy hardware available on the market. I just know the suggestions of ISA and TMG are no longer available.

    A Google search for this only finds a proxy that doesn't do what we need.



    • Edited by MyGposts Monday, December 8, 2014 2:23 PM
    Monday, December 8, 2014 2:22 PM
  • If this is what you want, then you'll need to get with the possible vendors and ask them directly.

    I have no explicit experience with any third-party reverse proxies but have set up IBCM with an F5 reverse proxy in place already. We did not limit the HTTP methods though.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Monday, December 8, 2014 2:51 PM
  • I have searched online and found nothing. Looks like it doesn't exist or it would come up in a search or someone in these forums would have posted that they use this or that proxy and it has the needed functionality.

    I found this thread and hoped that maybe Microsoft's web application proxy might do the job and then found out that doesn't work either.

    I don't understand why Microsoft chose to discontinue TMG when there is no alternative products on the market that do everything that TMG does to take its place.

    Nobody else making a really competitive alternate product by now probably means it cannot be done due to patents or some other legal issue preventing it.

    Wednesday, December 10, 2014 6:24 AM
  • First, as mentioned, there are absolutely multiple other reverse proxy products out there including those from F5, Cisco, and Citrix. And as mentioned, I have implemented IBCM using an F5 before.

    Next, as to why Microsoft chose to sunset all Forefront products, that's a question for them although the short skinny of it is that they didn't want to be a security company. Does it really matter here though?

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, December 10, 2014 2:18 PM
  • I know there are other reverse proxies that can be used if you are not strict on security requirements, but apparently there are none that have all the functionality of TMG or even ISA (most importantly the ability to filter by HTTP methods) so that the reverse proxy can be used to connect IBCM clients to an internal MP/SUP/DP as securely as possible.

    Without these features, if you need best security for IBCM, you would need to put an additional DP/MP/SUP in a DMZ so your internal network can be more secure. This makes a more costly and complicated design that would have been otherwise unnecessary in small environments become necessary for security to mitigate against this lack of functionality in all the non-Microsoft reverse proxy solutions.

    If we were to use one of the non-Microsoft reverse proxies that don't support filtering to only allow IBCM-related HTTP methods, we would still need to use a secondary DP/MP/SUP in a DMZ and put this less-functional reverse proxy in the DMZ in front of those as an additional security layer.

    Wednesday, December 10, 2014 4:50 PM
  • Yep, all true. It is what it is although I can neither confirm nor deny the last paragraph -- that's something to discuss with the many vendors out there that produce reverse proxies.

    The "more secure" statement is debatable of course because it is subjective and dependent on many different things. Ultimately that's for you to determine for your environment though.

    Also remember that all ConfigMgr client agent traffic is both encrypted and signed as well as authenticated so the need for filtering on the http methods doesn't really add a lot of value if you key off of these characteristics of the traffic. That's still subjective and up to you though.

    Is it too bad that TMG is no longer offered? Sure, but nothing will change that. As mentioned, your best bet at this point is to communicate directly with those vendors to determine the best path. Not trying to stonewall you here as it's possible someone that stumbles across this thread has some input, but ultimately, the best source of information on third-party products is the third-parties themselves.

    Jason | http://blog.configmgrftw.com | @jasonsandys

    Wednesday, December 10, 2014 5:32 PM
  • I understand, but there is nobody to contact. If there was, they would show up in a keyword search.

    Otherwise, they have extremely poor SEO, which is unlikely for a reputable company trying to sell a product.

    A company selling such a product would want to be found and not wait for potential customers to find them after randomly contacting all their competitors.

    If Microsoft is blocking this filtering capability for third parties due to patent or other licensing issues, they should at least provide it themselves so it is available *somewhere*. Seems like the Web Application Proxy would be the logical place to add this feature now that they no longer have TMG on the market.

    Wednesday, December 10, 2014 9:09 PM