SCEP 2012 R2 - Remote Distribution Point

  • Question

  • Can I set up a SCEP 2012 web site or portal located in my DMZ that my remote users can connect to if their definition files are out of date?

    I would like the portal to be made accessible so that updates can be applied by the end user manually when their AV is out of date and they cannot connect to services because of the out-of-date files.

    • Edited by Riley122 Friday, January 9, 2015 1:14 AM
    Friday, January 9, 2015 1:11 AM

Answers

  • Apologies Jeff - The following two options look good

    • Updates distributed from Microsoft Update – This method allows computers to connect directly to Microsoft Update in order to download definition and engine updates. This method can be useful for computers that are not often connected to the business network.
    • Updates distributed from Microsoft Malware Protection Center – This method will download definition updates from the Microsoft Malware Protection Center.

    Looking at them, though, there looks like too much for a user to do - we all know what users are like. I want something more like this to be hosted, so once advised the AV files are out of date by the gateway devices the user is redirected to a page that will present a screen like the extract below, and then all the user has to do is click "update".

    

    • Marked as answer by Riley122 Friday, January 9, 2015 4:34 PM
    Friday, January 9, 2015 4:17 PM

All replies

  • Can you be more specific on the subject line? SCEP 2012 and remote Distribution Point?

    You wanted to set up a remote distribution point for clients to download and install the definition updates if they are out of date? If so, you can install the ConfigMgr client on the DMZ computers and manage them via SCCM as workgroup computers. For more info, refer to this article: http://www.georgealmeida.com/2014/01/install-sccm-2012-agent-dmz/



    Eswar Koneti | Configmgr blog: www.eskonr.com | Linkedin: Eswar Koneti | Twitter: Eskonr

    Friday, January 9, 2015 1:30 AM
  • You can configure multiple sources for SCEP definition updates, one of which is Microsoft's Malware Protection Center.  http://technet.microsoft.com/en-us/library/jj822983.aspx

    Maybe try just providing multiple locations to your clients and have one be from Microsoft so when they are not connected they can still get definition updates?

    Jeff

    Friday, January 9, 2015 3:51 AM
  • Thanks for the feedback, Eswar and Jeff. A little more on the scenario: we are implementing a security gateway device to posture check external devices when they try to connect to internal services. One of the posture checks is that the antivirus is up to date; another is that there is a known certificate on the device (if it is a corporate machine). If it is a known machine but the antivirus is out of date, I want to have the users redirected to a secure web page so that they can update the AV files manually by accessing a portal from the SCEP 2012 R2 environme
    Friday, January 9, 2015 8:30 AM
  • As mentioned by Eswar, a SCEP client can use one of many sources including an alternate WSUS instance (this would/could be tricky though), Microsoft Malware Protection Center, Windows Update, and a UNC. Once configured, a client will try all of these in turn (per the policy applied).

    I don't think you can actually initiate the update from a web page, but you could certainly post instructions on how to manually initiate an update. However, if you've got alternate (and accessible) sources set up, this should happen automatically anyway.


    Jason | http://blog.configmgrftw.com | @jasonsandys

    Friday, January 9, 2015 3:15 PM
  • Hi Jason, thanks. Can you advise on any documentation that I can read with regards to setting up alternate sources for AV updates in turn?
    Friday, January 9, 2015 3:49 PM
  • Did you check out the link I posted previously?

    http://technet.microsoft.com/en-us/library/jj822983.aspx

    Jeff

    Friday, January 9, 2015 3:56 PM
  • If you configure multiple sources for updates, the Endpoint client will automatically download updates.  If accessing ConfigMgr for updates fails, it will fall to the next option in the list.  There is a setting for the number of hours out of date before an alternate source is used.  You can configure that.  There really should not need to be user intervention. . .

    Jeff

    Friday, January 9, 2015 4:43 PM
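
The replies above mention posting instructions for manually initiating an update and the client falling through its list of sources. As an added example (not code from any poster in this thread), the following PowerShell sketch does that by hand on one client: it runs the SCEP command-line tool against the configured sources, falls back to the Microsoft Malware Protection Center, and compares the signature version before and after. The install path and the registry key are assumptions based on a default SCEP client install and should be checked on the target build.

```powershell
# Added example: manual SCEP definition update with fallback to MMPC.
# Assumption: default SCEP client install path.
$mpCmdRun = Join-Path $env:ProgramFiles 'Microsoft Security Client\MpCmdRun.exe'
# Assumption: registry key where the SCEP client records its signature version.
$sigKey = 'HKLM:\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates'

function Get-SignatureVersion {
    # Returns the antivirus signature version string, or 'unknown' if unreadable.
    $props = Get-ItemProperty -Path $sigKey -ErrorAction SilentlyContinue
    if ($props -and $props.AVSignatureVersion) { $props.AVSignatureVersion } else { 'unknown' }
}

function Invoke-SignatureUpdate {
    # Runs MpCmdRun.exe with the given arguments; true when it exits with 0.
    param([string[]]$Arguments)
    & $mpCmdRun @Arguments | Out-Null
    return ($LASTEXITCODE -eq 0)
}

if (-not (Test-Path $mpCmdRun)) {
    Write-Error "MpCmdRun.exe not found at $mpCmdRun"
    exit 1
}

$before = Get-SignatureVersion

# Order matters: sources from the applied policy first, then MMPC directly.
$attempts = @(
    @{ Name = 'configured sources';                  Arguments = @('-SignatureUpdate') },
    @{ Name = 'Microsoft Malware Protection Center'; Arguments = @('-SignatureUpdate', '-MMPC') }
)

$succeeded = $null
foreach ($attempt in $attempts) {
    Write-Host "Requesting definitions from $($attempt.Name)..."
    if (Invoke-SignatureUpdate -Arguments $attempt.Arguments) {
        $succeeded = $attempt.Name
        break
    }
    Write-Warning "Update from $($attempt.Name) failed (exit code $LASTEXITCODE)."
}

$after = Get-SignatureVersion
if ($succeeded) {
    Write-Host "Update via $succeeded completed. Signature version: $before -> $after"
} else {
    Write-Error "No update source was reachable. Signature version is still $before."
    exit 2
}
```

An unchanged version after a successful run means the client already had the newest definitions that source offers.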