SCCM 2012 IBCM and client certificate

  • Question

  • Hi all, I need to answer a question about an IBCM SSL Bridging configuration.

    If I am using more than one site server for each role, do I have to have a public DNS entry for each one of them (my guess is yes).

    And, if I have more than one site server used and published on public DNS, does my client certificate require a SAN for each one of them? Or is only the MP necessary, and will it give all the required information to my clients so that they are able to connect to the site server for each required role?

    I am trying to understand a bit more how SSL Bridging works.

    The planned architecture is that all roles would be on different servers, and that each one of them will be accessible from the internet. I am still trying to understand how the client will get the external FQDN for each role.

    There doesn't seem to be much documentation out there about using IBCM with many servers.

    Thank you!


    Thursday, November 27, 2014 4:07 PM


All replies

  • The client certificate is only used by the client for client authentication, so there is no requirement at all to add a SAN for the site system(s) in there. The web server certificate of the Internet-facing site system is the certificate that requires a SAN for the Internet FQDN and the intranet FQDN. Purely technically speaking, the requirement for both FQDNs is only for a SUP, or for a site system that's being used on the Internet and intranet.

    For more information see also: http://technet.microsoft.com/en-us/library/gg712701.aspx#Support_Internet_Clients

    My Blog: http://www.petervanderwoude.nl/
    Follow me on twitter: pvanderwoude

    • Marked as answer by mdesjardins Friday, November 28, 2014 2:32 PM
    Thursday, November 27, 2014 7:28 PM
  • If my understanding is correct:

    • All internet-available site servers should have an entry using their public FQDN in the public DNS so that clients can resolve the name.
    • All internet-available site servers should have both the internal and external FQDN in the SAN.
    • Client computers only need a standard certificate, but the ConfigMgr client should be installed using SMSMP (internal) and CCMHostName (external).
    • Can contact a CRL from the internet

    Thank you for your help! Really appreciated.

    Friday, November 28, 2014 2:41 PM
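As an added check that is not part of the thread above, the following PowerShell function verifies the points the two replies agree on for an Internet-facing site system: the web server certificate carries both the intranet and the Internet FQDN in its SAN, has the Server Authentication EKU and a private key, the Internet FQDN resolves through a public resolver, and the certificate's HTTP CRL distribution points answer. The function name, the FQDNs, the thumbprint and the 8.8.8.8 resolver are assumptions and placeholders, not values from the thread.

```powershell
function Test-IbcmWebCert {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,    # web server cert of the site system (placeholder)
        [Parameter(Mandatory)][string]$IntranetFqdn,
        [Parameter(Mandatory)][string]$InternetFqdn,
        [string]$PublicResolver = '8.8.8.8'           # assumption: any resolver outside the corporate DNS
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    $sanDns = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+)$') { $sanDns += $Matches[1].Trim().ToLowerInvariant() }
        }
    }
    # HTTP CRL distribution points (OID 2.5.29.31); Internet clients must reach at least one.
    $crlUrls = @()
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) {
        foreach ($line in ($cdp.Format($true) -split "`r?`n")) {
            if ($line -match 'URL=(https?://\S+)') { $crlUrls += $Matches[1] }
        }
    }

    $result = [ordered]@{
        IntranetFqdnInSan    = $sanDns -contains $IntranetFqdn.ToLowerInvariant()
        InternetFqdnInSan    = $sanDns -contains $InternetFqdn.ToLowerInvariant()
        ServerAuthEku        = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' })
        HasPrivateKey        = $cert.HasPrivateKey
        InternetFqdnResolves = $false
        CrlReachable         = @()
    }
    # Resolve the Internet FQDN the way an Internet client would: not through the intranet DNS.
    try {
        $null = Resolve-DnsName -Name $InternetFqdn -Server $PublicResolver -DnsOnly -ErrorAction Stop
        $result.InternetFqdnResolves = $true
    } catch { }
    foreach ($url in $crlUrls) {
        try { $ok = (Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10).StatusCode -eq 200 }
        catch { $ok = $false }
        $result.CrlReachable += [pscustomobject]@{ Url = $url; Reachable = $ok }
    }
    [pscustomobject]$result
}
# Example call with placeholder values:
# Test-IbcmWebCert -Thumbprint '<thumbprint>' -IntranetFqdn 'mp01.corp.example.local' -InternetFqdn 'mp01.example.com'
```

The DNS and CRL checks reflect the network path of the machine running the function, so run it from a host outside the corporate network to see what an Internet client actually gets.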