locked
dmz management point RRS feed

  • Question

  • Hello all

    I have a requirement on setting up sccm 2012 infrastructure to do internet based client management. Currently I have a MP inside the network that is http only.

    I was planning on setting up a perimeter network (MP and DP in the DMZ) that would talk https to internet clients  but i just realized that I cannot join the server in the DMZ to the domain, and if i am not mistaken non domain computers are not support for site server roles.

    What can I try in this situation ? We have Forefront TMG's that i dont have lot of knowledge of, is this something that I can put to use ? Given that MS Forefront TMG's are being discontinued out of the product line, what other options can I try

    http://technet.microsoft.com/en-us/library/cc707697.aspx

    http://blogs.technet.com/b/server-cloud/archive/2012/09/12/important-changes-to-forefront-product-roadmaps.aspx

    Monday, September 24, 2012 2:05 PM

All replies

  • Thats true. Site Systems role can only exist on Domain Members.

    Anyway this is improved in 2012, as you dont have to switch the entire site infrastructure into the former state called Native mode in 2007 and all Clients require cert.

    Now the SCCM 2012 can support both kind of Clients and this makes it easyer, however you still need to make a secure path from the internet to the SCCM server.

    The Heavy solution is to create a domain in the perimeter. 

    The easy way is to either create a Firewall rule that allow https trafic to the MP on the Inside Network MP SCCM Server. Read more here:

    http://technet.microsoft.com/en-us/library/dd8eb74e-3490-446e-b328-e67f3e85c779#Support_Internet_Clients

    Regarding the TMG beeing discontinued, thats true. But the its some years ahead, and alot can happen until then.

    "Forefront Threat Management Gateway 2010 and the product will be discontinued after April 14, 2020. Mainstream support will cease after April 14, 2015."

    The other solution is to consider Direct Access.

    Hope this was helpfull.


    Nicolai

    Tuesday, September 25, 2012 7:43 AM
  • Speaking of Certs, our root CA is on Server 2003 standard and I cannot use the custom templates described in this article http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012 to generate web server certificates for IIS. 2003 standard has limited templates available and to do what the article describes I have to either migrate our root CA to anything above 2003 standard. This can take months for us.

    What are my options to set up IBCM ? Thanks Nicolai,



    Wednesday, September 26, 2012 2:02 PM