Set Up SCCM 2012 R2 With Fewest Number Of Servers?

  • Question

  • We do not have SCCM at all now, but it was just purchased along with SQL Server and is now ready to be setup for the first time.

    We do not have Software Assurance or Enterprise versions of Windows.  We use Windows 7 Pro and Windows 8.1 Pro.

    We plan to use SCCM 2012 R2 for the following purposes:

    400 user computers that are a combination of desktops on the LAN and remote laptops on the Internet that occasionally connect to VPN and are rarely brought into the office.

    Install Windows Updates on users' computers in the local office, send Windows Update approvals to laptops on the Internet, and get status reports back from remote laptops showing when the updates were installed.

    Install software applications and software updates for third party apps (Adobe, Oracle etc.) on computers in the local office to replace current method of software installation via GPO.

    Maintain hardware inventory and inventory/reports of installed applications.

    Get email notification of selected events such as low disk space or important services not running (such as the Automatic Updates service or a third party AV service stopped).

    Deploy Windows 7 and 8.1 workstations via Lite Touch and Zero Touch.

    WSUS updates and hardware/software inventory for about 30 local servers.

    Immediate email notification that server is offline such as not responding to PING or monitored service not started.

    We have most of our servers in our local office, but servers that must be accessible from the Internet without VPN (such as web servers, Exchange CAS servers etc.) and must be in a DMZ are installed at a remote site.

    We would like to be able to push Windows Update approvals (the actual update installation files to be downloaded from Microsoft) and software installations to remote laptops, and get status reports of installed updates and installed application software whenever the laptops are online on the Internet, even if they are not connected to VPN, if that is possible.

    For this situation, how many servers would be recommended as a minimum?  Can we install SQL, SCCM 2012 R2 and the WSUS update approval server on one single Server 2008 R2 or 2012 R2 server and put this single server at the remote site in the DMZ so it is accessible from both our local LAN and the remote laptops?

    Saturday, March 22, 2014 12:24 AM

Answers

  • You should be just fine with one server; it's a best practice to put SQL and SCCM on the same server anyway. Install Windows 2012 R2, SQL 2012 SP1 and SCCM 2012 R2 on the server and configure your environment as one Primary site. After you've got the site server installed, you can add roles like SUP (software update point) to your server. Because your environment isn't that big you should be just fine.

    Saturday, March 22, 2014 6:02 AM

All replies

  • I concur with Ronni: compared to what ConfigMgr can scale to, your organization (size-wise, not importance-wise) is trivial, and a single site server (assuming everything is co-located or is highly connected) will work just fine.

    Jason | http://blog.configmgrftw.com

    Saturday, March 22, 2014 3:44 PM
  • So, putting the single server with all required features into the DMZ at the colocation site will make it accessible for all our required roles and functions to both the computers and other servers on our LAN and also the laptop Internet clients?

    I found a thread about IBCM and one of the answers says not to put everything on the same server for security:

    http://social.technet.microsoft.com/Forums/windows/en-US/c7f6909f-00b6-40ce-a723-5b64d0bc446e/sccm-2012-r2-ibcm?forum=configmanagergeneral

    "For ConfigMgr you look good, but you might also want to add a CRLDP and not install the FPS on the same box as the other server (security)"
    Saturday, March 22, 2014 3:53 PM
  • No, I would not put the entire site server into the DMZ. There are various ways to expose the necessary roles to the Internet though including reverse proxies, Direct Access, VPN, etc.

    Jason | http://blog.configmgrftw.com

    Saturday, March 22, 2014 4:00 PM
  • We do not have Software Assurance and therefore do not have the Enterprise versions of Windows 7/8, and therefore do not have DirectAccess available to us.  We also do not have TMG.

    We are trying to avoid requiring VPN to get Windows Updates and patches to the laptops.  All the laptops have VPN software installed and the users have access to use VPN, but sometimes the users do not use the VPN for long periods of time because they have the laptop at home "just in case" there is some outage they need to handle after hours; the rest of the time they may just be using it for personal web surfing etc., and they can access email and SharePoint without VPN. However, they are not getting WSUS updates and other software patches unless they use VPN.

    We were hoping SCCM would allow us to keep these laptops patched even if the user doesn't connect to VPN frequently.

    Is there another way to do this?
    Saturday, March 22, 2014 4:16 PM
  • First note that there are other reverse proxies besides TMG.

    To answer your question, yes, but that really starts depending upon your infrastructure and security posture. You *could* allow Internet traffic directly through to your internal ConfigMgr server. Not a great thing security wise though. At this point, I would recommend adding an additional site system in the DMZ to host the necessary Internet facing client roles.

    Jason | http://blog.configmgrftw.com

    Saturday, March 22, 2014 4:34 PM
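As an added example (not part of the thread and not the poster's own script), the following PowerShell check, run from a laptop that is on the Internet without VPN, confirms the posture recommended above: the DMZ site system and the CRL distribution point answer Internet clients, while the internal primary site server (and its SQL port) do not. All hostnames are placeholders and must be replaced with your own; `Test-NetConnection` is available on Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example: verify Internet-facing exposure of ConfigMgr roles.
# Hostnames below are assumed placeholders, not values from the thread.
$DmzSiteSystem  = 'sccm-dmz.example.com'    # assumed DMZ site system hosting MP/DP/SUP
$InternalServer = 'sccm01.corp.example.com' # assumed internal primary site server
$CrlHost        = 'crl.example.com'         # assumed CRL distribution point (CRLDP)

function Test-Exposure {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [int] $Port = 443
    )
    # TcpTestSucceeded is $false on timeout or refusal; suppress the built-in warning
    $r = Test-NetConnection -ComputerName $ComputerName -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host      = $ComputerName
        Port      = $Port
        Reachable = [bool]$r.TcpTestSucceeded
    }
}

$results = @(
    Test-Exposure -ComputerName $DmzSiteSystem  -Port 443   # HTTPS for IBCM clients: expected reachable
    Test-Exposure -ComputerName $CrlHost        -Port 80    # CRL is fetched over HTTP: expected reachable
    Test-Exposure -ComputerName $InternalServer -Port 443   # internal site server: expected NOT reachable
    Test-Exposure -ComputerName $InternalServer -Port 1433  # SQL on the site server: expected NOT reachable
)

$results | Format-Table -AutoSize

# Flag anything that contradicts the intended design
foreach ($r in $results) {
    if ($r.Host -eq $InternalServer -and $r.Reachable) {
        Write-Warning "Internal site server $($r.Host) answers on TCP $($r.Port) from the Internet"
    }
    elseif ($r.Host -ne $InternalServer -and -not $r.Reachable) {
        Write-Warning "Expected $($r.Host):$($r.Port) to be reachable by Internet clients"
    }
}
```

Run it once from outside the corporate network after the DMZ site system is in place; a warning on the internal server lines means the firewall or reverse proxy is passing more than the Internet-facing roles need.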
  • So, to do what we want to do securely without depending on the laptop users always connecting to our VPN regularly, we will either need two SCCM servers (additional server hardware, an additional Windows Server license, and also an additional SCCM 2012 R2 license?) or else we will need a reverse proxy.

    I know we do not have any reverse proxy such as TMG running on any of our Windows servers.  I will need to check with someone in our network team to see if there is already some kind of other reverse proxy system in place.  If there is one already running, we will use that.

    If there is no existing reverse proxy, what are common reverse proxies other than TMG we could look at implementing that would be good for about 150 laptops on the Internet to access SCCM 2012 R2?

    How does implementing a new reverse proxy system compare in hardware and software costs compared to installing a second SCCM site and putting it in the DMZ?

    Saturday, March 22, 2014 4:49 PM
  • If you install another SCCM site for just 150 laptops, that's just management overkill... You can easily do it with just ONE server and ONE primary site, so why do you want to complicate things? A much better way is to just get those laptops to talk to your site server.

    Sunday, March 23, 2014 7:12 AM