SCCM Internet facing server

  • Question

  • Hi,  

     

    We are in the process of testing/evaluating the SCCM internet-facing capability to cater to clients on the internet for patch/update deployment.

    Current SCCM setup in our org:

    1. We have Central SCCM implemented region-wise. Each region (India, Philippines, AMR, EMEA, China) has its own independent Central SCCM hierarchy, integrated with the regional forest domain.

    2. Each region has its own separate forest domain.

    3. SCCM is set up in mixed mode (both Central and Primary servers), with no certificate authentication requirement or setup.

    4. The SCCM hierarchy includes a Central SCCM server per region, and primary servers in all facilities in the region, reporting to the regional Central SCCM server.

    5. Software distribution and patch update features/functionality are enabled in the SCCM setup.

    6. An SCCM internet-facing server is not deployed, hence clients on the internet are not updated by the SCCM setup.

    My queries/questions:

    1. Can we deploy an SCCM internet-facing server in mixed mode? If yes, what are the prerequisites/procedures for doing so?

    2. Do we need to convert our Central SCCM server to native mode for deploying the internet-facing server?

    3. Do we require certificate authentication (a PKI server for issuing certificates) when deploying an SCCM internet-facing server in mixed mode and updating clients on the internet (outside the office)?

    4. If we require certificate authentication for communications between the SCCM internet-facing server and clients on the internet, do we need to set up a PKI infrastructure per region, or can a single server issue certificates to internet clients per region?

    5. Can we have the Central SCCM and internet-facing server in native mode, deploy PKI (per region) for the Central and internet-facing server and for the clients on the internet, and keep the rest of the primary servers (at regional locations) in mixed mode connected to the Central server (Central server in native mode)? We may not require PKI certificates for primary servers at regional locations which are connecting to the Central server in native mode.

    6. Can we have a separate SCCM setup for clients on the internet, and not change our existing SCCM setup in mixed mode? Clients on the internet will also come to the office, so they require SCCM access on both the internet and intranet.

    7. Any other information you would like to share with regard to deploying an SCCM internet-facing server in our case.

     

    Thanks.


    • Edited by Shaukat Ali Wednesday, October 19, 2011 3:49 PM Company name
    Wednesday, October 19, 2011 10:00 AM

Answers

  • Native mode is site-wide, so the same site cannot have a combination of native and mixed mode. However, the default behavior for a client that belongs to a native mode site with internet-facing roles is that while on the internet, it uses the internet-facing server, but while on the intranet, it will automatically use the internal servers. But this means that the entire site will have to be in native mode and all clients will need to have certificates deployed to them.

    The complete site must be upgraded to native mode.

    If you update only the central site and one of its primary sites to native mode and leave the others running in mixed mode, it leads to a lot of client issues when they move from one site to another, or they will not be compatible with native mode (so not IBCM clients), because clients in native mode work with certificate-based authentication. So what Microsoft PSS says is correct: the below clients can't directly communicate with native mode. That's what we are also suggesting.

    In the above picture, clients are not compatible with IBCM.

    However, the default behavior for a client that belongs to a native mode site with internet-facing roles is that while on the internet, it uses the internet-facing server, but while on the intranet, it will automatically use the internal servers.

    For the above I have shared the client screenshot also; this is exactly how the client will work.

    The only supported scenarios for Internet-Based Client Management are these: http://technet.microsoft.com/en-us/library/bb693824.aspx


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Marked as answer by Shaukat Ali Saturday, October 22, 2011 4:18 AM
    Friday, October 21, 2011 1:24 PM

All replies

  • 1.      Can we deploy a SCCM internet facing server in mixed mode, if yes, what are the pre-requisites/procedures for doing the same.   

            ANS:     NO. We can't Patch over the internet without Native mode, You need to have Native Site Infrastructure

        

    2.      Do we need to convert our Central SCCM server to native mode for deploying the Internet facing server.

    ANS: Please look into the possible Design scenarios http://technet.microsoft.com/en-us/library/bb693824.aspx

    3.      Do we require certificate authentication ( PKI server for issuing certificates ), when deploying SCCM internet facing server in mixed mode and updating clients on Internet (outside office).   

            ANS: PKI Server should issue the certificates for Native mode site

    Below are the required Certificate:

    1)  Site server signing certificate:    This certificate is installed on the server that will be the Configuration Manager 2007 site server. It is used to sign client policies.

    2) Web server certificate :This certificate is installed on servers that will be Configuration Manager 2007 site systems, with roles such as the management point and distribution point. It is used to encrypt data and authenticate the server to clients.

    3)Client certificate : This certificate is installed on computers that will be Configuration Manager 2007 clients, and it is installed on the management point. It is used to authenticate the client to site systems; on the management point it is used to monitor the server's operational status. 

    4.      If we require certificate authentication for communications between SCCM internet facing server & clients on internet, so do we need to setup a PKI infra per region, or a single server can issue certificates to internet clients per region.  


    ANS: Since Your hierarchy has multi-forest and not a centralized Management with the site to site relationships, you need to configure internetbased sccm server per Forest. http://technet.microsoft.com/en-us/library/bb693824.aspx

     

    5.      Can we have Central SCCM and Internet facing server in Native mode. And deploy PKI (per region) for Central and Internet facing server, and for the clients on the internet, and rest primary servers (at Accenture regional locations) in mixed mode connected to Central server (Central server in Native Mode). We may not require PKI certificates for primary servers at Accenture regional locations, which are connecting to Central server in Native Mode.

    ANS: Simple, if you know what are the client required internetbased management Map those Clients to Native Mode

    site where the one of this supported scenario enabled  http://technet.microsoft.com/en-us/library/bb693824.aspx

     6.      Can we have separate SCCM setup for clients on internet, and not to change our existing SCCM setup in mixed mode.  Clients on internet will also come to office, so require both the SCCM access internet and intranet.

    ANS: If i correctly understood your quetion what you are looking is you need to manage the same clientover the internet

    and Intranet. If that is your quetion. Yes you can do that. Fo doing that you need to install the client by specifying the

    Internet MP Public FQDN and intranet MP FQDN Name.Please look at other options from client installation properties

    link.

    http://technet.microsoft.com/en-us/library/bb680980.aspx 

    7.      Any other information, you would like to share with regards to deploying SCCM internet facing server in our case. 

    Yes, There is lot of info you need have handy before jump in like Native mode setup requirements and possible Design scenarios & securing the site over the internet and limitation of features.

    Check list for migrating to Native mode http://technet.microsoft.com/en-us/library/bb632727.aspx

    Certificate requirement http://technet.microsoft.com/en-us/library/bb680844.aspx 

    Benefits of Using Native Mode

                    http://technet.microsoft.com/en-us/library/bb632573.aspx

    Prerequisites for Native Mode
                    http://technet.microsoft.com/en-us/library/bb680464.aspx

    Certificate Requirements for Native Mode

                    http://technet.microsoft.com/en-us/library/bb680733.aspx

    You need to think about possible Supported Scenarios for Internet-Based Client Management

                    http://technet.microsoft.com/en-us/library/bb693824.aspx

    SCCM Tips, Tricks & Hints for Native Mode and Internet-Based Client Management http://blogs.technet.com/b/wemd_ua_-_sms_writing_team/archive/2008/01/15/tips-tricks-hints-for-native-mode-and-internet-based-client-management-part-1-of-3.aspx


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    • Edited by PaddyMaddy Wednesday, October 19, 2011 12:30 PM
    Wednesday, October 19, 2011 12:03 PM
  • 2. Do we need to convert our Central SCCM server to native mode for deploying the internet-facing server?

    Hello - It's always a top-down approach.

    Anoop C Nair - Twitter @anoopmannur

    MY BLOG:  http://anoopmannur.wordpress.com

    SCCM Professionals

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, October 19, 2011 12:37 PM
  • 6. Can we have a separate SCCM setup for clients on the internet, and not change our existing SCCM setup in mixed mode? Clients on the internet will also come to the office, so they require SCCM access on both the internet and intranet.

    ANS: If I correctly understood your question, what you are looking for is that you need to manage the same client over the internet and intranet. If that is your question, yes, you can do that. For doing that you need to install the client by specifying the Internet MP public FQDN and the intranet MP FQDN name. Please look at other options from the client installation properties link.

    Thanks, yes, your understanding is correct; I am looking to manage the same client over the internet and intranet.

    I like this option, as it will not hamper my existing SCCM setup (in mixed mode) and we may not require PKI certificates for all SCCM server clients. (The numbers are huge.)

    Can you provide more details on this option, on how to proceed in our setup?

    Following is my understanding of how to proceed with two options; please correct/suggest.

    Option #1

    1. We need to convert our Central server to native mode (only the Central server, and not the primary sites in locations). Primary sites in locations will still be in mixed mode.

    2. We need to build a new server and configure the internet-based SCCM server per forest (primary site for internet-based clients).

    3. The new internet-based SCCM server will act as internet MP and DP, and will connect to the Central server in native mode. It will also connect to clients on the internet.

    4. We need to build a PKI server for issuing certificates to the Central server, the internet-based SCCM server, and clients on the internet.

    5. We need to install the client by specifying the Internet MP public FQDN and the intranet MP FQDN name; example below. (Do we also need to specify the site code? Please correct the syntax below, if required.)

    CCMSetup.exe CCMHOSTNAME="ABC.XYZ.COM" CCMHOSTNAME="123.000.COM"

    ABC.XYZ.COM - Internet MP public FQDN name

    123.000.COM - Intranet MP FQDN name

    Doing the above option, we will have a separate setup for the internet-facing server, and we can manage and provide updates to the same client over the internet and intranet. (Intranet is in mixed mode.)

    Option #2

    1. We need to build a separate (per forest) single Central/Primary internet-based SCCM server for internet-based clients.

    2. No change in the existing SCCM setup; Central and Primary sites will be in mixed mode.

    3. The new internet-based SCCM server will act as internet MP and DP, and will connect to clients on the internet.

    4. We need to build a PKI server for issuing certificates to the internet-based SCCM server and clients on the internet.

    5. We need to install the client by specifying the Internet MP public FQDN and the intranet MP FQDN name; example below. (Do we also need to specify the site code? Please correct the syntax below, if required.)

    CCMSetup.exe CCMHOSTNAME="ABC.XYZ.COM" CCMHOSTNAME="123.000.COM"

    ABC.XYZ.COM - Internet MP public FQDN name

    123.000.COM - Intranet MP FQDN name

    Doing the above option, we will have a separate setup for the internet-facing server, and we can manage and provide updates to the same client over the internet and intranet. (Intranet is in mixed mode.)

    Please suggest on the options above, which is practically possible and suits the requirement.

     

    Wednesday, October 19, 2011 3:47 PM
  • The best option I can see is that with a NEW single native mode primary server for internet clients with the Central server (native).

    Anoop C Nair - Twitter @anoopmannur

    MY BLOG:  http://anoopmannur.wordpress.com

    SCCM Professionals

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, October 19, 2011 5:21 PM
  • I Agree with An00p
    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Wednesday, October 19, 2011 6:51 PM
  • Thanks Paddy and Anoop.  Appreciate your help.

    I would require one more piece of help. I have prepared a diagram below for the option suggested. Please have a look and provide your comments/recommendation.

    The key solution which I want from this option is that the same client can be managed over the intranet and internet. When the client is in the office/intranet, it should get the updates/patches from the SCCM Primary server at the intranet location, and when the same client is on the internet, it should get the updates/patches from the SCCM Primary site/server (internet-facing).

    Wednesday, October 19, 2011 11:42 PM
  • I would suggest you do some testing in the lab before implementing this so that you can get more details.

    Anoop C Nair - Twitter @anoopmannur

    MY BLOG:  http://anoopmannur.wordpress.com

    SCCM Professionals

    This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Thursday, October 20, 2011 2:01 AM
  • Yes, you can manage on the intranet and internet.

    When the client is connected to the internet (not to your corporate network) you will get like this, which I marked in yellow.



    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights. |Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Thursday, October 20, 2011 7:22 PM
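    As an added example (not code from any post in this thread, and not a Microsoft tool), a PowerShell check that ties the three certificate roles listed earlier to what the client screenshot above shows: it reports the client's site code, current management point and internet/intranet state, and whether a PKI client certificate that a native mode site would accept is present; a second function does the matching check for the web server certificate on an internet-facing MP/DP. It assumes the ConfigMgr 2007 client is installed locally, the script runs elevated, and the root\ccm WMI classes SMS_Authority and ClientInfo are the client's own; the EKU OIDs are the standard client-auth and server-auth values.

```powershell
# Added example, not from any post in this thread: checks an SCCM 2007 client's
# site/MP assignment, its internet/intranet state, and whether a PKI client
# certificate usable for native mode / IBCM is present. Assumes the ConfigMgr
# client is installed locally and the script runs elevated.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU required on the client certificate
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU required on the web server certificate

function Test-Cert([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
                   [string]$Eku, [string]$Fqdn) {
    # Valid now, private key present, required EKU, chains to a root this machine
    # trusts, and (when given) the FQDN clients will use appears in the SAN/subject.
    $now  = Get-Date
    $ekus = @($Cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if (-not $Cert.HasPrivateKey -or $Cert.NotBefore -gt $now -or $Cert.NotAfter -le $now) { return $false }
    if ($ekus -notcontains $Eku) { return $false }
    if ($Fqdn -and (@($Cert.DnsNameList | ForEach-Object { $_.Unicode }) -notcontains $Fqdn)) { return $false }
    return $Cert.Verify()
}

function Get-IbcmClientState {
    # root\ccm classes are the ConfigMgr client's own; SMS_Authority.Name is "SMS:<code>".
    $authority   = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Authority -ErrorAction Stop
    $inInternet  = [bool](Get-WmiObject -Namespace 'root\ccm' -Class ClientInfo).InInternet
    $clientCerts = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-Cert $_ $ClientAuthOid $null })

    [pscustomobject]@{
        SiteCode               = $authority.Name -replace '^SMS:', ''
        CurrentManagementPoint = $authority.CurrentManagementPoint
        InInternet             = $inInternet
        UsableClientCerts      = @($clientCerts | ForEach-Object { $_.Subject })
    }
}

function Test-IbcmWebServerCert([string]$PublicFqdn) {
    # For an internet-facing MP/DP: is there a web server certificate that clients
    # on the internet can validate against the public FQDN they were given?
    $hits = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-Cert $_ $ServerAuthOid $PublicFqdn })
    return ($hits.Count -gt 0)
}

$state = Get-IbcmClientState
$state | Format-List
if ($state.InInternet -and $state.UsableClientCerts.Count -eq 0) {
    Write-Warning 'Client is on the internet but holds no usable client-auth certificate; a native mode internet MP will reject it.'
}
```

    Run `Test-IbcmWebServerCert 'ABC.XYZ.COM'` (the placeholder public FQDN from the thread) on the internet-facing site system to confirm the web server certificate matches the name put in CCMHOSTNAME.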
  • Hi Anoop and Paddy

    I am confused... I just had a discussion with an MS guy here in India and provided him the above design diagram for suggestions. And he said: Native mode is site-wide, so the same site cannot have a combination of native and mixed mode. However, the default behavior for a client that belongs to a native mode site with internet-facing roles is that while on the internet, it uses the internet-facing server, but while on the intranet, it will automatically use the internal servers. But this means that the entire site will have to be in native mode and all clients will need to have certificates deployed to them.

    I thought we could have a combination of both: native mode (for Central/Parent and IBCM) and mixed mode (for the rest of the primary servers in the office/intranet). Please suggest.

     

    Friday, October 21, 2011 11:41 AM