SCCM 2012 Client Installation in DMZ for Workgroup and Untrusted Forest

  • Question

  • I am running SCCM 2012 on a single server (Primary Site Server) and have the need to install/manage clients in our DMZ.  Most of the hosts are connected to a DMZ domain/forest and a couple are workgroup servers.  I have installed clients on a few servers from the domain and workgroup, and when I go to find the site, Configuration Manager cannot find the site.

    My install command was ccmsetup.exe /mp:<SCCMSERVER.domain.com> /logon SMSSITECODE=001.  For the domain, I have DNS able to resolve the SCCM server's FQDN, and for the workgroup I have edited the HOSTS file to provide the same name resolution.

    I am looking for steps to take to get the clients managed without worrying about FW ports at this time.  I have an ANY rule in place to allow all communication and have monitoring setup to see the traffic to lock down later.

    I have also set up a subnet boundary to cover the IPs that these hosts have assigned and have also tried a network discovery against these hosts.  The site is carved out of 10.69.0.0/16, with 10.69.1.0/22 being the internal domain that SCCM sits on and 10.69.6.0/24 being the DMZ domain.


    Jason Apt, Microsoft Certified Master | Exchange 2010 My Blog

    Monday, October 1, 2012 8:22 PM

Answers

  • I'm not sure you received an answer on this Jason.  However, if I understand your question correctly, yes, you can still manage the systems in a DMZ domain/workgroup.

    Make sure you have borders set up with the IP subnet(s) of your DMZs.  You still have several choices as to how you wish to install the SCCM agent.  My suggestion is a manual install.  The key is to watch your log files (ccmsetup.log being your biggest one to watch) for hints/errors.

    If you use the command line properly, and you have your ports open from your DMZ to your DP, then you should be OK.  Look for the server in your device list 5-10 minutes after starting ccmsetup with the command-line switches.  You should see the system in your device list.  Right-click and manually approve.  Once approved, the SCEP install should also complete and it will be managed.

    After you install SCCM, when deploying anything from the DP, make sure you have the access account set up.  Additionally, if you use any external sources for Windows definition files (Microsoft Update, Microsoft Malware Protection Center) in your antimalware policy, you may also want to make sure your DMZ systems can at least get to these.

    Ted

    • Marked as answer by JasonApt Tuesday, January 15, 2013 1:18 PM
    Tuesday, January 15, 2013 12:37 PM
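    The checks Ted describes (name resolution of the site server, ports open from the DMZ, and errors in ccmsetup.log) and the site-assignment symptom from the original question can be verified from the DMZ client itself.  The script below is an added example written for this thread, not something Jason or Ted posted; the management point name SCCMSERVER.domain.com and site code 001 are taken from the question's install command and are placeholders for your own values, and the 80/443 port list is an assumption matching the default client HTTP/HTTPS ports.  It uses .NET TcpClient rather than Test-NetConnection so it also runs on the older Windows Server builds common in a DMZ.

```powershell
# Added example for this thread: pre-flight and post-install checks on a DMZ/workgroup client
# that was installed with "ccmsetup.exe /mp:<SCCMSERVER.domain.com> /logon SMSSITECODE=001".
# $ManagementPoint, $SiteCode and $Ports are assumptions; replace them with your own values.
param(
    [string]$ManagementPoint = 'SCCMSERVER.domain.com',   # placeholder: your MP / site server FQDN
    [string]$SiteCode        = '001',                       # placeholder: your site code
    [int[]] $Ports           = @(80, 443)                   # assumption: default client HTTP/HTTPS ports
)

# 1. Name resolution: the MP FQDN must resolve, via the DMZ domain's DNS or the HOSTS file on workgroup boxes.
try {
    $addresses = [System.Net.Dns]::GetHostAddresses($ManagementPoint) | ForEach-Object { $_.IPAddressToString }
    Write-Host "Resolved $ManagementPoint -> $($addresses -join ', ')"
} catch {
    Write-Warning "Cannot resolve $ManagementPoint. Check DNS or the HOSTS entry."
}

# 2. TCP reachability from the DMZ to the MP/DP on the client ports (3-second timeout per port).
foreach ($port in $Ports) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ManagementPoint, $port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne(3000) -and $client.Connected) {
            Write-Host "TCP $port open to $ManagementPoint"
        } else {
            Write-Warning "TCP $port NOT reachable on $ManagementPoint (firewall or no listener)"
        }
    } finally {
        $client.Close()
    }
}

# 3. Errors in ccmsetup.log. The log is CMTrace format: <![LOG[message]LOG]!><time=... type="N" ...>,
#    where type="3" marks an error line.
$log = Join-Path $env:windir 'ccmsetup\Logs\ccmsetup.log'
if (Test-Path $log) {
    Get-Content $log | ForEach-Object {
        if ($_ -match '<!\[LOG\[(?<msg>.*?)\]LOG\]!>.*?type="(?<type>\d)"' -and $matches.type -eq '3') {
            Write-Warning ("ccmsetup.log error: " + $matches.msg)
        }
    }
} else {
    Write-Host "No ccmsetup.log at $log yet (ccmsetup has not run on this host)."
}

# 4. After install: ask the client agent which site it thinks it is assigned to.
$smsClient = Get-WmiObject -Namespace 'root\ccm' -Class SMS_Client -ErrorAction SilentlyContinue
if ($smsClient) {
    $assigned = (Invoke-WmiMethod -Namespace 'root\ccm' -Class SMS_Client -Name GetAssignedSite).sSiteCode
    if ($assigned -eq $SiteCode) {
        Write-Host "Client is assigned to site $assigned"
    } else {
        Write-Warning "Client reports site '$assigned', expected '$SiteCode' (site lookup/boundary problem?)"
    }
} else {
    Write-Host "SMS_Client WMI class not present: client is not installed, or ccmsetup is still running."
}
```

    Run it as an administrator on the DMZ host before and after ccmsetup.  A resolution or TCP failure in steps 1-2 points at DNS/HOSTS or the firewall; a clean network path with type="3" lines in step 3, or an empty site code in step 4, usually means the client cannot find its site, which is where the boundary and discovery settings discussed in this thread come in.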

All replies

  • I didn't see that thread but I have already read through the TechNet article and I have followed those steps.  Also I have opened all Firewall ports as I had specified ports in the beginning and decided to leave the door wide open between this specific DMZ host and SCCM primary site server to rule out the Firewall issue for now.

    For the DMZ domain, even though it isn't trusted by the internal domain, do I need to go through the same setup that I would do for other domains that are trusted?


    Jason Apt, Microsoft Certified Master | Exchange 2010 My Blog

    Monday, October 1, 2012 8:50 PM
  • Hi Ted -

    I had lost this conversation and forgot to reply.  I ended up getting it to work.  My setup basically had a 10.10.0.0/16 network with 10.10.4.0/23 being the LAN and 10.10.3.0/24 being the DMZ.  I was initially thinking that this would also allow me to see the DMZ servers from System Discovery, but that was not the case.  I added another rule to System Discovery for the DMZ range and was able to manually install the client from the command line with the proper switches, and they appeared.  All is good now.

    Thanks for the help


    Jason Apt, Microsoft Certified Master | Exchange 2010 My Blog

    Tuesday, January 15, 2013 1:18 PM
  • Hey Jason, please help.  I have close to the same scenario and I can't get the DMZ servers to talk with my SCCM server.  Can you give more detail as to your setup?  What was your ccmsetup command line?  What extra rule for the discovery or boundary?  I have a network discovery set up for 10.99.100.x, where our DMZ servers are, and it's empty.  I can't get the DMZ servers to see the site as well.  If I type P01 in the site field in Configuration Manager in Control Panel on the DMZ client, it won't find the site.  The DMZ servers currently communicate with my TSM server on the inside as well as LANDesk.  The host entries are in the HOSTS file.  I don't get it?

    Thanks for any guidance.

    Keith

    Tuesday, February 5, 2013 1:54 AM