Reverse Proxy, Secondary Site and Internet Clients

  • Question

  • My customer and I are going through the options of setting up IBCM. Unfortunately there doesn't seem to be any real solid, step by step setup of the servers in the DMZ and exactly what has to be configured. We could probably handle it setting up a server with the specific roles on it and opening ports in the internal firewall to allow them to communicate. The security people however prefer we use a reverse proxy on the Internet and put a server in the DMZ that preferably has as few ports as possible open to the intranet. The intranet can initiate conversations to the server in the DMZ. The DMZ area they have set up has a domain connection with the production domain, so in many ways that seems the way to go. As I was thinking about it, this sounded pretty good for something like a secondary site server in the DMZ with the site role set to "Require the site server to initiate connections to this site system".

    Naturally, the next step was to set it up in the lab. The secondary installed just fine, but it appeared that replication wasn't happening since the secondary can't find the primary. When I moved the secondary to the primary replication everything took off. After everything settles down I'll try moving the secondary back to the DMZ and figure out what ports need to be opened. In theory it should be just the site-to-site replication, or, once all the settings replicate, will everything come from the primary without opening ports?

    Still outstanding questions:

      • The DMZ server will have a copy of WSUS for software updates, will ports have to be open for that?  I know WSUS data is replicated, but I haven't seen anything yet to indicate if SCCM is doing the replication or WSUS.
      • The security group would like to terminate the HTTPS at the reverse proxy, and already has the Microsoft web certs called out. Would that mean that the DMZ server should use HTTP, or should it still be set up for HTTPS?
      • I haven't seen anything that marks the server as Internet facing, other than the fallback point, am I missing something?
      • I can't see any way of setting up the Application Catalog to be exposed to the Internet except by setting up a server with ports opened up on the intranet.  And apparently it can't be installed on the secondary.

    I've found a few blogs, and a few other things, but nothing that gives any really comprehensive guidance on how this stuff should be set up. It would be really useful if the product group could do a white paper that explains this in detail with a couple of the common scenarios.


    Bob

    Monday, September 24, 2012 1:30 AM

Answers

  • Are you installing a single site system server in the DMZ for all Internet-based roles (including the software update point), or multiple servers for different roles?  The setup for an Internet-based software update point is slightly different from the other Internet-based roles - see http://technet.microsoft.com/en-us/library/gg712312.aspx for more details, but you configure this by using the Internet-based tab on the Software Update Point Component Properties.

    From the link, search for:

    After you complete the software update point installation on the site system server, consider the following additional settings available only from Software Update Point Component Properties:

    ......

    Internet-based software update point: When the active software update point is configured not to accept communications from clients on the Internet, you can specify an Internet-based software update point that is accessible from clients on the Internet.

    ...

    5. On the Internet-based tab, configure the following settings:

    • Marked as answer by Bob Panick Wednesday, September 26, 2012 5:01 PM
    Wednesday, September 26, 2012 1:08 PM

All replies

  • I think I found at least part of my answers on the port configuration page at http://technet.microsoft.com/en-us/library/hh427328.aspx


    Bob

    Monday, September 24, 2012 2:45 AM
  • Have you seen this blog post and related links: http://blogs.technet.com/b/configmgrteam/archive/2012/05/25/system-center-2012-configuration-manager-r-i-p-native-mode.aspx

    Secondary sites can't support client connections from the Internet - has to be from primary site system servers.

    Tuesday, September 25, 2012 1:21 PM
  • I had seen that; I wasn't aware that a secondary couldn't be used. So the recommendation would be to put the distinct roles on the server in the DMZ as part of the primary site.

    Bob

    Tuesday, September 25, 2012 7:03 PM
  • The only issue is how do the Internet clients access the SUP/WSUS? We can set up a WSUS on the server in the DMZ, but I just discovered that it won't set up as a replica of the existing WSUS in the site, at least using the SUP role. I'm getting to the point where I think we should have set this thing up as a CAS with a primary in the intranet and one in the Internet.

    Bob

    Wednesday, September 26, 2012 3:41 AM
  • More specifically, we have a primary site already that has a SUP configured that is not visible to the Internet. When we try and set up the DMZ-based SUP in that same site it comes up with the option to create the downstream SUP disabled.

    Bob

    Wednesday, September 26, 2012 10:23 AM
  • Thank you Carol, the Internet tab on the site SUP configuration was the key that I was missing. 


    Bob

    Wednesday, September 26, 2012 3:55 PM