
MNSCUG July 2015 Meeting Notes

Thanks so much to Cyber Advisors for providing beverages and food.

MNSCUG elections in October. We're always looking for fresh blood!

Thanks to Joe Kaster for answering the PowerShell question on the MNSCUG site.

Next Month: All day meeting on SCOM. August 13th, 2015

MMS 2015 - Will sell out.  Register now!

If your company would like to sponsor MNSCUG please visit http://www.mnscug.org/misc/our-sponsors

Notes for July 2015 Topic:  Internet Based Client Management

Jason Sandys - http://blog.configmgrftw.com/

https://technet.microsoft.com/en-us/gg699362.aspx

Internet Based Client Management (IBCM) allows the management of SCCM clients when they are not on your corporate network.

  • SCCM site systems that can listen on HTTPS
    • MP
    • DP
    • SUP
    • Application Catalog (optional)
    • SSRS (optional)
    • SMP (optional)

OS X: Mac clients require HTTPS to be SCCM clients, because the SCCM 2012 Mac client was built on the SCCM mobile client platform, which required HTTPS.

PKI

  • Can use an internal CA
    • One benefit of this is the auto-renewal of the certs
  • Can use an external CA, though this can get costly because each SCCM client requires a UNIQUE certificate to communicate with the SCCM server(s)
    • Keep in mind that there is no auto-renewal of the certs
  • The DPs will always use a certificate. The default is self-signed. All clients will have a self-signed cert as well. In order to PXE boot, a cert is required. By default this is the self-signed cert.
  • When moving to PKI and importing a certificate into your DP, you will also need to add the certificate to your boot media

https://technet.microsoft.com/en-us/hh397285.aspx

http://www.jamesbannanit.com/2012/05/how-to-build-and-capture-in-configuration-manager-2012-using-https/

To verify the type of communication an SCCM client is using, look at:

  • LocationServices.log
  • ClientIDManagerStartup.log

Once you have changed the SCCM system roles to HTTPS, you will still need to right-click the SCCM Site > Properties > Client Computer Communication and:

  • Check Use PKI client certificate
  • Choose whether to use HTTPS only or HTTP or HTTPS

HTTP or HTTPS

  • Everything HTTPS
  • A mix of both
    • In this case you will need two MPs, DPs, SUPs, etc.: one that is listening for HTTP and another that is listening for HTTPS on the perimeter network
  • When creating the site systems for HTTPS communication, you will need to go to the Site System properties for the machine(s) running the SCCM role and input an FQDN
  • For the Internet-facing MP, a SQL Server replica would be preferred so that the Internet-facing MP doesn't have to communicate so much with the internal SCCM SQL server

Place the SCCM replica DB on the same server as the MP or create another Internet facing server that has the SCCM replica DB

Client communication

  • By default the SCCM client will communicate using HTTP while connected to AD or HTTPS when not (if you have set up IBCM of course!)
  • To install a client for Internet only you need to manually install (or use a computer startup script) and specify some CCMSetup.exe switches
  • https://technet.microsoft.com/en-us/library/bb633167.aspx
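
The Internet-only install described above, as an added example (not from the meeting or the presenter): a PowerShell pre-flight that refuses to install unless the machine already holds a usable client authentication certificate, then runs CCMSetup.exe with the Internet-only properties. The file path, FQDN, site code and 30-day threshold are placeholder assumptions.

```powershell
# Added example. Values marked ASSUMPTION are placeholders, not from the notes.
$CcmSetup       = 'C:\Temp\Client\ccmsetup.exe'  # ASSUMPTION: local copy of the client source
$InternetMpFqdn = 'ibcm.example.com'             # ASSUMPTION: Internet FQDN of the HTTPS MP
$SiteCode       = 'ABC'                          # ASSUMPTION: placeholder site code
$MinDaysLeft    = 30                             # ASSUMPTION: minimum remaining validity
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'            # Client Authentication EKU

function Test-ClientAuthCert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$MinDays
    )
    # A usable cert has the Client Authentication EKU, a private key,
    # is already valid, and does not expire within $MinDays.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasClientAuth = $eku -and ($eku.EnhancedKeyUsages.Value -contains $ClientAuthOid)
    $hasClientAuth -and $Cert.HasPrivateKey -and
        ($Cert.NotBefore -le (Get-Date)) -and
        ($Cert.NotAfter -gt (Get-Date).AddDays($MinDays))
}

# Each client needs its own certificate in the computer's Personal store.
$usable = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { Test-ClientAuthCert -Cert $_ -MinDays $MinDaysLeft } |
    Sort-Object NotAfter -Descending

if (-not $usable) {
    Write-Error "No client authentication cert with a private key and $MinDaysLeft+ days left in LocalMachine\My; not installing."
    exit 1
}
$usable | Select-Object -First 1 | Format-List Subject, Thumbprint, NotAfter

$ccmArgs = @(
    '/UsePKICert'                   # present the PKI client certificate
    'CCMALWAYSINF=1'                # client is always Internet-based
    "CCMHOSTNAME=$InternetMpFqdn"   # Internet-based management point
    "SMSSITECODE=$SiteCode"
)
$proc = Start-Process -FilePath $CcmSetup -ArgumentList $ccmArgs -Wait -PassThru
"ccmsetup.exe exited with code $($proc.ExitCode)"
```

Run it elevated; the expiry check matters most with an external CA, where the notes point out there is no auto-renewal.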

Steps to implement IBCM

  • Set up PKI
  • Deploy the site systems that will use HTTPS
    • These site systems will be Internet facing

What can we use Azure for? A DP.

Remember, a Cloud DP cannot have Software Updates packages on it (and MU is already cloud based and won't eat your data)

We can instruct our Internet SCCM clients to download their Software Updates from Microsoft when connected to the Internet and not on your internal network

Options:

  • IBCM
    • SCCM only
    • PKI required
  • VPN
    • User initiated
    • Typically need to purchase a product
  • DirectAccess
    • Always on
    • PKI required
    • This solution would do away with the need for IBCM and VPN
    • Requires Enterprise OS