Fed

Hi guys, I'm running through different topics and technet document in order to properly make my SCCM 2012 R2 infrastructure available to internet based clients. Here the background of the beast: Single Site Setup (All roles on the same machine and additional DP's on the intranet side) PKI Certificates implementation is complete and all server roles have been moved to HTTP communication Now comes the question of the Internet availability and it gets tricky. I currently have a TMG 2010 reverse proxy with a single NIC in a DMZ and not joined to AD. According to Microsoft’s documentation, TMG/ISA servers can do SSL Bridging (which needs to access to AD and specific certificates installed) or SSL Tunneling (this one doesn't work with TMG and is simply forwarding requests to the destination host. It can be done by my firewall but it's also the least secure way of working). I also have seen that installing a dedicated MP/DP in the DMZ is a solution but I’m wondering what the best solution is. In my case, I’d rather avoid messing up with TMG and make ADLDS available in the DMZ while setting up a dedicated MP/DP in the same network. Can some of you let me know what their experience is with IBCM implementation, the solution chosen, etc? Thanks for sharing, Fed

Hi All, I'm currently having a few issues with my SCCM infrastructure. Asa little background, I have a main site site server which runs MP, DP, Asset Intelligence, WSUS, OSD, PXE, a dedicated SQL server for Reporting and 5 DP's I upgrade to SP1 in June 2013 and started to deploy PKI certificates in order to activate https communication only eraly in October. Everything was running fine but I rolled back from https only communication when I noticed that OSD was not working anymore. A few weeks later, I noticed that newly installed or restaged machines where having an incorrect Software Center content, after a lot of log digging I found different kind of errors but basically the new clients can't retrieve completely their Machine Policy. In the end, clients show Packages and TS deployed to a collection they are members of but have a hard time with Applications, They even display Applications that are no longer available to them. Not that this doesn't impacte machines on which I'm reinstalling the client from the console for now, the only workaround I have is to delete a deployment and to recreate it on this big collection (which contains all laptops and desktop from the company, +/-800 machines). Nevertheless, when I deploy a new machine, the same workaround needs to be applied. My guess is that this is linked to my PKI certificates installation and that my rollback didn't work properly. Based on forum searches, I'm thinking to remove the MP role from my main server but I'm a bit affraid of doing so. I've already done similar things with Distribution Points and Reporting roles without any issues. According to you, should I fear this operation? If some logs details are of interest, I can post them but rather keep this post clear until needed. Thanks for your help, Fed

Thank you very much, it's been part of the answer to my issue. In a nutshell, I have to upgrade the previous version of that msi package, even the deinstallation was looking for the network access. I have modified the the new msi to use a local path while compiling it as an exe file, in which I put other modifications required. The task sequence helped me to remove the old version. again, Thanks a lot

Hi all, I'm new to SCCM, only been working with the beast for 3 months full time and, following Windows-noob guides, I've been able to get the infrastructure running pretty fine. Right now, I have to deploy a bunch of msi packages that require both local admin rights to be installed and network access to a UNC path. I know it's not a good way of a msi but that's not in my hands at the moment. My problem is that if I choose to deploy the package for the system, it will fail to access the network share. If I try to install the package as the logged in user, I lack the required admin rights. Is there any way to specify a different user account for a deployment? Right now I'm trying to use psexec in the install program command of the Application deployment Type but I'm still blocking. Anyone here who fought a similar issue? Thanks for your help, Fed