yogijbear Posted July 10, 2015

We have a small number of servers in our DMZ; all are in their own workgroups, so no knowledge of each other. They are also not all internet connected, so patches must be pushed from internal to the DMZ. I noticed this post https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which states that as long as I have firewall rules in place I can manually install the clients and have them talk directly back to my site server internally, no certificates required. I was also looking at https://social.technet.microsoft.com/Forums/en-US/f8b1b51e-515e-41f6-bb1e-cdeeabb11f6f/configmgr-2012-design-for-dmz?forum=configmanagergeneral and their option 3 is to build a DP/MP/SUP box, still internal, and have that configured with SSL to then talk to the DMZ boxes. If I were to build this design and enable SSL, what effect will this have on my currently working internal environment? Will every machine now have to use the new certificates to talk to SCCM, or will it only be for boxes talking to the new Distribution Point, which I can hopefully administer with boundary points?
GarthMJ Posted July 10, 2015

I personally would avoid HTTPS, it adds a lot of complexity. You only need to open ports 80 and 8530 at a minimum. I also would not put a secondary site in the DMZ, this will cause other issues.
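A pre-flight check for the HTTP-only design Garth describes, as an added example that is not from this thread or from any Microsoft tooling: run on a DMZ workgroup server before manually installing the client, it verifies the firewall rules actually pass TCP 80 to the management point and TCP 8530 to the SUP/WSUS, then confirms the MP answers its mplist endpoint over plain HTTP. The host names are placeholders you replace with your own.

```powershell
# Added example: verify a DMZ workgroup server can reach the internal ConfigMgr
# MP on TCP 80 and the SUP (WSUS) on TCP 8530 before pushing the client.
# 'sccm01.corp.example' is a placeholder, not a name from the thread.
param(
    [string]$ManagementPoint    = 'sccm01.corp.example',
    [string]$SoftwareUpdatePoint = 'sccm01.corp.example'
)

# The two ports named in the thread for an HTTP-only client/MP/SUP setup.
$checks = @(
    @{ Name = 'MP HTTP (policy, inventory, status)'; Host = $ManagementPoint;     Port = 80   },
    @{ Name = 'SUP/WSUS HTTP (software updates)';    Host = $SoftwareUpdatePoint; Port = 8530 }
)

# Raw TCP reachability per port; a closed port here means a firewall rule is missing.
$results = foreach ($c in $checks) {
    $tcp = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Check   = $c.Name
        Target  = '{0}:{1}' -f $c.Host, $c.Port
        TcpOpen = $tcp.TcpTestSucceeded
    }
}
$results | Format-Table -AutoSize

# TCP being open is not enough; the MP must also answer real client requests.
# The mplist endpoint is served anonymously over HTTP by every MP, so an HTTP 200
# here shows the path works end to end without any certificates.
try {
    $uri  = 'http://{0}/sms_mp/.sms_aut?mplist' -f $ManagementPoint
    $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
    'MP answered mplist with HTTP {0}' -f $resp.StatusCode
} catch {
    'MP did not answer mplist: {0}' -f $_.Exception.Message
}
```

If TcpOpen is True for both rows but the mplist request fails, look at the MP's IIS and the DMZ proxy settings rather than the firewall.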
Peter van der Woude Posted July 10, 2015

To add on to Garth, in case you really would go for a scenario like that, the client would prefer a management point with HTTPS above HTTP. With the latest service pack you can use the boundary groups to add a preference for a management point. That preference goes above the HTTPS preference.