



yogijbear

Should I use SSL for patching DMZ servers?




We have a small number of servers in our DMZ; all are in their own workgroups, so they have no knowledge of each other. They are also not all internet connected, so patches must be pushed from internal to DMZ.

I noticed this post https://nikifoster.wordpress.com/2011/01/31/installing-configmgr-clients-on-servers-in-a-dmz/ which states that as long as I have firewall rules in place I can manually install the clients and have them talk directly back to my site server internally, no certificates required.

 

I was also looking at https://social.technet.microsoft.com/Forums/en-US/f8b1b51e-515e-41f6-bb1e-cdeeabb11f6f/configmgr-2012-design-for-dmz?forum=configmanagergeneral and their option 3 is to build a DP/MP/SUP box, still internal, and have that configured with SSL to then talk to the DMZ boxes. If I were to build this design and enable SSL, what effect will this have on my currently working internal environment? Will every machine now have to use the new certificates to talk to SCCM? Or will it only be for boxes talking to the new Distribution Point, which I can hopefully administer with boundary points?



I personally would avoid HTTPS; it adds a lot of complexity. You only need to open ports 80 and 8530 at a minimum.

I also would not put a secondary site in the DMZ; this will cause other issues.


To add on to Garth: in case you really would go for a scenario like that, the client would prefer a management point with HTTPS above HTTP. With the latest service pack you can use the boundary groups to add a preference for a management point. That preference goes above the HTTPS preference.
