WoodyW

SCCM 2012 R2 SP1 Internet Based Client Management

Hi,

 

Firstly, thanks Niall and all the contributors for this great website, it's been a really useful resource over the years.

The Primary Site server has a DP, MP and SUP role which are set to Intranet client only using HTTP.

I'm looking at setting up a Remote Site System in the DMZ for management of Internet-Based clients -

Both servers are running Windows Server 2012 R2.

 

I've duplicated the certificate templates based on the Technet Step-by-Step guide and have enrolled them. (I left the Subject blank, and entered both the Intranet and Internet FQDN, despite this server only expecting to manage Internet-Clients).

 

The Site System Properties have been configured with both the server's Intranet FQDN and Internet FQDN (which has been registered in Public DNS).

The Default website has the Web Server certificate bound to port 443.

 

The MP and DP roles have been installed and set to 'Allow Internet-Only Connections', and although I haven't had a chance to test with a client yet, judging by the logs they appear to be working as expected.

 
Despite this, I have some questions over configuring WSUS and the SUP for SSL.

 

Would someone be able to clarify the following, as the information I've found in various blogs and on Technet is useful but seems inconsistent -

 
  • I understand that I can use the same Web Server certificate which is bound to Default Website on the WSUS Administration website (on port 8531), but when requesting the Web Server certificate and entering the "More information is required to enroll for this certificate", should Subject have been populated with the Internal Server FQDN, the Internet FQDN or left blank?

 

  • If the SUP will only be servicing Internet Clients, what needs to go in the Alternative Name? Only the Internet FQDN, or both the Internet FQDN and the Intranet FQDN?

 

  • Given that the Internet FQDN and Intranet FQDN are different, when running the WSUSUTIL CONFIGURESSL command, should internal or external FQDN be entered?

 

Thanks.

Woody,

 

It's been a couple of years since I set up IBCM, but I posted a thread with some links and comments to help others:

 

https://www.windows-noob.com/forums/topic/10630-ibcm-deployment-results/?hl=ibcm

 

Hopefully this helps you out. I don't have direct access to the SCCM infrastructure that I helped to configure anymore, so I can't answer your questions specifically.

  • You can use the same web server certificate;
  • The software update point requires the internal FQDN and the Internet FQDN, they can both be in the alternative name. They are both required, internal FQDN for configuration and the Internet FQDN for the clients;
  • To my knowledge, the Internet FQDN.

Managed to test this -

 

Using the same Web Server Certificate I'd bound to the Default Website - Subject left blank, entered both the Intranet and Internet FQDN (Internet was first, not sure that this matters).

 

Ran WSUSUTIL CONFIGURESSL specifying the Internet FQDN and then added the SUP role.

 

The following was logged in the WCM.log:

Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)

System.Net.WebException: The request failed with HTTP status 401: Unauthorized.~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)

Failed to set WSUS Local Configuration. Will retry configuration in 1 minutes SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)

Attempting connection to local WSUS server SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)

System.Net.WebException: The request failed with HTTP status 401: Unauthorized.~~ at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~ at Microsoft.UpdateServices.Administration.AdminProxy.GetUpdateServer()~~ at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber) SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)

Failures reported during periodic health check by the WSUS Server servername.domain.com. Will retry check in 1 minutes SMS_WSUS_CONTROL_MANAGER 27/05/2016 16:23:58 2396 (0x095C)

 

Re-running WSUSUTIL CONFIGURESSL, this time specifying the Intranet FQDN, allowed WSUS to be configured by the SUP and a synchronisation to take place on the Internet-facing SUP.

Confirmed that Internet Based Clients could scan successfully against the SUP.

 

Thanks again for your help with this.
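A check script for the two findings in this thread (the certificate SAN must list both FQDNs, and wsusutil configuressl must be given the intranet FQDN or SCCM's WSUS Configuration Manager gets HTTP 401). This is an added example, not code from the thread or from Microsoft; it assumes wsusutil configuressl records its name as ServerCertificateName and sets UsingSSL under HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup, and the two hostnames at the bottom are placeholders.

```powershell
# Added example (not from the thread). Verifies on the WSUS/SUP server that:
#  1. a cert in the machine store has BOTH the intranet and Internet FQDN in its SAN
#  2. the name recorded by wsusutil configuressl is the INTRANET FQDN
# Assumption: configuressl writes ServerCertificateName and UsingSSL=1 to
# HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup.
function Test-SupSslConfig {
    param(
        [Parameter(Mandatory)][string]$IntranetFqdn,
        [Parameter(Mandatory)][string]$InternetFqdn
    )
    $result = [ordered]@{
        CertFound = $false; Thumbprint = $null
        SslEnabled = $false; ConfigureSslName = $null; ConfigureSslOk = $false
    }

    # 1. Look for a Web Server certificate whose SAN covers both names.
    $sanOid = '2.5.29.17'   # id-ce-subjectAltName
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        if (-not $san) { continue }
        # Format($false) renders the SAN as "DNS Name=a, DNS Name=b"
        $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                 ForEach-Object { $_.Groups[1].Value.ToLower() }
        if (($names -contains $IntranetFqdn.ToLower()) -and
            ($names -contains $InternetFqdn.ToLower())) {
            $result.CertFound  = $true
            $result.Thumbprint = $cert.Thumbprint
            break
        }
    }

    # 2. Read back what wsusutil configuressl recorded (assumed registry values).
    $setupKey = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    $setup = Get-ItemProperty $setupKey -ErrorAction SilentlyContinue
    if ($setup) {
        $result.SslEnabled       = ($setup.UsingSSL -eq 1)
        $result.ConfigureSslName = $setup.ServerCertificateName
        # The thread's finding: WCM connects using the intranet name, so the
        # Internet FQDN here produced "HTTP status 401: Unauthorized" in WCM.log.
        $result.ConfigureSslOk   = ($setup.ServerCertificateName -ieq $IntranetFqdn)
    }
    [pscustomobject]$result
}

# Placeholder hostnames; substitute the server's real intranet and Internet FQDNs.
Test-SupSslConfig -IntranetFqdn 'sup01.corp.example' -InternetFqdn 'sup.example.com' |
    Format-List
```

Run it in an elevated PowerShell session on the SUP after wsusutil configuressl; CertFound and ConfigureSslOk both reporting True matches the working configuration described above.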
