IBCM Implementation

[Fed]

Hi guys,

 

I'm running through different topics and technet document in order to properly make my SCCM 2012 R2 infrastructure available to internet based clients.

 

Here the background of the beast:

 

Single Site Setup (All roles on the same machine and additional DP's on the intranet side)

 

PKI Certificates implementation is complete and all server roles have been moved to HTTP communication

 

Now comes the question of the Internet availability and it gets tricky. I currently have a TMG 2010 reverse proxy with a single NIC in a DMZ and not joined to AD. According to Microsoft’s documentation, TMG/ISA servers can do SSL Bridging (which needs to access to AD and specific certificates installed) or SSL Tunneling (this one doesn't work with TMG and is simply forwarding requests to the destination host. It can be done by my firewall but it's also the least secure way of working).

 

I also have seen that installing a dedicated MP/DP in the DMZ is a solution but I’m wondering what the best solution is.

 

In my case, I’d rather avoid messing up with TMG and make ADLDS available in the DMZ while setting up a dedicated MP/DP in the same network.

 

Can some of you let me know what their experience is with IBCM implementation, the solution chosen, etc?

 

Thanks for sharing,

Fed

[wilbywilson]

Fed,

 

I'm about to go through a similar process (I need to deploy an internet-facing MP/DP/SUP in the DMZ.) Did you end up setting up a dedicated SCCM site server in the DMZ? If so, was that server in the same domain as the SCCM primary? It doesn't seem like that would be good security practice, but I also don't know what all of the implications are if the DMZ site server is in a workgroup (or another domain altogether).

[Peter van der Woude]

I would indeed create a separate site system in the DMZ in a separate domain. No problem from a ConfigMgr perspective.

[dverbern]

So glad you are deploying IBCM and not an ICBM.

 

[wilbywilson]

 

I would indeed create a separate site system in the DMZ in a separate domain. No problem from a ConfigMgr perspective.

 

Thanks for the info, Peter. Do I need to do anything special with this type of setup (Management Point / Distribution Point / SUP installed on a server in a separate domain?) I do not need to manage any clients in this separate domain; I just need a functioning MP/DP/SUP which will service internet-based clients (laptops when they are off the corporate network, but already have a functioning SCCM client on the currently existing domain.) Therefore, my guess would be that I don't need to establish domain/forest trusts for this type of scenario, but then the question becomes account-related. Would I need to add the SCCM Primary computer account to the administrators group on the site server in the DMZ (is that even possible if they are in separate domains)? And in the newly created/different domain, do I need to extend the schema for SCCM 2012, create a Systems Management container, and add this new site server to it? Or should I be trying to add the DMZ site server to the Systems Management container in the current/existing domain?

Lastly, is there any (good) documentation that covers the necessary ports that need to be open between the SCCM Primary and this internet-facing MP/DP/SUP? I've found some good tutorials on setting up the PKI infrastructure and required certificates, but I have not been able to find much on port requirements, nor the steps to install an MP/DP/SUP roles on a server that's in a separate domain.

Thanks again for your input on this thread.

[wilbywilson]

Does anyone know the answers to these questions? For a DMZ management point that's installed in a "separate" forest/domain (which will be used to manage internet-based laptops, which already have a functioning SCCM client):

 

1) Do I need to extend the schema for SCCM 2012 in this new forest/domain, create a Systems Management container, and give full rights to this DMZ site server on that container?

2) Does the SCCM Primary computer account need to be an administrator on the new DMZ site server (if that's possible, give that the new site server in another forest/domain)?

3) On the existing/functioning domain, should I be adding rights for the new DMZ site server on the Systems Management container?

 

Thanks for any advice.

Chris

[Peter van der Woude]

1. No, but It can be usefull when you are also managing clients in that forest/domain.
2. No. In this case I would use a site system installation account (see also: http://technet.microsoft.com/en-us/library/hh427337.aspx)

3. No. I wouldn't want to publish that MP in your existing domain.

[wilbywilson]

Thanks for the reply, Peter.

 

I will come back and update this thread as I go through the process of implementing IBCM in my environment. Hopefully my trials and tribulations will help others down the road.

[wilbywilson]

I've run into a bit of stumbling block. I'm trying to issue 2 certificates (IIS and Distribution Point signing) to the DMZ server. This is required for the PKI implementation, which is in turn necessary to support internet-based clients.

 

So anyway, I'm trying to issue these 2 certs from my internal CA server, but the DMZ server is in another (non-trusted domain), and I can't add the DMZ server to the "Security" tab in the certificate issuing template. How do I go about issuing these certs correctly? I thought about issuing the certificates to an internal domain machine, and then exporting them to the DMZ server, but I'm concerned about DNS and other incorrect information getting exported, and ultimately the certs not working correctly.

 

Any tips or links to documentation on issuing certificates to a DMZ server that is in another domain?

 

Thanks

[Peter van der Woude]

Issue them on an internal domain machine, but make sure that your certificate template requires you to input a DNS name. This way you can request a certificate with the FQDN of the DMZ server.