Five key configuration steps for implementing Internet-based clients in ConfigMgr 2012

This blog post is about the key configuration steps for implementing Internet-based clients in ConfigMgr 2012. By key configuration steps, I’m talking about the configuration of the web server certificate, IIS, site systems, site system roles and client installations. To understand these steps, knowledge of certificates, IIS and ConfigMgr is required, because it’s not a step-by-step configuration guide.


Before going through these steps, there are a few important prerequisites that should be in place:

  • Site systems for Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.
  • A supporting public key infrastructure (PKI) has to be in place, that can deploy and manage the certificates that the clients require and that are managed on the Internet and the Internet-based site system servers.
  • The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers.

Configuration 1: Web server certificate

1_CertificateOne of the most important things with Internet-based client management is the web server certificate. This certificate is used to authenticate these servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL). Based on the applicable scenario this certificate only needs the Internet FQDN, or the Internet and intranet FQDN. For Internet-based client management the following two scenario’s are possible:

  1. If the site system only accepts connections from the Internet, the Subject Name or Subject Alternative Name (SAN) must contain the Internet FQDN.
  2. If the site system accepts connections from the Internet and the intranet, both the Internet FQDN and the intranet FQDN must be specified in the SAN.

Configuration 2: Default web site

Even though I will make this a very small point for Internet-based client management, it is very important not to forget. After the certificate is created it needs to be configured, with the HTTPS Type, in the Site Bindings of the Default Web Site. In case WSUS is also running on the server, and needs to be used by the Internet-based clients, the same has to be done for the Windows Administration site.

2._SiteSystemConfiguration 3: Site system

The next key configuration for Internet-based client management is the Internet FQDN in the Site system properties of the Internet-based site system. The key here is that the Internet FQDN must be exactly the same as the Internet FQDN specified in the web server certificate. When those names don’t match, the client won’t be able to verify the identity of the site system. Of course that will keep the client for assigning to the site.

Configuration 4: Site role

3_SiteRoleAfter the Internet FQDN is configured, the Internet-based site system must be configured to accept client connections from the Internet. This is a configuration that must be done per role that’s supposed to communicate over the internet. For this configuration for Internet-based client management Allow Internet-only connections, or Allow intranet and Internet connections should be configured. The Management point, Distribution point, Fallback status point, Software update point, Application Catalog website point and Enroll proxy point are all able to be configured for accepting client connections from the Internet

Configuration 5: Client installation

imageThe last important configuration is the client installation. During the installation, clients must be directly assigned to the site and be configured with the Internet FQDN of the management point. For Internet-based client management this leaves two possible installation options:

  1. Internet-only clients: Ccmsetup.exe /UsePKICert CCMHOSTNAME=”<InternetFQDN>” SMSSITECODE=”<SiteCode>” CCMALWAYSINF=1
  2. Intranet and Internet clients: Ccmsetup.exe /UsePKICert SMSMP=”<IntrenatFQDN>” CCMHOSTNAME=”<InternetFQDN>” SMSSITECODE=”<SiteCode>”

Note: For lab environments and testing it might be easy to also us /NoCRLCheck. This prevents the client from checking the certificate revocation list (CRL), before establishing an HTTPS connection.

More information

How to Configure the WSUS Web Site to Use SSL.
Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority
About Client Installation Properties in Configuration Manager

16 thoughts on “Five key configuration steps for implementing Internet-based clients in ConfigMgr 2012”

  1. Hi! This is the first step-by-step guide I’ve seen at all. I’m only confused by one thing. In step 5, where it is your inputting these commands? Our CCM is installed automatically after imaging a client. We also only have one forests.. Are you using different collections and deploying seperate task sequences, or what is it that your doing where/when/why do you need to enter those commands?

  2. hi piter good post.. question in the last step is not necesary certificate in the clients computers??

  3. in the entity certifying internal (CA) what kind of template is used to generate the certificate that is installed on the computers to authenticate it’s (IBCM)

  4. piter Hello a question for the publication of the internet-based management point architecture do you recommend? point of administration in dmz, creation of rule with TMG?

    Thank you

  5. Hi Peter, thanks for you post, is it necesary config https only in the Client computer communication? currently I have many clients (23,000) in intranet and I need manage 200 clients by BCIM, I need install the certificate to all my clients?

    Thanks in advance, regards

  6. Hello Peter. Currently we use only Intranet based Clients (~10.000 Clients). We are planning to use Internet-based Client Management, so clients can also connect through Internet when they are not in corporate network. Is it neccassary to reinstall the Agent on all clients according to Configuration 5 to your blog?

    • Hi Khi,

      You only need to reinstall the client if you’re going to use Internet-only clients, or when your environment is pre-R2 (I thought). Since R2 or SP1 (the real SP1 before R2) the client will get the Internet-facing management point information as part of a normal policy.


  7. Hello Peter,
    Is it possible to implement a hybrid of internal PKI certificates and a third party certificate on the FQDN (eg digicert)?


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.