This blog post covers the key configuration steps for implementing Internet-based clients in ConfigMgr 2012: the web server certificate, IIS, the site system, the site system roles and the client installation. It is not a step-by-step configuration guide, so a working knowledge of certificates, IIS and ConfigMgr is assumed.
Prerequisites
Before going through these steps, there are a few important prerequisites that should be in place:
- Site systems for Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.
- A supporting public key infrastructure (PKI) must be in place that can deploy and manage the certificates required by the clients that are managed on the Internet and by the Internet-based site system servers.
- The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers.
Configuration 1: Web server certificate
One of the most important things in Internet-based client management is the web server certificate. The Internet-based site systems use it to authenticate themselves to the client and to encrypt all data transferred between the client and these servers over HTTPS (SSL/TLS). Depending on the scenario the certificate needs only the Internet FQDN, or both the Internet FQDN and the intranet FQDN. For Internet-based client management the following two scenarios are possible:
- If the site system only accepts connections from the Internet, the Subject Name or Subject Alternative Name (SAN) must contain the Internet FQDN.
- If the site system accepts connections from both the Internet and the intranet, the Internet FQDN and the intranet FQDN must both be specified in the SAN.
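As an added example (not code from the original post), the following PowerShell script requests a web server certificate for the second scenario with certreq.exe, putting both names in the SAN, and then verifies that the Internet FQDN is actually present in the issued certificate. The FQDNs, the CA configuration string and the template name are assumptions; the template is assumed to be a duplicate of the Web Server template that lets the subject be supplied in the request.

```powershell
# Added example, not from the original post. Requests a web server certificate whose SAN
# carries both the Internet FQDN and the intranet FQDN (scenario 2 above); for scenario 1
# leave only the Internet FQDN in $SanNames. All names below are hypothetical.
$InternetFqdn = 'cm01.contoso.com'                           # registered in public DNS
$IntranetFqdn = 'cm01.corp.contoso.local'                    # name used on the intranet
$CaConfig     = 'ca01.corp.contoso.local\Contoso Issuing CA'  # "certutil -dump" shows the exact string
$Template     = 'ConfigMgrWebServer'                          # copy of Web Server template, subject supplied in request
$SanNames     = @($InternetFqdn, $IntranetFqdn)

# certreq's {text} SAN syntax: dns=name entries separated by "&".
$sanText = ($SanNames | ForEach-Object { "dns=$_" }) -join '&'

# KeyUsage 0xA0 = Digital Signature + Key Encipherment; EKU 1.3.6.1.5.5.7.3.1 = Server Authentication.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$InternetFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "$sanText"

[RequestAttributes]
CertificateTemplate = $Template
"@

$work = Join-Path $env:TEMP 'ibcm-webserver'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\webserver.inf" -Value $inf -Encoding Ascii

# 1. Build the request; the private key is generated in the machine store, non-exportable.
certreq.exe -new "$work\webserver.inf" "$work\webserver.req"
# 2. Submit to the enterprise CA; when the template auto-approves, the .cer comes back at once.
certreq.exe -submit -config $CaConfig "$work\webserver.req" "$work\webserver.cer"
# 3. Install the issued certificate and join it with the pending private key.
certreq.exe -accept "$work\webserver.cer"

# Verification: the name that will be typed into the site system properties as the
# Internet FQDN must appear as a DNS Name in the SAN of the certificate just installed.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$InternetFqdn" -and $_.HasPrivateKey } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "certificate for $InternetFqdn was not installed" }

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if (-not $sanExt) { throw "certificate $($cert.Thumbprint) has no Subject Alternative Name" }
$sanExt.Format($true)     # prints one "DNS Name=..." line per SAN entry

foreach ($name in $SanNames) {
    if ($sanExt.Format($false) -notmatch [regex]::Escape("DNS Name=$name")) {
        throw "SAN of $($cert.Thumbprint) is missing DNS Name=$name"
    }
}
"OK: $($cert.Thumbprint) covers $($SanNames -join ', ')"
```

The verification loop is the part worth keeping around: a certificate whose SAN lacks the Internet FQDN is the most common reason clients on the Internet fail to verify the site system, and the check costs nothing before the name is typed into the console.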
Configuration 2: Default web site
Even though this is a small point for Internet-based client management, it is very important not to forget. After the certificate is issued it must be selected in an https binding (Type: https, port 443) in the Site Bindings of the Default Web Site. If WSUS also runs on the server and must be used by the Internet-based clients, the same has to be done for the WSUS Administration web site (by default on port 8531), and SSL has to be required on the WSUS web services; see the link to the WSUS SSL documentation below.
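The binding work for both sites, as an added PowerShell example that is not from the original post. It selects the certificate by the Internet FQDN in its SAN (a hypothetical name), binds it to the Default Web Site on 443 and, only when WSUS is installed on the same server, to the WSUS Administration site on 8531, requires SSL on the WSUS web services the ConfigMgr documentation lists, and registers the name with WSUS.

```powershell
# Added example, not from the original post. Creates the https bindings for the Default
# Web Site and (if WSUS is on the same server) the WSUS Administration site, using the
# certificate that carries the Internet FQDN in its SAN. The FQDN is hypothetical.
Import-Module WebAdministration
$InternetFqdn = 'cm01.contoso.com'

function Get-SanText($c) {
    # Single-line SAN text ("DNS Name=a, DNS Name=b") or '' when the cert has no SAN.
    $e = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($e) { $e.Format($false) } else { '' }
}

# Pick the newest unexpired certificate with a private key whose SAN lists the Internet FQDN.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ((Get-SanText $_) -match [regex]::Escape("DNS Name=$InternetFqdn"))
} | Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $cert) { throw "no usable certificate with DNS Name=$InternetFqdn in LocalMachine\My" }

function Set-HttpsBinding {
    param([string]$Site, [int]$Port, [string]$Thumbprint)
    if (-not (Get-WebBinding -Name $Site -Protocol https -Port $Port)) {
        New-WebBinding -Name $Site -Protocol https -Port $Port -IPAddress '*' | Out-Null
    }
    # Attach the certificate from the machine "my" store to the binding.
    (Get-WebBinding -Name $Site -Protocol https -Port $Port).AddSslCertificate($Thumbprint, 'my')
}

# Default Web Site: used by the management point, distribution point and the other roles.
Set-HttpsBinding -Site 'Default Web Site' -Port 443 -Thumbprint $cert.Thumbprint

if (Get-Website | Where-Object { $_.Name -eq 'WSUS Administration' }) {
    Set-HttpsBinding -Site 'WSUS Administration' -Port 8531 -Thumbprint $cert.Thumbprint
    # Require SSL on the WSUS web services only; the content directory stays http so clients
    # can still download update files.
    foreach ($app in 'ApiRemoting30', 'ClientWebService', 'DSSAuthWebService',
                     'ServerSyncWebService', 'SimpleAuthWebService') {
        Set-WebConfigurationProperty -PSPath 'IIS:\' -Location "WSUS Administration/$app" `
            -Filter 'system.webServer/security/access' -Name sslFlags -Value 'Ssl'
    }
    # Tell WSUS which name the certificate carries so the URLs it hands out use https and that name.
    & "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" configuressl $InternetFqdn
}

# Show the result: one line per https binding with the certificate hash it uses.
Get-WebBinding -Protocol https | Select-Object bindingInformation, certificateHash
```

After this, the software update point in the ConfigMgr console still has to be set to use SSL on port 8531; the script only prepares IIS and WSUS.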
Configuration 3: Site system
The next key configuration for Internet-based client management is the Internet FQDN in the Site System Properties of the Internet-based site system. The Internet FQDN entered here must match exactly the Internet FQDN in the web server certificate (Subject Name or SAN). When those names don't match, the client cannot verify the identity of the site system, and that in turn prevents the client from assigning to the site.
Configuration 4: Site role
After the Internet FQDN is configured, the Internet-based site system must be configured to accept client connections from the Internet. This is done per role that is supposed to communicate over the Internet, by setting the role's client connection option to Allow Internet-only connections or Allow intranet and Internet connections. The Management point, Distribution point, Fallback status point, Software update point, Application Catalog website point and Enrollment proxy point can all be configured to accept client connections from the Internet.
Configuration 5: Client installation
The last important configuration is the client installation. During the installation, Internet clients must be directly assigned to the site and be configured with the Internet FQDN of the Internet-based management point. For Internet-based client management this leaves two possible installation options:
- Internet-only clients: Ccmsetup.exe /UsePKICert CCMHOSTNAME="<InternetFQDN>" SMSSITECODE="<SiteCode>" CCMALWAYSINF=1
- Intranet and Internet clients: Ccmsetup.exe /UsePKICert SMSMP="<IntranetFQDN>" CCMHOSTNAME="<InternetFQDN>" SMSSITECODE="<SiteCode>"
Note: For lab environments and testing it might be convenient to also use /NoCRLCheck. This prevents the client from checking the certificate revocation list (CRL) before establishing an HTTPS connection. Don't use it in production: a client that skips the CRL check keeps trusting a revoked server certificate. The production fix for CRL failures is to publish the CRL at a location the Internet clients can reach.
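As an added example (not code from the original post), here is a PowerShell pre-flight check for the Internet-only installation: it confirms that a client authentication certificate is in the machine store, then connects to the Internet-facing management point over TLS and checks the server certificate for the Internet FQDN, a trusted chain and an online CRL lookup (the check that /NoCRLCheck disables), and only then runs ccmsetup with the Internet-only properties. The FQDN, site code and ccmsetup.exe location are assumptions.

```powershell
# Added example, not from the original post. Pre-flight check for an Internet-only client
# installation, then the ccmsetup call from the post. $InternetFqdn, $SiteCode and the
# ccmsetup.exe path are hypothetical.
$InternetFqdn = 'cm01.contoso.com'
$SiteCode     = 'PS1'
$CcmSetup     = 'C:\Temp\client\ccmsetup.exe'

# (1) A certificate with the Client Authentication EKU and a private key (for example from
#     the Workstation Authentication template) must already be in the machine store. Without
#     it, /UsePKICert falls back to a self-signed certificate that the Internet-based
#     management point will not accept.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
    ($_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] -and
        ($_.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthOid })
    })
}
if (-not $clientCert) { throw 'no client authentication certificate in LocalMachine\My' }

# (2) Probe the management point over TLS the way the client will. The callback accepts
#     whatever is presented so the certificate can be inspected explicitly afterwards.
$tcp = New-Object System.Net.Sockets.TcpClient($InternetFqdn, 443)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback] { $true })
$ssl.AuthenticateAsClient($InternetFqdn)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# Name check: the Internet FQDN must be in the SAN (or the CN) of the server certificate.
$sanExt  = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
$nameOk  = ($sanText -match [regex]::Escape("DNS Name=$InternetFqdn")) -or
           ($serverCert.Subject -match "(^|,\s*)CN=$([regex]::Escape($InternetFqdn))(,|$)")
if (-not $nameOk) { throw "server certificate $($serverCert.Thumbprint) does not carry $InternetFqdn" }

# Chain and revocation: the client downloads the CRL before trusting the management point,
# so the CRL distribution point must be reachable from the Internet. A failure here shows
# up as RevocationStatusUnknown / OfflineRevocation, which is what /NoCRLCheck would hide.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
if (-not $chain.Build($serverCert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "chain validation failed for $InternetFqdn : $status"
}

# (3) Everything the install relies on is in place: run ccmsetup with the Internet-only properties.
$ccmArgs = @('/UsePKICert', "CCMHOSTNAME=$InternetFqdn", "SMSSITECODE=$SiteCode", 'CCMALWAYSINF=1')
& $CcmSetup $ccmArgs
"ccmsetup started; follow $env:WINDIR\ccmsetup\Logs\ccmsetup.log for progress"
```

For the intranet-and-Internet variant, replace CCMALWAYSINF=1 with SMSMP="<IntranetFQDN>" in $ccmArgs; the certificate and chain checks are the same.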
More information
How to Configure the WSUS Web Site to Use SSL
Step-by-Step Example Deployment of the PKI Certificates for Configuration Manager: Windows Server 2008 Certification Authority
About Client Installation Properties in Configuration Manager
Hi! This is the first step-by-step guide I've seen at all. I'm only confused by one thing. In step 5, where is it you're inputting these commands? Our CCM is installed automatically after imaging a client. We also only have one forest. Are you using different collections and deploying separate task sequences, or what is it that you're doing? Where/when/why do you need to enter those commands?
Those commands are for manual client installation. In case your machine will be on the domain first, or the client is pushed, then you can forget about this step.
Hi Peter, good post. Question: in the last step, isn't a certificate necessary on the client computers?
Yes, those client computers need to have a certificate already.
In the internal certification authority (CA), what kind of template is used to generate the certificate that is installed on the computers to authenticate them (IBCM)?
I’m using the Workstation Authentication template. For a nice step-by-step, see: http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012
Hello Peter, a question: for publishing the Internet-based management point, what architecture do you recommend? The management point in the DMZ, with a rule created in TMG?
Thank you
It depends on a lot of different things, but TMG is definitely an option. One thing is for sure, it’s the best documented option.
Are wildcard certificates supported with Configuration Manager 2012 R2 IBCM?
thank you
I have to say that I never used any of them in combination with ConfigMgr. I would *think* that they should work fine with the different site roles (configured in IIS).
Hi Peter, thanks for your post. Is it necessary to configure HTTPS only in the client computer communication? Currently I have many clients (23,000) on the intranet and I need to manage 200 clients by IBCM. Do I need to install the certificate on all my clients?
Thanks in advance, regards
Hi Luis, Sorry for the late reply. I completely missed out on the notification email. Yes, your clients need to have a client authentication certificate.
Peter
Hello Peter. Currently we use only intranet-based clients (~10,000 clients). We are planning to use Internet-based Client Management, so clients can also connect through the Internet when they are not in the corporate network. Is it necessary to reinstall the agent on all clients according to Configuration 5 of your blog?
Hi Khi,
You only need to reinstall the client if you're going to use Internet-only clients, or when your environment is pre-R2 (I thought). Since R2 or SP1 (the real SP1, before R2), the client gets the Internet-facing management point information as part of its normal policy.
Peter
Hello Peter,
Is it possible to implement a hybrid of internal PKI certificates and a third-party certificate on the FQDN (e.g. DigiCert)?
Hi Juan,
Sure. With certificates it’s all about trusting the publisher of the certificate, and being able to verify the certificates.
Regards, Peter