This blog post is about the key configuration steps for implementing Internet-based clients in ConfigMgr 2012. By key configuration steps, I’m talking about the configuration of the web server certificate, IIS, site systems, site system roles and client installations. To understand these steps, knowledge of certificates, IIS and ConfigMgr is required, because it’s not a step-by-step configuration guide.
Before going through these steps, there are a few important prerequisites that should be in place:
- Site systems for Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.
- A supporting public key infrastructure (PKI) must be in place that can deploy and manage the certificates required by the clients that are managed on the Internet and by the Internet-based site system servers.
- The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers.
Configuration 1: Web server certificate
One of the most important things with Internet-based client management is the web server certificate. This certificate is used to authenticate the site system servers to the client and to encrypt all data transferred between the client and these servers by using Secure Sockets Layer (SSL). Depending on the applicable scenario, this certificate needs either only the Internet FQDN, or both the Internet and the intranet FQDN. For Internet-based client management the following two scenarios are possible:
- If the site system only accepts connections from the Internet, the Subject Name or Subject Alternative Name (SAN) must contain the Internet FQDN.
- If the site system accepts connections from the Internet and the intranet, both the Internet FQDN and the intranet FQDN must be specified in the SAN.
Configuration 2: Default web site
Even though I will make this a very small point for Internet-based client management, it is very important not to forget. After the certificate is created, it needs to be configured, with the HTTPS type, in the Site Bindings of the Default Web Site. In case WSUS is also running on the server and needs to be used by the Internet-based clients, the same has to be done for the Windows Administration site.
Configuration 3: Site system
The next key configuration for Internet-based client management is the Internet FQDN in the Site system properties of the Internet-based site system. The key here is that the Internet FQDN must be exactly the same as the Internet FQDN specified in the web server certificate. When those names don’t match, the client won’t be able to verify the identity of the site system. Of course, that will keep the client from being assigned to the site.
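A check for the web server certificate, site binding and Internet FQDN requirements described above, as an added example that is not part of the original post: it reads the certificate bound to HTTPS on the Default Web Site and tests its Subject Name and SAN against the FQDNs of the site system. The function name and the example FQDNs are hypothetical; it assumes PowerShell 3.0 or later, the WebAdministration module and English-language Windows.

```powershell
# Added example (not from the original post). Run elevated on the Internet-based site system.
# Assumptions: PowerShell 3.0+, the WebAdministration module, English-language Windows
# (SAN entries are rendered as "DNS Name=..."); all FQDNs passed in are your own values.
Import-Module WebAdministration

function Test-IbcmWebServerCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $InternetFqdn,  # as entered in the site system properties
        [string] $IntranetFqdn,                                 # omit for an Internet-only site system
        [string] $SiteName = 'Default Web Site'
    )

    # Configuration 2: find the certificate bound to HTTPS on the web site.
    $binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
    if (-not $binding -or -not $binding.certificateHash) {
        throw "No HTTPS binding with a certificate on '$SiteName'."
    }
    $cert = Get-Item ('Cert:\LocalMachine\{0}\{1}' -f $binding.certificateStoreName, $binding.certificateHash)

    # Configuration 1: collect the DNS names from the SAN extension (OID 2.5.29.17).
    $sanNames = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $sanNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $subjectCn = $cert.GetNameInfo('SimpleName', $false)

    # Exact, case-insensitive comparison; wildcard entries are not expanded.
    if ($IntranetFqdn) {
        # Internet and intranet connections: both names must be in the SAN.
        $namesOk = ($sanNames -contains $InternetFqdn) -and ($sanNames -contains $IntranetFqdn)
    } else {
        # Internet-only connections: the Subject Name or the SAN may carry the name.
        $namesOk = ($sanNames -contains $InternetFqdn) -or ($subjectCn -eq $InternetFqdn)
    }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        SubjectCN  = $subjectCn
        SanDnsName = $sanNames -join ', '
        NotAfter   = $cert.NotAfter
        NamesMatch = $namesOk
    }
}

# Placeholder names; replace with the FQDNs used in your environment.
Test-IbcmWebServerCertificate -InternetFqdn 'cm.example.com' -IntranetFqdn 'cm01.corp.example.com'
```

Pass the Internet FQDN exactly as it is entered in the Site system properties, so that a `NamesMatch` of `False` points at the mismatch that stops clients from verifying the site system.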
Configuration 4: Site role
After the Internet FQDN is configured, the Internet-based site system must be configured to accept client connections from the Internet. This configuration must be done per role that’s supposed to communicate over the Internet. For Internet-based client management, either Allow Internet-only connections or Allow intranet and Internet connections should be configured. The Management point, Distribution point, Fallback status point, Software update point, Application Catalog website point and Enroll proxy point can all be configured to accept client connections from the Internet.
Configuration 5: Client installation
The last important configuration is the client installation. During the installation, clients must be directly assigned to the site and be configured with the Internet FQDN of the management point. For Internet-based client management this leaves two possible installation options:
- Internet-only clients: Ccmsetup.exe /UsePKICert CCMHOSTNAME="<InternetFQDN>" SMSSITECODE="<SiteCode>" CCMALWAYSINF=1
- Intranet and Internet clients: Ccmsetup.exe /UsePKICert SMSMP="<IntranetFQDN>" CCMHOSTNAME="<InternetFQDN>" SMSSITECODE="<SiteCode>"
Note: For lab environments and testing it might be easy to also use /NoCRLCheck. This prevents the client from checking the certificate revocation list (CRL) before establishing an HTTPS connection.