Most organizations have users
working from home or remote offices without a direct connection to the
enterprise network. Mobile workers will also use laptops at locations
that are on the network and at remote locations. In other cases, systems
such as kiosk computers or point-of-sale systems require remote
management. As long as these computers have a connection to the
Internet, Configuration Manager provides two options for managing them,
using either a Virtual Private Network (VPN) or Internet-Based Client
Management (IBCM), as discussed in the next sections.
Choosing a Solution for Internet-Based Clients
SMS 2003 and
earlier versions required a VPN connection to manage computers without a
direct physical connection to your enterprise network. To establish a
VPN connection, client computers or other devices authenticate with a
gateway on your network across an insecure network, generally the
Internet. Once the client is authenticated, it establishes an encrypted
session (or tunnel)
through which private communications can take place. You can use VPN
connections to support all Configuration Manager 2007 features.
Configuration
Manager 2007 provides a new capability called IBCM, which allows you to
deliver certain services directly over the Internet without requiring a
VPN connection. VPN services require a significant investment in
infrastructure and support. Even if you have
a VPN in place and available to all client systems, there are reasons
why it may not be an ideal vehicle for delivering Configuration Manager
services:
However,
depending on your business requirements and existing infrastructure, a
VPN-based solution may be the best way to manage computers that must
connect through the Internet. VPN supports all of Configuration
Manager’s features, whereas IBCM supports only a subset. IBCM also
requires a PKI deployment and in most configurations requires deploying
an additional server. You should consider the capabilities of both
solutions when deciding how to meet the needs of your Internet-based
clients.
IBCM Features and Requirements
IBCM supports the following Configuration Manager features:
IBCM does not
support other Configuration Manager features such as client deployment,
OSD, Remote Tools, and Network Access Protection (NAP).
Sites supporting
Internet-based clients must be primary sites in native mode with
certificates deployed to servers and clients. The systems that directly support Internet-based clients must
be accessible from the Internet via HTTP/HTTPS. Systems that may provide services for Internet clients include the following:
Management point—
This is the only required role, providing policy to clients and
receiving inventory, state, status, and other data from clients.
Distribution points—
One or more standard distribution points are required for software
deployment. These distribution points must be site systems rather than
server shares. Internet-facing branch distribution points are not
supported.
Fallback status point— The FSP is recommended to allow clients that are having problems contacting the management point to report status to the site.
Software update point— The SUP is required for software updates.
Each of these systems
requires configuration to accept connections from the Internet, and the
site system properties must include a Fully Qualified Domain Name (FQDN)
that is resolvable from the Internet. Internet-facing site systems
cannot be protected site systems.
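A quick way to confirm these requirements from outside the perimeter is to resolve the FQDN, connect to the HTTPS port, and inspect the certificate the site system presents. The following PowerShell script is an added example and is not part of Configuration Manager or of this text; the host name mp1.example.com is a placeholder you would replace with the Internet FQDN of your management point. Run it from a machine on the Internet rather than from the intranet, because the point is to see exactly what an Internet client sees. It requests revocation checking, as the Configuration Manager client does by default, so a CRL distribution point that is not reachable from the Internet shows up here as a chain error rather than as a mysterious client failure later.

```powershell
# Added example, not from the book: probe an Internet-facing site system the way
# an Internet client would. $Fqdn is an assumed placeholder.
$Fqdn = 'mp1.example.com'
$Port = 443

# 1. The FQDN must resolve from the public Internet, not just from internal DNS.
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn)
    "$Fqdn resolves to: $(($addrs | ForEach-Object { $_.ToString() }) -join ', ')"
} catch {
    Write-Warning "$Fqdn does not resolve: $($_.Exception.Message)"
    return
}

# 2. The outer firewall must pass TCP $Port through to the site system.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($Fqdn, $Port)
} catch {
    Write-Warning "TCP port $Port on $Fqdn is not reachable: $($_.Exception.Message)"
    return
}

# 3. The server certificate must chain to a CA the client trusts, carry the FQDN
#    in its subject or SAN, and not be revoked. The callback records what the
#    .NET validator found instead of failing the handshake, so we can report it.
$state = @{ Errors = $null; ChainStatus = @() }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $state.Errors = $sslPolicyErrors
    if ($chain) { $state.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status }) }
    return $true   # diagnostic only; a real client must reject on any error
}
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
# The final $true asks for revocation checking, which the Configuration Manager
# client also does by default, so an unreachable CRL shows up as a chain error.
$ssl.AuthenticateAsClient($Fqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

"Subject      : $($cert.Subject)"
"Issuer       : $($cert.Issuer)"
"Valid until  : $($cert.NotAfter)"
"Policy errors: $($state.Errors)"                  # None means chain and name both validate
"Chain status : $($state.ChainStatus -join ', ')"  # e.g. RevocationStatusUnknown, OfflineRevocation
$ssl.Dispose()
$client.Close()
```

Anything other than None in the policy errors line, or any entry in the chain status line, is something the Configuration Manager client on the Internet will also trip over; fix it on the server or the PKI side before troubleshooting the client.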
Deploying Servers to Support Internet-Based Clients
For security
reasons, systems accessible to Internet-based clients should always be
deployed in a DMZ (generally referred to in the product documentation as
a perimeter network). Microsoft supports several scenarios for site and server placement:
A site that
does not support intranet clients and spans the perimeter network and
intranet. The site server is in the intranet. All Internet-based site
systems are in the perimeter network and accept connections for clients
connecting over the Internet.
A site that does not support intranet clients and is in the perimeter network only.
A
site supporting both Internet and intranet clients, which spans the
perimeter network and intranet. All Internet-based site systems are in
the perimeter network and support connections for clients connecting
over the Internet. A second management point, SUP, FSP, and additional
distribution points, along with other site systems, are in the intranet
for those clients connecting over the intranet.
A
site that supports both Internet and intranet clients, and bridges the
perimeter network and the intranet. There is a single management point.
This is both the site’s default management point and the Internet-based
client’s management point.
These scenarios are described in detail in http://technet.microsoft.com/en-us/library/bb693824.aspx.
When
designing your solution, your primary consideration will be the level of
security you need. Providing services through the Internet potentially
exposes you to unauthorized access. You should involve any necessary
resources to ensure that proper security risk management and secure
network design principles are followed.
Each of the scenarios Microsoft supports involves three security zones:
The Internet (least secure)
The perimeter network (more secure)
The internal network (most secure)
The
purpose of the perimeter network is to protect your internal network,
where your most valuable systems and data reside. If a host in the
perimeter network is compromised, it is the job of the inner firewall,
the one between the perimeter network and the internal network, to
protect your high-value assets. One basic principle of network security
is that allowing any connections to be initiated from a less secure zone
to a more secure zone is a risk. As you step through the supported
scenarios, focus on the allowed protocols at the inner firewall. The
options that allow inbound connections are likely to be less secure than
those that do not.
A special risk is
introduced by solutions that bridge the perimeter network and the
internal network. In this case, you do not have a dedicated inner
firewall. If one of the bridging hosts is compromised, it could be used
to attack the internal network. If you choose to implement this model,
you should take special care to harden the systems as much as possible,
monitor them closely, and verify that you have disabled routing between
the network cards. Many organizations have security policies that forbid
using servers to bridge security zones.
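The check on routing between the network cards is easy to automate. The following PowerShell script is an added example rather than anything from the book or the product; it runs locally on a dual-homed site system and reports the three ways Windows can end up forwarding packets between its adapters: the system-wide IPEnableRouter registry value, per-interface forwarding (reported by Get-NetIPInterface, which exists on Windows Server 2012 and later and is skipped on older systems), and a running Routing and Remote Access service. It also lists the IP-enabled adapters and flags more than one default gateway, a common misconfiguration on multi-homed hosts that sends traffic out through the wrong zone.

```powershell
# Added example, not from the book: audit a dual-homed (bridging) host for
# packet forwarding between its adapters. Run locally as an administrator.
$issues = @()

# 1. System-wide forwarding switch; a value of 1 turns the TCP/IP stack into a router.
$tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$ipEnableRouter = (Get-ItemProperty -Path $tcpipParams -Name IPEnableRouter -ErrorAction SilentlyContinue).IPEnableRouter
if ($ipEnableRouter -eq 1) {
    $issues += 'IPEnableRouter = 1: IP forwarding is enabled for the whole system'
}

# 2. Per-interface forwarding (Windows 8 / Server 2012 and later). On older
#    systems the cmdlet does not exist and this check is skipped.
if (Get-Command Get-NetIPInterface -ErrorAction SilentlyContinue) {
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.Forwarding -eq 'Enabled' } |
        ForEach-Object { $issues += "Forwarding enabled on interface '$($_.InterfaceAlias)'" }
}

# 3. Routing and Remote Access forwards packets independently of the above.
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($rras -and $rras.Status -eq 'Running') {
    $issues += 'Routing and Remote Access service is running'
}

# 4. Show every IP-enabled adapter and its gateway. A multi-homed host should have
#    exactly one default gateway; a second one lets traffic leak across zones.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$adapters |
    Select-Object Description,
                  @{ n = 'IPAddress'; e = { $_.IPAddress -join ', ' } },
                  @{ n = 'Gateway';   e = { $_.DefaultIPGateway -join ', ' } } |
    Format-Table -AutoSize
$gateways = @($adapters | ForEach-Object { $_.DefaultIPGateway } | Where-Object { $_ })
if ($gateways.Count -gt 1) {
    $issues += "Multiple default gateways configured: $($gateways -join ', ')"
}

if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
} else {
    'No forwarding between adapters detected.'
}
```

A clean run still does not make the bridging model safe; it only confirms that the host is not acting as a router today. Schedule the script, or an equivalent configuration baseline, so that a later change to any of these settings is caught rather than discovered during an incident.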
Take your own
secure network architecture into account as you consider each of the
scenarios Microsoft supports for deploying servers to support Internet
clients, because you may need to adapt these scenarios to meet your own
security requirements. Carefully consider the relative advantages of
each model.
Using a Dedicated Site for Internet Clients
The first option to
consider is whether to have a dedicated site for Internet clients. Using
a dedicated site provides some options that simplify your security
planning. If you use a dedicated Internet-only site, you should have
only an Internet-based management point and not a default MP. The most
secure configuration is a dedicated site, totally within the perimeter
network, that is absolutely separate from the hierarchy supporting
intranet clients. This configuration, shown in Figure 1, does not require connectivity between the Internet-accessible systems and your internal network.
Maintaining a Separate Active Directory Forest
For complete
isolation, you would need a separate Active Directory forest in the
perimeter network. This configuration does not support clients that
connect both as Internet and intranet clients. Even if you have mobile
clients that sometimes connect directly to your network, or clients that
sometimes establish a VPN connection, you will need to configure them
as Internet-only clients, which will have the more limited IBCM
management capabilities.
Allowing Site-to-Site Communications Across an Inner Firewall
A dedicated site
for Internet clients can also reside in the perimeter network but be
joined to a parent site in your internal network. This configuration
requires you to allow site-to-site communications across your inner
firewall.
Having a Site Span the Internal Network and Perimeter Network
You
can configure a site to span the internal network and the perimeter
network. A site that spans these zones can be dedicated to Internet
clients only or can have both Internet and intranet clients. In this
configuration, the site server and SQL database server are in the
internal network. You can provide services to intranet clients either by
deploying separate client-facing systems in the internal network or by
configuring site systems in your DMZ to accept connections from both
intranet and Internet clients and then allowing outbound client
connections through the inner firewall.
Configure
Internet-facing systems using the option Allow only site server
initiated data transfers from this site system. You can configure this
setting on the site system properties page, found under System Center
Configuration Manager -> Site Database -> Site Management ->
<Site Code> <Site Name> -> Site Settings -> Site Systems -> <Site System> -> Site System, which is displayed in Figure 2. This configuration eliminates the need to allow inbound connections to the site server through the inner firewall.
You
can also eliminate the need for inbound SQL connections by deploying a
SQL replica in the DMZ, which requires considerable configuration but
can enhance security.