System Center Configuration Manager 2007 : Planning for Internet-Based Clients

9/3/2012 3:19:28 AM
Most organizations have users working from home or remote offices without a direct connection to the enterprise network. Mobile workers will also use laptops at locations that are on the network and at remote locations. In other cases, systems such as kiosk computers or point-of-sale systems require remote management. As long as these computers have a connection to the Internet, Configuration Manager provides two options for managing them, using either a Virtual Private Network (VPN) or Internet-Based Client Management (IBCM), as discussed in the next sections.

Choosing a Solution for Internet-Based Clients

SMS 2003 and earlier versions required a VPN connection to manage computers without a direct physical connection to your enterprise network. To establish a VPN connection, client computers or other devices authenticate with a gateway on your network across an unsecure network, generally the Internet. Once the client is authenticated, it establishes an encrypted session (or tunnel) through which private communications can take place. You can use VPN connections to support all Configuration Manager 2007 features.

Configuration Manager 2007 provides a new capability called IBCM, which allows you to deliver certain services directly over the Internet without requiring a VPN connection. VPN services require a significant investment in infrastructure and support. Even if you have a VPN in place and available to all client systems, there are reasons why it may not be an ideal vehicle for delivering Configuration Manager services:

  • Client systems must make an additional connection to the gateway.

  • Challenges in managing the VPN address space as part of your site boundaries.

However, depending on your business requirements and existing infrastructure, a VPN-based solution may be the best way to manage computers that must connect through the Internet. VPN supports all of Configuration Manager’s features, whereas IBCM supports only a subset. IBCM also requires a PKI deployment and in most configurations requires deploying an additional server. You should consider the capabilities of both solutions when deciding how to meet the needs of your Internet-based clients.

IBCM Features and Requirements

IBCM supports the following Configuration Manager features:

  • Hardware and software inventory, including file collection

  • State and status reporting

  • Software Distribution

  • Software Updates

  • Software Metering

IBCM does not support other Configuration Manager features such as client deployment, OSD, Remote Tools, and Network Access Protection (NAP).

Sites supporting Internet-based clients must be primary sites in native mode with certificates deployed to servers and clients. The systems that directly support Internet-based clients must be accessible from the Internet via HTTP/HTTPS. Systems that may provide services for Internet clients include the following:

  • Management point: This is the only required role, providing policy to clients and receiving inventory, state, status, and other data from clients.

  • Distribution points: One or more standard distribution points are required for software deployment. These distribution points must be site systems rather than server shares. Internet-facing branch distribution points are not supported.

  • Fallback status point: The FSP is recommended to allow clients that are having problems contacting the management point to report status to the site.

  • Software update point: The SUP is required for software updates.

Each of these systems requires configuration to accept connections from the Internet, and the site system properties must include a Fully Qualified Domain Name (FQDN) that is resolvable from the Internet. Internet-facing site systems cannot be protected site systems.

Deploying Servers to Support Internet-Based Clients

For security reasons, systems accessible to Internet-based clients should always be deployed in a DMZ (generally referred to in the product documentation as a perimeter network). Microsoft supports several scenarios for site and server placement:

  • A site that does not support intranet clients and spans the perimeter network and intranet. The site server is in the intranet. All Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet.

  • A site that does not support intranet clients and is in the perimeter network only.

  • A site supporting both Internet and intranet clients, which spans the perimeter network and intranet. All Internet-based site systems are in the perimeter network and support connections for clients connecting over the Internet. A second management point, SUP, FSP, and additional distribution points, along with other site systems, are in the intranet for those clients connecting over the intranet.

  • A site that supports both Internet and intranet clients, and bridges the perimeter network and the intranet. There is a single management point. This is both the site’s default management point and the Internet-based client’s management point.

These scenarios are described in detail in

When designing your solution, your primary consideration will be the level of security you need. Providing services through the Internet potentially exposes you to unauthorized access. You should involve any necessary resources to ensure that proper security risk management and secure network design principles are followed.

Each of the scenarios Microsoft supports involves three security zones:

  • The Internet (least secure)

  • The perimeter network (more secure)

  • The internal network (most secure)

The purpose of the perimeter network is to protect your internal network, where your most valuable systems and data reside. If a host in the perimeter network is compromised, it is the job of the inner firewall, the one between the perimeter network and the internal network, to protect your high-value assets. One basic principle of network security is that allowing any connections to be initiated from a less secure zone to a more secure zone is a risk. As you step through the supported scenarios, focus on the allowed protocols at the inner firewall. The options that allow inbound connections are likely to be less secure than those that do not.

A special risk is introduced by solutions that bridge the perimeter network and the internal network. In this case, you do not have a dedicated inner firewall. If one of the bridging hosts is compromised, it could be used to attack the internal network. If you choose to implement this model, you should take special care to harden the systems as much as possible, monitor them closely, and verify that you have disabled routing between the network cards. Many organizations have security policies that forbid using servers to bridge security zones.

Take your own secure network architecture into account as you consider each of the scenarios Microsoft supports for deploying servers to support Internet clients, because you may need to adapt these scenarios to meet your own security requirements. Carefully consider the relative advantages of each model.

Using a Dedicated Site for Internet Clients

The first option to consider is whether to have a dedicated site for Internet clients. Using a dedicated site provides some options that simplify your security planning. If you use a dedicated Internet-only site, you should have only an Internet-based management point and not a default MP. The most secure configuration is a dedicated site, totally within the perimeter network, that is absolutely separate from the hierarchy supporting intranet clients. This configuration, shown in Figure 1, does not require connectivity between the Internet-accessible systems and your internal network.

Figure 1. Server placement and firewall configuration for Internet-based client management

Maintaining a Separate Active Directory Forest

For complete isolation, you would need a separate Active Directory forest in the perimeter network. This configuration does not support clients that connect both as Internet and intranet clients. Even if you have mobile clients that sometimes connect directly to your network, or clients that sometimes establish a VPN connection, you will need to configure them as Internet-only clients, which will have the more limited IBCM management capabilities.

Allowing Site-to-Site Communications Across an Inner Firewall

A dedicated site for Internet clients can also reside in the perimeter network but be joined to a parent site in your internal network. This configuration requires you to allow site-to-site communications across your inner firewall.

Having a Site Span the Internal Network and Perimeter Network

You can configure a site to span the internal network and the perimeter network. A site that spans these zones can be dedicated to Internet clients only or can have both Internet and intranet clients. In this configuration, the site server and SQL database server are in the internal network. You can provide services to intranet clients either by deploying separate client-facing systems in the internal network or by configuring site systems in your DMZ to accept connections from both intranet and Internet clients and then allowing outbound client connections through the internal firewall.

Configure Internet-facing systems using the option "Allow only site server initiated data transfers from this site system". You can configure this setting on the site system properties page, found under System Center Configuration Manager -> Site Database -> Site Management -> <Site Code> <Site Name> -> Site Settings -> Site Systems -> <Site System> -> Site System, which is displayed in Figure 2. This configuration eliminates the need to allow inbound connections to the site server through the inner firewall.

Figure 2. Use the site system properties page to specify the site server will initiate communications

You can also eliminate the need for inbound SQL connections by deploying a SQL replica in the DMZ, which requires considerable configuration but can enhance security.
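The following added example (not from the book or from Configuration Manager itself) models the three security zones described above and flags every connection that must be initiated from a less secure zone into a more secure one, which is exactly what the text tells you to look for at the inner firewall. It compares a spanning site where the perimeter systems push data to the site server against the same site with "Allow only site server initiated data transfers" plus a SQL replica in the DMZ; the zone names, flow descriptions and the two scenario rule sets are assumptions constructed for illustration.

```python
"""Added example: zone-trust model for the IBCM server placement scenarios.
Zone names, site system roles and the scenario flow lists below are constructed
assumptions, not a product configuration format."""
from dataclasses import dataclass

# Trust order from the text: Internet (least) < perimeter < internal (most).
TRUST = {"internet": 0, "perimeter": 1, "internal": 2}


@dataclass(frozen=True)
class Flow:
    src: str   # zone whose host opens the connection
    dst: str   # zone whose host accepts it
    what: str  # description of the traffic


def risky_flows(flows):
    """Flows initiated from a less secure zone into a more secure one."""
    return [f for f in flows if TRUST[f.src] < TRUST[f.dst]]


def inner_firewall_inbound(flows):
    """Risky flows that cross the inner firewall into the internal network."""
    return [f for f in risky_flows(flows) if f.dst == "internal"]


# Scenario A (constructed): site spans perimeter and intranet; the Internet-facing
# management point opens connections to the site server and site database itself.
SCENARIO_A = [
    Flow("internet", "perimeter", "clients -> MP over HTTPS"),
    Flow("perimeter", "internal", "MP pushes inventory/status to site server"),
    Flow("perimeter", "internal", "MP queries site database (SQL)"),
    Flow("internal", "perimeter", "site server pushes packages to DP"),
]

# Scenario B (constructed): same placement, but site systems are set to
# "Allow only site server initiated data transfers" and a SQL replica sits in
# the DMZ, so nothing in the perimeter needs to connect into the internal network.
SCENARIO_B = [
    Flow("internet", "perimeter", "clients -> MP over HTTPS"),
    Flow("internal", "perimeter", "site server pulls client data from MP"),
    Flow("internal", "perimeter", "site server pushes packages to DP"),
    Flow("internal", "perimeter", "site server replicates DB to SQL replica"),
]

if __name__ == "__main__":
    for name, flows in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        n = len(inner_firewall_inbound(flows))
        print(f"Scenario {name}: {n} inbound flow(s) at the inner firewall")
```

The client connections from the Internet into the perimeter are still reported as risky, which is the point: they are the unavoidable exposure the perimeter network exists to absorb, while inbound flows at the inner firewall are the ones the design choices above can remove.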