SCCM 2007 IBCM & Native Mode (July 24, 2007)

Chat Topic: SCCM 2007 IBCM & Native Mode
Date: Tuesday, July 24, 2007

**Please note:** Portions of this transcript have been edited for clarity.

Experts:
Prabhu Padhi, Adam Meltzer, Sean Cannella, Brent Dunsire, Rick Duong, Dan Conley

Newsgroup:
https://connect.microsoft.com/messageboards/community.aspx?SiteID=16?
https://www.microsoft.com/technet/sms/2007/evaluate/default.mspx

Dan Conley [MSFT] (Moderator):
Hello, and welcome to the web chat on System Center Configuration Manager 2007 Internet Based Client Management and Native Mode features.

Today, we have the IBCM and Native Mode Feature Team available to answer your questions.

I would also like to welcome our SMS/SCCM MVPs who are also in attendance.

Please remember to ensure that "Expert Chat" is selected when you ask a question so that our experts can see and respond to your questions.

Thanks and please ask away!

-Dan-

Start of Chat

Prabhu Padhi [MSFT] (Expert):
Q:
Native mode certificates: what is the recommended certificate key length? 2048?
A: It depends on your enterprise's PKI environment. However, for the site server signing certificate and the client certificate the recommended key length is 2K; for the web server certificate, it is 1K.

Prabhu Padhi [MSFT] (Expert):
Q:
No problems with externally signed certificates like VeriSign etc., or certificates issued by non-Microsoft CAs?
A: It will work. We are agnostic of PKI (as long as customers comply with our certificate requirements).

Prabhu Padhi [MSFT] (Expert):
Q:
What features in SCCM use the site server signing certificate, and how are they used?
A: The site server signing certificate is required in Native Mode and will be used for signing policies.

Adam Meltzer [MSFT] (Expert):
Q:
In regards to my previous question "what features in SCCM use the site server signing certificate? and how are they used?", do you have any more details to provide on this? Is it used for validating client identity, which I believe is done by the site server?
A: The site server signing cert is not used to validate clients against the site server. The site signing cert is only used to sign policies and for clients to perform validations against those signed policies. To answer your question about client identity validation, this is done on both the site server and on the MP and uses the client's certificate.

Adam Meltzer [MSFT] (Expert):
Q:
Does using Native mode with certificates assigned to the clients improve OSD? Can you describe the difference? (Right now we end up with duplicate systems running in our test environment in mixed mode.)
A: I'm not an expert on OSD, but I don't believe you should end up with duplicate systems regardless of whether you are in native mode or mixed mode. I've only heard of this happening when the system wasn't sysprepped, so the disk images had old client certificates in them rather than new certificates being issued as part of the OSD process.

Adam Meltzer [MSFT] (Expert):
Q:
Does native mode by default require the management point to be SSL, or does it matter? Any benefit to using SSL vs. HTTP for the MP in Native Mode vs. Mixed?
A: Native mode requires that management points are in SSL.

Prabhu Padhi [MSFT] (Expert):
Q:
How will this interact with environments running 802.1x?
A: We are agnostic of client connectivity (wireless, wired, etc.).

Prabhu Padhi [MSFT] (Expert):
Q:
Briefly scanned the documentation, but I am not sure exactly of the procedure to upgrade from a mixed mode environment to native mode (plan to upgrade SMS 2003 environment to SCCM top down as recommended, then change modes). Could you summarize the steps?
A: Here is the link to the checklist for switching the site over to Native Mode: https://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/5f4a7c5e-a2ab-49c3-886c-c9159dd49cf0.mspx.

Sean Cannella [MSFT] (Expert):
Q:
What are the minimum ports required for client-server communication in native mode?
A: By default, 443 for MP, DP, SMP, SUP; 80 for FSP, SLP. You can change the HTTPS and HTTP ports if you wish.

Sean Cannella [MSFT] (Expert):
Q:
Internet-facing client support using NAP (and related quarantine/repair) will not be realized until release and subsequent deployment of Longhorn server, correct?
A: NAP is not supported for clients while they're on the internet. In general though, that's correct, NAP will not be officially supported until Windows Server 2008 is released.

Prabhu Padhi [MSFT] (Expert):
Q:
Correct. I'd like to know what exposure we should expect with an Internet-facing MP, and what additional steps we would need to take to secure our MP?
A: From an SCCM standpoint, clients will communicate HTTPS with the MP. So, as long as you allow the HTTPS traffic to the MP, we should be fine. For securing servers (MP/DP etc), you may want to check with your enterprise's network security folks for any best practices.

Prabhu Padhi [MSFT] (Expert):
Q:
What IBCM configuration does SCCM2007 support, can I have my MP/DP facing internet directly?
A: Here is the link to the supported scenarios for Internet-Based Client Management (IBCM): https://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/849faa64-0e50-4798-a700-1238eb19b5ab.mspx.

Sean Cannella [MSFT] (Expert):
Q:
What's the performance impact of native mode?
A: We're still working on our performance base lining, but in general, expect some CPU impact on the IIS-based site roles to handle the SSL / cryptographic overhead.

Prabhu Padhi [MSFT] (Expert):
Q:
Are you planning on releasing a baseline DCM template for the IBCM and/or IIS/MP/DP?
A: We will provide one for MP/DP, but nothing specific to IBCM.

Ram Sunkara [MSFT] (Expert):
Q:
Are there any plans to create a publish Internet MP wizard with the ISA Server product team, to enable more security in the SSL communication like there is for Exchange?
A: Yes, we are working with the ISA/Whale team, but it's not going to be like what Exchange Server does, because the client uses certificates which may not be issued to a domain identity.

Sean Cannella [MSFT] (Expert):
Q:
What are the recommendations to deploying the client to Internet based clients?
A: For internet clients that ever enter the intranet (ex. consultant laptops), the recommendation is to install the clients while they're on the corporate network using the intranet deployment mechanisms. For clients that never enter the intranet boundary (ex. point of sale machines), there is no specific recommendation; mailing out a CD with the required binaries should work. Additionally, you'll need to deploy client certificates through some mechanism, which will depend on your PKI.

Prabhu Padhi [MSFT] (Expert):
Q:
Can I do SSL-Bridging at the edge firewall to route the IBCM clients to my intranet MP/DP (they are shared)?
A: As long as your firewall supports SSL bridging, we will work fine.

Adam Meltzer [MSFT] (Expert):
Q:
Do client side certificates also need to be deployed when running in native mode?
A: Yes, clients will require client certificates to communicate with the management point.

Sean Cannella [MSFT] (Expert):
Q:
When sending the binaries out there is the problem with the needed admin-rights, correct?
A: Correct. The person using the CD would need to have administrative rights on the client computer. Depending on the kind of infrastructure you have (e.g. at a purely internet-based branch office), you may be able to adopt one of the intranet deployment mechanisms (e.g. using group policy).

Adam Meltzer [MSFT] (Expert):
Q:
Do client certificates get deployed automatically at client install provided the site is running in native mode? Is there any integration piece that ties in to SCCM or is that a feature of a PKI?
A: Certificate deployment is out of the scope of ConfigMgr, we leave it up to your PKI practices to deploy certificates.

Prabhu Padhi [MSFT] (Expert):
Q:
Isn't SUP supported as an internet based role? If so, couldn't you deploy the client using SUP, since this is one of the new installation methods to deploying the client?
A: SUP is supported as an internet-based site role. However, client deployment via a SUP is currently unsupported on the internet.

Adam Meltzer [MSFT] (Expert):
Q:
What are the recommendations to deploying the client to Internet based clients?
A: For more about client deployment while on the Internet, here's a good reference: https://www.microsoft.com/technet/prodtechnol/sms/smsv4/smsv4_help/ef1e81a2-33ec-4113-90d9-11e76c42bf81.mspx

Sean Cannella [MSFT] (Expert):
Q:
The MP does a lot of logging, but it's not structured. Look at IIS logging for example; it's more structured. Are there any plans to make it more structured?
A: There are no plans to modify the overall logging scheme at this time. I'm not entirely sure what you're looking for in the MP logs that isn't there already. You can provide specific feedback to the product group using https://connect.microsoft.com.

Prabhu Padhi [MSFT] (Expert):
Q:
Couldn't add more text, had to split it, so there was a question: I guess there is no way around it, to make sure the client is installed before getting off the LAN. Everything else is risky. You're referring to that, right?
A: For clients who will never connect to the corpnet, you can always install the client via a CD (containing client binaries).

Brent Dunsire [MSFT] (Expert):
Q:
How do I manage my non-Windows-based assets using SCCM?
A: Partners will/can provide non-Windows-based client support as they do for SMS 2003.

Adam Meltzer [MSFT] (Expert):
Q:
What if my laptop is stolen?
A: There is some functionality that you can leverage in the stolen laptop scenario such as the ability to block clients from talking to your MP. However, there's no specific functionality to address that scenario.

Dan Conley [MSFT] (Moderator):
Ok, thanks everyone for attending today's chat. Look for the transcript for this chat posted to TechNet in about 2 weeks!