Export (0) Print
Expand All
3 out of 5 rated this helpful - Rate this topic

Benefits of Using Native Mode

Updated: December 1, 2009

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

Native mode is the recommended site configuration for new Configuration Manager 2007 sites because it offers a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. Native mode is also a requirement for Internet-based client management.

In native mode, clients communicate over HTTPS to the following site systems:

  • Management points:

    • Default management point

    • Network load balanced management points

    • Proxy management point

    • Internet-based management point

  • Standard distribution points (not branch distribution points)

  • Software update points

  • State migration point

noteNote
There are some situations on the intranet where native mode clients can communicate with standard distribution points over server message blocks (SMB). These scenarios include if advertisements are configured for the option Run program from distribution point, if HTTPS fails, or if the distribution point is not configured with the option Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS (required for device clients and Internet-based clients).

In native mode, clients continue to communicate over HTTP to the fallback status point, so that any communication issues related to certificates can be reported back to the site so that the administrator can identify and resolve client communication problems. Additionally, if a native mode client is configured with the option Configure HTTP communication for roaming and site assignment, the client can communicate over HTTP to the following site systems:

  • Server locator point

  • Resident management point and distribution points in a mixed mode site

ImportantImportant
Native mode does not affect communication between site severs, or between sites in a Configuration Manager 2007 hierarchy. To help secure this communication, use IPsec. For more information, see Implementing IPsec for Configuration Manager 2007.

In native mode, client policies are signed by the site server, which adds an additional layer of defense to the Configuration Manager 2007 hierarchy to mitigate the security risk of a compromised management point sending policies that have been tampered with. This safeguard is particularly relevant if you are using Internet-based client management because this environment requires a management point that is exposed to Internet communication.

Mixed mode offers a lower level of security to support SMS 2003 clients, providing self-signed certificates if you do not have a supporting public key infrastructure (PKI) that can provide the certificates that are required for Configuration Manager 2007.

You cannot upgrade a SMS 2003 site directly to native mode, although you can migrate to native mode after the upgrade is complete.

When you migrate a primary site to native mode, this procedure automatically migrates any secondary sites that are attached to the primary site. It does not automatically migrate child primary sites.

Comparison of Mixed Mode and Native Mode

The following table compares the two site modes and the security features they offer.

 

Configuration Manager Operation Mixed Mode Native Mode

Use of certificates

Self-signed certificates that are generated and managed by Configuration Manager, and are used only within Configuration Manager.

Industry standard PKI certificates that are created and managed independently from Configuration Manager, and can be integrated with other business solutions.

Mutual authentication between client and site systems

Proprietary authentication between the client and management point, and between the client and state migration point. No other site systems use mutual authentication with clients.

SSL mutual authentication between the client and following site systems:

  • Management point

  • Distribution point (if not a server share or branch distribution point)

  • State migration point

SSL server authentication to the software update point.

Site system to site system authentication and encryption of traffic

No - IPsec is recommended to help secure this communication.

See Implementing IPsec for Configuration Manager 2007.

No - IPsec is recommended to help secure this communication.

See Implementing IPsec for Configuration Manager 2007.

WINS can be used for name resolution and service location.

Yes

Although WINS can be used for name resolution and locating a server locator point, WINS cannot be used in native mode to locate the default management point.

Default management points are located in Active Directory, DNS, or the server locator point. However, network load balanced management points can only be located in Active Directory or with a server locator point.

For more information about service location in native mode, see Configuration Manager and Service Location (Site Information and Management Points).

Policy is signed

Yes - by the management point

Yes - by the site server, and the management point.

Policy is encrypted over SSL

No

Yes

Content is signed

Yes, if advertisements are using the option of Download content from distribution point and run locally.

No, if advertisements are using the option Run program from distribution point.

Yes, if advertisements are using the option of Download content from distribution point and run locally

No, if advertisements are using the option Run program from distribution point (this option is not supported when the client is managed on the Internet)

Content is encrypted

No

Yes, using SSL if advertisements are using the option of Download content from distribution point and run locally. However, if HTTPS fails in the intranet, content is sent over SMB which is not encrypted.

No if advertisements are using the option Run program from distribution point because SMB will be used (this option is not supported when the client is managed on the Internet).

Inventory data and state messages are signed

Yes, using SHA1 if clients are running at least SMS 2003 Service Pack 1.

Yes. The one exception is state messages to the fallback status point, which are not signed.

Inventory data and state messages are encrypted

Optional, using 3DES

Yes, using SSL. The one exception is state messages to the fallback status point, which are not encrypted.

Status messages from clients are signed

No

Yes.

Status messages from clients are encrypted

No

Yes, using SSL.

Metering data from clients is signed

No

Yes

Metering data from clients is encrypted

No

Yes, using SSL

Client approval to be fully managed in the site

Requires configuration with one of the following options:

  • Manually approve each client

  • Automatically approve clients from trusted domains

  • Automatically approve all clients

  • Automatic because clients are authenticated through PKI

If the operating system deployment feature is used, state migration data is signed and encrypted

Yes

Yes, using SSL

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.