Export (0) Print
Expand All

Determine Server Placement for Internet-Based Client Management

Updated: March 1, 2009

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

A number of scenarios are supported for Internet-based client management, and each one has advantages and disadvantages. To determine whether servers should be in the perimeter network, or the intranet, you must decide which scenario is suitable for your environment and business requirements.

All server placement references below refer to a primary site only; secondary sites do not support Internet-based client management.

Server Placement for Sites that Do Not Need to Also Manage Intranet Client

If the Configuration Manager 2007 site does not need to support both Internet clients and intranet clients, Scenarios 1 and 2 in the following table are applicable. The following table lists the advantages and disadvantages of these scenarios and the related server placement.

 

Scenario to support Internet clients only Advantage Disadvantage Server Placement

Scenario 1: All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. The site server is in the intranet:

  • The management point that supports Internet-based clients communicates directly with the SQL server in the intranet.

The site server is protected from Internet traffic by being in the intranet.

There is no SQL Server replica to configure and no associated replication latency.

The back-end firewall requires some configuration to allow SQL traffic and Server Message Block (SMB) traffic.

The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration than if the connection is initiated from the intranet.

A server configured with the software update point role that needs to synchronize software update metadata with an active software update point in a parent site in the intranet requires that the back-end firewall is configured to allow inbound HTTPS/HTTP. To prevent these in-bound connections, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

Perimeter Network:

  • Internet-based management point

  • Internet-based fallback status point

  • Internet-based distribution points

  • Internet-based software update point

Intranet:

  • Site server

  • SQL Server (can be running on the site server)

Scenario 1: All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. The site server is in the intranet:

  • The management point that supports Internet-based clients communicates with a SQL server replica in the perimeter network.

The site server is protected from Internet traffic by being in the intranet.

The SQL replica means that all the connections from the perimeter network to the intranet are initiated from the intranet, which is more secure than being initiated from the perimeter network.

The back-end firewall requires some configuration to allow SQL traffic and SMB traffic.

SQL replica requires a server with associated costs, and there will be some replication latency between the replica and the site server.

A server configured with the software update point role that needs to synchronize software update metadata with an active software update point in a parent site in the intranet requires that the back-end firewall is configured to allow inbound HTTPS/HTTP. To prevent these in-bound connections, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

Perimeter Network:

  • Internet-based management point

  • Internet-based fallback status point

  • Internet-based distribution points

  • Internet-based software update point

  • SQL Server configured for replication

Intranet:

  • Site server

  • SQL Server (can be running on the site server)

Scenario 2: The Internet-based site is contained within the perimeter network:

  • This site is a child site of your Configuration Manager 2007 hierarchy.

No Internet traffic is passing to the intranet.

Just one configuration is required on the back-end firewall from the child site server to parent site server.

Supports centralized management and reporting.

The site server is more vulnerable to attacks from the Internet than if it was located in the intranet.

Requires the back-end firewall to be configured to allow inbound SMB traffic.

A server configured with the software update point role that needs to synchronize software update metadata with an active software update point in the parent site requires that the back-end firewall is configured to allow inbound HTTPS/HTTP. Alternatively, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

Perimeter Network:

  • Internet-based management point

  • Internet-based fallback status point

  • Internet-based distribution points

  • Internet-based software update point

Intranet:

  • None

Scenario 2: The Internet-based site is contained within the perimeter network:

  • This site is the only site in your Configuration Manager 2007 hierarchy.

No Internet traffic is passing to the intranet.

Nothing to configure on the back-end firewall.

The site server is more vulnerable to attacks from the Internet than if it was located in the intranet.

No support for centralized management and reporting.

Perimeter Network:

  • Internet-based management point

  • Internet-based fallback status point

  • Internet-based distribution points

  • Internet-based software update point

Intranet:

  • None

Server Placement for Sites that Manages Clients on the Internet and the Intranet

If the Configuration Manager 2007 site needs to support both Internet clients and intranet clients, Scenarios 3 and 4 in the following table are applicable. The following table lists the advantages and disadvantages of these scenarios and the related server placement.

 

Scenario to support clients on the Internet and on the intranet Advantage Disadvantage Server Placement

Scenario 3: The site spans the perimeter network and intranet. All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. There is a second management point (and second software update point and fallback status point, and additional distribution points) and other site systems that are in the intranet for clients connecting on the intranet:

  • The management point that supports Internet-based clients communicates directly with the SQL server in the intranet.

  • To prevent in-bound connections from the Internet-based software update point to the active software update point, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

The site server is protected from Internet traffic by being in the intranet.

The assigned management point, and other site systems that intranet clients connect to, are separated from Internet traffic.

There is no SQL Server replica to configure and no associated replication latency.

More servers are required for the Internet-based connections, with associated costs.

The manual export and import of software updates metadata incurs administrative overhead.

The back-end firewall requires some configuration to allow SQL traffic and SMB traffic.

The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration than if the connection is initiated from the intranet.

Perimeter Network:

  • Internet-based management point

  • Internet-based fallback status point

  • Internet-based distribution points

  • Internet-based software update point

Intranet:

  • Site server

  • SQL Server (can be running on the site server)

  • Fallback status point

  • Distribution points

  • Software update point

  • All other site systems

Scenario 3: The site spans the perimeter network and intranet. All the Internet-based site systems are in the perimeter network and accept connections for clients connecting over the Internet. There is a second management point (and second software update point and fallback status point, and additional distribution points) and other site systems that are in the intranet for clients connecting on the intranet:

  • The management point that supports Internet-based clients communicates with a SQL server replica in the perimeter network.

  • To prevent in-bound connections from the Internet-based software update point to the active software update point, use the export and import method of synchronizing the software updates as described in the following topic: How to Synchronize Updates Using Export and Import.

The site server is protected from Internet traffic by being in the intranet.

The assigned management point, and other site systems that intranet clients connect to, are separated from Internet traffic.

The SQL replica means that all the connections from the perimeter network to the intranet are initiated from the intranet, which is more secure than being initiated from the perimeter network.

More servers are required for the Internet-based connections, with associated costs.

The manual export and import of software updates metadata incurs administrative overhead.

The back-end firewall requires some configuration to allow SQL traffic and SMB traffic.

Perimeter Network:

  • Internet-based management point

  • Internet-based fallback status point

  • Internet-based distribution points

  • Internet-based software update point

  • SQL Server

Intranet:

  • Site server

  • SQL Server (can be running on the site server)

  • Fallback status point

  • Distribution points

  • Software update point

  • All other site systems

Scenario 4: The site bridges the perimeter network and intranet:

  • Internet-based site systems have two network cards.

Fewer servers to configure and maintain for both intranet connections and Internet connections.

The site server is protected from Internet traffic by being in the intranet.

There is no SQL Server replica to configure and no associated replication latency.

There is no security boundary between the perimeter network and the intranet, which is not a recommended solution.

The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration.

Perimeter Network:

  • Internet-based management point

  • Internet-based fallback status point

  • Internet-based distribution points

  • Internet-based software update point

Intranet:

  • Same site systems as on the perimeter network because they are on both networks

  • Site server

  • SQL Server (can be running on the site server)

  • All other site systems

Scenario 4: The site bridges the perimeter network and intranet:

  • Internet-based site systems are in the intranet and can accept both Internet connections and intranet connections.

Fewer servers to configure and maintain for both intranet connections and Internet connections.

The site server is protected from Internet traffic by being in the intranet.

There is no SQL Server replica to configure and no associated replication latency.

Requires a reverse proxy configuration between the perimeter network and the intranet so that the Internet-based site systems on the intranet are published to Internet clients.

Internet clients are traversing a security boundary to make connections to servers on the intranet. You can help mitigate this threat by using SSL bridging rather than SSL tunneling on the proxy server. For more information, see Determine Requirements for Proxy Web Servers to Use With Internet-Based Client Management.

Perimeter Network:

  • None

Intranet:

  • Internet-based management point

  • Internet-based fallback status point

  • Internet-based distribution points

  • Internet-based software update point

  • All other site systems

Scenario 4: The site bridges the perimeter network and intranet:

  • Internet-based site systems are in the perimeter network and can accept both Internet connections and intranet connections.

Fewer servers to configure and maintain for both intranet connections and Internet connections.

The site server is protected from Internet traffic by being in the intranet.

There is no SQL Server replica to configure and no associated replication latency.

Intranet clients are traversing a security boundary to make connections to servers that are exposed to Internet traffic.

The back-end firewall requires some configuration to allow SQL traffic and SMB traffic.

The SQL connection is initiated from the perimeter network to the intranet, which is a less secure configuration.

Perimeter Network:

  • Internet-based management point

  • Internet-based fallback status point

  • Internet-based distribution points

  • Internet-based software update point

Intranet:

  • Site server

  • SQL Server (can be running on the site server)

  • All other site systems

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft