Example Scenarios for Implementing Internet-Based Client Management in Configuration Manager

Example Scenarios for Implementing ...

Topic last updated—March 2008

The following sections provide example scenarDiios of how Internet-based client management in Configuration Manager 2007 can be implemented to solve the following business requirements:

Continue to Manage Laptops that Regularly Move out of the Intranet and On to the Internet
Manage Home Computers That Never Connect to the Intranet
Support Internet-Based Clients and Intranet Clients in the Intranet on the Same Site System Server

Continue to Manage Laptops That Regularly Move Out of the Intranet and on to the Internet

This scenario demonstrates how you can extend an existing Configuration Manager site to support clients when they move from the intranet to the Internet, using Internet-based client management. The network design chosen incorporates the supported scenario of adding Internet-based site systems into the perimeter network and using a SQL Server replica in the perimeter network for additional security: Network Diagram for Internet-Based Servers - Scenario 1 with SQL Server Replica.

A. Datum Corporation has a number of sales people who regularly travel to see customers and only periodically return to the office. Managing their laptops so that they have all the required software updates and the latest applications is difficult, because either the sales staff have to find the time to come back into the office or they attempt a connection using the in-house VPN solution, which is slow and unreliable. Additionally, the audit department is requesting up-to-date weekly inventory reports to record application usage, and this requirement cannot be met for the laptops because their inventory data is not always returned every week.

To continue to manage these laptops when they leave the intranet, A. Datum Corporation decides on the course of action described in the following table.

Process	Reference
Tommy Hartono is the Configuration Manager administrator who manages a Configuration Manager 2007 site. He reads about Internet-based client management and how clients can continue to be managed when they move from the intranet to the Internet.	Overview of Internet-Based Client Management
Weighing up the advantages and disadvantages of implementing Internet-based client management or upgrading their existing VPN solution, he decides that Internet-based client management is the better solution because it does not rely on users making the connection.	Determine If You Should Use Internet-Based Client Management
Tommy discusses his proposal with his manager, who asks him to look into what dependencies Internet-based client management has, to make sure that these can be met, and engage the necessary people within the company that will be needed to support the implementation. Tommy checks the dependencies and identifies the people to contact who will be needed to be involved.	Prerequisites for Internet-Based Client Management Determine Administrator Roles and Processes for Internet-Based Client Management
Tommy realizes that Internet-based client management requires native mode, and the site is currently configured for mixed mode. The company already has a PKI solution for computers on the intranet and Internet, so he immediately talks to this team first to ensure that this requirement can be met and, if so, to initiate the process for deploying the required certificates.	Determine If You Can Use Your Existing PKI (Native Mode) Administrator Checklist: Deploying the PKI Requirements for Native Mode
Tommy then initiates design meetings with the company's networking infrastructure team to decide how the Internet connectivity will fit in with the existing networking infrastructure. They discuss supported scenarios, how many sites need to support Internet-based clients, and where servers should be placed.	Supported Scenarios for Internet-Based Client Management Determine Site Placement for Internet-based Client Management Determine Server Placement for Internet-Based Client Management
They decide to extend one site such that it has the following additional site systems in the perimeter network: Management point Software update point Fallback status point Distributions points	Network Diagram for Internet-Based Servers - Scenario 3 with No SQL Server Replica
They discuss the design with the company's security team, who approves it on condition that SQL connections initiated from the perimeter network do not traverse the security boundary into the intranet. The design is revised so that a SQL Server replica will be used in the perimeter network, and the database administrators are informed of this requirement.	Network Diagram for Internet-Based Servers - Scenario 3 with SQL Server Replica
When the network design is approved, Tommy involves the networking team that looks after firewalls and network devices in the perimeter network. They identify the network ports that will be used so they can make changes as required. Note This solution requires careful design for PKI certificate revocation, so that Configuration Manager clients can always locate the CRL listed in the site system native mode certificates and native mode site system servers can locate the CRL listed in the native mode client certificates. The PKI design of the CRL can require additional infrastructure configuration. For example, a Configuration Manager client on the Internet will make an http connection to access the CRL, which might require configuration on firewalls, proxy servers, and DNS.	Determine the Ports Required for Internet-Based Client Management See the Configuration Manager CRL dependency listed in the following topic: Prerequisites for Native Mode.
The company's Internet DNS servers are managed by an external company, so Tommy submits a Request for Change (RFC) to publish the Internet FQDNs of the Internet-based site systems in DNS. He supplies the information required.	Configuring DNS for Configuration Manager Site System Roles
With the PKI certificates now deployed, Tommy migrates the site to native mode and monitors it for a period of time to ensure that there are no problems.	How to Migrate the Site Mode from Mixed Mode to Native Mode How to Identify Client Certificate Issues in Native Mode
Additional servers are installed and hardened with security policies suitable for computers in the perimeter network. Tommy confirms that the networking infrastructure is configured as required.	Internal process that is company-specific
Tommy installs the Internet-based site system roles on the servers with the following configuration: Installation account that resides on the server. The Internet FQDN of the site system. The option Allow only site server initiated data transfers from this site system.	How to Configure the Site System Installation Account How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management How to Configure Internet-Based Site Systems to Allow Only Site Server Initiated Data Transfers
Tommy configures the Internet-based software update point to synchronize software updates.	How to Synchronize Software Updates
The database administrators install and configure a SQL Server replica in the perimeter network.	How to Configure SQL Server Site Database Replication
Tommy configures the Internet-based site systems to accept connections from Internet clients only.	How to Configure a Management Point for Internet-Based Client Connections How to Configure a Distribution Point for Internet-Based Client Connections How to Configure a Fallback Status Point for Internet-Based Client Connections How to Configure a Software Update Point for Internet-Based Client Connections
Tommy configures the Internet-based distribution points so that they can transfer content over the Internet.	How to Configure a Distribution Point to Transfer Content Using BITS, HTTP, and HTTPS
Tommy runs a test pilot with a few machines, specifying the Internet-based management point FQDN on the client, using the Internet tab in Configuration Manager from the Control Panel.	How to Assign Configuration Manager Client Computers to the Internet-Based Management Point
When the preliminary tests are successful, Tommy then extends the pilot by sending a script to a few computers that reinstalls them with the following installation parameters: Assignment to the Internet site. Native mode communication and CRL checking. The FQDN of the Internet-based management point. The FQDN of the Internet-based fallback status point.	About Configuration Manager Client Installation Properties
Laptop users are informed about the changes that will be implemented, and the Help Desk is updated and given information on how to troubleshoot clients that experience problems installing applications or software updates when they are on the Internet.	Internal process that is company-specific
Satisfied with the pilot test results, Tommy sends the same installation script to the laptops. He monitors when the script is successfully sent to each client and tracks client deployment by using the reports generated by the fallback status point. He also identifies client configuration details by using the client hardware inventory data.	About the Fallback Status Point in Configuration Manager How to Identify Client Configuration Details for Native Mode and Internet-Based Client Management
After six weeks, Tommy notes that 95 percent of laptop computers have received the script, and inventory data from these computers are being sent as regularly as computers on the intranet. Additionally, the laptops are reporting the same level of compliance with software updates that are reported by computers on the intranet.	Report category of Software - Companies and Products report: Count all inventoried products and versions About Software Updates Reports
Tommy solicits feedback from the Help Desk and users to review the process for improvements or changes.	Internal process that is company-specific
Tommy is able to deliver the timely inventory reports as requested.	Internal process that is company-specific

This deployment of Internet-based client management might impact users in the following ways when their computers are configured for Internet and intranet client management:

Laptop moves from intranet to the Internet:
Whenever the sales person has an Internet connection, the laptop continues to send inventory data and compliance information back to its site. Applications and software updates that are required are installed automatically, although they can sometimes take a while to download first. However, if the connection is broken, the download resumes when it next has an Internet connection.
The sales person does not receive software distributions that are targeted to her Windows user account, but these applications are optional and not required.
Laptop moves from Internet to intranet:
A sales person returns to the office after an absence of four weeks. She connects her laptop into the intranet and a download for a large software distribution package resumes where it left off, completing quickly with the faster network connection.
The user notices that two optional software distributions are available and decides to install them in case they are needed later.

Manage Home Computers That Never Connect to the Intranet

This scenario demonstrates how you can create a new Configuration Manager site to support clients on the Internet that never connect to the intranet, using Internet-based client management. The network design chosen incorporates the supported scenario of having a child site completely in the perimeter network: Network Diagram for Internet-Based Servers - Scenario 2 with Child Site.

Coho Winery has a number of contract users who work at home, using their own computers and communicating by e-mail. They do not have Windows user accounts on the intranet and so will never log in to the intranet. However, they sometimes need software applications to complete their work, and they would like tested software updates installed automatically to help keep their computers secure.

To offer this level of management to home workers, Coho Winery decides to install the Configuration Manager client on these computers with an Internet-only configuration. This allows the home computers to be managed, which will increase the home workers' efficiency and productivity. Jenni Merriam is the Configuration Manager administrator, and she takes the course of action described in the following table.

Process	Reference
Jenni reads about Internet-based client management and how clients can be configured for Internet-only, and be able to receive software distributions and software updates.	Overview of Internet-Based Client Management
Jenni discusses her proposal with her manager, who asks her to look into what dependencies Internet-based client management has, to make sure that these can be met, and to engage the necessary people within the company who will be needed to support the implementation. Jenni checks the dependencies and identifies the people who will need to be involved.	Prerequisites for Internet-Based Client Management Determine Administrator Roles and Processes for Internet-Based Client Management
Jenni realizes that Internet-based client management requires native mode, and the hierarchy is currently configured for mixed mode. The company doesn't have a PKI solution, so she makes this her first priority to investigate. After discussions with management, they are willing to engage PKI consultants to implement a PKI solution that is suitable for Configuration Manager, and that can be expanded to support other business requirements in the future. PKI consultants are brought in with the design of migrating to native mode the central site in the Configuration Manager hierarchy, which will allow a new child site to be created for native mode that will support the Internet-only clients. Jenni hands them the list of certificate requirements for native mode that must be in place for the central site and the new child site.	Certificate Requirements for Native Mode Administrator Checklist: Deploying the PKI Requirements for Native Mode
Jenni then initiates design meetings with the company's networking infrastructure team to decide how the Internet connectivity will fit in with the existing networking infrastructure. They discuss supported scenarios, how many sites need to support Internet-based clients, and where servers should be placed.	Supported Scenarios for Internet-Based Client Management Determine Site Placement for Internet-based Client Management Determine Server Placement for Internet-Based Client Management
They decide to create one new site in the perimeter network.	Network Diagram for Internet-Based Servers - Scenario 2 with Child Site
They discuss the design with the company's security team, who approves it on condition that the SMB traffic that traverses the security boundary of the perimeter network is secured with IPsec. The PKI consultants incorporate this request into their design.	Implementing IPsec in Configuration Manager 2007
When the network design is approved, Jenni involves the networking team that looks after firewalls and network devices in the perimeter network. They identify the ports that will be used so they can make changes as required.	Determine the Ports Required for Internet-Based Client Management
The company's Internet DNS servers are managed internally in the perimeter network, so Jenni submits a Request for Change (RFC) to publish the Internet FQDNs of the Internet-based site systems in DNS. She supplies the information required.	Configuring DNS for Configuration Manager Site System Roles
With the PKI certificates now deployed, Jenni migrates the central site to native mode and monitors it for a period of time to ensure that there are no problems.	How to Migrate the Site Mode from Mixed Mode to Native Mode
Additional servers are installed and hardened with security policies suitable for computers in the perimeter network. Jenni confirms that the networking infrastructure is configured as required.	Internal process that is company-specific
Jenni installs a new child site in the perimeter network, configuring the Internet-based site system roles on the servers with the Internet FQDN of the site systems registered in the Internet DNS servers.	How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management
Jenni configures the Internet-based software update point to synchronize software updates.	How to Synchronize Software Updates
Jenni configures the Internet-based site systems to accept connections from Internet clients only.	How to Configure a Management Point for Internet-Based Client Connections How to Configure a Distribution Point for Internet-Based Client Connections How to Configure a Fallback Status Point for Internet-Based Client Connections How to Configure a Software Update Point for Internet-Based Client Connections
Jenni configures the Internet-based distribution points so that they can transfer content over the Internet.	How to Configure a Distribution Point to Transfer Content Using BITS, HTTP, and HTTPS
Jenni runs a test pilot with a few machines, specifying the Internet-based management point FQDN on the Internet tab of Configuration Manager in the client Control Panel.	How to Assign Configuration Manager Client Computers to the Internet-Based Management Point
When the operational tests prove successful, Jenni then creates and tests an installation package with all the source files. This installation installs the Configuration Manager client with the following installation parameters: Assignment to the Internet site. Internet-only configuration Native mode communication. The FQDN of the Internet-based management point. The FQDN of the Internet-based fallback status point. Copy of the site server signing certificate.	About Configuration Manager Client Installation Properties
The PKI team constructs a Web portal in the perimeter network, to which the home users can connect and request the certificates they need.	Internal process that is company-specific
Home workers are informed about the new service and told that installation is a two-step process: They must connect to the certificate Web portal to request a certificate. They must run the installation package from the CD that will arrive in the mail.	Internal process that is company-specific
The Help Desk is updated and given information on how to troubleshoot clients that experience problems requesting the certificates or installing the client.	Internal process that is company-specific
After a pilot test with a few home workers, Jenni is satisfied with the results, and the installation CD is mailed to the remaining home workers.	Internal process that is company-specific
After six weeks, Jenni notes 100 percent of the home workers' computers are successfully assigned to the site and receiving software distributions and software updates.	About the Fallback Status Point in Configuration Manager
Jenni solicits feedback from the Help Desk and users to review the process for improvements or changes.	Internal process that is company-specific

This deployment of Internet-based client management might impact the home workers in the following ways when their computers are configured for Internet-only management:

Software updates are automatically installed.
Some home workers remember to run Windows Update, but many forget or get confused about which updates to install. Having critical software updates automatically installed for them helps to keep their computers more secure.
Software applications are made available.
To complete a project, a specific application is often needed. Instead of trying to install it as an e-mail attachment or having to wait for it to arrive in the mail, it now appears as an available application that home workers can select when it's needed.

Support Internet-Based Clients and Intranet Clients in the Intranet on the Same Site System Server

This scenario demonstrates how you can add Internet-based client management to an existing Configuration Manager site in the intranet, without having to add new site system servers in the perimeter network. Because this configuration bridges the security boundary of the perimeter network into the intranet, it is not a security best practice. However, as in this scenario, it does offer an efficient way to quickly test the Internet-based client management feature without having to install and configure additional servers. It also disables certificate revocation checking on clients, to save the additional configuration that would be required on a production network to publish a certificate revocation list that is accessible from the Internet.

The network design involves the supported scenario of the Configuration Manager 2007 site contained on the intranet, and the site systems that are configured for Internet-based client management can accept both Internet connections and intranet connections. (Network Diagram for Internet-Based Servers - Scenario 4 with Internet Connections into the Intranet.)

The administrators at Trey Research are interested in implementing Internet-based client management to supplement their computer management strategy for their existing Configuration Manager hierarchy. They have had problems keeping laptops up-to-date with important security software updates and application updates when staff spends extended time away from their offices to attend worldwide conferences. However, Trey Research does not currently have a PKI in place, which is a requirement for Internet-based client management. Before management will agree to resource this project, they require confirmation that Internet-based client management works and will provide the business benefits that they require.

The Configuration Manager administrator, Terry Adams, takes the course of action described in the following table.

Process	Reference
For testing purposes, Terry uses a nonproduction Active Directory forest on an isolated section of the intranet that also has access to the Internet. The Internet namespace for the company is treyresearch.net, and the internal Active Directory namespace on the test network is testnet.treyresearch.net.	Internal process.
For rapid deployment and with limited testing equipment, Terry decides to use just one server for all his Configuration Manager site systems that will host the following site system roles: Site server Management point Distribution point Software update point Terry decides not to deploy a fallback status point for this proof of concept, because although it would be useful for identifying client communication issues, it is not needed to test basic site operation. After reading through the server placement options for Internet-based site systems, Terry realizes that a single site system can support intranet clients and Internet-based clients. Although this is not a security best practice, the advantages for Terry are that he needs to install and configure fewer servers. This strategy allows Terry to test the Internet-based client management feature more quickly than if he had to install and configure multiple servers. The security risks of hosting multiple site system roles on a single server and of accepting Internet traffic into the intranet are mitigated by the test network's isolation from the production network.	About the Fallback Status Point in Configuration Manager Determine Server Placement for Internet-Based Client Management
Terry installs a new server running Windows Server 2003 Service Pack 1 (which he names IBCMServer) and joins it to the domain. This server will be his single site system server. On it, he also installs IIS and all other prerequisites for Configuration Manager 2007. He then extends the Active Directory schema for Configuration Manager 2007 and enables publishing by creating the System Management container and configuring the permissions on it for the IBCMServer computer. Terry then installs a laptop computer running Windows Vista and joins it to the domain.	Prerequisites for Installing Configuration Manager How to Extend the Active Directory Schema for Configuration Manager
Terry next discusses his proof of concept design with the networking team that manages the company's Internet connectivity requirements. After reading the external dependencies for Internet-based client management, Terry realizes that he will need their help with the following: The front-end firewall must be configured to allow traffic for Internet-based client management. The company Internet DNS servers must be configured with a public host entry for the test Internet-based site system. They decide to use the same host name of IBCMServer, so the Internet FQDN is IBCMServer.treyresearch.net. The back-end Microsoft ISA Server must publish the Internet-based site systems to the intranet.	Prerequisites for Internet-Based Client Management
The networking team requires acceptance from the security team before they can make changes to the existing Internet infrastructure. The security team reviews the plan and raises concerns about the server being in the intranet and exposed to traffic from the Internet. Terry explains that this design is only for a proof of concept on an isolated network and shows them the different supported designs for production networks. In these, the site server is never exposed to Internet traffic, and although the Internet-based site systems can support Internet connections and intranet connections, there are other designs that offer stronger security. The security team agrees to the design of the proof of concept on the understanding that Terry works with them for a more extensive review of the final design if the project is approved.	Supported Scenarios for Internet-Based Client Management
Terry confirms that his member server has automatically registered the computer name of IBCMServer in his internal Active Directory DNS zone of testnet.treyresearch.net. The networking team manually adds a DNS A record for IBCMServer in the public DNS zone of treyresearch.net. Because ISA Server will be publishing this Internet-based site system, this record is configured with a public IP address that belongs to one of the external adapters on the ISA Server and that is not currently in use. This external IP address must be dedicated to Internet-based client management connections. Note If Terry had used more than one server for all his Internet-based site system roles, each internal site system that accepts connections over the Internet would require its own dedicated external IP address, even though all connections are through the same ISA Server computer.	Configuring DNS for Configuration Manager Site System Roles
Terry turns his attention to the PKI requirements and checks which certificates are needed for his test network. He references the documentation topics that cover the certificate requirements with guidance about how to install them. Because of the limited scope of the testing environment, Terry needs only the following certificates: Root certification authority Site server signing certificate Web server certificate (which must have both the intranet FQDN and Internet FQDN) Client certificates	Certificate Requirements for Native Mode Deploying the PKI Certificates Required for Native Mode
Terry realizes that the easiest way to deploy the required certificates is by using a Microsoft enterprise root certification authority, using the Enterprise Edition of Windows Server 2003. This solution provides the following benefits: The root certification authority is automatically deployed to all computers in the Active Directory forest. Web-based enrollment can be used to request custom certificates, with automatic approval. Auto-enrollment is supported with Group Policy. Terry confirms that his single Active Directory domain controller in the test network is running the Enterprise Edition of Windows Server 2003 and has Internet Information Services (IIS) installed. Terry then installs on his domain controller Microsoft Certificate Services (with the subcomponents of Certificate Services CA and Certificate Services Web Enrollment Support) and configures an enterprise root certification authority. After reading the topic about deploying the Web server certificate to site system servers, he realizes that he needs to enable support for the Subject Alternative Name (SAN) certificate attribute so that he can specify both the intranet FQDN and the Internet FQDN. He follows the procedure referenced in the article to enable SAN support on his root certification authority (CA), which, in his test environment, will also issue the certificates.	Determine If You Can Use Your Existing PKI (Native Mode) Deploying the Web Server Certificates to Site System Servers Information about how to add support for Subject Alternative Names with a Microsoft certification authority: http://go.microsoft.com/fwlink/?LinkId=93692
Terry has little PKI experience, so he references the step-by-step example deployment guide in the Configuration Manager library. He follows the procedures exactly for the site server signing certificate and for deploying client certificates. However, he has to modify the procedure for specifying his Web server certificate for this Internet-based site system, because this requires both the intranet FQDN and the Internet FQDN in the Subject Alternative Name: He uses the Web server certificate template without modification, confirming that the option Supplied in the request is enabled on the Subject Name tab. He uses the Web enrollment method to request the Web server certificate from his member server, just as he did for the site server signing certificate. In the certificate form, he specifies the intranet FQDN as the Subject Name, and in the Attributes box, he specifies both the intranet FQDN and the Internet FQDN as follows: san:dns=IBCMServer.testnet.research.net&dns=IBCMServer.research.net. Terry submits the certificate, it is immediately approved, and Terry installs it on the default Web site. Terry returns to the step-by-step example deployment guide for information about how to configure IIS to use the Web server certificate.	Step-By-Step Example Deployment of the PKI Certificates Required for Configuration Manager Native Mode: Windows Server 2003 Certification Authority Information about how to add support for Subject Alternative Names with a Microsoft certification authority: http://go.microsoft.com/fwlink/?LinkId=93692
After checking the prerequisites for native mode, Terry realizes that because his issuing certification authority is on the intranet, clients on the Internet will not, by default, be able to access the certificate revocation list (CRL). An intranet CRL is published by default with his certification authority. Terry reads the planning topic on CRL checking and realizes that if clients on the Internet attempt to locate the CRL and this fails, connections to the Internet-based site system roles will fail. Rather than publish a CRL on the Internet, which would be required for a production network, Terry decides to disable CRL checking on clients within his test environment so that he minimizes additional configuration requirements.	Prerequisites for Native Mode Determine If You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode)
Terry then runs Configuration Manager 2007 Setup on the member server with the following selections: Simple Setup The same site code in the site server's signing certificate Subject Name. Native mode, successfully browsing to the deployed site server signing certificate. When setup is complete, Terry performs the following post setup tasks: Configures an Active Directory boundary. Configures the site system server with an intranet FQDN of IBCMServer.testnet.treyresearch.net and an Internet FQDN of IBCMServer.treyresearch.net. Disables CRL checking on clients as a site property, to support the test network environment.	Simple Setup Overview How to Deploy a Site Using Simple Setup How to Configure Configuration Manager Boundaries How to Configure the Intranet FQDN of Site Systems How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management How to Enable or Disable Certificate Revocation Checking (CRL) on Clients
Terry now installs the Configuration Manager client on the laptop, configures software updates, and confirms standard Configuration Manager operation on the intranet.	Tasks for Installing Configuration Manager Clients Software Updates in Configuration Manager
With intranet operation in native mode confirmed, Terry then configures the site system roles to allow intranet and Internet client connections. He also confirms that the distribution point is configured to transfer content using BITS and HTTP.	How to Configure a Management Point for Internet-Based Client Connections How to Configure a Software Update Point for Internet-Based Client Connections How to Configure a Distribution Point for Internet-Based Client Connections How to Configure a Distribution Point to Transfer Content Using BITS, HTTP, and HTTPS
On the laptop computer, Terry specifies IBCM.treyresearch.com as the Internet-based client management point on the Internet tab of Configuration Manager in Control Panel.	How to Assign Configuration Manager Client Computers to the Internet-Based Management Point
The networking team makes the final required configurations to allow the Internet traffic into both the perimeter network and the intranet: The back-end Microsoft ISA Server is configured with a server publishing rule so that incoming HTTPS requests using port 443 to IBCMServer.treyresearch.net maps to HTTPS requests using port 443 to IBCMServer.testnet.treyresearch.net. This configuration uses SSL tunneling, which does not require additional certificates on the ISA Server. The front-end firewall is confirmed as already configured to allow incoming traffic of port 443 to the ISA Server.	Determine the Ports Required for Internet-Based Client Management Determine Requirements for Proxy Web Servers to Use With Internet-Based Client Management
Terry disconnects his test laptop from the test network and, using the software updates feature in Configuration Manager, creates a new optional software update deployment. Terry then takes the test laptop home, connects to the Internet, manually initiates client policy, receives notification of the optional software update, and is able to successfully install it.	How to Initiate Policy Retrieval for a Configuration Manager Client About the Software Updates End User Experience Available Software Updates Dialog Box on Clients

Process

Reference

For testing purposes, Terry uses a nonproduction Active Directory forest on an isolated section of the intranet that also has access to the Internet.

The Internet namespace for the company is treyresearch.net, and the internal Active Directory namespace on the test network is testnet.treyresearch.net.

Internal process.

For rapid deployment and with limited testing equipment, Terry decides to use just one server for all his Configuration Manager site systems that will host the following site system roles:

Site server
Management point
Distribution point
Software update point

Terry decides not to deploy a fallback status point for this proof of concept, because although it would be useful for identifying client communication issues, it is not needed to test basic site operation.

After reading through the server placement options for Internet-based site systems, Terry realizes that a single site system can support intranet clients and Internet-based clients. Although this is not a security best practice, the advantages for Terry are that he needs to install and configure fewer servers. This strategy allows Terry to test the Internet-based client management feature more quickly than if he had to install and configure multiple servers. The security risks of hosting multiple site system roles on a single server and of accepting Internet traffic into the intranet are mitigated by the test network's isolation from the production network.

About the Fallback Status Point in Configuration Manager

Determine Server Placement for Internet-Based Client Management

Terry installs a new server running Windows Server 2003 Service Pack 1 (which he names IBCMServer) and joins it to the domain. This server will be his single site system server. On it, he also installs IIS and all other prerequisites for Configuration Manager 2007.

He then extends the Active Directory schema for Configuration Manager 2007 and enables publishing by creating the System Management container and configuring the permissions on it for the IBCMServer computer.

Terry then installs a laptop computer running Windows Vista and joins it to the domain.

Prerequisites for Installing Configuration Manager

How to Extend the Active Directory Schema for Configuration Manager

Terry next discusses his proof of concept design with the networking team that manages the company's Internet connectivity requirements. After reading the external dependencies for Internet-based client management, Terry realizes that he will need their help with the following:

The front-end firewall must be configured to allow traffic for Internet-based client management.
The company Internet DNS servers must be configured with a public host entry for the test Internet-based site system.
They decide to use the same host name of IBCMServer, so the Internet FQDN is IBCMServer.treyresearch.net.
The back-end Microsoft ISA Server must publish the Internet-based site systems to the intranet.

Prerequisites for Internet-Based Client Management

The networking team requires acceptance from the security team before they can make changes to the existing Internet infrastructure.

The security team reviews the plan and raises concerns about the server being in the intranet and exposed to traffic from the Internet.

Terry explains that this design is only for a proof of concept on an isolated network and shows them the different supported designs for production networks. In these, the site server is never exposed to Internet traffic, and although the Internet-based site systems can support Internet connections and intranet connections, there are other designs that offer stronger security.

The security team agrees to the design of the proof of concept on the understanding that Terry works with them for a more extensive review of the final design if the project is approved.

Supported Scenarios for Internet-Based Client Management

Terry confirms that his member server has automatically registered the computer name of IBCMServer in his internal Active Directory DNS zone of testnet.treyresearch.net.

The networking team manually adds a DNS A record for IBCMServer in the public DNS zone of treyresearch.net. Because ISA Server will be publishing this Internet-based site system, this record is configured with a public IP address that belongs to one of the external adapters on the ISA Server and that is not currently in use. This external IP address must be dedicated to Internet-based client management connections.

Note

If Terry had used more than one server for all his Internet-based site system roles, each internal site system that accepts connections over the Internet would require its own dedicated external IP address, even though all connections are through the same ISA Server computer.

Configuring DNS for Configuration Manager Site System Roles

Terry turns his attention to the PKI requirements and checks which certificates are needed for his test network. He references the documentation topics that cover the certificate requirements with guidance about how to install them.

Because of the limited scope of the testing environment, Terry needs only the following certificates:

Root certification authority
Site server signing certificate
Web server certificate (which must have both the intranet FQDN and Internet FQDN)
Client certificates

Certificate Requirements for Native Mode

Deploying the PKI Certificates Required for Native Mode

Terry realizes that the easiest way to deploy the required certificates is by using a Microsoft enterprise root certification authority, using the Enterprise Edition of Windows Server 2003. This solution provides the following benefits:

The root certification authority is automatically deployed to all computers in the Active Directory forest.
Web-based enrollment can be used to request custom certificates, with automatic approval.
Auto-enrollment is supported with Group Policy.

Terry confirms that his single Active Directory domain controller in the test network is running the Enterprise Edition of Windows Server 2003 and has Internet Information Services (IIS) installed.

Terry then installs on his domain controller Microsoft Certificate Services (with the subcomponents of Certificate Services CA and Certificate Services Web Enrollment Support) and configures an enterprise root certification authority.

After reading the topic about deploying the Web server certificate to site system servers, he realizes that he needs to enable support for the Subject Alternative Name (SAN) certificate attribute so that he can specify both the intranet FQDN and the Internet FQDN. He follows the procedure referenced in the article to enable SAN support on his root certification authority (CA), which, in his test environment, will also issue the certificates.

Determine If You Can Use Your Existing PKI (Native Mode)

Deploying the Web Server Certificates to Site System Servers

Information about how to add support for Subject Alternative Names with a Microsoft certification authority: http://go.microsoft.com/fwlink/?LinkId=93692

Terry has little PKI experience, so he references the step-by-step example deployment guide in the Configuration Manager library.

He follows the procedures exactly for the site server signing certificate and for deploying client certificates. However, he has to modify the procedure for specifying his Web server certificate for this Internet-based site system, because this requires both the intranet FQDN and the Internet FQDN in the Subject Alternative Name:

He uses the Web server certificate template without modification, confirming that the option Supplied in the request is enabled on the Subject Name tab.
He uses the Web enrollment method to request the Web server certificate from his member server, just as he did for the site server signing certificate.
In the certificate form, he specifies the intranet FQDN as the Subject Name, and in the Attributes box, he specifies both the intranet FQDN and the Internet FQDN as follows: san:dns=IBCMServer.testnet.research.net&dns=IBCMServer.research.net.
Terry submits the certificate, it is immediately approved, and Terry installs it on the default Web site.
Terry returns to the step-by-step example deployment guide for information about how to configure IIS to use the Web server certificate.

Step-By-Step Example Deployment of the PKI Certificates Required for Configuration Manager Native Mode: Windows Server 2003 Certification Authority

Information about how to add support for Subject Alternative Names with a Microsoft certification authority: http://go.microsoft.com/fwlink/?LinkId=93692

After checking the prerequisites for native mode, Terry realizes that because his issuing certification authority is on the intranet, clients on the Internet will not, by default, be able to access the certificate revocation list (CRL). An intranet CRL is published by default with his certification authority.

Terry reads the planning topic on CRL checking and realizes that if clients on the Internet attempt to locate the CRL and this fails, connections to the Internet-based site system roles will fail.

Rather than publish a CRL on the Internet, which would be required for a production network, Terry decides to disable CRL checking on clients within his test environment so that he minimizes additional configuration requirements.

Prerequisites for Native Mode

Determine If You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode)

Terry then runs Configuration Manager 2007 Setup on the member server with the following selections:

Simple Setup
The same site code in the site server's signing certificate Subject Name.
Native mode, successfully browsing to the deployed site server signing certificate.

When setup is complete, Terry performs the following post setup tasks:

Configures an Active Directory boundary.
Configures the site system server with an intranet FQDN of IBCMServer.testnet.treyresearch.net and an Internet FQDN of IBCMServer.treyresearch.net.
Disables CRL checking on clients as a site property, to support the test network environment.

Simple Setup Overview

How to Deploy a Site Using Simple Setup

How to Configure Configuration Manager Boundaries

How to Configure the Intranet FQDN of Site Systems

How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management

How to Enable or Disable Certificate Revocation Checking (CRL) on Clients

Terry now installs the Configuration Manager client on the laptop, configures software updates, and confirms standard Configuration Manager operation on the intranet.

Tasks for Installing Configuration Manager Clients

Software Updates in Configuration Manager

With intranet operation in native mode confirmed, Terry then configures the site system roles to allow intranet and Internet client connections.

He also confirms that the distribution point is configured to transfer content using BITS and HTTP.

How to Configure a Management Point for Internet-Based Client Connections

How to Configure a Software Update Point for Internet-Based Client Connections

How to Configure a Distribution Point for Internet-Based Client Connections

How to Configure a Distribution Point to Transfer Content Using BITS, HTTP, and HTTPS

On the laptop computer, Terry specifies IBCM.treyresearch.com as the Internet-based client management point on the Internet tab of Configuration Manager in Control Panel.

How to Assign Configuration Manager Client Computers to the Internet-Based Management Point

The networking team makes the final required configurations to allow the Internet traffic into both the perimeter network and the intranet:

The back-end Microsoft ISA Server is configured with a server publishing rule so that incoming HTTPS requests using port 443 to IBCMServer.treyresearch.net maps to HTTPS requests using port 443 to IBCMServer.testnet.treyresearch.net. This configuration uses SSL tunneling, which does not require additional certificates on the ISA Server.
The front-end firewall is confirmed as already configured to allow incoming traffic of port 443 to the ISA Server.

Determine the Ports Required for Internet-Based Client Management

Determine Requirements for Proxy Web Servers to Use With Internet-Based Client Management

Terry disconnects his test laptop from the test network and, using the software updates feature in Configuration Manager, creates a new optional software update deployment.

Terry then takes the test laptop home, connects to the Internet, manually initiates client policy, receives notification of the optional software update, and is able to successfully install it.

How to Initiate Policy Retrieval for a Configuration Manager Client

About the Software Updates End User Experience

Available Software Updates Dialog Box on Clients

After this initial successful test, Terry conducts further tests with automatic software updates and software distributions, and he confirms that hardware inventory and desired configuration management compliance information is still reported when the laptop is on the Internet. He also confirms that a content download can seamlessly continue when he moves the laptop from the Internet to the intranet and vice versa.

Terry documents his findings and two weeks later presents his findings to the management team. The successful conclusion convinces the management team that Internet-based client management offers a seamless user experience that provides an effective method of managing laptops even when they are away from the company network. In turn, this helps to keep the laptops secure, so the investment required in a PKI solution is seen to be cost justified.

The company does not have the internal resources or experience to implement an internal PKI, so the proof of concept provides the cost justification to outsource this project so that Internet-based client management can be implemented in the near future.

Product Families

Resources

About Microsoft

Popular Places

Popular Searches

Popular Downloads

Continue to Manage Laptops That Regularly Move Out of the Intranet and on to the Internet

Manage Home Computers That Never Connect to the Intranet

Support Internet-Based Clients and Intranet Clients in the Intranet on the Same Site System Server

See Also

Concepts