Export (0) Print
Expand All
1 out of 2 rated this helpful - Rate this topic

Determine Requirements for Proxy Web Servers to Use With Internet-Based Client Management

Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2

If you are using proxy Web servers with Internet-based client management in Configuration Manager 2007, the requirements for these servers are listed in the following sections.

If you are using Microsoft Internet Security and Acceleration (ISA) Server as your proxy Web server, refer to the following information:

Support for Secure Sockets Layer (SSL)

noteNote
SSL termination with authentication using bridging technology is recommended, although SSL tunneling is also supported if your proxy Web server cannot support bridging with authentication. For more information, see the Microsoft Internet Security and Acceleration Server documentation about the differences between bridging and tunneling (http://go.microsoft.com/fwlink/?LinkId=80311).

  • SSL bridging to SSL:

    The recommended configuration when using proxy Web servers with Configuration Manager 2007 Internet-based client management is SSL bridging to SSL, using termination with authentication. Client computers must be authenticated using machine authentication, and client mobile devices are authenticated using user authentication.

    The benefit of SSL termination at the proxy Web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy Web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internet-based site systems. When Configuration Manager clients use a proxy Web server, the client identity (client GUID) is securely contained within the packet payload so that the management point does not consider the proxy Web server to be the client. Bridging is not supported in Configuration Manager 2007 with HTTP to HTTPS, or from HTTPS to HTTP.

  • Tunneling:

    If your proxy Web server cannot support the requirements for SSL bridging, SSL tunneling is also supported. This is a less secure option because the SSL packets from the Internet are forwarded to the site systems without termination, so they cannot be inspected for malicious content. When using SSL tunneling, there are no certificate requirements for the proxy Web server.

Certificates Requirements for SSL Bridging

  • Web server certificate for server authentication and SSL if you are using bridging:

    • The certificate must chain to a root authority that is trusted by client computers.

    • The certificate must contain the Internet fully qualified domain names (FQDNs) of all the Internet-based site systems in the Subject Alternative Name field.

  • Client machine certificate for authentication if you are using bridging for client computers:

    • The certificate must chain to a root certification authority that is trusted by the site system servers.

    • The certificate must have a unique value in the Subject field or the Subject Alternative Name field.

  • Client user certificate for authentication if you are using bridging for client mobile devices:

    • The certificate must chain to a root certification authority that is trusted by the site system servers.

    • The certificate must have a unique value in the Subject field or the Subject Alternative Name field.

Fallback Status Point Requirements

  • Support for HTTP:

    • If you are using an Internet-based fallback status point, the proxy Web server must accept HTTP traffic.

DNS Requirements

  • The Internet-based site systems must be configured with an Internet FQDN in Configuration Manager 2007, which is also registered on public Internet DNS servers with the IP address of your proxy Web server.

  • The Internet-based site systems must be published on the proxy Web server with the Internet FQDN they are configured to use in Configuration Manager 2007.

Application Level Inspection

If the Proxy Web server performs application level inspection, it must allow the following communication between Configuration Manager clients and Internet-based site systems:

  • HTTP version 1.1

  • HTTP content type of multipart MIME attachment

  • Required verbs and HTTP headers

For more information, see the external dependencies listed in Prerequisites for Internet-Based Client Management

See Also

For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.
Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft. All rights reserved.