Managing Internet-facing clients
Depending on the environment, you may have clients that:
- Regularly move between the Internet and the intranet
- Are home computers, and never connect to the intranet
Managing clients that are not always connected to the internal network can be a challenge. If remote computers use Virtual Private Networking (VPN) to connect to the corporate network on a regular basis, Internet-facing support may not be required. But if we know that clients may use some type of remote desktop to connect to the corporate network, or maybe they don't have to connect to the corporate network at all to do their job, then Internet-facing support should be considered to ensure proper patch and asset management.
If "Native Mode for CM07" rings a bell, we have good news for you. CM12 does not have a "Mixed Mode" and "Native Mode". It simply has two client communication methods: "HTTPS" only and "HTTPS or HTTP". One CM12 site can support both HTTPS and HTTP communication if required.
Getting ready
Public Key Infrastructure (PKI) certificates are required for Internet-based client communication. Engage with the team that owns PKI in your infrastructure. If a PKI infrastructure doesn't currently exist, follow Microsoft's step-by-step example of deploying PKI http://technet.microsoft.com/en-us/library/gg682023.aspx. Once you have all valid certificates, proceed to the next section.
How to do it...
To enable Internet-facing clients, perform the following steps:
- In the CM12 admin console, navigate to Administration | Site Configuration | Sites, and select the desired site to support Internet-based clients. Right-click on the site and select Properties.
- From the Client Computer Communication tab, select either HTTPS only if you only want to support HTTPS, or HTTPS or HTTP as required.
- Enable the checkbox to Use PKI client certificate, and then click on the Modify button to select the client certification selection criteria, as well as the store name, and then click on OK.
- Click on the Set button to specify the Trusted Root Certification Authorities, and then select the starburst to browse to a new certificate file.
- Select OK to save changes to Site Properties.
- From the Servers and Site System Roles node, select the desired site in the top pane. Select the desired roles from the bottom pane (Management Point, Distribution Point, Software Update Point, as well as Application catalog Point, if required).
- Specify HTTPS for client communications types.
- As long as the new site systems are accessible from the Internet at this point, the infrastructure configuration is complete. Follow the client installation instructions at http://technet.microsoft.com/en-us/library/gg699356.aspx to install the CM client properly.
How it works...
Unlike CM07, CM12 allows clients assigned to the same primary site to use either HTTP or HTTPS communications. If a client has the PKI cert, it can be set to use HTTP for the intranet and HTTPS for the Internet.
See also
- Review the document PKI certificate requirements for Configuration Manager clients and site servers at http://technet.microsoft.com/en-us/library/gg699362.aspx
- Review the client installation properties document at http://technet.microsoft.com/en-us/library/gg699356.aspx