Internet Based Client Management
June 1, 2016 | Author: Roy MacLachlan | Category: N/A
Internet-Based Client Management (IBCM)

Configuration Manager 2007 extends the traditional boundaries of the internal network and allows management of client devices over the Internet. Because of the higher security requirements, IBCM requires an understanding of the Configuration Manager prerequisites and of how to configure settings to ensure an effective and secure management solution.

IBCM allows you to manage Configuration Manager 2007 clients over the Internet without the client first having to initiate a virtual private network (VPN) connection. A managed client can send inventory data, status information, and state messages over the Internet to its assigned site. A managed client can also receive policy over the Internet with instructions for installing software updates or software distribution packages.

Comparing IBCM to VPN Management

Although Configuration Manager supports both VPN and IBCM, there are advantages and disadvantages to each, as outlined in the following table.
Management solution: VPN
Advantages:
- No change to the Configuration Manager infrastructure
- All Configuration Manager features are supported
- Does not require native mode or a PKI environment
Disadvantages:
- Relies on a VPN connection, which may require additional management and user overhead
- May not be suitable for slow or unreliable connections

Management solution: Configuration Manager IBCM
Advantages:
- Does not require a VPN infrastructure
- More suitable for slow or unreliable connections
Disadvantages:
- Requires changes to the Configuration Manager infrastructure, including server placement and PKI requirements
- Not all Configuration Manager features are supported

Features That Are Not Supported with IBCM

Any feature that relies on AD DS is not supported with IBCM. Specifically, the following features are not supported:
- Client deployment over the Internet
- Auto-site assignment
- Wake On LAN
- Operating system deployment
- Remote Control
- Software distribution targeted to users
- Task sequences
- Out of band management
- Client status reporting client ping functionality
- Network Access Protection (NAP)
- Branch distribution points

Managing a client over the Internet involves dependencies external to Configuration Manager 2007, as well as prerequisites that are specific to Configuration Manager.

External dependencies include the following:
- Internet connectivity must exist between external clients and site systems that support IBCM
- A PKI is required to support Configuration Manager native mode
- The Internet FQDN of any site system that supports IBCM must be registered on public Domain Name System (DNS) servers
- Firewalls and routers must support HTTP 1.1, and allow HTTP multipart Multipurpose Internet Mail Extensions (MIME) attachments

Dependencies specific to Configuration Manager 2007 include the following:
- The Configuration Manager 2007 primary site must be in native mode
- Site systems that support IBCM must be configured with an FQDN that is registered on a public Domain Name System (DNS) server
- Site systems that support IBCM must be configured to support Internet-based clients
- Clients must be configured to use both native mode and the Internet-based management point from their assigned site
- Web server certificates must contain the Subject Name of the FQDN that is registered on the public DNS server

Site system roles that support IBCM include:
- Management point
- Distribution point
- Software update point
- Fallback status point

For clients to communicate with the appropriate site systems over the Internet, the FQDN of each site system that will support Internet-based clients needs to be registered on public DNS servers. The same FQDNs also need to be configured on the site systems that support the Internet clients.

To configure the Internet FQDN on site systems that will support IBCM, perform the following tasks:
1.) In the Configuration Manager console, navigate to the Site Systems node.
2.) Right-click ConfigMgr Site System, and then click Properties.
3.) Select the Specify an internet-based fully qualified domain name for this site system check box.
4.) In the Internet FQDN text box, provide the FQDN that is registered on the public DNS servers.

Note: The ConfigMgr site system Properties dialog box has an option to Allow only site server initiated data transfers from this site system. This option should be enabled if the Internet-based site system is located in a perimeter network, and the site server is located on the internal network. This option ensures that the internal site server initiates communication with the site system that is located in the perimeter network. By default, site systems initiate the communication with the site server in order to send status information to the site, which is not ideal in a perimeter network scenario.

Configuring Site System Roles for Internet Based Client Management

You must configure each Configuration Manager site system role that supports IBCM to specifically support Internet-based clients. You can configure each site system role as indicated in the following table.

Site system role: Management point properties
Configuration:
- Allow intranet-only client connections
- Allow Internet-only client connections
- Allow both intranet and Internet client connections

Site system role: Distribution point properties
Configuration:
- Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS (required for device clients and Internet-based clients)
- Allow intranet-only client connections
- Allow Internet-only client connections
- Allow both intranet and Internet client connections

Site system role: Fallback status point properties
Configuration:
- If the site is in native mode, and the site system contains an Internet FQDN, then the Allow both intranet and Internet client connections option is automatically configured.

Site system role: Software update point component properties
Configuration:
- Allow intranet-only client connections
- Allow both intranet and Internet client connections

Note: If the Internet options are not available, confirm that the site is in native mode, and that an Internet FQDN is specified for the site server.

There are a number of tasks that you may have to perform to manage clients over the Internet. The specific tasks depend upon the services that you will provide over the Internet, and your network infrastructure. These tasks include:
- Installing new clients to support native mode, and ensuring that all certificates have been enrolled as necessary. You can use CCMSetup.exe with the /native property to enable native mode support.
- Assigning client computers to the site and to their Internet-based management point. You can manually assign computers to their Internet-based management point by entering the FQDN of the Internet-based management point on the Internet tab of the Configuration Manager control panel application. You can also use the CCMHOSTNAME property with CCMSetup.exe if you are installing a new client. You can set the appropriate site code on the Advanced tab, if it was not set during client installation.
- Configuring proxy settings. The Internet tab also provides several options if you use a proxy server. Options include proxy server name, port, and credentials.
- Determining if the client will always be Internet-based, and will never connect to the intranet. If you need to ensure that a specific client will always be Internet-based, you can use the CCMALWAYSINF property set to 1 when installing the client.

An example setup syntax for an Internet-based client is as follows:

    CCMSetup.exe /native CCMALWAYSINF=1 CCMHOSTNAME=ConfigMgmtPnt.Contoso.com SMSSITECODE=NYC
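
A pre-flight check for the kind of command line described above, as an added example that is not part of the original document or of Configuration Manager: the hypothetical Test-IbcmSetupLine function flags a missing /native switch, a CCMHOSTNAME that is not an FQDN, and a missing or malformed SMSSITECODE before the installer is run. It assumes site codes are three alphanumeric characters, and the sample command lines are constructed.

```powershell
# Added example: Test-IbcmSetupLine is a hypothetical helper, not a Configuration Manager cmdlet.
function Test-IbcmSetupLine {
    param([Parameter(Mandatory)][string]$CommandLine)

    $problems = [System.Collections.Generic.List[string]]::new()
    $switches = @()
    $props    = @{}          # hashtable keys are case-insensitive in PowerShell

    # Skip the executable name, then sort tokens into /switches and NAME=value properties.
    foreach ($token in ($CommandLine.Trim() -split '\s+' | Select-Object -Skip 1)) {
        if     ($token -match '^/')                 { $switches += $token.ToLower() }
        elseif ($token -match '^([A-Za-z]+)=(.+)$') { $props[$Matches[1]] = $Matches[2] }
        else   { $problems.Add("Malformed token '$token' (expected /switch or NAME=value)") }
    }

    # Internet-based clients require native mode.
    if (-not ($switches -like '/native*')) { $problems.Add('Missing /native') }

    # CCMHOSTNAME must be the Internet FQDN of the management point, not a short name.
    $fqdn = '^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}$'
    if (-not $props.ContainsKey('CCMHOSTNAME')) {
        $problems.Add('Missing CCMHOSTNAME')
    } elseif ($props['CCMHOSTNAME'] -notmatch $fqdn) {
        $problems.Add("CCMHOSTNAME '$($props['CCMHOSTNAME'])' is not an FQDN")
    }

    # Assumption: a site code is exactly three alphanumeric characters.
    if (-not $props.ContainsKey('SMSSITECODE')) {
        $problems.Add('Missing SMSSITECODE')
    } elseif ($props['SMSSITECODE'] -notmatch '^[A-Za-z0-9]{3}$') {
        $problems.Add("SMSSITECODE '$($props['SMSSITECODE'])' is not a three-character site code")
    }

    # The page documents only the value 1 (always Internet-based) for CCMALWAYSINF.
    if ($props.ContainsKey('CCMALWAYSINF') -and $props['CCMALWAYSINF'] -ne '1') {
        $problems.Add("CCMALWAYSINF is '$($props['CCMALWAYSINF'])', expected 1")
    }

    [pscustomobject]@{ Ok = ($problems.Count -eq 0); CommandLine = $CommandLine; Problems = $problems.ToArray() }
}

# Constructed sample command lines (not taken from a real deployment).
$samples = @(
    'CCMSetup.exe /native CCMALWAYSINF=1 CCMHOSTNAME=ConfigMgmtPnt.Contoso.com SMSSITECODE=NYC',
    'CCMSetup.exe /native CCMALWAYSINF=1 CCMHOSTNAME=ConfigMgmtPnt.Contoso.com SMSSITECODE-NYC',
    'CCMSetup.exe CCMHOSTNAME=ConfigMgmtPnt SMSSITECODE=NYC'
)
$samples | ForEach-Object { Test-IbcmSetupLine $_ } | Format-List Ok, CommandLine, Problems
```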

You can determine if a client computer is currently managed on the intranet or the Internet by viewing the General tab of the client's Configuration Manager control panel application. The value for the ConfigMgr Connection Type property will contain one of the following:
- Currently Internet: The client is configured for Internet or intranet management, and is currently managed on the Internet
- Currently intranet: The client is configured for Internet or intranet management, and is currently managed on the intranet
- Always Internet: The client is configured for Internet-only connections
- Always Intranet: The client is configured for intranet-only connections