The trust requirement really depends on what roles you want to publish to the internet. While your IBCM server needs to be domain joined, I think the only role that would require your DMZ domain to trust your production domain would be the app catalog role, so it can authenticate users.
We had planned to publish App Cat, DP, MP and SUP as part of IBCM. We were going to use the SSL bridging capabilities of our F5 BIG-IP 3900/3600 load balancers and have them bridge internet client connections into an SCCM server dedicated to internet clients. These F5s would terminate the SSL connection from the internet client, inspect the client's certificate and packets, and then create a new connection to the IBCM server. This would allow us to keep the IBCM server on the production domain. We vetted the idea with F5 and Microsoft engineers, along with our in-house security team. MSFT says this is the most common deployment scenario they see for IBCM. In the end, though, we dropped the project and decided to work on a DirectAccess deployment instead.

Kenneth Merenda

From: [email protected] [mailto:[email protected]] On Behalf Of Sean Pomeroy
Sent: Wednesday, April 29, 2015 9:49 AM
To: [email protected]
Subject: [mssms] SCCM 2012 R2 IBCM

How is everyone doing IBCM? We tried to leverage our NetScalers, but they do not allow offloading and verifying the certificate, and security won't allow a tunnel without inspection. We do not currently have a domain in our DMZ; it seems that is the next route we are going to go down. However, security will not allow a trust between the two domains. Now that MS has sunset TMG, what other options is everyone using/considering?

Thanks,
Sean
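Kenneth's SSL-bridging design has three security-relevant steps: the load balancer terminates the internet client's TLS session and requires a client certificate, it checks that certificate before anything reaches the site system, and it then opens a fresh, server-verified TLS connection to the IBCM server. The code below is an added example of those checks, written by the editor for illustration; it is not code from either poster, from F5 or from Microsoft, and an F5 would express the same policy in its own configuration. The certificate is represented in the dict layout Python's ssl.SSLSocket.getpeercert() returns, and the CA name, hostnames and sample certificate are constructed assumptions.

```python
"""Client-certificate policy check of the kind a TLS-bridging proxy runs
before re-encrypting traffic to the internet-facing site system.

Added example, not code from the mailing-list thread, F5 or Microsoft.
Certificates use the dict layout of ssl.SSLSocket.getpeercert(); the
issuer name, hostnames and sample certificate below are assumptions."""
import ssl
import time

# Assumption: the enterprise CA that issues ConfigMgr client certificates.
TRUSTED_ISSUER_CN = "Contoso Issuing CA"
# Assumption: the internet-facing site system that bridged connections go to.
IBCM_BACKEND = ("ibcm01.corp.contoso.com", 443)

# Constructed sample in getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "laptop17.corp.contoso.com"),),),
    "issuer": ((("domainComponent", "com"),),
               (("domainComponent", "contoso"),),
               (("commonName", "Contoso Issuing CA"),)),
    "notBefore": "Jan  1 00:00:00 2015 GMT",
    "notAfter": "Jan  1 00:00:00 2017 GMT",
    "serialNumber": "1A2B3C",
    "version": 3,
}


def _rdn_value(name, key):
    """Pull one attribute (e.g. commonName) out of a getpeercert() name tuple."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def inspect_client_cert(cert, now=None):
    """Decide whether a presented client certificate may be bridged.

    Returns (True, subject_cn) on success, else (False, reason). `cert` is
    None or {} when the client sent no usable certificate."""
    if not cert:
        return False, "no client certificate presented"
    now = time.time() if now is None else now
    issuer_cn = _rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn != TRUSTED_ISSUER_CN:
        return False, "issuer %r is not the enterprise CA" % issuer_cn
    try:  # cert_time_to_seconds parses the GMT strings getpeercert() emits
        not_before = ssl.cert_time_to_seconds(cert["notBefore"])
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    except (KeyError, ValueError):
        return False, "missing or malformed validity dates"
    if now < not_before:
        return False, "certificate not yet valid"
    if now > not_after:
        return False, "certificate expired"
    subject_cn = _rdn_value(cert.get("subject", ()), "commonName")
    if not subject_cn:
        return False, "no subject commonName to identify the client"
    return True, subject_cn


def frontend_context():
    """Internet-facing side: terminate TLS and demand a client certificate.
    Loading the server chain and the CA used for verification (load_cert_chain,
    load_verify_locations) is left to deployment; the policy bit is the
    mandatory client certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def backend_context():
    """Site-system side: a fresh TLS session in which the proxy verifies the
    IBCM server's certificate and hostname, so bridging never downgrades to
    an unverified hop inside the DMZ."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def bridge_decision(cert, now=None):
    """Return the backend to forward to and the authenticated client name,
    or None when the client certificate fails policy."""
    ok, detail = inspect_client_cert(cert, now)
    if not ok:
        return None
    return {"forward_to": IBCM_BACKEND, "client": detail}


if __name__ == "__main__":
    when = ssl.cert_time_to_seconds("Apr 29 09:49:00 2015 GMT")
    print(inspect_client_cert(SAMPLE_CERT, now=when))
    print(bridge_decision(SAMPLE_CERT, now=when))
```

The issuer check is what stands in for the NetScaler limitation Sean describes: a device that only offloads TLS without verifying the client certificate would forward any client that completes a handshake, while a bridge that enforces this policy only ever opens the second connection for a client holding a certificate from the enterprise CA.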
