Other than “not supported”, do you know of a legitimate reason why site systems in the DMZ are required to be domain-joined in IBCM?
Troy L. Martin | Product Manager, Endpoint Automation

From: [email protected] On Behalf Of Merenda, Kenneth
Sent: Wednesday, April 29, 2015 11:31 AM
To: [email protected]
Subject: RE: [mssms] SCCM 2012 R2 IBCM

The trust requirement really depends on what roles you want to publish to the internet. While your IBCM server needs to be domain joined, I think the only role that would require your DMZ domain to trust your production domain would be the app catalog role, so it can authenticate users.

We had planned to publish App Cat, DP, MP and SUP as part of IBCM. We were going to use SSL bridging capabilities of our F5 BIG-IP 3900/3600 load balancers and have them bridge internet client connections into a SCCM server dedicated to internet clients. The F5s would terminate the SSL connection from the internet client, inspect the client's certificate and packets, and then create a new connection to the IBCM server. This would allow us to keep the IBCM server on the production domain.

We vetted the idea with F5 and Microsoft engineers, along with our in-house security team. MSFT says this is the most common deployment scenario they see for IBCM. In the end, though, we dropped the project and decided to work on a DirectAccess deployment instead.
Kenneth Merenda

From: [email protected] On Behalf Of Sean Pomeroy
Sent: Wednesday, April 29, 2015 9:49 AM
To: [email protected]
Subject: [mssms] SCCM 2012 R2 IBCM

How is everyone doing IBCM? We tried to leverage our NetScalers, but they do not allow offloading and verifying the certificate, and security won't allow a tunnel without inspection. We do not currently have a domain in our DMZ; it seems that is the next route we are going to go down. However, security will not allow a trust between the two domains. Now that MS has sunsetted TMG, what other options is everyone using/considering?

Thanks,
Sean
