Thanks, Jason. I am crystal clear up to "What happens between the client and MP could be a lot of different things."

Is this correct: a device like an F5 doesn't know where HINV data is supposed to go as opposed to SUP data, and won't no matter what I tell it. If it were a simple route (if all data from internet FQDN x.com goes to intranet server ivanserver1.confused.local) that would be one thing and might be done through the F5. Based on the information I have on hand, the key is in the ISA SSL bridging, then? "How to Configure ISA SSL Bridging for SCCM Internet-Based Client Management" is the document I have. The web listener says "this is traffic for the MP, send it there", and so on for the other roles? And to make this all super simple (not), I am told to use certs from a public CA. I am aware I need a cert per HTTPS client because you and Carol B. wrote as much 12 times on social.microsoft.com (heh), and the documentation says "Computers must have a unique value in the Subject Name field or SAN."

Ivan

From: [email protected] On Behalf Of Jason Sandys
Sent: Monday, May 20, 2013 4:55 PM
To: [email protected]
Subject: [mssms] RE: IBCM with F5 and TMG

Certs do not specify destinations. The client knows the MP's internet FQDN (that's part of the client agent's configuration) and sends traffic to that address. The traffic payload is encrypted using HTTPS/SSL. Also, the IIS web site hosting the MP requires client authentication via a client authentication certificate, so when the connection is first established, this exchange must happen before the IIS web site accepts the traffic and passes it to the MP. What happens between the client and MP could be a lot of different things. With TMG in the middle, the client certs need an additional subject name to authenticate themselves to TMG. What your F5 does with the traffic is up to you. Ultimately, the traffic is sent to the Internet FQDN of the MP though.

J

From: [email protected] On Behalf Of Lindenfeld, Ivan
Sent: Monday, May 20, 2013 3:29 PM
To: [email protected]
Subject: [mssms] RE: IBCM with F5 and TMG

Thanks for the explanation, but it's still not clear to me. I have the MP and SUP on their own servers, and the site and DP on another. I do not intend to publish an MP to the internet in a DMZ, but to use my existing hierarchy. My HTTPS client on the internet hits a scheduled cycle, let's say HINV. It attempts to send the delta HINV data to the MP. It has a client certificate and knows the internet FQDN to talk to. It sends the data to that address. The certificates installed at the ingress to the intranet (being technology agnostic this time in my description) authenticate the key from the client. How does that data get routed to the correct internal server (MP or SUP or site/DP)? Clearly it needs to go to the MP in this example. Nothing but the external HTTPS client knows the target. Is that last sentence the answer? The packets know their destination is the MP ultimately because the client told them so. It knows this from CM policy? Thanks for tolerating such a detailed question.

Ivan

From: [email protected] On Behalf Of Troy Martin
Sent: Monday, May 13, 2013 4:33 PM
To: [email protected]
Subject: [mssms] RE: IBCM with F5 and TMG

...it's all about the certs and the SANs (in the certs) being used. Clients will only attempt to communicate with the FQDN associated with the CM service (e.g. MP/DP/SUP/CRL-DP/etc). Have you confirmed that the IBCM client is attempting to communicate with the correct FQDN for the service? TMG needs to be configured to allow SSL bridging or tunneling so that the IBCM clients can communicate. I've only ever configured "tunneling"... IBCM can be intimidating... but it's really a teddy bear :)

Troy L. Martin | Principal Consultant, 1E

From: [email protected] On Behalf Of Lindenfeld, Ivan
Sent: Monday, May 13, 2013 8:21 PM
To: [email protected]
Subject: [mssms] IBCM with F5 and TMG

Anyone have time to talk to me about the above scenario? The biggest piece I still don't understand is how the F5 or TMG server knows to send traffic to the MP when relevant, the SUP when relevant, etc.? These are separate servers in my environment. I had hoped IBCM would become less intimidating as I delved deeper, but it has not. Thanks.

Ivan Lindenfeld
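Added illustration (not from the thread) of the point Jason and Troy make: the only thing telling the ingress where a connection belongs is the FQDN the client was configured to use. A device doing SSL tunneling can read that name from the SNI extension of the client's TLS ClientHello without decrypting anything and map it to the internal MP or SUP; a name it has not been told about is dropped rather than guessed. The FQDNs, internal host names and the hand-built ClientHello are constructed for this example, not taken from any product.

```python
import struct

# Constructed: internet-facing FQDNs handed to IBCM clients (assumed) -> internal role server.
ROUTES = {
    "mp.example.com": "mp01.confused.local",
    "sup.example.com": "sup01.confused.local",
}

def build_client_hello(server_name):
    """Build a minimal TLS 1.2 ClientHello record carrying only an SNI extension (constructed sample)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name                  # host_name type + length + name
    sni_ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry   # ext type 0, ext len, list len
    body = (b"\x03\x03" + b"\x00" * 32                                      # client_version + random
            + b"\x00"                                                        # empty session_id
            + b"\x00\x02\xc0\x2f"                                            # one cipher suite
            + b"\x01\x00"                                                    # null compression only
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body          # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name the client asked for, or None if this is not a ClientHello carrying SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    p = 4 + 2 + 32                                   # skip handshake header, version, random
    p += 1 + hs[p]                                   # session_id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher_suites
    p += 1 + hs[p]                                   # compression_methods
    if p + 2 > len(hs):
        return None                                  # no extensions at all
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if ext_type == 0 and hs[p + 2] == 0:         # server_name; first entry is of type host_name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode("ascii", "replace")
        p += ext_len
    return None

def route_client_hello(record):
    """Pick the internal role server from the requested FQDN; None means no known role, drop it."""
    return ROUTES.get(extract_sni(record))
```

With SSL bridging instead of tunneling, the same decision is made one layer up on the decrypted request's Host header, which carries the same FQDN.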

