Scenario 4: Internet connections into the intranet - 
http://technet.microsoft.com/en-us/library/bb632529.aspx

...but is also arguably the least secure, because you're allowing IBCM clients to 
communicate directly with site systems over the Internet.  Intranet clients are 
also communicating with the same.

I prefer Scenario 3 with SQL Server 
Replica (http://technet.microsoft.com/en-us/library/bb694250.aspx) because IBCM 
client traffic is isolated/restricted to communicating only with site systems 
in the DMZ.  Also in this scenario, site systems in the DMZ are (or should be) 
restricted from initiating communications with the site server and site 
database server on the intranet.  This is achieved in three ways:

- no firewall rules should be configured allowing inbound traffic originating 
from the site systems in the DMZ

- All site systems should be configured to Allow site server initiated 
communications with this site system

- SQL Server Replication should be configured for Push Replication, where the 
SQL Server (on the intranet) hosting the site database initiates communication 
with the SQL Server in the DMZ that is hosting the replica copy of the site 
database.  The MP site system in the DMZ communicates directly with the 
SQL Server in the DMZ when reading the replica site database.

When dealing with traffic initiated (from devices) over the Internet, it's not 
about what's the easiest, but what is the most secure.

Sent from my iPad
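
An added audit check for the first of the three points above, not part of this thread: on the intranet site server or site database server, list the enabled inbound Allow rules in Windows Firewall whose remote-address scope would admit connections originating from the DMZ site systems. The DMZ subnet is a placeholder, and the test is an exact match, so a rule scoped to a wider range that merely overlaps the DMZ is not flagged.

```powershell
# Added example (not from the thread): audit Windows Firewall on the intranet
# site server / site database server for inbound Allow rules that would let the
# DMZ site systems (MP, SQL replica host) initiate connections inward.
# Requires the NetSecurity module (Windows Server 2012 or later).
$DmzRange = '192.0.2.0/24'   # placeholder: replace with the real DMZ subnet

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $addr = $rule | Get-NetFirewallAddressFilter
    # 'Any' or an explicit DMZ scope both mean the DMZ can reach this host.
    # Exact-match only: a wider range that merely overlaps the DMZ is not caught.
    if ($addr.RemoteAddress -contains 'Any' -or $addr.RemoteAddress -contains $DmzRange) {
        $port = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            RemoteAddress = ($addr.RemoteAddress -join ',')
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
        }
    }
}

if ($findings) {
    # Each row is a rule to review: it permits DMZ-originated inbound traffic,
    # which Scenario 3 with SQL Server Replica is designed to avoid.
    $findings | Sort-Object Rule | Format-Table -AutoSize
} else {
    'No enabled inbound Allow rules admit traffic from the DMZ range.'
}
```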

On Feb 1, 2014, at 5:39 PM, "Brian McDonald" <[email protected]> wrote:

Thanks Troy - any recommendations on which one is the 'easiest' to setup?

Brian
________________________________
From: [email protected]
To: [email protected]
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Sat, 1 Feb 2014 11:45:28 +0000

…there are several 
options (http://technet.microsoft.com/en-us/library/bb693824.aspx) to consider, 
with – I believe – Scenario 3 with SQL Server 
Replica (http://technet.microsoft.com/en-us/library/bb694250.aspx) being the 
most secure and the one I’ve successfully implemented at several customers.

Don’t worry about the documentation being for ConfigMgr 2007…everything still 
applies to 2012.

Microsoft did not include the IBCM supported scenarios documentation in 2012.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Mobile: +44 782 655 0296
[email protected] | www.1e.com

From: [email protected] On Behalf Of Brian McDonald
Sent: Friday, January 31, 2014 10:36 PM
To: [email protected]
Subject: RE: [mssms] SCCM 2012, PKI and ICBM

So, it's official. The decision has been made: PKI and ICBM. :(

I have two domains. 1 internal Domain ABC.domain and 1 DMZ ABC0.domain.

The requirement is to be able to leverage PKI and ICBM for internet clients.

Therefore, my requirements would be:

1) PKI Infrastructure
2) Would I absolutely have to have a Standalone DP in my DMZ? I do not have any 
workgroup clients in the DMZ.

Seems to me there would be another way or method to accomplish this w/o having 
to install a DP in the DMZ. Please correct me if I'm wrong.

Thanks,

Brian


________________________________

From: [email protected]
To: [email protected]
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Sun, 26 Jan 2014 13:32:01 -0700

Another good resource that I keep on hand …

http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

From: [email protected] On Behalf Of Brian McDonald
Sent: Friday, January 24, 2014 8:05 AM
To: [email protected]
Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Discussing this with my counterpart now.

No, we do not have a PKI infrastructure. I came across this recently. There may 
be other sources out there but this does seem fairly straightforward.

http://blogs.msdn.com/b/scstr/archive/2012/05/31/step_2d00_by_2d00_step_2d00_example_2d00_deployment_2d00_of_2d00_the_2d00_pki_2d00_certificates_2d00_for_2d00_configuration_2d00_manager_2d00_2012_2d00_windows_2d00_server_2d00_2008.aspx

I'm entirely new to PKI, so any direction would be nice.
Thanks,

Brian

________________________________

From: [email protected]
To: [email protected]
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Wed, 22 Jan 2014 09:29:09 -0600

Setting up IBCM in 2012 is a breeze compared to the 2007 days.

I’ve configured IBCM in both versions and as long as you have basic PKI 
understanding, you shouldn’t have too many roadblocks.

In the environment you are going to use to set it up, do you already have PKI 
set up with machine certificates deployed, specifically workstations to be 
managed over the internet? You’ll also need to either stand up a new site 
system server in your DMZ, or have the ports reverse proxy to your primary site 
server. If you’re going to do Software Distribution, Software Updates, and App 
Catalog, then you’ll need to make sure those roles are set up as HTTPS with the 
appropriate web server cert in IIS and make sure the roles allow intranet and 
internet. After that it’s just a matter of making sure the clients have the 
public FQDN configured for IBCM and that the firewall ports are open.

Now, if DA is the option like so many suggested, definitely go that route… :)

Thanks,

Eric Morrison

From: [email protected] On Behalf Of Brian McDonald
Sent: Tuesday, January 21, 2014 2:52 PM
To: [email protected]; [email protected]
Subject: [mssms] SCCM 2012, PKI and ICBM

Hey everyone,

Just out of curiosity, how many hours would you estimate it would take to set up 
a PKI infrastructure and ICBM for SCCM 2012 R2? My boss has asked me to 
implement and I have no idea what to guesstimate for hours. Looking for someone 
who has experience with implementing both PKI and ICBM that might be able to 
give me a rough idea of how many hours this would take. From what I've read 
ICBM is complex to set up, but that was back in CM07. Not sure how much has 
changed with CM12.

Thanks,

Brian
