I had a hell of a time getting TMG working. I had a limited understanding of 
certificates so unless you know how they work (particularly between SCCM/TMG), 
I'd recommend against using TMG simply because there isn't a lot of 
documentation on how to configure it. The process on Technet is for configuring 
ISA which didn't work for me. Plus, I believe if they haven't already, 
Microsoft will soon no longer offer support for TMG. It was discontinued in 
2012. If I had to do it all over again, I probably would've gone with a SQL 
replica in the DMZ. Or I'd look into a MP with two NICs. 
<http://technet.microsoft.com/en-us/library/bb680966.aspx>

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Benjamin Monrad
Sent: Friday, January 31, 2014 6:40 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] SCCM 2012, PKI and ICBM

You could place TMG in the DMZ and use that to proxy client traffic to an 
MP/DP/SUP on an internal network.

On Fri, Jan 31, 2014 at 2:36 PM, Brian McDonald <mcdonald...@hotmail.com> wrote:
So, it's official. The decision has been made PKI and ICBM. :(

I have two domains. 1 internal Domain ABC.domain and 1 DMZ ABC0.domain.

The requirement is to be able to leverage PKI and ICBM for internet clients.

Therefore, my requirements would be:

1) PKI Infrastructure
2) Would I absolutely have to have a Standalone DP in my DMZ? I do not have any 
workgroup clients in the DMZ?

Seems to me there would be another way or methods to accomplish this w/o having 
to install a DP in the DMZ. Please correct me if I'm wrong.
Thanks,

Brian

________________________________
From: t3chn...@hotmail.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Sun, 26 Jan 2014 13:32:01 -0700


Another good resource that I keep on hand ...



http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx





From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Brian McDonald
Sent: Friday, January 24, 2014 8:05 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM



Discussing this with my counterpart now.



No, we do not have a PKI infrastructure. I came across this recently. There may 
be other sources out there but this does seem fairly straightforward.



http://blogs.msdn.com/b/scstr/archive/2012/05/31/step_2d00_by_2d00_step_2d00_example_2d00_deployment_2d00_of_2d00_the_2d00_pki_2d00_certificates_2d00_for_2d00_configuration_2d00_manager_2d00_2012_2d00_windows_2d00_server_2d00_2008.aspx



I'm entirely new to PKI, so any direction would be nice.



Thanks,

Brian

________________________________

From: eric.morri...@hotmail.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Wed, 22 Jan 2014 09:29:09 -0600

Setting up IBCM in 2012 is a breeze compared to the 2007 days.



I've configured IBCM in both versions and as long as you have basic PKI 
understanding, you shouldn't have too many roadblocks.



In the environment you are going to use to set it up, do you already have PKI 
set up with machine certificates deployed, specifically workstations to be 
managed over the internet? You'll also need to either stand up a new site 
system server in your DMZ, or have the ports reverse proxy to your primary site 
server. If you're going to do Software Distribution, Software Updates, and App 
Catalog, then you'll need to make sure those roles are set up as HTTPS and the 
appropriate web server cert in IIS and make sure the roles allow intranet and 
internet. After that it's just a matter of making sure the clients have the 
public FQDN configured for IBCM and that the firewall ports are open.



Now, if DA is the option like so many suggested, definitely go that route... :)



Thanks,



Eric Morrison
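
The certificate prerequisites listed in the message above (machine certificates on the managed workstations, a web server certificate on the HTTPS site system roles, the public FQDN) can be checked from the local certificate store. This is an added PowerShell example, not part of the original thread; `cm.example.com` and the helper name `Get-IbcmCertReport` are placeholders chosen here.

```powershell
# Added example: audit LocalMachine\My for the certificates IBCM depends on.
# 'cm.example.com' is a constructed placeholder for the site's internet FQDN.
param([string]$InternetFqdn = 'cm.example.com')

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension

function Get-IbcmCertReport {          # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Collect the EKU OIDs carried by the certificate.
    $ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Names the certificate is valid for: SAN entries plus the subject CN.
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $names  = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $names += ', ' + $Cert.GetNameInfo('SimpleName', $false)

    # Chain build uses the local trust stores and online revocation checking,
    # so an unreachable CRL shows up here as ChainValid = False.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain

    [pscustomobject]@{
        Subject       = $Cert.Subject
        ClientAuth    = $ekus -contains $ClientAuthOid
        ServerAuth    = $ekus -contains $ServerAuthOid
        HasPrivateKey = $Cert.HasPrivateKey
        NamesFqdn     = $names -match ('(^|[=,\s])' + [regex]::Escape($InternetFqdn) + '($|[,\s])')
        ChainValid    = $chain.Build($Cert)
        Expires       = $Cert.NotAfter
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Get-IbcmCertReport $_ } |
    Sort-Object Expires |
    Format-Table -AutoSize
```

On a workstation the row to look for has ClientAuth and HasPrivateKey true; on the internet-facing site system it has ServerAuth and NamesFqdn true.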



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] 
On Behalf Of Brian McDonald
Sent: Tuesday, January 21, 2014 2:52 PM
To: mssms@lists.myitforum.com; mssms@lists.myitforum.com
Subject: [mssms] SCCM 2012, PKI and ICBM



Hey everyone,



Just out of curiosity, how many hours would you estimate it would take to set up 
a PKI infrastructure and ICBM for SCCM 2012 R2? My boss has asked me to 
implement and I have no idea what to guesstimate for hours. Looking for someone 
who has experience with implementing both PKI and ICBM that might be able to 
give me a rough idea of how many hours this would take. From what I've read 
ICBM is complex to set up, but that was back in CM07. Not sure how much has 
changed with CM12.



Thanks,

Brian









