Jason - thanks again. I'll be sure to join the webinar!
Can you recommend any documentation on properly deploying site systems in the 
DMZ as well as IBCM?
Cheers!
Brian
From: [email protected]
To: [email protected]
Subject: RE: [mssms] Where are my clients?
Date: Sun, 16 Feb 2014 23:36:20 +0000

Using IBCM is a common path for your DMZ clients – there are still potential
traps and gotchas though like MP location if you have more than one HTTPS MP.
Your role layout is also pretty typical – make sure of course you properly
configure and test CRL accessibility from the CDP *before* you issue any
permanent certs because the CDP is statically listed in each and every issued
cert and thus if you change the CDP you will have to reissue the certs to update
the CDP list.

No, the DNS lookup is not configurable in any way. If a system listed in AD and
in-scope of the AD discovery fails the DNS A record lookup, then the DDR simply
is not created. You will have to discover those systems in another way.
Shameless plug here for you to watch my Secunia webcast this Tuesday as I will
be discussing a possible work-around.
 
J
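
A pre-flight check for the two points raised in the reply above (the DNS A-record lookup that AD System Discovery needs before it writes a DDR, and CRL reachability from the CDP before permanent certs are issued), added here as an example and not code from the thread. It assumes the RSAT ActiveDirectory module is present where it runs; the OU distinguished name and the CDP URL are placeholders.

```powershell
# Added example, not from the thread. The OU DN and CDP URL are placeholders.
Import-Module ActiveDirectory

function Test-DiscoveryDnsLookup {
    # AD System Discovery creates a DDR only when the A record for the computer's
    # dNSHostName resolves, so run this from the site server doing the discovery.
    param([Parameter(Mandatory)][string]$SearchBase)
    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties dNSHostName |
        ForEach-Object {
            $fqdn = $_.dNSHostName
            $resolves = $false
            if ($fqdn) {
                $a = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction SilentlyContinue
                $resolves = ($null -ne $a)
            }
            [pscustomobject]@{ Name = $_.Name; FQDN = $fqdn; ARecordResolves = $resolves }
        }
}

function Test-CdpCrl {
    # Fetch the CRL from the CDP URL and let certutil confirm it parses and show
    # NextUpdate. Run this from a DMZ host, since that is the path IBCM clients use.
    param([Parameter(Mandatory)][string]$CdpUrl)
    $tmp = Join-Path $env:TEMP 'cdp-check.crl'
    try {
        Invoke-WebRequest -Uri $CdpUrl -OutFile $tmp -UseBasicParsing -TimeoutSec 15
    } catch {
        return [pscustomobject]@{ Url = $CdpUrl; Reachable = $false; IsCrl = $false
                                  NextUpdate = $null; Error = $_.Exception.Message }
    }
    $dump = & certutil.exe -dump $tmp 2>&1 | Out-String
    # Labels below are certutil's English output; adjust for a localised build.
    $next = if ($dump -match 'NextUpdate:\s*(.+)') { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{
        Url        = $CdpUrl
        Reachable  = $true
        IsCrl      = ($dump -match 'Certificate Revocation List')
        NextUpdate = $next
        Error      = $null
    }
}

# Usage with placeholder values: list computers that will never get a DDR, then
# show whether the CDP serves a parseable CRL from the DMZ side.
Test-DiscoveryDnsLookup -SearchBase 'OU=DMZ,DC=example,DC=com' |
    Where-Object { -not $_.ARecordResolves } | Format-Table -AutoSize
Test-CdpCrl -CdpUrl 'http://crl.example.com/CertEnroll/ExampleCA.crl' | Format-List
```

A computer listed with ARecordResolves = False is exactly the case where discovery silently skips the DDR, so it needs another discovery method; an IsCrl = False result from the DMZ means the CDP must be fixed before any permanent cert is issued.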

From: [email protected] [mailto:[email protected]] On Behalf Of Brian McDonald
Sent: Saturday, February 15, 2014 5:15 PM
To: [email protected]
Subject: RE: [mssms] Where are my clients?

Jason - thanks for taking the time to respond. My primary goal is to utilize 
the IBCM feature.

Is there a setting I need to configure in DNS to be able to properly discover 
my clients in the DMZ?

I have one primary site in my internal domain. My intention is to utilize IBCM. 
I am therefore planning on configuring site systems in the DMZ as follows.

I am intending on putting the FSP and CRL website on the same server and on the 
second server a MP/DP/SUP. The reason is the FSP will accept non-encrypted 
traffic on port 80.

Thanks,

Brian

From: [email protected]
To: [email protected]
Subject: RE: [mssms] Where are my clients?
Date: Sat, 15 Feb 2014 21:02:43 +0000

First note that your boundaries have nothing to do with discovery. AD System
Discovery does do an explicit DNS name lookup though and if that fails, a DDR is
not generated. Without knowing more, that would be my guess of why those
systems are not being discovered.
 
As for placing an MP in the DMZ, you will have issues with this because clients
do not use MPs based on location. Without knowing more about your environment,
I can’t recommend a perfect course of action though aside from saying that no
solution will be perfect because this scenario was just never explicitly
planned for in the product design.
 
J

From: [email protected] [mailto:[email protected]] On Behalf Of Brian McDonald
Sent: Friday, February 14, 2014 5:59 PM
To: [email protected]
Subject: [mssms] Where are my clients?

Hey all,

I recently configured a new IP ranges boundary for my DMZ clients. I then 
assigned that range to a new boundary group called "DMZ clients". :) 

Moving on, I have System Discovery pointing at my DMZ OU. I have run a full
discovery and am currently waiting to gain visibility into the DMZ; however, I
cannot.

My main goal right now is to install a MP/DP/SUP as well as a FSP. However, I 
cannot see these clients.

What am I missing? Thanks to all!

Brian aka 'workin hard'