Good afternoon,

I've been doing mostly Service Manager/SCORCH for a while and now have a new gig where I need to swing back to SCCM more. The current environment consists of an SCCM 2012 site managing only clients on the intranet. In the next month we are migrating all server clients (which are currently managed via BigFix) to SCCM. The question is the best architecture.

At previous employers, we took the path of least resistance: allowed port 80 from DMZ servers back into the intranet for communication with SCCM/WSUS. It worked fine; it just needed manual client installation and a combination of 'hosts' file entries or DMZ DNS to find the internal site servers. Here they want something more secure, but I'm still going to argue for the simplest possible setup.

Right before I started, the current admins built a completely separate SCCM 2012 environment sitting in the DMZ. It's working but seems complex. They installed AD into the 'Front' DMZ and the 'Back' DMZ along with DNS, etc. To make a long story short, the way they did it still required a site server sitting in the 'Trusted' internal intranet (and a PKI server for client/server communications) that could receive traffic on port 80. Yes, this isolates other types of traffic so it remains in the DMZ and allows DNS/AD, etc., but... if we are just letting in AD anyway, why not just go with the design I'm used to?

Looking for feedback, because as I mentioned, in the past I found it much easier to manage by allowing port 80 into the site server from the DMZ. Yes, the solution they built only allows port 80 from the site server system(s) in the two DMZs, but the same could just be done for specific DMZ hosts too (we are talking about 8 or 9 DMZ systems total).

Thanks,
Casey Robertson
IT Systems Engineer
San Diego County Superior Court

