I concur with your thinking. I also submit that opening the ports on the firewall between the hosts in the DMZ and a single (or single set) of internal systems, as long as it's constrained and controlled, is in no way a violation of any security principles. The internal firewall is not meant to be an end-all be-all that inhibits all communication. <soapbox>Security folks IMO have become zealots for high-level principles without understanding reality or the actual low-level technical implementation of the protocols and services involved.</soapbox>
J

From: [email protected] [mailto:[email protected]] On Behalf Of Robertson, Casey
Sent: Thursday, June 5, 2014 5:49 PM
To: [email protected]
Subject: [mssms] DMZ design for SCCM 2012

Good afternoon,

Been doing mostly Service Manager/SCORCH for a while and now have a new gig where I need to swing back to SCCM more. Current environment consists of an SCCM 2012 site managing only clients on the intranet. In the next month we are migrating all server clients (who are currently managed via BigFix) to SCCM. The question is the best architecture.

At previous employers, we took the path of least resistance: allowed port 80 from DMZ servers back into the intranet for communication with SCCM/WSUS. Worked fine; just needed manual client installation and a combination of 'hosts' file entries or DMZ DNS to find the internal site servers. Here they want something more secure, but I'm still going to argue for the simplest possible setup.

Right before I started, the current admins built a completely separate SCCM 2012 environment sitting in the DMZ. It's working but seems complex. They installed AD into the 'Front' DMZ and the 'Back' DMZ along with DNS, etc., etc. To make a long story short, the way they did it still required a site server sitting in the 'Trusted' internal intranet (and a PKI server for client/server communications) that could receive traffic on port 80. Yes, this isolates other types of traffic to remain in the DMZ and allows DNS/AD etc., but .... If we are just letting in AD anyway, why not just go with the design I'm used to?

Looking for feedback because, as I mentioned, in the past I found it much easier to manage by allowing port 80 into the site server from the DMZ. Yes, the server solution they built only allows port 80 from the site server system(s) in the two DMZs, but the same could just be done for specific DMZ hosts too (we are talking like 8 or 9 DMZ systems total).

Thanks,
Casey Robertson
IT Systems Engineer
San Diego County Superior Court
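The reply's criterion ("constrained and controlled") can be stated as a checkable property of the DMZ-to-intranet rule set: explicit source hosts, a single destination (the site server), one port, default deny for everything else. The following is an added example, not code from either message or from any SCCM or firewall product; the addresses, the nine DMZ hosts and the site server are constructed placeholders, and the rule model is a simplification of a real firewall policy.

```python
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import NamedTuple, Union

Endpoint = Union[IPv4Address, IPv4Network]
MGMT_PORT = 80  # HTTP to the site server / WSUS, as in the thread


class Rule(NamedTuple):
    """One allow rule on the internal firewall; the implicit policy is deny."""
    sources: tuple      # DMZ hosts (IPv4Address) or a DMZ network (IPv4Network)
    dest: Endpoint      # the internal site server, or a wider internal range
    port: int           # TCP destination port


def _contains(endpoint: Endpoint, addr: IPv4Address) -> bool:
    return addr == endpoint if isinstance(endpoint, IPv4Address) else addr in endpoint


def allowed(rules, src: str, dst: str, port: int) -> bool:
    """Default-deny evaluation: a flow passes only if a rule matches src, dst and port."""
    s, d = ip_address(src), ip_address(dst)
    return any(
        any(_contains(r_src, s) for r_src in r.sources)
        and _contains(r.dest, d)
        and r.port == port
        for r in rules
    )


def is_constrained(rule: Rule) -> bool:
    """The reply's condition: named source hosts, one destination host, management port only."""
    hosts_only = all(isinstance(s, IPv4Address) for s in rule.sources)
    return hosts_only and isinstance(rule.dest, IPv4Address) and rule.port == MGMT_PORT


# Constructed sample values: nine DMZ hosts (documentation range) and one
# internal site server, standing in for the "8 or 9 DMZ systems" in the thread.
DMZ_HOSTS = tuple(ip_address(f"192.0.2.{n}") for n in range(10, 19))
SITE_SERVER = ip_address("10.10.0.5")

# What the thread argues for: port 80 from the listed DMZ hosts to the site server only.
CONSTRAINED = [Rule(DMZ_HOSTS, SITE_SERVER, MGMT_PORT)]
# The shape to avoid: the whole DMZ subnet to the whole internal range on port 80.
BROAD = [Rule((ip_network("192.0.2.0/24"),), ip_network("10.0.0.0/8"), MGMT_PORT)]

if __name__ == "__main__":
    for name, rules in (("constrained", CONSTRAINED), ("broad", BROAD)):
        print(name, "meets criterion:", all(is_constrained(r) for r in rules))
    print("unlisted DMZ host -> site server:80:", allowed(CONSTRAINED, "192.0.2.50", "10.10.0.5", 80))
```

Running it shows the constrained set passing the criterion while an unlisted DMZ host, a second internal host, or any other port is still denied.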