First of all you don't need a separate site server in the DMZ just to manage 
internet facing clients. Without knowing more about the environment along with 
business/technical goals it would be hard to give a fair and accurate 
recommendation.

Are these true DMZ/WG clients? Is there an external domain? Are these separate 
forests/domains? Is there a two-way trust set up? Is there a current PKI infra 
in place? Do you want Internet clients going back to the Internet-facing DP to 
get updates, or do you want those clients to go to Microsoft Update? The 
latter is the default in CM12, I believe.

Generally speaking, you would deploy a site system in the DMZ to host the 
Internet-facing roles MP/DP/SUP. I typically put all HTTP roles on one site 
system and all HTTPS roles on another.

Rich

Sent from my iPhone

On Jun 5, 2014, at 5:49 PM, "Robertson, Casey" 
<[email protected]> wrote:

Good afternoon,

Been doing mostly Service Manager/SCORCH for a while and now have a new gig 
where I need to swing back to SCCM more.  Current environment consists of SCCM 
2012 site managing only clients on the intranet.  In the next month we are 
migrating all server clients (who are currently managed via BigFix) to SCCM.  
The question is the best architecture.

At previous employers, we took the path of least resistance: we allowed port 80 
from DMZ servers back into the intranet for communication with SCCM/WSUS. It 
worked fine; it just needed manual client installation and a combination of 
'hosts' file entries or DMZ DNS to find the internal site servers.

Here they want something more secure, but I'm still going to argue for the 
simplest possible setup. Right before I started, the current admins built a 
completely separate SCCM 2012 environment sitting in the DMZ. It's working but 
seems complex. They installed AD into the 'Front' DMZ and the 'Back' DMZ along 
with DNS, etc. To make a long story short, the way they did it still 
required a site server sitting in the 'Trusted' internal intranet (and a PKI 
server for client/server communications) that could receive traffic on port 80. 
Yes, this isolates other types of traffic so it remains in the DMZ and allows 
DNS/AD, etc., but if we are just letting in AD anyway, why not just go with the 
design I'm used to?

Looking for feedback, because as I mentioned, in the past I found it much easier 
to manage by allowing port 80 into the site server from the DMZ. Yes, the 
solution they built only allows port 80 from the site system(s) in the two DMZs, 
but the same could just be done for specific DMZ hosts too (we are talking 
about 8 or 9 DMZ systems total).

Thanks,

Casey Robertson
IT Systems Engineer
San Diego County Superior Court
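The two designs discussed in this thread (Rich's DMZ site system hosting the Internet-facing MP/DP/SUP roles over HTTPS, and Casey's port-80 allowance from the DMZ into the internal site server, scoped to a handful of DMZ hosts) can both be checked from the defender's side. The following PowerShell is an added example written for this page, not code from either poster or from Microsoft; every hostname and address in it is a placeholder, and it uses only built-in cmdlets (Invoke-WebRequest, the Cert: drive and the NetSecurity module) plus the standard ConfigMgr management point probe URL `/SMS_MP/.sms_aut?mplist`:

```powershell
# Added example, not from the thread. Placeholders: replace with your own site systems.
$DmzMp          = 'ibcm-mp.example.com'        # HTTPS Internet-facing MP/DP/SUP in the DMZ
$InternalMp     = 'cm01.corp.example.local'    # internal HTTP site system
$DmzSiteSystems = @('192.0.2.10', '192.0.2.11') # the only DMZ hosts allowed to reach port 80 internally

# 1. Probe a management point the way a client does (mplist is served without client auth).
#    Expect the DMZ MP to answer on 443 and the internal MP to be unreachable from the DMZ.
function Test-CmMpEndpoint {
    param([string]$Server, [int]$Port, [switch]$Https)
    $scheme = if ($Https) { 'https' } else { 'http' }
    $url = "${scheme}://${Server}:${Port}/SMS_MP/.sms_aut?mplist"
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $url; Status = $r.StatusCode; Reachable = $true }
    } catch {
        [pscustomobject]@{ Url = $url; Status = $null; Reachable = $false }
    }
}

# 2. An HTTPS client needs a machine certificate with the Client Authentication EKU
#    (OID 1.3.6.1.5.5.7.3.2), a private key, and a validity period that has not lapsed.
#    Run this on a DMZ/Internet client to confirm the PKI piece is in place.
function Get-CmClientAuthCert {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# 3. On the internal site server: find inbound TCP/80 allow rules that accept any remote
#    address. These are the rules the port-80 design must avoid; scope them instead.
function Find-OpenPort80Rules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        if ($pf.Protocol -eq 'TCP' -and
            ($pf.LocalPort -contains '80' -or $pf.LocalPort -eq 'Any') -and
            $af.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                LocalPort     = ($pf.LocalPort -join ',')
                RemoteAddress = $af.RemoteAddress
            }
        }
    }
}

# 4. Replace the broad rule with one limited to the DMZ site systems (or the 8-9 DMZ hosts).
function Set-CmPort80Scope {
    param([string[]]$AllowedRemote)
    $name = 'CM MP HTTP from DMZ site systems only'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 80 -RemoteAddress $AllowedRemote -Action Allow -Profile Domain | Out-Null
    }
    Get-NetFirewallRule -DisplayName $name | Get-NetFirewallAddressFilter
}

# Usage (run the probes from a DMZ host, the firewall functions on the internal site server):
Test-CmMpEndpoint -Server $DmzMp -Port 443 -Https
Test-CmMpEndpoint -Server $InternalMp -Port 80
Get-CmClientAuthCert
Find-OpenPort80Rules
Set-CmPort80Scope -AllowedRemote $DmzSiteSystems
```

The probe in step 1 is worth running twice: once from a DMZ host, where only the HTTPS DMZ MP should answer, and once from an Internet-side address, where neither the internal site server nor the DMZ HTTP site system should be reachable at all. Step 3 is the audit that tells you whether "port 80 from the DMZ" has quietly become "port 80 from anywhere"; step 4 is the scoped rule that keeps it to the listed hosts, which is the property Casey's argument rests on. After removing any rule step 3 reports, rerun it and expect no output.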
