I typically set up an MP to take connections from the Internet only, not 
Intranet and Internet; this MP is typically in a DMZ.

Boundaries have nothing to do with setting the client to Intranet or Internet 
mode; it's based on the client being able to communicate with AD internally. 
That's why your Internet clients are still Intranet.

Here's a TechNet article going over the cert templates to create: 
http://technet.microsoft.com/en-us/library/gg682023

I also gave a presentation at a user group that goes over creating and issuing 
the templates, which you may find helpful: 
http://memug.wordpress.com/2014/08/08/replay-july-2014-memug/

Thanks,

Justin Chalfant
Premier Field Engineer - Configuration Manager
Public Sector
Microsoft Services

Tel : (303) 846-2701
Email: [email protected]

If you have any feedback about my work, please let either myself or my manager 
Rusty Gray know at [email protected]

From: [email protected] On Behalf Of Kent, Mark
Sent: Monday, September 29, 2014 9:31 AM
To: [email protected]
Subject: [mssms] Couple questions on IBCM

We are looking at putting IBCM into production in the near future and I have 
two questions.

The first involves communication.  Our production environment has 3 MPs.  I 
know that as you phase IBCM in that you should set them to both HTTP and HTTPS, 
and that the client will choose HTTPS first if it's available.  Eventually I'd 
like to set all three to HTTPS only.  My question is, I still want the clients 
to take advantage of intranet only communications while on the LAN (full SCCM 
features).  I am assuming that when the client comes online, if it finds its IP 
in the normal boundaries, it assumes Intranet.  In my test lab with a single MP 
and it set to HTTPS only, I noticed that the connection type is "Currently 
intranet" so I assume that's what it means.  So if a client then comes in from 
the Internet, it will see its IP is not in a boundary and switch its connection 
to Internet (limited set of features).  Does this make sense and is it correct?

My second question is really about PKI and SCCM in general.  I have been 
reading over some blog articles and the TechNet pages on this, but just 
wondered if anyone had any links they can swear by.  I know a little about PKI 
and I am not our PKI admin (we do have an Enterprise CA).  I would like to 
understand a bit more about the passing of the certs, how they are used by 
SCCM, etc.  Any additional insights are appreciated.  Thanks!

Mark Kent (MCP)
Sr. Desktop Systems Engineer
Computing & Technology Services - SUNY Buffalo State




