Technically, that would work, but I concur, simply forwarding the traffic, 
particularly to the primary site server, would be bad joo-joos. You would 
certainly want to reverse proxy it or at least only forward traffic to a 
separate site system hosting the MP, DP, and SUP roles where this site system 
is tightly controlled and well locked down.


From: [] On 
Behalf Of David Jones
Sent: Tuesday, September 20, 2016 6:32 AM
Subject: Re: [mssms] Current Branch (1606hf1) and the cloud

It was suggested to just put a rule in the netscaler to point the outside 
requests straight to the primary.  That probably makes a security risk.  Thanks 
for the reply Jason.

On Mon, Sep 19, 2016 at 10:18 AM, Jason Sandys 
<<>> wrote:
They don’t have to be straight outside. You can reverse proxy them (client 
traffic is just HTTPS traffic after all) and/or put these site systems in the 
DMZ – many folks do both.

As of CB, you could also host the site system in Azure IaaS (or another cloud 
provider’s IaaS although that won’t strictly be a supported configuration). 
This would also require a VPN or ExpressRoute to Azure (or the equivalent to 
another provider if you go down that route).

Hopefully in 1610, you’ll be able to use a cloud proxy point in Azure which 
won’t require IaaS at all – it’ll be just another role in ConfigMgr (somewhat 
similar to the cloud DP).

DirectAccess is another choice here as well as it simply provides a path for 
all external clients to get to your existing site systems.


On Behalf Of David Jones
Sent: Monday, September 19, 2016 8:35 AM
Subject: [mssms] Current Branch (1606hf1) and the cloud

I have never had an Internet facing MP/DP and I won't get one working here 
because they just won't put anything straight outside. So what are my options 
to get both MP/DP/App Catalog functions going just for PC's?

Reply via email to