Technically, that would work, but I concur, simply forwarding the traffic,
particularly to the primary site server, would be bad joo-joos. You would
certainly want to reverse proxy it or at least only forward traffic to a
separate site system hosting the MP, DP, and SUP roles where this site system
is tightly controlled and well locked down.
From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On
Behalf Of David Jones
Sent: Tuesday, September 20, 2016 6:32 AM
Subject: Re: [mssms] Current Branch (1606hf1) and the cloud
It was suggested to just put a rule in the netscaler to point the outside
requests straight to the primary. That probably makes a security risk. Thanks
for the reply Jason.
On Mon, Sep 19, 2016 at 10:18 AM, Jason Sandys
They don’t have to be straight outside. You can reverse proxy them (client
traffic is just HTTPS traffic after all) and/or put these site systems in the
DMZ – many folks do both.
As of CB, you could also host the site system in Azure IaaS (or another cloud
provider’s IaaS although that won’t strictly be a supported configuration).
This would also require a VPN or ExpressRoute to Azure (or the equivalent to
another provider if you go down that route).
Hopefully in 1610, you’ll be able to use a cloud proxy point in Azure which
won’t require IaaS at all – it’ll be just another role in ConfigMgr (somewhat
similar to the cloud DP).
DirectAccess is another choice here as well as it simply provides a path for
all external clients to get to your existing site systems.
On Behalf Of David Jones
Sent: Monday, September 19, 2016 8:35 AM
Subject: [mssms] Current Branch (1606hf1) and the cloud
I have never had an Internet facing MP/DP and I won't get one working here
because they just won't put anything straight outside. So what are my options
to get both MP/DP/App Catalog functions going just for PC's?