Five supported options (that I can think of):

- Stand up a new domain in the DMZ.

- Extend your internal domain to the DMZ (most security folks don’t like this for mostly good reasons).

- Use a reverse proxy in the DMZ to forward traffic to internal site systems.

- Use a Cloud Management Gateway (new feature in 1610 that eliminates any additional on-prem infrastructure for IBCM).

- Stand up an Internet-enabled site system in IaaS on the cloud provider of your choice (only Azure would be technically supported here). This would require extending your domain to the cloud-hosted VM, but that should be easier than to your DMZ.
J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On 
Behalf Of Marcum, John
Sent: Thursday, December 1, 2016 8:19 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Current Branch - Internet Based CLients - Internet facing 
Site Server Need to be on domain?

Just upgrade to 1610 and get rid of all the DMZ servers. Your security guys 
will love you!



From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Thursday, December 1, 2016 7:47 AM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Current Branch - Internet Based CLients - Internet facing 
Site Server Need to be on domain?

Now that I’ve brought this up, our Microsoft rep agrees and is suggesting a 
separate domain be added into our DMZ.  Is that generally what you’ve seen?

I would imagine you would have mentioned it or the article would have.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Jason Sandys
Sent: November-30-16 4:47 PM
To: mssms@lists.myitforum.com
Subject: [mssms] RE: Current Branch - Internet Based CLients - Internet facing 
Site Server Need to be on domain?

The below is correct, current, and applicable to ConfigMgr CB: it must be 
domain joined. I’ve heard of this being side-stepped through some creative 
work, but that wouldn’t be supported (or advisable IMO).

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Burke, John
Sent: Wednesday, November 30, 2016 1:45 PM
To: mssms@lists.myitforum.com
Subject: [mssms] Current Branch - Internet Based CLients - Internet facing Site 
Server Need to be on domain?

Hi

We are setting this up now and it’s in a DMZ and a workgroup. I happened to 
read this via this link. Hoping it’s not the case.
It’s a couple of years old, and is ConfigMgr 2012, but I thought I recalled something 
somewhere. I’m guessing Reza would be able to answer this off the top of his 
head. I’m sure he would have let us know if a workgroup wouldn’t work. Feel 
free to ignore if this isn’t applicable now.
https://www.petervanderwoude.nl/post/five-key-configuration-steps-for-implementing-internet-based-clients-in-configmgr-2012/

“Prerequisites
Before going through these steps, there are a few important prerequisites that 
should be in place:

  *   Site systems for Internet-based client management must have connectivity 
to the Internet and must be in an Active Directory domain.
  *   A supporting public key infrastructure (PKI) has to be in place, that can 
deploy and manage the certificates that the clients require and that are 
managed on the Internet and the Internet-based site system servers.
  *   The Internet fully qualified domain name (FQDN) of site systems that 
support Internet-based client management must be registered as host entries on 
public DNS servers.”