Correct. During the PE boot, it pulls the image (the PE boot image) from the network. I'm told we can put a certificate on that image. We're going to test to ensure that the PE image does in fact use the certificate. If so, does our infrastructure support this method? We'll test whether using Dot1X authentication will preclude them from getting an IP address if they're submitting the wrong certificate (using a cert from Network A, not Network B).
Make sense? On paper it seems feasible, just have to test it now.

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Friday, December 12, 2008 7:43 PM
To: NT System Admin Issues
Subject: Re: Image deployment to two disparate networks

On Fri, Dec 12, 2008 at 8:57 AM, Fogarty Rick MR - CONTR - Team EITC <[email protected]> wrote:
> However, two of the networks sometimes share the same computer.
> A switch box allows the user to switch between Network A and Network
> B by using a different HD (they're removable).
> During the PE boot process it obviously sends a broadcast out
> looking for an IP address. How do I ensure a machine from network A does
> not request an address from network B?

I don't know anything about MS-SMS, so perhaps I'm misunderstanding, but you're doing a network boot with PXE, right?

If so, I don't think you'll be able to do anything about it at that point. PXE sends a DHCP request with its unique ID, but that ID is based on the MAC address and/or motherboard firmware, not the hard disk drive. Indeed, you don't even need a hard disk drive for PXE to work. Once WinPE is up and running, then certificates maybe could come into play (or not; I dunno), but by that time, the computer has already received the DHCP lease from "the wrong network".

You might be able to detect that the hard drive's serial number belongs on Network B when you've booted on Network A, and prevent things from going further. That would involve some WinPE/MS-SMS magic way outside my experience, though.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
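The point made in the reply above, that a PXE client's DHCP request identifies the machine by MAC address and firmware UUID and carries nothing from the hard disk, shown as an added example that is not part of the original thread: a parser for the identity fields of a DHCPDISCOVER. The packet is constructed sample data, and the MAC, UUID and function names are assumptions.

```python
import struct
import uuid

MAGIC_COOKIE = b"\x63\x82\x53\x63"
# Constructed sample values, not taken from the thread.
SAMPLE_MAC = bytes.fromhex("001122334455")
SAMPLE_UUID = uuid.UUID("12345678-1234-5678-1234-567812345678")

def build_sample_discover(mac=SAMPLE_MAC, machine_uuid=SAMPLE_UUID):
    """Build a minimal PXE DHCPDISCOVER (constructed, not a capture)."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, len(mac), 0, 0x12345678, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4),
                         mac, bytes(64), bytes(128))
    opts = [(53, b"\x01"),                               # DHCPDISCOVER
            (60, b"PXEClient:Arch:00000:UNDI:002001"),   # vendor class
            (93, b"\x00\x00"), (94, b"\x01\x02\x01"),    # arch, UNDI version
            (97, b"\x00" + machine_uuid.bytes)]          # type 0 + firmware UUID
    body = b"".join(bytes([c, len(d)]) + d for c, d in opts)
    return header + MAGIC_COOKIE + body + b"\xff"

def parse_options(packet):
    """Return {option code: value}; reject short or truncated packets."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:   # 255 = end option
        if packet[i] == 0:                        # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        code, length = packet[i], packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts

def client_identity(packet):
    """Everything in the request that identifies the booting machine."""
    opts = parse_options(packet)
    hlen = min(packet[2], 16)
    ident = {"mac": packet[28:28 + hlen].hex(":"),
             "vendor_class": opts.get(60, b"").decode("ascii", "replace")}
    guid = opts.get(97, b"")
    if len(guid) == 17 and guid[0] == 0:
        # Shown in wire order; some firmware stores the first fields little-endian.
        ident["machine_uuid"] = str(uuid.UUID(bytes=guid[1:]))
    return ident
```

The returned fields are the same whichever removable disk is inserted, so a DHCP server alone cannot tell a "Network A" boot from a "Network B" boot of the same machine.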
