RE: [mssms] SCCM 2012, PKI and ICBM
This is the direction my company decided to go.

1 Primary Site on our internal domain that will host several site roles including (MP/DP/SUP/Application Catalog WebSite/WebService Portal, etc.). SQL is installed locally.
1 Site System in the DMZ that will be the FSP and CRL Website
1 Site System in the DMZ that will be a secondary MP/DP/SUP

I'm trying to gather/collect a list of the needed certs I will need in this case.

1) SSL Cert needed for my Primary Site as well as my Site System in the DMZ hosting the MP/DP/SUP? If they are on separate servers?
2) A SQL cert? SQL is local install
3) DMZ Site System requires the cert installed with the Internet FQDN and an external DNS entry is needed at my company's external DNS server.
4) Deploy DMZ FQDN cert to each system that may need it (GPO for auto-enrollment)

What am I missing? :)

Thanks,
Brian

Date: Mon, 3 Feb 2014 10:50:03 -0800
Subject: Re: [mssms] SCCM 2012, PKI and ICBM
From: bmonrad@gmail.com
To: mssms@lists.myitforum.com

We are currently using one of those published options requiring fewer servers. If I had it to do over again (and I may get that opportunity this year), I would probably choose Troy's recommendation of Scenario 3.
RE: [mssms] SCCM 2012, PKI and ICBM
I had a hell of a time getting TMG working. I had a limited understanding of certificates so unless you know how they work (particularly between SCCM/TMG), I'd recommend against using TMG simply because there isn't a lot of documentation on how to configure it. The process on Technet is for configuring ISA which didn't work for me. Plus, I believe if they haven't already, Microsoft will soon no longer offer support for TMG. It was discontinued in 2012.

If I had to do it all over again, I probably would've gone with a SQL replica in the DMZ. Or I'd look into a MP with two NICs. http://technet.microsoft.com/en-us/library/bb680966.aspx

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Benjamin Monrad
Sent: Friday, January 31, 2014 6:40 PM
To: mssms@lists.myitforum.com
Subject: Re: [mssms] SCCM 2012, PKI and ICBM

You could place TMG in the DMZ and use that to proxy client traffic to an MP/DP/SUP on an internal network.
Re: [mssms] SCCM 2012, PKI and ICBM
We are currently using one of those published options requiring fewer servers. If I had it to do over again (and I may get that opportunity this year), I would probably choose Troy's recommendation of Scenario 3.

On Sat, Feb 1, 2014 at 3:45 AM, Troy Martin troy.mar...@1e.com wrote:

...there are several options (http://technet.microsoft.com/en-us/library/bb693824.aspx) to consider, with - I believe - Scenario 3 with SQL Server Replica (http://technet.microsoft.com/en-us/library/bb694250.aspx) being the most secure and the one I've successfully implemented at several customers. Don't worry about the documentation being for ConfigMgr 2007...everything still applies to 2012. Microsoft did not include the IBCM supported scenarios documentation in 2012.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
Re: [mssms] SCCM 2012, PKI and ICBM
Scenario 4: Internet connections into the intranet - http://technet.microsoft.com/en-us/library/bb632529.aspx ...but is also arguably the least secure, because you're allowing IBCM clients to communicate directly with site systems over the Internet. Intranet clients are also communicating with the same.

I prefer Scenario 3 with SQL Server Replica (http://technet.microsoft.com/en-us/library/bb694250.aspx) because IBCM client traffic is isolated/restricted to communicating only with site systems in the DMZ. Also in this scenario, site systems in the DMZ (should be) are restricted from initiating communications with the site server and site database server on the intranet. This is achieved in three ways:

- no firewall rules should be configured allowing inbound traffic originating from the site systems in the DMZ
- All site systems should be configured to Allow site server initiated communications with this site system
- SQL Server Replication should be configured for Push Replication, where the SQL Server (on the intranet) hosting the site database initiates communication with the SQL Server in the DMZ that is hosting the replica copy of the site database.

The MP site system in the DMZ communicates directly with the SQL Server in the DMZ when reading the replica site database.

When dealing with traffic initiated (from devices) over the Internet, it's not about what's the easiest, but what is the most secure.

Sent from my iPad

On Feb 1, 2014, at 5:39 PM, Brian McDonald mcdonald...@hotmail.com wrote:

Thanks Troy - any recommendations on which one is the 'easiest' to setup?
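The isolation goals described for Scenario 3 in the message above can be checked mechanically against a firewall rule export. The following is an added example, not part of the original thread and not Microsoft tooling; the address ranges, rule names and ports are constructed for illustration, and the `Rule` format is a hypothetical simplification of a real firewall export.

```python
"""Audit a firewall rule set against the Scenario 3 isolation goals.

Added example. The address plan, rule names and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumption, not taken from the thread).
INTRANET = ipaddress.ip_network("10.0.0.0/16")
DMZ = ipaddress.ip_network("192.168.50.0/24")

# Zone pairs that Scenario 3 is meant to rule out.
FORBIDDEN = {
    ("dmz", "intranet"): "DMZ system can initiate a connection into the intranet",
    ("internet", "intranet"): "Internet client can reach an intranet system directly",
}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: int


def zones(spec):
    """Return every zone that a CIDR (or "any") can contain addresses from."""
    net = ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)
    found = set()
    if net.overlaps(INTRANET):
        found.add("intranet")
    if net.overlaps(DMZ):
        found.add("dmz")
    # A range not fully inside one of our zones also covers outside addresses.
    if not (net.subnet_of(INTRANET) or net.subnet_of(DMZ)):
        found.add("internet")
    return found


def audit(rules):
    """List (rule name, direction, reason) for each forbidden flow an allow rule permits.

    Conservative: rule order is ignored, so an allow rule shadowed by an
    earlier deny is still reported and should be reviewed by hand.
    """
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        for src_zone in sorted(zones(rule.src)):
            for dst_zone in sorted(zones(rule.dst)):
                reason = FORBIDDEN.get((src_zone, dst_zone))
                if reason:
                    findings.append((rule.name, f"{src_zone}->{dst_zone}", reason))
    return findings


# Constructed rule set shaped like Scenario 3: Internet clients stop at the DMZ,
# and every intranet/DMZ connection is initiated from the intranet side.
SCENARIO_3_RULES = [
    Rule("internet-https-to-dmz-mp", "allow", "any", "192.168.50.20/32", 443),
    Rule("site-server-to-dmz-systems", "allow", "10.0.1.10/32", "192.168.50.0/24", 445),
    Rule("sql-push-to-dmz-replica", "allow", "10.0.1.20/32", "192.168.50.21/32", 1433),
]

# Same set plus two constructed rules that undo the isolation.
WEAK_RULES = SCENARIO_3_RULES + [
    # DMZ MP reads the intranet site database instead of the local replica.
    Rule("dmz-mp-to-intranet-site-db", "allow", "192.168.50.20/32", "10.0.1.20/32", 1433),
    # "any" as source covers both Internet clients and DMZ hosts.
    Rule("internet-https-to-intranet-mp", "allow", "any", "10.0.1.30/32", 443),
]

if __name__ == "__main__":
    for label, rules in (("scenario 3", SCENARIO_3_RULES), ("weak", WEAK_RULES)):
        print(label)
        for name, direction, reason in audit(rules) or [("-", "-", "no findings")]:
            print(f"  {name}: {direction}: {reason}")
```

A rule with source "any" is reported twice because it opens the intranet to both Internet clients and DMZ hosts, which is the case most easily missed when reading rules by eye.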
RE: [mssms] SCCM 2012, PKI and ICBM
...there are several options (http://technet.microsoft.com/en-us/library/bb693824.aspx) to consider, with - I believe - Scenario 3 with SQL Server Replica (http://technet.microsoft.com/en-us/library/bb694250.aspx) being the most secure and the one I've successfully implemented at several customers. Don't worry about the documentation being for ConfigMgr 2007...everything still applies to 2012. Microsoft did not include the IBCM supported scenarios documentation in 2012.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
US Mobile: +1 (678) 898-6147
UK Mobile : +44 782 655 0296
troy.mar...@1e.com | www.1e.com
Facebook http://www.facebook.com/1eglobal | Twitter https://twitter.com/1e_global/ | YouTube http://www.youtube.com/1enews | Blogs http://blogs.1e.com/ | RSS http://blogs.1e.com/index.php/feed/
Please consider the environment before printing this e-mail

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Friday, January 31, 2014 10:36 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM

So, it's official. The decision has been made PKI and ICBM. :(

I have two domains. 1 internal Domain ABC.domain and 1 DMZ ABC0.domain. The requirement is to be able to leverage PKI and ICBM for internet clients. Therefore, my requirements would be:

1) PKI Infrastructure
2) Would I absolutely have to have a Standalone DP in my DMZ? I do not have any workgroup clients in the DMZ?

Seems to me there would be another way or methods to accomplish this w/o having to install a DP in the DMZ. Please correct me if I'm wrong.

Thanks,
Brian

From: t3chn...@hotmail.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Sun, 26 Jan 2014 13:32:01 -0700

Another good resource that I keep on hand ...

http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Friday, January 24, 2014 8:05 AM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Discussing this with my counterpart now. No, we do not have a PKI infrastructure. I came across this recently. There may be other sources out there but this does seem fairly straight forward.

http://blogs.msdn.com/b/scstr/archive/2012/05/31/step_2d00_by_2d00_step_2d00_example_2d00_deployment_2d00_of_2d00_the_2d00_pki_2d00_certificates_2d00_for_2d00_configuration_2d00_manager_2d00_2012_2d00_windows_2d00_server_2d00_2008.aspx

I'm entirely new to PKI, so any direction would be nice.

Thanks,
Brian

From: eric.morri...@hotmail.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Wed, 22 Jan 2014 09:29:09 -0600

Setting up IBCM in 2012 is a breeze compared to the 2007 days. I've configured IBCM in both versions and as long as you have basic PKI understanding, you shouldn't have too many roadblocks.

In the environment you are going to use to set it up, do you already have PKI setup with machine certificates deployed, specifically workstations to be managed over the internet? You'll also need to either stand up a new site system server in your DMZ, or have the ports reverse proxy to your primary site server. If you're going to do Software Distribution, Software Updates, and App Catalog, then you'll need to make sure those roles are setup as HTTPS and the appropriate web server cert in IIS and make sure the roles allow intranet and internet. After that it's just a matter of making sure the clients have the public fqdn configured for IBCM and that the firewall ports are open.

Now, if DA is the option like so many suggested, definitely go that route... :)

Thanks,
Eric Morrison

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, January 21, 2014 2:52 PM
To: mssms@lists.myitforum.com; mssms@lists.myitforum.com
Subject: [mssms] SCCM 2012, PKI and ICBM

Hey everyone,

Just out of curiosity, how many hours would you estimate it would take to setup a PKI infrastructure and ICBM for SCCM 2012 R2? My boss has asked me to implement and I have no idea what to guestimate for hours. Looking for someone who has experience with implementing both PKI and ICBM that might be able to give me a rough idea of how many hours this would take. From what I've read ICBM is complex to setup, but that was back in CM07. Not sure how much has changed with CM12.

Thanks,
Brian
RE: [mssms] SCCM 2012, PKI and ICBM
Thanks Troy - any recommendations on which one is the 'easiest' to setup?

Brian

From: troy.mar...@1e.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Sat, 1 Feb 2014 11:45:28 +

…there are several options to consider, with – I believe - Scenario 3 with SQL Server Replica being the most secure and the one I’ve successfully implemented at several customers. Don’t worry about the documentation being for ConfigMgr 2007…everything still applies to 2012. Microsoft did not include the IBCM supported scenarios documentation in 2012.

Troy L. Martin | Principal Consultant
1E | Empowering Efficient IT
Re: [mssms] SCCM 2012, PKI and ICBM
You could place TMG in the DMZ and use that to proxy client traffic to an MP/DP/SUP on an internal network.

On Fri, Jan 31, 2014 at 2:36 PM, Brian McDonald mcdonald...@hotmail.com wrote:

So, it's official. The decision has been made PKI and ICBM. :(

I have two domains. 1 internal Domain ABC.domain and 1 DMZ ABC0.domain. The requirement is to be able to leverage PKI and ICBM for internet clients. Therefore, my requirements would be:

1) PKI Infrastructure
2) Would I absolutely have to have a Standalone DP in my DMZ? I do not have any workgroup clients in the DMZ?

Seems to me there would be another way or methods to accomplish this w/o having to install a DP in the DMZ. Please correct me if I'm wrong.

Thanks,
Brian
Re: [mssms] SCCM 2012, PKI and ICBM
What is the recommended config something like this or are there other possible solutions?

Brian

Sent from my iPhone

On Jan 31, 2014, at 5:40 PM, Benjamin Monrad bmonrad@gmail.com wrote:

You could place TMG in the DMZ and use that to proxy client traffic to an MP/DP/SUP on an internal network.
RE: [mssms] SCCM 2012, PKI and ICBM
Another good resource that I keep on hand ...

http://blogs.technet.com/b/askds/archive/2009/09/01/designing-and-implementing-a-pki-part-i-design-and-planning.aspx

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald Sent: Friday, January 24, 2014 8:05 AM To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Discussing this with my counterpart now. No, we do not have a PKI infrastructure. I came across this recently. There may be other sources out there but this does seem fairly straight forward.

http://blogs.msdn.com/b/scstr/archive/2012/05/31/step_2d00_by_2d00_step_2d00_example_2d00_deployment_2d00_of_2d00_the_2d00_pki_2d00_certificates_2d00_for_2d00_configuration_2d00_manager_2d00_2012_2d00_windows_2d00_server_2d00_2008.aspx

I'm entirely new to PKI, so any direction would be nice.

Thanks, Brian
RE: [mssms] SCCM 2012, PKI and ICBM
Discussing this with my counterpart now. No, we do not have a PKI infrastructure. I came across this recently. There may be other sources out there but this does seem fairly straight forward.

http://blogs.msdn.com/b/scstr/archive/2012/05/31/step_2d00_by_2d00_step_2d00_example_2d00_deployment_2d00_of_2d00_the_2d00_pki_2d00_certificates_2d00_for_2d00_configuration_2d00_manager_2d00_2012_2d00_windows_2d00_server_2d00_2008.aspx

I'm entirely new to PKI, so any direction would be nice.

Thanks, Brian

From: eric.morri...@hotmail.com To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM Date: Wed, 22 Jan 2014 09:29:09 -0600

Setting up IBCM in 2012 is a breeze compared to the 2007 days. I’ve configured IBCM in both versions and as long as you have basic PKI understanding, you shouldn’t have too many roadblocks. In the environment you are going to use to set it up, do you already have PKI setup with machine certificates deployed, specifically workstations to be managed over the internet? You’ll also need to either stand up a new site system server in your DMZ, or have the ports reverse proxy to your primary site server. If you’re going to do Software Distribution, Software Updates, and App Catalog, then you’ll need to make sure those roles are setup as HTTPS and the appropriate web server cert in IIS and make sure the roles allow intranet and internet. After that it’s just a matter of making sure the clients have the public fqdn configured for IBCM and that the firewall ports are open.

Now, if DA is the option like so many suggested, definitely go that route… :)

Thanks, Eric Morrison
RE: [mssms] SCCM 2012, PKI and ICBM
What about Windows Intune fitting into the discussion as a possible solution? This would get us what we need (Patch Deployment, Compliance Management, Software Deployment). This gives us the same ability to manage internet clients all from a single pane in CM12.

From: mcdonald...@hotmail.com To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM Date: Fri, 24 Jan 2014 09:04:55 -0600

Discussing this with my counterpart now. No, we do not have a PKI infrastructure. I came across this recently. There may be other sources out there but this does seem fairly straight forward.

http://blogs.msdn.com/b/scstr/archive/2012/05/31/step_2d00_by_2d00_step_2d00_example_2d00_deployment_2d00_of_2d00_the_2d00_pki_2d00_certificates_2d00_for_2d00_configuration_2d00_manager_2d00_2012_2d00_windows_2d00_server_2d00_2008.aspx

I'm entirely new to PKI, so any direction would be nice.

Thanks, Brian
RE: [mssms] SCCM 2012, PKI and ICBM
Correct me if I am wrong, but I don't think we can run the Intune client and ConfigMgr client side by side on one system.

Michael Dzikowski
Senior Systems Engineer | Ally Technical Infrastructure - Windows Hosting

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald Sent: Friday, January 24, 2014 10:08 AM To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM

What about Windows Intune fitting into the discussion as a possible solution? This would get us what we need (Patch Deployment, Compliance Management, Software Deployment). This gives us the same ability to manage internet clients all from a single pane in CM12.
RE: [mssms] SCCM 2012, PKI and ICBM
That's correct. Also, Windows systems managed by Intune are not manageable from ConfigMgr using the Intune connector - the Intune connector is explicitly only for mobile devices (not that Win 8.1 can actually act like a mobile device but you lose any ability to perform software updates or manage SCEP when you manage it this way).

J

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Dzikowski, Michael Sent: Friday, January 24, 2014 9:10 AM To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Correct me if I am wrong, but I don't think we can run the Intune client and ConfigMgr client side by side on one system.

Michael Dzikowski
Senior Systems Engineer | Ally Technical Infrastructure - Windows Hosting
RE: [mssms] SCCM 2012, PKI and ICBM
PKI isn't that bad at all, IBCM on the other hand is very involved and you don't get the same functionality. DA gives you the whole feature set, including Remote Control. If you have IPv4-only devices that the remote machines need to talk to you will need either ISATAP or DNS64.

Christopher Catlett
Consultant | Detroit
Sogeti USA
Office 248-876-9738 | Fax 877.406.9647
26957 Northwestern Highway, Suite 130, Southfield, MI 48033-8456
www.us.sogeti.com

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Trevor Sullivan Sent: Tuesday, January 21, 2014 10:05 PM To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM

The official Microsoft TechNet documentation is excellent.

Remote Access (DirectAccess, Routing and Remote Access) Overview: http://technet.microsoft.com/en-us/library/hh831416.aspx

Cheers, Trevor Sullivan

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald Sent: Tuesday, January 21, 2014 4:13 PM To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Ouch...thanks guys. Never setup DirectAccess either. Anyone point me to some good resources?

Thanks! Rich

From: tsul...@gmail.com To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM Date: Tue, 21 Jan 2014 15:53:17 -0600

+1, working on a project now to plan for DirectAccess instead of IBCM for remote clients.

Cheers, Trevor Sullivan

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Lindenfeld, Ivan Sent: Tuesday, January 21, 2014 3:51 PM To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM

It is my opinion as well that IBCM is hard to set up. We have aborted our effort for now.

Ivan Lindenfeld

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald Sent: Tuesday, January 21, 2014 4:29 PM To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Great question and I'm glad you asked. Possibly. :) Would that be the opinion of most in the group?

Thanks, Brian

From: mlin...@icc.illinois.gov To: mssms@lists.myitforum.com Date: Tue, 21 Jan 2014 14:55:54 -0600 Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Can you use Direct Access?? Much simpler to setup. ICBM is a lot of work.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald Sent: Tuesday, January 21, 2014 2:52 PM To: mssms@lists.myitforum.com Subject: [mssms] SCCM 2012, PKI and ICBM

Hey everyone, Just out of curiosity, how many hours would you estimate it would take to setup a PKI infrastructure and ICBM for SCCM 2012 R2? My boss has asked me to implement and I have no idea what to guestimate for hours. Looking for someone who has experience with implementing both PKI and ICBM that might be able to give me a rough idea of how many hours this would take. From what I've read ICBM is complex to setup, but that was back in CM07. Not sure how much has changed with CM12.

Thanks, Brian
RE: [mssms] SCCM 2012, PKI and ICBM
Setting up IBCM in 2012 is a breeze compared to the 2007 days. I've configured IBCM in both versions and as long as you have basic PKI understanding, you shouldn't have too many roadblocks. In the environment you are going to use to set it up, do you already have PKI setup with machine certificates deployed, specifically workstations to be managed over the internet? You'll also need to either stand up a new site system server in your DMZ, or have the ports reverse proxy to your primary site server. If you're going to do Software Distribution, Software Updates, and App Catalog, then you'll need to make sure those roles are setup as HTTPS and the appropriate web server cert in IIS and make sure the roles allow intranet and internet. After that it's just a matter of making sure the clients have the public fqdn configured for IBCM and that the firewall ports are open.

Now, if DA is the option like so many suggested, definitely go that route. :)

Thanks, Eric Morrison

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald Sent: Tuesday, January 21, 2014 2:52 PM To: mssms@lists.myitforum.com; mssms@lists.myitforum.com Subject: [mssms] SCCM 2012, PKI and ICBM

Hey everyone, Just out of curiosity, how many hours would you estimate it would take to setup a PKI infrastructure and ICBM for SCCM 2012 R2? My boss has asked me to implement and I have no idea what to guestimate for hours. Looking for someone who has experience with implementing both PKI and ICBM that might be able to give me a rough idea of how many hours this would take. From what I've read ICBM is complex to setup, but that was back in CM07. Not sure how much has changed with CM12.

Thanks, Brian
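The certificate prerequisites named in the message above (machine certificates on the internet-managed workstations, a web server certificate in IIS for the HTTPS roles, and the public FQDN) can be audited with a short script before IBCM is enabled. This PowerShell is an added example, not part of the thread: the FQDN `cm.example.com` is a placeholder, the function names are hypothetical, and the mapping of "web server cert" and "machine certificate" to the Server Authentication and Client Authentication EKUs is an assumption the thread does not spell out.

```powershell
param(
    # Placeholder Internet FQDN of the DMZ site system (assumption, not from the thread).
    [string]$InternetFqdn = 'cm.example.com',
    # Flag certificates that expire within this many days.
    [int]$WarnDays = 30
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

# Hypothetical helper: return the EKU OIDs carried by a certificate (nothing if no EKU extension).
function Get-EkuOid {
    param($Cert)
    $ext = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

# Hypothetical helper: classify one certificate against the two roles in the message.
function Test-IbcmCertificate {
    param($Cert, [string]$Fqdn, [int]$WarnDays)

    $ekus  = @(Get-EkuOid -Cert $Cert)
    # DnsNameList is filled from the SAN DNS entries, or from the Subject if there is no SAN.
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    $now   = Get-Date

    $inValidity = ($Cert.NotBefore -le $now) -and ($Cert.NotAfter -gt $now)
    # A certificate without its private key cannot be bound in IIS or used for client auth.
    $usable = $inValidity -and $Cert.HasPrivateKey

    [pscustomobject]@{
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        NotAfter     = $Cert.NotAfter
        ExpiresSoon  = $inValidity -and ($Cert.NotAfter -lt $now.AddDays($WarnDays))
        # Web server role: Server Authentication EKU and an exact name match on the public FQDN.
        WebServerOk  = $usable -and ($ekus -contains $ServerAuthOid) -and ($names -contains $Fqdn)
        # Client role: Client Authentication EKU on the machine certificate.
        ClientAuthOk = $usable -and ($ekus -contains $ClientAuthOid)
    }
}

$report = Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-IbcmCertificate -Cert $_ -Fqdn $InternetFqdn -WarnDays $WarnDays }

$report | Format-Table Subject, NotAfter, ExpiresSoon, WebServerOk, ClientAuthOk -AutoSize

if (-not ($report | Where-Object { $_.WebServerOk })) {
    Write-Warning "No usable web server certificate names $InternetFqdn in LocalMachine\My."
}
if (-not ($report | Where-Object { $_.ClientAuthOk })) {
    Write-Warning 'No usable client authentication certificate found in LocalMachine\My.'
}
```

On a site system the `WebServerOk` column is the one that matters; on a workstation to be managed over the internet, `ClientAuthOk` is.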
RE: [mssms] SCCM 2012, PKI and ICBM
Using DA for a year plus now ... very easy to setup and works a charm.

Robert

christopher.catl...@us.sogeti.com wrote:

PKI isn't that bad at all, IBCM on the other hand is very involved and you don't get the same functionality. DA gives you the whole feature set, including Remote Control. If you have IPv4-only devices that the remote machines need to talk to you will need either ISATAP or DNS64.

Christopher Catlett
Consultant | Detroit
Sogeti USA
Office 248-876-9738 | Fax 877.406.9647
26957 Northwestern Highway, Suite 130, Southfield, MI 48033-8456
www.us.sogeti.com
RE: [mssms] SCCM 2012, PKI and ICBM
Can you use Direct Access?? Much simpler to setup. ICBM is a lot of work.

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald Sent: Tuesday, January 21, 2014 2:52 PM To: mssms@lists.myitforum.com Subject: [mssms] SCCM 2012, PKI and ICBM

Hey everyone, Just out of curiosity, how many hours would you estimate it would take to setup a PKI infrastructure and ICBM for SCCM 2012 R2? My boss has asked me to implement and I have no idea what to guestimate for hours. Looking for someone who has experience with implementing both PKI and ICBM that might be able to give me a rough idea of how many hours this would take. From what I've read ICBM is complex to setup, but that was back in CM07. Not sure how much has changed with CM12.

Thanks, Brian
RE: [mssms] SCCM 2012, PKI and ICBM
Great question and I'm glad you asked. Possibly. :) Would that be the opinion of most in the group?

Thanks, Brian

From: mlin...@icc.illinois.gov To: mssms@lists.myitforum.com Date: Tue, 21 Jan 2014 14:55:54 -0600 Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Can you use Direct Access?? Much simpler to setup. ICBM is a lot of work.
RE: [mssms] SCCM 2012, PKI and ICBM
Can't speak to the effort involved but you get more value for the time spent. The entire OS has the benefit of the network using DA, not just SCCM in the PKI solution.

Thanks,
Mark Mears
mark.me...@cireson.com
Phone: (757) 945-2651
http://www.cireson.com/
http://twitter.com/teamcireson
Check out our System Center App Store: www.cireson.com/app-store

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald Sent: Tuesday, January 21, 2014 3:29 PM To: mssms@lists.myitforum.com Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Great question and I'm glad you asked. Possibly. :) Would that be the opinion of most in the group?

Thanks, Brian
RE: [mssms] SCCM 2012, PKI and ICBM
It is my opinion as well that IBCM is hard to set up. We have aborted our effort for now.

Ivan Lindenfeld

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, January 21, 2014 4:29 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Great question and I'm glad you asked. Possibly. :) Would that be the opinion of most in the group?

Thanks,
Brian
RE: [mssms] SCCM 2012, PKI and ICBM
+1, working on a project now to plan for DirectAccess instead of IBCM for remote clients.

Cheers,
Trevor Sullivan

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Lindenfeld, Ivan
Sent: Tuesday, January 21, 2014 3:51 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM

It is my opinion as well that IBCM is hard to set up. We have aborted our effort for now.

Ivan Lindenfeld
RE: [mssms] SCCM 2012, PKI and ICBM
Ouch...thanks guys. Never setup DirectAccess either. Anyone point me to some good resources?

Thanks!
Rich

From: tsul...@gmail.com
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM
Date: Tue, 21 Jan 2014 15:53:17 -0600

+1, working on a project now to plan for DirectAccess instead of IBCM for remote clients.

Cheers,
Trevor Sullivan
RE: [mssms] SCCM 2012, PKI and ICBM
The official Microsoft TechNet documentation is excellent.

Remote Access (DirectAccess, Routing and Remote Access) Overview
http://technet.microsoft.com/en-us/library/hh831416.aspx

Cheers,
Trevor Sullivan

From: listsad...@lists.myitforum.com [mailto:listsad...@lists.myitforum.com] On Behalf Of Brian McDonald
Sent: Tuesday, January 21, 2014 4:13 PM
To: mssms@lists.myitforum.com
Subject: RE: [mssms] SCCM 2012, PKI and ICBM

Ouch...thanks guys. Never setup DirectAccess either. Anyone point me to some good resources?

Thanks!
Rich