Managing Internet-facing clients
Depending on the environment, you may have clients that:
- Regularly move between the Internet and the intranet
- Are home computers and never connect to the intranet
Managing clients that are not always connected to the internal network can be a challenge. If remote computers use Virtual Private Networking (VPN) to connect to the corporate network on a regular basis, Internet-facing support may not be required. But if we know that clients may use some type of remote desktop to connect to the corporate network, or maybe they don't have to connect to the corporate network at all to do their job, then Internet-facing support should be considered to ensure proper patch and asset management.
CM has two client communication methods: HTTPS only and HTTPS or HTTP. One CM site can support both HTTPS and HTTP communication if required.
Getting ready
Public Key Infrastructure (PKI) certificates are required for Internet-based client communication. Engage with the team that owns PKI in your infrastructure. If a PKI infrastructure doesn't currently exist, follow Microsoft's step-by-step example of deploying PKI https://technet.microsoft.com/en-us/library/mt627852.aspx. Once you have all valid certificates, proceed to the next section.
How to do it...
To enable Internet-facing clients, perform the following steps:
- Navigate to Administration | Site Configuration | Sites, and select the desired site to support Internet-based clients. Right-click on the site and select Properties.
- From the Client Computer Communication tab, select either HTTPS only if you only want to support HTTPS, or HTTPS or HTTP as required.
- Enable the checkbox to Use PKI client certificate, and then click on the Modify button to select the client certification selection criteria, as well as the store name, and then click on OK.
- Click on the Set button to specify the Trusted Root Certification Authorities, and then select the starburst to browse to a new certificate file.
- Select OK to save changes to Site Properties.
- From the Servers and Site System Roles node, select the desired site in the top pane. Select the desired roles from the bottom pane (Management Point, Distribution Point, Software Update Point, as well as Application catalog Point, if required).
- Specify HTTPS for client communication types.
- As long as the new site systems are accessible from the Internet at this point, the infrastructure configuration is complete. Follow the client installation instructions given at https://technet.microsoft.com/en-us/library/mt489016.aspx; to install the CM client properly.
How it works...
CM allows clients assigned to the same primary site to use either HTTP or HTTPS communication. If a client has the PKI cert, it can be set to use HTTP for the intranet and HTTPS for the Internet.
See also
- Refer to the document PKI certificate requirements for System Center Configuration Manager at https://technet.microsoft.com/en-us/library/mt613191.aspx
- Refer to the Plan for managing Internet-based clients in System Center Configuration Manager document at https://technet.microsoft.com/en-us/library/mt629422.aspx
