Monday, April 11, 2016

SCCM 2012 Internet based client management

Download the step-by-step guide in the download section or directly here. For now on, this blog post won’t be updated. Only the document will be.

In this scenario, SCCM 2012 R2 is installed as a stand-alone primary site. For security reason, a second site server will be installed in the DMZ to response to internet clients requests. Internet clients are laptop and tablets that are sometime on the intranet (work network) and sometime on internet.
sccm 2012 internet based client management

Assumption :

  • Your primary site server is up and running
  • Site server is installed in the DMZ
  • Site systems that support Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.
  • The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers
  • Your organisation has a certificate server
  • You have a client on the internet for testing purposes
Grab a cup of coffee and here we go !

High level steps :

  •  Create the needed cerificate
  • Issue the certificate on the new machine
  • GPO creation for client Auto-Enrollment
  • Add the Management Point role and the distribution point role to the new machine
  • Test the setup on an internet client
1.1.   Overview
The following table lists the types of PKI certificates that is required for System Center 2012 Configuration Manager and describes how they are used.
Certificate Requirement
Certificate Description
Web server certificate for site systems that run IIS
This certificate is used to encrypt data and authenticate the server to clients. It must be installed externally from Configuration Manager on site systems servers that run IIS and that are configured in Configuration Manager to use HTTPS.
This certificate will be installed on any site servers with the Management Point and/or Distribution Point Roles. It is used to encrypt data and authenticate clients. Configure this in IIS.
Client certificate for Windows computers
This certificate is used to authenticate Configuration Manager client computers to site systems that are configured to use HTTPS. It can also be used for management points and state migration points to monitor their operational status when they are configured to use HTTPS. It must be installed externally from Configuration Manager on computers.
Client certificate for distribution points
This certificate has two purposes:
The certificate is used to authenticate the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.
When the Enable PXE support for clients’ distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to a HTTPS-enabled management point during the deployment of the operating system.
1.2.   Certificate Creation
WEB SERVER (IIS) CERTIFICATE
This procedure creates a certificate template for Configuration Manager 2012 site systems
To create and issue the Web server certificate template on the certification authority
  1. Ensure that you have a security group that contains the member servers to install Configuration Manager 2012 site systems that will run IIS. (SCCM_SiteServers)
  2. RDP to an Intermediate CA
  3. Open Certification Authority console, right-click Certificate Templates and click Manage
  4. sccm 2012 internet based client managementRight click Web Server and click Duplicate Template.
  5. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK.Do not select Windows 2008 Server, Enterprise Edition.
  6. In the Properties, name this “ConfigMgr 2012 IIS Certificate
  7. Set the Validity Period to 5 years
  8. Click the Subject Name tab, select the Supply in the request radio button.
  9. sccm 2012 internet based client managementClick the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
  10. Click Add, enter “SCCM_SiteServer” in the text box, and then click OK.
  11. Select the Enroll permission for this group, and do not clear the Read permission.
  12. sccm 2012 internet based client managementClick OK, and close the Certificate Templates Console.
DISTRIBUTION POINT SITE SERVER CERTIFICATE
This procedure creates a certificate template for Configuration Manager 2012 Distribution Points.
  1. Ensure that you have a security group that contains the member servers to install Configuration Manager 2012 site systems that will run IIS. (SCCM_SiteServers)
  2. RDP to an Intermediate CA
  3. Open Certification Authority console, right-click Certificate Templates and click Manage
  4. sccm 2012 internet based client managementRight click Workstation Authentication and click Duplicate Template.
  5. Rename the template “ConfigMgr 2012 Client Distribution Point Certificate
  6. Set the Validity Period to 5 years
  7. On the Request Handling tab select Allow private key to be exported.
  8. sccm 2012 internet based client managementOn the Security tab add the “SCCM_SiteServer” group, and give the server Enroll permission. Click Apply, then OK.
  9. Now if you look at the Certificate Templates Console you will see our three new templates.
CLIENT CERTIFICATE
This procedure creates a certificate template for Configuration Manager 2012 clients
  1. RDP to an Intermediate CA
  2. Open Certification Authority console, right-click Certificate Templates and click Manage
  3. sccm 2012 internet based client managementRight click Workstation Authentication and click Duplicate Template.
  4. sccm 2012 internet based client managementMake sure to use Server 2003, not 2008
  5. In the Properties, name this “ConfigMgr 2012 Client Certificate“.
  6. Set the Validity Period to 5 years
  7. Click on the Security tab, select the Domain Computers group and add the permissions of Read and Autoenroll, do not clear Enroll. Then click OK.
  8. sccm 2012 internet based client managementWhen you refresh your console, you will see that the new template is there.
sccm 2012 internet based client management1.3.   Issuing the 3 certificates
  • In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  • In the Enable Certificate Templates dialog box, select the 3 new template you have just created :
  • ConfigMgr 2012 Client Certificate
  • ConfigMgr 2012 IIS Certificate
  • ConfigMgr 2012 Client Distribution Point Certificate
  • Click OK
  • They will then show up in the Certificate Templates listing
  • Close Certification Authority.
1.4.   Auto-Enroll GPO
  • Launch Group Policy Management on your Domain (Start – Administrative Tools – Group Policy Management).
  • Right-click your Laptop OU and select “Create a GPO in this domain, and Link it here…
  • Name your GPO I named my policy “AutoEnroll ConfigMgr Client Cert“, then click OK.
sccm 2012 internet based client management
  • Edit your newly created GPO. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right-click on Certificate Services Client – Auto-Enrollment and then click Properties.
sccm 2012 internet based client managementChange the Configuration Model: to Enabled, check the Update certificates that use certificate templates and select Renew expired certificates, update pending certificates. Then click Apply and OK.
sccm 2012 internet based client management
Reboot a workstation and when you run a “gpupdate /force” or in 15 minutes when GP is re-applied, any machine on the domain communicating with the DC will request and receive a client certificate automatically that will be place in the Local Computer Personal Certificate Store.
1.5.   Distribution Point
REQUEST DISTRIBUTION POINT CERTIFICATE
The same certificate can be used on all DPs. So you only need to do the following steps on the internet facing DP.
  • Reboot your SCCM Site server.
  • This is so that it will pick up the permissions change that will allow it to register for the Web Server Certificate.
  • Once the reboot completes, RDP to your DP server
  • Start > Run.  Type mmc.exe and click OK
  • Click File > Add/Remove Snap-In… Choose Certificates and click Add
  • Choose Computer Account, click Next, Choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal > Certificates folder.
  • Click All Tasks > Request New Certificate…
  • You are presented with the Certificate Enrollment wizard.
  • Click Next.
  • Leave the default here, and click Next
  • At the Request Certificates part of the wizard, check the ConfigMgr Client Distribution Point Certificate.
  • Click Enroll and then finish once the enrollment is successful.
  • Now we need to export the Client Distribution Point Certificate while we are in the Certificates Management console.
  • Right-click the certificate and select All Tasks > Export
  • Click Next at the Welcome Screen of the export wizard. Then on the Export Private Key page change this to YES then click Next.
  • Next, select Personal Information Exchange – PKCS #12 (.PFX) and then click Next.
  • Set a password (15 car.) and document it
  • Save the file as SCCM DP Certificate to a network location
  • The reason for this export is that we will later be importing this certificate into SCCM DP and we need to do so in pkcs12 format, with a password protected private key included.
1.6.   Management Point
REQUEST CM2012 IIS CERTIFICATE
This shall be done on the Management point that will handle internet client requests.
  • Start > Run.  Type mmc.exe and click OK
  • Click File > Add/Remove Snap-In… Choose Certificates and click Add
  • Choose Computer Account, click Next, Choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal > Certificates folder.
  • Click All Tasks > Request New Certificate…
  • You are presented with the Certificate Enrollment wizard.
  • Click Next.
  • Leave the default here, and click Next
  • At the Request Certificates part of the wizard, check the ConfigMgr 2012 IIS Certificate.
  • sccm 2012 internet based client managementYou will notice that under the Web cert, a prompt that says, “More information is required to enroll for this certificate. Click here to configure settings”
  • Click the link and setup your Certificate Properties.
  • For Subject name, select Common name and use the server name as the common name.
  • For Alternative name, select DNS and use the server name as well as its FQDN as DNS.
  • In General tab, use the server name as the friendly name.
  • In Certification Authority tab, select only your regional CA.
  • Click Add and then OK.
  • sccm 2012 internet based client managementThen the warning field will disappear from the Request Certificates screen of the Certificate Enrollment wizard
  • Click Enroll and then finish once the enrollment is successful.
ASSIGN THE WEB (IIS) CERTIFICATE TO IIS
This shall be done on the Management point that will handle internet client requests.
  • Launch IIS Manager
  • Navigate to the Default Website
  • Right-click it and select Edit Bindings
  • Add https binding and click Edit
  • Select the certificate with your server name, and then click OK.
1.7.   Add the new site system in SCCM
Ensure that all your certificate actions are done before adding the roles.
PREREQUISITES
  • RDP to your DMZ Site server
  • Add the following prerequisites in Server Features
Management Point
.NET Framework 3.5 SP1
Default IIS with:
ISAPI Extensions
Windows Authentication
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
BITS Server Extensions
Distribution Point
Default IIS with:
ISAPI Extensions
Windows Authentication
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
BITS Server Extensions
Remote Differential Compression
ROLES INSTALLATION
  • Open the SCCM console
  • Administration / Servers and site system role
  • Create site system server
  • Specify the new site server name and specify the internet FQDN
  • Select the DP and MP role
  • sccm 2012 internet based client management
  • Configure the ConfigMgr Client Distribution Point certificate (the .PFX created in previous section) supply the password and OK.
  • sccm 2012 internet based client managementChoose HTTPS and “Allow Internet-Only connections”
  • In the Management point section
  • Choose HTTPS and “Allow Internet-Only connections”
  • sccm 2012 internet based client management
1.8.   Change SCCM client communication settings
This shall be done on each of primary site server
  • Go to Administration –> Sites –> Right click and choose properties
  • Go to client computer communication –> Choose use HTTPS or HTTP
  • Check the “Use PKI client certificate when available” checkbox
  • Import the Root CA certificate in the bottom menu
sccm 2012 internet based client management1.8.Client installation
Client push is not supported on the internet. The client must be installed on your network before it can go on the internet.
The logic behind this is that the client will first try to communicate with the intranet MP, if sucessful the client will show “Currently Intranet”. If it fail, it will try to reach the internet MP and shows “Currently Internet”. When the laptop will be back at the office, it will return to the intranet MP. The evaluation is done when the computer gets its IP address.
You have different option to do so :
  • You can manually add the new MP FQDN in the “Network” tab of the client properties
  • You can include the Client.msi property of CCMHOSTNAME= when you install the client, for example by using manual installation or client push. When you use this method, you must also directly assign the client to the site and cannot use automatic site assignment.
  • Configure clients for Internet-based client management after client installation by using a script
——-start of script————–
on error resume next
‘ Create variables.
Dim newInternetBasedManagementPointFQDN
Dim client
newInternetBasedManagementPointFQDN = “mp.yourorganisation.com”
‘ Create the client COM object.
Set client = CreateObject (“Microsoft.SMS.Client”)
‘ Set the Internet-Based Management Point FQDN by calling the SetCurrentManagementPoint method.
client.SetInternetManagementPointFQDN newInternetBasedManagementPointFQDN
‘ Clear variables.
Set client = Nothing
Set internetBasedManagementPointFQDN = Nothing
——-end of script————–
***Replace mp.yourorganisation.com with the Internet FQDN of your Internet-based management point.
 1.9 Test your clients
  • After installing a client on internet make sure that you are using HTTPS by looking at the “Connection Type” is Internet
  • You can also review the ClientLocation.log and datatransfer.log to ensure that your new MP is used
  • sccm 2012 internet based client management
That was intense…  Until next time !

link from : https://www.systemcenterdudes.com/internet-based-client-management/

No comments:

Post a Comment