The goal of this post is to describe the steps needed to implement SCCM Internet-based client management (IBCM). With an increasing number of clients working from home, this solution lets you manage your clients while they are on the internet. The other option would be to install a cloud management gateway (CMG).

Download the step-by-step guide in the download section or directly here. From now on, this blog post won’t be updated. Only the document will be.

In this scenario, SCCM 2012 R2 is installed as a stand-alone primary site. For security reasons, a second site server will be installed in the DMZ to respond to internet clients’ requests. Internet clients are laptops and tablets that are sometimes on the intranet (work network) and sometimes on the internet.


Assumptions:

  • Your primary site server is up and running
  • Site server is installed in the DMZ
  • Site systems that support Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.
  • The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers
  • Your organisation has a certificate server
  • You have a client on the internet for testing purposes

Grab a cup of coffee and here we go !

High level steps:

  • Create the needed certificate templates
  • Issue the certificates on the new machine
  • GPO creation for client auto-enrollment
  • Add the Management Point role and the Distribution Point role to the new machine
  • Test the setup on an internet client

1.1.   Overview

The following table lists the types of PKI certificates that are required for System Center 2012 Configuration Manager and describes how they are used.

Certificate: Web server certificate for site systems that run IIS

Description: This certificate is used to encrypt data and authenticate the server to clients. It must be installed externally from Configuration Manager on site system servers that run IIS and that are configured in Configuration Manager to use HTTPS.

In this guide it will be installed on any site server that holds the Management Point and/or Distribution Point role. It is used to encrypt data and to authenticate the server to its clients. Configure it in IIS.

Certificate: Client certificate for Windows computers

Description: This certificate is used to authenticate Configuration Manager client computers to site systems that are configured to use HTTPS. It can also be used by management points and state migration points to monitor their operational status when they are configured to use HTTPS. It must be installed externally from Configuration Manager on computers.

Certificate: Client certificate for distribution points

Description: This certificate has two purposes:

The certificate is used to authenticate the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.

When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to an HTTPS-enabled management point during the deployment of the operating system.

1.2.   Certificate Creation

WEB SERVER (IIS) CERTIFICATE

This procedure creates a certificate template for Configuration Manager 2012 site systems.

To create and issue the Web server certificate template on the certification authority

  1. Ensure that you have a security group that contains the member servers on which Configuration Manager 2012 site systems running IIS will be installed (SCCM_SiteServers).
  2. RDP to an Intermediate CA.
  3. Open the Certification Authority console, right-click Certificate Templates and click Manage.
  4. Right-click Web Server and click Duplicate Template.
  5. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Do not select Windows 2008 Server, Enterprise Edition.
  6. In the Properties, name this “ConfigMgr 2012 IIS Certificate”.
  7. Set the Validity Period to 5 years.
  8. Click the Subject Name tab and select the Supply in the request radio button.
  9. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
  10. Click Add, enter “SCCM_SiteServer” in the text box, and then click OK.
  11. Select the Enroll permission for this group, and do not clear the Read permission.
  12. Click OK, and close the Certificate Templates Console.

DISTRIBUTION POINT SITE SERVER CERTIFICATE

This procedure creates a certificate template for Configuration Manager 2012 Distribution Points.

  1. Ensure that you have a security group that contains the member servers on which Configuration Manager 2012 site systems running IIS will be installed (SCCM_SiteServers).
  2. RDP to an Intermediate CA.
  3. Open the Certification Authority console, right-click Certificate Templates and click Manage.
  4. Right-click Workstation Authentication and click Duplicate Template.
  5. Rename the template “ConfigMgr 2012 Client Distribution Point Certificate”.
  6. Set the Validity Period to 5 years.
  7. On the Request Handling tab, select Allow private key to be exported.
  8. On the Security tab, add the “SCCM_SiteServer” group and give it the Enroll permission. Click Apply, then OK.
  9. If you now look at the Certificate Templates Console you will see our three new templates.

CLIENT CERTIFICATE

This procedure creates a certificate template for Configuration Manager 2012 clients.

  1. RDP to an Intermediate CA.
  2. Open the Certification Authority console, right-click Certificate Templates and click Manage.
  3. Right-click Workstation Authentication and click Duplicate Template.
  4. Make sure to use Windows Server 2003, not 2008.
  5. In the Properties, name this “ConfigMgr 2012 Client Certificate”.
  6. Set the Validity Period to 5 years.
  7. Click on the Security tab, select the Domain Computers group and add the Read and Autoenroll permissions; do not clear Enroll. Then click OK.
  8. When you refresh your console, you will see that the new template is there.

1.3.   Issuing the 3 certificates

  • In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  • In the Enable Certificate Templates dialog box, select the 3 new templates you have just created:
      • ConfigMgr 2012 Client Certificate
      • ConfigMgr 2012 IIS Certificate
      • ConfigMgr 2012 Client Distribution Point Certificate
  • Click OK.
  • They will then show up in the Certificate Templates listing.
  • Close Certification Authority.

1.4.   Auto-Enroll GPO

  • Launch Group Policy Management on your domain (Start – Administrative Tools – Group Policy Management).
  • Right-click your Laptop OU and select “Create a GPO in this domain, and Link it here…”.
  • Name your GPO. I named my policy “AutoEnroll ConfigMgr Client Cert”, then click OK.
  • Edit your newly created GPO. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right-click on Certificate Services Client – Auto-Enrollment and then click Properties.

Change the Configuration Model to Enabled, check Renew expired certificates, update pending certificates, and remove revoked certificates and check Update certificates that use certificate templates. Then click Apply and OK.

Reboot a workstation; when you run a “gpupdate /force”, or after 15 minutes when Group Policy is re-applied, any machine on the domain communicating with the DC will automatically request and receive a client certificate, which will be placed in the Local Computer Personal certificate store.

1.5.   Distribution Point

REQUEST DISTRIBUTION POINT CERTIFICATE

The same certificate can be used on all DPs, so you only need to do the following steps on the internet-facing DP.

  • Reboot your SCCM site server. This is so that it picks up the permissions change that allows it to enroll for the certificates.
  • Once the reboot completes, RDP to your DP server
  • Start > Run.  Type mmc.exe and click OK
  • Click File > Add/Remove Snap-In… Choose Certificates and click Add
  • Choose Computer Account, click Next, Choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal > Certificates folder.
  • Click All Tasks > Request New Certificate…
  • You are presented with the Certificate Enrollment wizard.
  • Click Next.
  • Leave the default here, and click Next
  • At the Request Certificates part of the wizard, check the ConfigMgr Client Distribution Point Certificate.
  • Click Enroll and then finish once the enrollment is successful.
  • Now we need to export the Client Distribution Point Certificate while we are in the Certificates Management console.
  • Right-click the certificate and select All Tasks > Export
  • Click Next at the Welcome Screen of the export wizard. Then on the Export Private Key page change this to YES then click Next.
  • Next, select Personal Information Exchange – PKCS #12 (.PFX) and then click Next.
  • Set a password (15 characters) and document it.
  • Save the file as SCCM DP Certificate to a network location.
  • The reason for this export is that we will later import this certificate into the SCCM DP, and we need to do so in PKCS #12 format, with the password-protected private key included.

1.6.   Management Point

REQUEST CM2012 IIS CERTIFICATE

This shall be done on the Management point that will handle internet client requests.

  • Start > Run.  Type mmc.exe and click OK
  • Click File > Add/Remove Snap-In… Choose Certificates and click Add
  • Choose Computer Account, click Next, Choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal > Certificates folder.
  • Click All Tasks > Request New Certificate…
  • You are presented with the Certificate Enrollment wizard.
  • Click Next.
  • Leave the default here, and click Next
  • At the Request Certificates part of the wizard, check the ConfigMgr 2012 IIS Certificate.
  • You will notice, under the Web cert, a prompt that says “More information is required to enroll for this certificate. Click here to configure settings”.
  • Click the link and set up your Certificate Properties.
  • For Subject name, select Common name and use the server name as the common name.
  • For Alternative name, select DNS and use the server name as well as its FQDN as DNS.
  • In General tab, use the server name as the friendly name.
  • In Certification Authority tab, select only your regional CA.
  • Click Add and then OK.
  • The warning will then disappear from the Request Certificates screen of the Certificate Enrollment wizard.
  • Click Enroll and then finish once the enrollment is successful.

ASSIGN THE WEB (IIS) CERTIFICATE TO IIS

This shall be done on the Management point that will handle internet client requests.

  • Launch IIS Manager
  • Navigate to the Default Website
  • Right-click it and select Edit Bindings
  • Add https binding and click Edit
  • Select the certificate with your server name, and then click OK.
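Before moving on to the roles, it is worth checking that the certificate bound in IIS is the one internet clients will actually accept. The following PowerShell check is an added example, not part of the original guide: it assumes it runs elevated on the internet-facing MP, that the PKI and WebAdministration modules are available (Windows Server 2012 R2), and that `mp.yourorganisation.com` is a placeholder for your internet FQDN.

```powershell
# Added example (not from the original post): validate the IIS web server
# certificate used for Internet-based client management.
$InternetFqdn = 'mp.yourorganisation.com'   # placeholder: the internet FQDN you registered in public DNS

function Test-IbcmWebServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,
        [string] $Thumbprint   # optional: restrict the check to the thumbprint bound in IIS
    )
    $store = Get-ChildItem -Path Cert:\LocalMachine\My
    $candidates = if ($Thumbprint) { $store | Where-Object Thumbprint -eq $Thumbprint } else { $store }

    foreach ($cert in $candidates) {
        # The IIS template is a duplicate of Web Server, so the certificate must
        # carry the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
        $hasServerAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
        # Internet clients connect to the public FQDN, so it must appear as a DNS
        # subject alternative name (the wizard step above adds server name and FQDN).
        $sanHasFqdn = $cert.DnsNameList.Unicode -contains $Fqdn
        # IIS can only serve HTTPS with this certificate if the private key is present.
        $hasKey = $cert.HasPrivateKey
        # Chain validation for SSL use against this machine's trusted roots. Clients on
        # the internet must trust the same root you import in the site properties later.
        $chainOk = Test-Certificate -Cert $cert -Policy SSL -DNSName $Fqdn -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            ServerAuthEku = $hasServerAuth
            SanHasFqdn    = $sanHasFqdn
            HasPrivateKey = $hasKey
            ChainValid    = [bool]$chainOk
            Usable        = ($hasServerAuth -and $sanHasFqdn -and $hasKey -and [bool]$chainOk)
        }
    }
}

# Look up the certificate currently bound to the HTTPS binding and check that one.
Import-Module WebAdministration
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https | Select-Object -First 1
if (-not $binding) { throw 'No HTTPS binding found on Default Web Site; add it first (see the steps above).' }
Test-IbcmWebServerCertificate -Fqdn $InternetFqdn -Thumbprint $binding.certificateHash | Format-List
```

If `SanHasFqdn` is false, the request in the wizard above only listed the intranet name; re-enroll with the internet FQDN added as a DNS alternative name before adding the roles.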

1.7.   Add the new site system in SCCM

Ensure that all your certificate actions are done before adding the roles.

PREREQUISITES

  • RDP to your DMZ site server
  • Add the following prerequisites in Server Features:

Management Point:

  • .NET Framework 3.5 SP1
  • Default IIS with:
      • ISAPI Extensions
      • Windows Authentication
      • IIS 6 Metabase Compatibility
      • IIS 6 WMI Compatibility
      • BITS Server Extensions

Distribution Point:

  • Default IIS with:
      • ISAPI Extensions
      • Windows Authentication
      • IIS 6 Metabase Compatibility
      • IIS 6 WMI Compatibility
      • BITS Server Extensions
  • Remote Differential Compression
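The same prerequisites can be added from an elevated PowerShell prompt instead of Server Manager. This is an added example, not from the original guide; it assumes Windows Server 2012 R2 feature names and that the .NET 3.5 payload may need to be supplied with `-Source` if it was removed from the image.

```powershell
# Added example (not from the original post): install the MP/DP prerequisites
# listed above using their Server Manager feature names (Windows Server 2012 R2).
$IbcmFeatures = @(
    'NET-Framework-Core',   # .NET Framework 3.5 SP1 (MP only)
    'Web-Server',           # Default IIS
    'Web-ISAPI-Ext',        # ISAPI Extensions
    'Web-Windows-Auth',     # Windows Authentication
    'Web-Metabase',         # IIS 6 Metabase Compatibility
    'Web-WMI',              # IIS 6 WMI Compatibility
    'BITS-IIS-Ext',         # BITS Server Extensions
    'RDC'                   # Remote Differential Compression (DP only)
)

function Install-IbcmPrerequisites {
    param(
        [Parameter(Mandatory)] [string[]] $Features,
        [string] $Source   # e.g. D:\sources\sxs when NET-Framework-Core has no local payload
    )
    # Only install what is missing so the function is safe to re-run.
    $missing = Get-WindowsFeature -Name $Features | Where-Object { -not $_.Installed }
    if (-not $missing) { Write-Output 'All prerequisites are already installed.'; return }
    $params = @{ Name = $missing.Name; IncludeManagementTools = $true }
    if ($Source) { $params['Source'] = $Source }
    Install-WindowsFeature @params
}

Install-IbcmPrerequisites -Features $IbcmFeatures
# Final state, so a failed feature is visible before you add the site system roles.
Get-WindowsFeature -Name $IbcmFeatures | Format-Table Name, InstallState -AutoSize
```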

ROLES INSTALLATION

  • Open the SCCM console
  • Go to Administration / Servers and Site System Roles
  • Create Site System Server
  • Specify the new site server name and specify the internet FQDN
  • Select the DP and MP roles
  • In the Distribution point section, configure the ConfigMgr Client Distribution Point certificate (the .PFX created in the previous section), supply the password and click OK.
  • Choose HTTPS and “Allow Internet-only connections”
  • In the Management point section, choose HTTPS and “Allow Internet-only connections”

1.8.   Change SCCM client communication settings

This shall be done on each primary site server.

  • Go to Administration –> Sites –> right-click your site and choose Properties
  • Go to Client Computer Communication –> choose HTTPS or HTTP
  • Check the “Use PKI client certificate when available” checkbox
  • Import the Root CA certificate in the bottom menu

1.9.   Client installation

Client push is not supported on the internet. The client must be installed on your network before it can go on the internet.

The logic behind this is that the client first tries to communicate with the intranet MP; if successful, the client shows “Currently Intranet”. If it fails, it tries to reach the internet MP and shows “Currently Internet”. When the laptop is back at the office, it returns to the intranet MP. The evaluation is done when the computer gets its IP address.

You have different options to do so:

  • You can manually add the new MP FQDN in the “Network” tab of the client properties
  • You can include the Client.msi property of CCMHOSTNAME=<Internet FQDN of the Internet-based management point> when you install the client, for example by using manual installation or client push. When you use this method, you must also directly assign the client to the site and cannot use automatic site assignment.
  • Configure clients for Internet-based client management after client installation by using a script

——-start of script————–
on error resume next

' Create variables.
Dim newInternetBasedManagementPointFQDN
Dim client

newInternetBasedManagementPointFQDN = "mp.yourorganisation.com"

' Create the client COM object (fails if the ConfigMgr client is not installed).
Set client = CreateObject("Microsoft.SMS.Client")
If Err.Number <> 0 Then
    WScript.Echo "Could not create Microsoft.SMS.Client: " & Err.Description
    WScript.Quit 1
End If

' Set the Internet-based management point FQDN by calling the SetInternetManagementPointFQDN method.
client.SetInternetManagementPointFQDN newInternetBasedManagementPointFQDN
If Err.Number <> 0 Then
    WScript.Echo "SetInternetManagementPointFQDN failed: " & Err.Description
    WScript.Quit 1
End If

' Clear variables.
Set client = Nothing
newInternetBasedManagementPointFQDN = Empty

——-end of script————–

***Replace mp.yourorganisation.com with the Internet FQDN of your Internet-based management point.

1.10.   Test your clients

  • After installing a client on the internet, make sure that it is using HTTPS by checking that the “Connection Type” is Internet
  • You can also review ClientLocation.log and DataTransferService.log to ensure that your new MP is used
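The following PowerShell, an added example and not part of the original guide, covers both the client configuration script above and the test step: it sets the internet MP with the same `Microsoft.SMS.Client` COM object, reads the connection type from the client's WMI, and picks the management point messages out of ClientLocation.log. It assumes `mp.yourorganisation.com` is a placeholder, that `GetInternetManagementPointFQDN` is exposed alongside the `Set` method, and that the sample log lines (constructed here) only approximate the real wording, which is why the parser keys on the CMTrace envelope rather than exact text.

```powershell
# Added example (not from the original post). Run on the client as administrator.
$InternetMp = 'mp.yourorganisation.com'   # placeholder: internet FQDN of the IBCM management point

function Set-IbcmManagementPoint {
    param([Parameter(Mandatory)] [string] $Fqdn)
    $client = New-Object -ComObject 'Microsoft.SMS.Client'
    $client.SetInternetManagementPointFQDN($Fqdn)
    # Read it back so a typo is caught now, not when the laptop is already off-site.
    # (GetInternetManagementPointFQDN is assumed to exist next to the Set method.)
    return $client.GetInternetManagementPointFQDN()
}

function Get-IbcmClientState {
    # root\ccm:ClientInfo.InInternet is what the control panel shows as
    # "Currently Internet" / "Currently Intranet".
    $info = Get-CimInstance -Namespace 'root\ccm' -ClassName ClientInfo
    [pscustomobject]@{
        ConnectionType = if ($info.InInternet) { 'Internet' } else { 'Intranet' }
        InternetMp     = (New-Object -ComObject 'Microsoft.SMS.Client').GetInternetManagementPointFQDN()
    }
}

function Get-ManagementPointsFromLog {
    # Parses CMTrace-format lines and returns each message that names a management point.
    param([Parameter(Mandatory)] [string[]] $Lines)
    $cmtrace = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)"'
    foreach ($line in $Lines) {
        if ($line -notmatch $cmtrace) { continue }   # skip anything that is not a log record
        $record = $Matches                            # copy: the next -match overwrites $Matches
        if ($record.msg -notmatch 'management point') { continue }
        $fqdn = if ($record.msg -match '(?<fqdn>\b[\w-]+(?:\.[\w-]+)+\b)') { $Matches.fqdn } else { $null }
        [pscustomobject]@{
            Date    = $record.date
            Time    = $record.time
            Mp      = $fqdn
            Message = $record.msg
        }
    }
}

# Constructed sample log lines (wording approximated, format is CMTrace).
$sampleLog = @(
    '<![LOG[Current Management Point is mp01.yourorganisation.local with version 8239]LOG]!><time="09:15:02.117+300" date="03-02-2020" component="LocationServices" context="" type="1" thread="4120" file="lsad.cpp:100">',
    '<![LOG[Client is on Internet]LOG]!><time="09:15:03.201+300" date="03-02-2020" component="LocationServices" context="" type="1" thread="4120" file="lsad.cpp:120">',
    '<![LOG[Current internet management point is mp.yourorganisation.com]LOG]!><time="09:15:03.455+300" date="03-02-2020" component="LocationServices" context="" type="1" thread="4120" file="lsad.cpp:140">'
)
Get-ManagementPointsFromLog -Lines $sampleLog | Format-Table Date, Time, Mp -AutoSize

# On a real client:
# Set-IbcmManagementPoint -Fqdn $InternetMp
# Get-IbcmClientState
# Get-ManagementPointsFromLog -Lines (Get-Content "$env:windir\CCM\Logs\ClientLocation.log")
```

A client that reports `Intranet` while on the internet, or whose log never mentions the internet FQDN, is still talking to (or failing to reach) the intranet MP, which is the usual sign of a missing client certificate or an unreachable internet MP.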

That was intense…  Until next time !

See this Technet blog post to fix common issues : Here

Comments (52)

Nagayya

09.20.2019 AT 12:36 AM
after installing am getting below error [RegTask] - Client is not registered. Sending registration request for GUID:69F2AF5E-35CD-4DB3-BFB0-C4AAE8B567C3 ... ClientIDManagerStartup 9/20/2019 11:02:22 AM 15324 (0x3BDC) WPJ Certificate not found ClientIDManagerStartup 9/20/2019 11:02:22 AM 15324 (0x3BDC) RegTask: Failed to send registration request message. Error: 0x87d00231 ClientIDManagerStartup 9/20/2019 11:02:28 AM 15324 (0x3BDC) RegTask: Failed to send registration request. Error: 0x87d00231 ClientIDManagerStartup 9/20/2019 11:02:28 AM 15324 (0x3BDC) the client certificate is none

telekill rules of survival

11.23.2018 AT 08:20 PM
sc2 arrived on the scene and also the whole of South Korea were stuck within this starcraft hangover rut, it absolutely was being a giant economy going bust big. During your free time can you often wind up tired of nothing much to do on account of deficiency of activity. Not only are you looking to have steady aim and turn into a good shot, in addition, you must tactically assassinate your targets inside a few missions.

Cristhian Reyes

11.07.2018 AT 05:54 PM
Thank you very much for the manual, it is very detailed, I am currently in an implementation of IBCM but I would like to know, from the internet to the DMZ server and from DMZ to the internet, what ports are required?

Vishal

10.08.2018 AT 10:40 AM
Thanks for the guidance in providing the step-by-step changes from HTTP to HTTPS. Everything works fine except OSD. I get lot of error message in smspxe logs and client aborts after giving error message NO Boot file received. Below is snapshot of the smspxe log we get; 34:E6:D7:24:24:60, 4C4C4544-004B-3010-8054-B7C04F4B3132: Not serviced. SMSPXE 08/10/2018 16:20:52 892 (0x037C) SSL - using authenticator in request. SMSPXE 08/10/2018 16:20:56 892 (0x037C) In SSL, but with no client cert SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] : dwStatusInformationLength is 4 SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] : *lpvStatusInformation is 0x80000000 SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR is set SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- SMSPXE 08/10/2018 16:20:56 892 (0x037C) sending with winhttp failed; 80072f8f SMSPXE 08/10/2018 16:20:56 892 (0x037C) Unsuccessful in getting MP key information. 80072f8f. SMSPXE 08/10/2018 16:20:56 892 (0x037C) PXE::MP_InitializeTransport failed; 0x80072f8f SMSPXE 08/10/2018 16:20:56 892 (0x037C) PXE::MP_LookupDevice failed; 0x80070490 SMSPXE 08/10/2018 16:20:56 892 (0x037C) SSL - using authenticator in request. SMSPXE 08/10/2018 16:20:56 892 (0x037C) In SSL, but with no client cert SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] : dwStatusInformationLength is 4 SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] : *lpvStatusInformation is 0x80000000 SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] : WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR is set SMSPXE 08/10/2018 16:20:56 892 (0x037C) [TSMESSAGING] AsyncCallback(): ----------------------------------------------------------------- SMSPXE 08/10/2018 16:20:56 892 (0x037C) sending with winhttp failed; 80072f8f SMSPXE 08/10/2018 16:20:57 892 (0x037C) Unsuccessful in getting MP key information. 80072f8f. SMSPXE 08/10/2018 16:20:57 892 (0x037C) PXE::MP_InitializeTransport failed; 0x80072f8f SMSPXE 08/10/2018 16:20:57 892 (0x037C) PXE::MP_ReportStatus failed; 0x80070490 SMSPXE 08/10/2018 16:20:57 892 (0x037C) PXE Provider failed to process message. Element not found. (Error: 80070490; Source: Windows) SMSPXE 08/10/2018 16:20:57 892 (0x037C) Any information provided will be of great help.

dcrescendo

08.31.2018 AT 03:00 PM
Is this still live?

Christopher Moriarty

08.15.2017 AT 01:52 PM
What if the CA is not in the same domain and you can't use auto-enroll/templates? Can you issue certs via an intermediary? Looking at step 1.5. Distribution Point

Beau

07.07.2017 AT 11:12 AM
That is really attention-grabbing, You're an overly professional blogger. I've joined your feed and stay up for in quest of extra of your excellent post. Additionally, I have shared your site in my social networks

Christopher Moriarty

06.16.2017 AT 03:13 PM
Can any of this be done without creating new templates, re-using existing web server and workstation templates on a CA?

Thomas

06.13.2017 AT 05:08 PM
When setting up a MP that takes both Internet and Intranet connections, it needs to be noted that the ampersand (&) should be set in the DNS portion of the WebServer certificate request under the Alternate Name. The way this spells it out, it sounds like it should be in the CommonName section.

Mike

05.19.2017 AT 12:34 PM
This question was never answered in the forum: I’m not sure what cer to import for my Trusted Root CA on my Primary site properties on your last steps. I am in the same boat, any help would be great.

sometechstuff

05.11.2017 AT 08:39 AM
Thanks for all your PKI posts. I have a "working" PKI. However, I am incredibly frustrated trying to enroll the SCCM Mac Client. The client states, "Certificate has untrusted root". I have read somewhere that the CAPolicy.inf files should have the setting AlternateSignatureAlgorithm=0. My offline root CA and the subordinate CA had it set to =1. This is my first question? Do you know if this is the reason why the Macs (Sierra) are getting this error? If so, if I change the CAPolicy.inf file, does that mean I need to renew the certs? Thanks a bunch.

Andrew

04.21.2017 AT 01:07 PM
Hey, thanks for that manual. Very good article to start from. Does anyone know how to Replicate SCUP patches to 2nd SUP (DMZ)? I found sort of solution here: https://social.technet.microsoft.com/Forums/office/en-US/124d3fa5-3cd0-42fa-914f-16e4f9dfd774/replicawsus-doesnt-contain-locally-published-updates?forum=winserverwsus But this is about to change SQL data. Is there any solution from the box?🙂

Glen

04.13.2017 AT 08:05 AM
Nice guide. I paid some "experts" to assist with my last upgrade and they didn't know how to get IBCM working, and for few dollars and a little work now I do. While getting SUP on as well wasn't too much of a stretch, it would make sense to add this to the guide.

Benoit Lecours

04.13.2017 AT 08:12 AM
Next time, hire "real" experts! 😉 Thanks for your comment

Shawn M

10.12.2017 AT 10:18 AM
Is the guide offered ($4.99) more up-to-date than what is currently posted, updated for latest Current Branch? Thanks

Damon B

01.24.2017 AT 11:22 AM
Great post, thanks for the info. I have a question about step 1.6. Management Point: REQUEST CM2012 IIS CERTIFICATE Our CA is internal, and in our internal network and domain. My DMZ server will be in the DMZ, in a different domain. There will be no permanent firewall openings between DMZ server CA, and they're not in the same domain, and there's no certificate trust. I could feasibly make a temporary firewall opening to get the work done. How can I get the certificate from the internal network to the DMZ server? Does step 1.6 as it's written happen on the internal site server or the new DMZ server?

Tim

03.08.2017 AT 03:48 PM
I would also like to know the answer to Damon's question.

Nick

12.14.2016 AT 04:47 PM
Thanks for the great guide! I went through the purchased guide and was unable to figure out where the network tab is or the properties are in the first place. I ran a command to install with the new ccmhostname property but I still can't find where to verify what my connection is. From the primary site server I'm showing the computer is up but I can't query it. I never did anything with boundaries since it was never stated in the guide. I'm not sure if there are other prerequisites that are not listed.

Al Kongsjord

07.22.2016 AT 10:02 AM
This document is very good but does not include the likelihood that the DMZ system may need to be a member of a different domain. In that case you must reference KB2689646. Also remember to add the sysadmin permission to the Login created to match the Management Point Communication Account and dbowner to the CM_ account in SQL. If you are using a domain account for the Management Point Connection Account then you may have to do these same steps with that account so that SQL will work with it. Watch the SQL logs for rejections specific to your domain account.

Peter

06.09.2016 AT 08:22 AM
Hi, Great Guide, thanks! Is the following scenario supported, SCCM joined to a AD domain (domain 1) and the IBCM SCCM site server in a different domain (domain 2) in the DMZ? How do I get SCCM clients in domain 1 to enrol for the certificate created in the domain 2? Thanks

Simon Bond

05.05.2016 AT 07:07 AM
Hi Benoit, I purchased your guide, thanks for that. Just wondering if there are any tips or further things to consider when using public certificates. I have a client who has expressed a wish to use these. Thanks

Shailendra Dev

03.03.2016 AT 02:03 PM
Hi, I have gone through your articles and have below query.. 1. do i need the Workstation Authentication Certificate for the each Client (that will be managed as IBCM SCCM Agent) ? 2. how can i create,enrol /deploy the individual Workstation Authentication Certificate for the each Client that not using the office network (that connected to internet only)? i am looking for the step by step process for this , i do not want to use the GPO for this as many Machines is on Internet instead of Office network. 3. Installation method of SCCM Agent on Each Internet Based client Machines ?