The goal of this post is to describe the steps needed to implement SCCM 2012 Internet-based client management.

Download the step-by-step guide in the download section or directly here. From now on, this blog post won’t be updated; only the document will be.

 

In this scenario, SCCM 2012 R2 is installed as a stand-alone primary site. For security reasons, a second site server is installed in the DMZ to respond to internet client requests. Internet clients are laptops and tablets that are sometimes on the intranet (work network) and sometimes on the internet.


Assumptions:

  • Your primary site server is up and running
  • Site server is installed in the DMZ
  • Site systems that support Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.
  • The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers
  • Your organisation has a certificate server
  • You have a client on the internet for testing purposes

Grab a cup of coffee and here we go!

High-level steps:

  • Create the needed certificates
  • Issue the certificate on the new machine
  • GPO creation for client Auto-Enrollment
  • Add the Management Point role and the Distribution Point role to the new machine
  • Test the setup on an internet client

1.1.   Overview

The following lists the types of PKI certificates that are required for System Center 2012 Configuration Manager and describes how they are used.

  • Web server certificate for site systems that run IIS
    This certificate is used to encrypt data and authenticate the server to clients. It must be installed externally from Configuration Manager on site system servers that run IIS and that are configured in Configuration Manager to use HTTPS. This certificate will be installed on any site server with the Management Point and/or Distribution Point role. Configure this in IIS.

  • Client certificate for Windows computers
    This certificate is used to authenticate Configuration Manager client computers to site systems that are configured to use HTTPS. It can also be used by management points and state migration points to monitor their operational status when they are configured to use HTTPS. It must be installed externally from Configuration Manager on computers.

  • Client certificate for distribution points
    This certificate has two purposes:
    • The certificate is used to authenticate the distribution point to an HTTPS-enabled management point before the distribution point sends status messages.
    • When the Enable PXE support for clients distribution point option is selected, the certificate is sent to computers that PXE boot so that they can connect to an HTTPS-enabled management point during the deployment of the operating system.

1.2.   Certificate Creation

WEB SERVER (IIS) CERTIFICATE

This procedure creates a certificate template for Configuration Manager 2012 site systems.

To create and issue the Web server certificate template on the certification authority:

  1. Ensure that you have a security group (SCCM_SiteServers) that contains the member servers on which the Configuration Manager 2012 site systems that run IIS will be installed.
  2. RDP to an Intermediate CA.
  3. Open the Certification Authority console, right-click Certificate Templates and click Manage.
  4. Right-click Web Server and click Duplicate Template.
  5. In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Do not select Windows 2008 Server, Enterprise Edition.
  6. In the Properties, name this “ConfigMgr 2012 IIS Certificate”.
  7. Set the Validity Period to 5 years.
  8. Click the Subject Name tab and select the Supply in the request radio button.
  9. Click the Security tab, and remove the Enroll permission from the security groups Domain Admins and Enterprise Admins.
  10. Click Add, enter “SCCM_SiteServers” in the text box, and then click OK.
  11. Select the Enroll permission for this group, and do not clear the Read permission.
  12. Click OK, and close the Certificate Templates Console.

DISTRIBUTION POINT SITE SERVER CERTIFICATE

This procedure creates a certificate template for Configuration Manager 2012 Distribution Points.

  1. Ensure that you have a security group (SCCM_SiteServers) that contains the member servers on which the Configuration Manager 2012 site systems that run IIS will be installed.
  2. RDP to an Intermediate CA.
  3. Open the Certification Authority console, right-click Certificate Templates and click Manage.
  4. Right-click Workstation Authentication and click Duplicate Template.
  5. Rename the template “ConfigMgr 2012 Client Distribution Point Certificate”.
  6. Set the Validity Period to 5 years.
  7. On the Request Handling tab, select Allow private key to be exported.
  8. On the Security tab, add the “SCCM_SiteServers” group and give it the Enroll permission. Click Apply, then OK.
  9. Now if you look at the Certificate Templates Console you will see our three new templates.

CLIENT CERTIFICATE

This procedure creates a certificate template for Configuration Manager 2012 clients.

  1. RDP to an Intermediate CA.
  2. Open the Certification Authority console, right-click Certificate Templates and click Manage.
  3. Right-click Workstation Authentication and click Duplicate Template.
  4. Make sure to use Server 2003, not 2008.
  5. In the Properties, name this “ConfigMgr 2012 Client Certificate”.
  6. Set the Validity Period to 5 years.
  7. Click on the Security tab, select the Domain Computers group and add the Read and Autoenroll permissions; do not clear Enroll. Then click OK.
  8. When you refresh your console, you will see that the new template is there.

1.3.   Issuing the 3 certificates

  • In the Certification Authority console, right-click Certificate Templates, click New, and then click Certificate Template to Issue.
  • In the Enable Certificate Templates dialog box, select the 3 new templates you have just created:
    • ConfigMgr 2012 Client Certificate
    • ConfigMgr 2012 IIS Certificate
    • ConfigMgr 2012 Client Distribution Point Certificate
  • Click OK.
  • They will then show up in the Certificate Templates listing.
  • Close the Certification Authority console.

1.4.   Auto-Enroll GPO

  • Launch Group Policy Management on your domain (Start – Administrative Tools – Group Policy Management).
  • Right-click your Laptop OU and select “Create a GPO in this domain, and Link it here…”.
  • Name your GPO. I named my policy “AutoEnroll ConfigMgr Client Cert”, then click OK.
  • Edit your newly created GPO. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies. Right-click on Certificate Services Client – Auto-Enrollment and then click Properties.
  • Change the Configuration Model to Enabled, check Update certificates that use certificate templates and select Renew expired certificates, update pending certificates. Then click Apply and OK.

Reboot a workstation; when you run “gpupdate /force”, or after 15 minutes when Group Policy is re-applied, any machine on the domain communicating with the DC will automatically request and receive a client certificate, which will be placed in the Local Computer Personal certificate store.

1.5.   Distribution Point

REQUEST DISTRIBUTION POINT CERTIFICATE

The same certificate can be used on all DPs, so you only need to do the following steps on the internet-facing DP.

  • Reboot your SCCM site server so that it picks up the permission change that allows it to enroll for the Web Server certificate.
  • Once the reboot completes, RDP to your DP server.
  • Start > Run. Type mmc.exe and click OK.
  • Click File > Add/Remove Snap-In… Choose Certificates and click Add.
  • Choose Computer Account, click Next, choose Local Computer, click Finish.
  • Click OK, and then expand the Certificates tree to the Personal > Certificates folder.
  • Click All Tasks > Request New Certificate…
  • You are presented with the Certificate Enrollment wizard. Click Next.
  • Leave the default here, and click Next.
  • At the Request Certificates part of the wizard, check the ConfigMgr 2012 Client Distribution Point Certificate.
  • Click Enroll and then Finish once the enrollment is successful.
  • Now we need to export the Client Distribution Point certificate while we are in the Certificates management console.
  • Right-click the certificate and select All Tasks > Export.
  • Click Next at the Welcome screen of the export wizard. Then on the Export Private Key page change this to Yes, then click Next.
  • Next, select Personal Information Exchange – PKCS #12 (.PFX) and then click Next.
  • Set a password (15 characters) and document it.
  • Save the file as SCCM DP Certificate to a network location.
  • The reason for this export is that we will later import this certificate into the SCCM DP, and we need to do so in PKCS #12 format, with a password-protected private key included.
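As an added example that is not part of the original guide, the following PowerShell checks the results of sections 1.4 and 1.5 from the server side: it locates certificates issued from the guide's templates in the Local Computer Personal store, confirms that the auto-enrolled client certificate is usable (private key present, Client Authentication EKU, not expired) and exports the distribution point certificate as a password-protected PFX, which is what the console wizard later asks for. The function names, the output path C:\Temp\SCCM DP Certificate.pfx and the use of the PKI module's Export-PfxCertificate cmdlet are my assumptions; the template names are the ones created above.

```powershell
# Added example, not from the original guide. Requires the PKI module (Windows 8 /
# Server 2012 and later) and an elevated prompt on the server being checked.

# OIDs of the certificate template extensions (v1 template name, v2 template information).
$TemplateOids = @('1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7')

function Get-CertificateByTemplate {
    # Returns the certificates in the store that were issued from the named template.
    param(
        [Parameter(Mandatory)][string]$TemplateName,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath | Where-Object {
        $ext = $_.Extensions | Where-Object { $TemplateOids -contains $_.Oid.Value }
        # Format() renders the extension as text containing "Template=<display name>(<oid>)"
        # for v2 templates (name resolved through AD on a domain-joined machine) or the bare name for v1.
        @($ext | ForEach-Object { $_.Format($false) }) -match [regex]::Escape($TemplateName)
    }
}

function Test-AutoEnrolledClientCert {
    # Verifies the outcome of the auto-enrollment GPO of section 1.4 on this machine.
    param([string]$TemplateName = 'ConfigMgr 2012 Client Certificate')
    $cert = Get-CertificateByTemplate -TemplateName $TemplateName |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate from template '$TemplateName' found. Run 'gpupdate /force' or 'certutil -pulse' and check the Application event log."
        return $false
    }
    # Client Authentication EKU (1.3.6.1.5.5.7.3.2) is what the HTTPS management point expects.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.2'
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ClientAuthEku = $hasClientAuth
        Usable        = ($cert.HasPrivateKey -and $hasClientAuth -and ($cert.NotAfter -gt (Get-Date)))
    }
}

function Export-DistributionPointCert {
    # Exports the DP certificate requested in section 1.5 in PKCS #12 form with its private key.
    param(
        [string]$TemplateName = 'ConfigMgr 2012 Client Distribution Point Certificate',
        [Parameter(Mandatory)][string]$FilePath,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-CertificateByTemplate -TemplateName $TemplateName | Select-Object -First 1
    if (-not $cert) { throw "No certificate from template '$TemplateName' in Cert:\LocalMachine\My" }
    # The template was created with "Allow private key to be exported"; this catches a template mismatch.
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key; it cannot be exported as PFX" }
    Export-PfxCertificate -Cert $cert -FilePath $FilePath -Password $Password | Out-Null
    return $FilePath
}

# Usage (assumed path; the password is prompted for, never stored in the script):
Test-AutoEnrolledClientCert
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (15+ characters)'
Export-DistributionPointCert -FilePath 'C:\Temp\SCCM DP Certificate.pfx' -Password $pfxPassword
```

Keeping the password out of the script and using a network location with restricted permissions for the PFX matters because the file contains the private key the DP uses to authenticate to the management point.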

1.6.   Management Point

REQUEST CM2012 IIS CERTIFICATE

This shall be done on the Management point that will handle internet client requests.

  • Start > Run.  Type mmc.exe and click OK
  • Click File > Add/Remove Snap-In… Choose Certificates and click Add
  • Choose Computer Account, click Next, Choose Local Computer, click Finish
  • Click OK, and then expand the Certificates tree to the Personal > Certificates folder.
  • Click All Tasks > Request New Certificate…
  • You are presented with the Certificate Enrollment wizard.
  • Click Next.
  • Leave the default here, and click Next
  • At the Request Certificates part of the wizard, check the ConfigMgr 2012 IIS Certificate.
  • You will notice that under the Web cert there is a prompt that says, “More information is required to enroll for this certificate. Click here to configure settings”.
  • Click the link and set up your Certificate Properties.
  • For Subject name, select Common name and use the server name as the common name.
  • For Alternative name, select DNS and add the server name as well as its FQDN as DNS entries.
  • In the General tab, use the server name as the friendly name.
  • In the Certification Authority tab, select only your regional CA.
  • Click Add and then OK.
  • The warning will then disappear from the Request Certificates screen of the Certificate Enrollment wizard.
  • Click Enroll and then Finish once the enrollment is successful.

ASSIGN THE WEB (IIS) CERTIFICATE TO IIS

This shall be done on the Management point that will handle internet client requests.

  • Launch IIS Manager
  • Navigate to the Default Website
  • Right-click it and select Edit Bindings
  • Add https binding and click Edit
  • Select the certificate with your server name, and then click OK.
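Assigning the certificate to the HTTPS binding can also be scripted and verified. The following is an added example, not from the original guide, that uses the IIS WebAdministration module to create the https binding on the Default Web Site, attach the certificate whose subject is the server name (as requested in the previous section) and check the result; the function names and the choice of a binding on all IP addresses are my assumptions.

```powershell
# Added example, not from the original guide. Requires the WebAdministration module
# (installed with IIS Manager) and an elevated prompt on the management point.
Import-Module WebAdministration

function Set-MPHttpsBinding {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,   # thumbprint of the ConfigMgr 2012 IIS certificate
        [string]$SiteName = 'Default Web Site',
        [int]$Port = 443
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; IIS cannot use it" }
    # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is required for an SSL binding;
    # picking a client certificate by mistake fails here instead of at first client contact.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')) {
        throw "Certificate $Thumbprint lacks the Server Authentication EKU"
    }
    # Create the https binding if the site does not have one yet.
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port $Port)) {
        New-WebBinding -Name $SiteName -Protocol https -Port $Port -IPAddress '*'
    }
    # Attach the certificate to the binding; the provider path is IIS:\SslBindings\<IP>!<port>.
    $bindingPath = "IIS:\SslBindings\0.0.0.0!$Port"
    if (Test-Path $bindingPath) { Remove-Item $bindingPath }
    $cert | New-Item $bindingPath | Out-Null
    Get-Item $bindingPath
}

function Test-MPHttpsBinding {
    # Confirms that the SSL binding exists and carries the expected thumbprint.
    param([Parameter(Mandatory)][string]$Thumbprint, [int]$Port = 443)
    $binding = Get-Item "IIS:\SslBindings\0.0.0.0!$Port" -ErrorAction SilentlyContinue
    return ($null -ne $binding) -and ($binding.Thumbprint -eq $Thumbprint)
}

# Usage: select the newest certificate whose subject is the server name, then bind and verify.
$iisCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$env:COMPUTERNAME" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $iisCert) { throw "No certificate with subject CN=$env:COMPUTERNAME in the Local Computer Personal store" }
Set-MPHttpsBinding -Thumbprint $iisCert.Thumbprint
Test-MPHttpsBinding -Thumbprint $iisCert.Thumbprint
```

Test-MPHttpsBinding is also a useful check to repeat after certificate renewal, since a renewed certificate has a new thumbprint and the binding keeps pointing at the old one until it is updated.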

1.7.   Add the new site system in SCCM

Ensure that all your certificate actions are done before adding the roles.

PREREQUISITES

  • RDP to your DMZ site server.
  • Add the following prerequisites in Server Features:
    • Management Point
      • .NET Framework 3.5 SP1
      • Default IIS with:
        • ISAPI Extensions
        • Windows Authentication
        • IIS 6 Metabase Compatibility
        • IIS 6 WMI Compatibility
        • BITS Server Extensions
    • Distribution Point
      • Default IIS with:
        • ISAPI Extensions
        • Windows Authentication
        • IIS 6 Metabase Compatibility
        • IIS 6 WMI Compatibility
        • BITS Server Extensions
      • Remote Differential Compression

ROLES INSTALLATION

  • Open the SCCM console.
  • Go to Administration / Servers and Site System Roles.
  • Create Site System Server.
  • Specify the new site server name and specify the internet FQDN.
  • Select the DP and MP roles.
  • Configure the ConfigMgr 2012 Client Distribution Point certificate (the .PFX created in the previous section), supply the password and click OK.
  • Choose HTTPS and “Allow Internet-only connections”.
  • In the Management Point section, choose HTTPS and “Allow Internet-only connections”.

1.8.   Change SCCM client communication settings

This shall be done on each primary site server.

  • Go to Administration –> Sites –> Right click and choose properties
  • Go to client computer communication –> Choose use HTTPS or HTTP
  • Check the “Use PKI client certificate when available” checkbox
  • Import the Root CA certificate in the bottom menu

1.8.   Client installation

Client push is not supported on the internet. The client must be installed on your network before it can go on the internet.

The logic behind this is that the client will first try to communicate with the intranet MP; if successful, the client will show “Currently Intranet”. If it fails, it will try to reach the internet MP and show “Currently Internet”. When the laptop is back at the office, it will return to the intranet MP. The evaluation is done when the computer gets its IP address.

You have different options to do so:

  • You can manually add the new MP FQDN in the “Network” tab of the client properties.
  • You can include the Client.msi property CCMHOSTNAME=<Internet FQDN of the Internet-based management point> when you install the client, for example by using manual installation or client push. When you use this method, you must also directly assign the client to the site and cannot use automatic site assignment.
  • Configure clients for Internet-based client management after client installation by using a script:

——-start of script————–
On Error Resume Next

' Create variables.
Dim newInternetBasedManagementPointFQDN
Dim client

newInternetBasedManagementPointFQDN = "mp.yourorganisation.com"

' Create the client COM object.
Set client = CreateObject("Microsoft.SMS.Client")

' Set the Internet-based management point FQDN by calling the SetInternetManagementPointFQDN method.
client.SetInternetManagementPointFQDN newInternetBasedManagementPointFQDN

' Clear variables (a string is cleared with Empty; Set ... = Nothing is only for objects).
Set client = Nothing
newInternetBasedManagementPointFQDN = Empty

——-end of script————–

***Replace mp.yourorganisation.com with the Internet FQDN of your Internet-based management point.

1.9.   Test your clients

  • After installing a client on the internet, make sure that you are using HTTPS by checking that the “Connection Type” is Internet.
  • You can also review ClientLocation.log and datatransfer.log to ensure that your new MP is used.
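The configuration step of section 1.8 and the checks in the two bullets above can be done from PowerShell on the client. The following is an added example, not from the original guide: it uses the same Microsoft.SMS.Client COM object as the script above, reads the internet MP back to catch a typo, reports the connection type from the client's root\ccm WMI namespace and shows the last lines of ClientLocation.log. The function names and the ClientInfo.InInternet property used for the connection type are my assumptions; mp.yourorganisation.com is the guide's placeholder.

```powershell
# Added example, not from the original guide. Run locally on a client that already has
# the Configuration Manager client installed, from an elevated prompt.

function Set-InternetManagementPoint {
    param([Parameter(Mandatory)][string]$InternetMPFqdn)   # e.g. mp.yourorganisation.com (placeholder)
    $client = New-Object -ComObject 'Microsoft.SMS.Client'
    $client.SetInternetManagementPointFQDN($InternetMPFqdn)
    # Read the value back so a typo is caught now rather than when the laptop leaves the office.
    $configured = $client.GetInternetManagementPointFQDN()
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($client)
    if ($configured -ne $InternetMPFqdn) { throw "Internet MP not applied: client reports '$configured'" }
    return $configured
}

function Get-ClientConnectionState {
    # Equivalent of the "Connection Type" shown in the Configuration Manager control panel applet.
    $client = New-Object -ComObject 'Microsoft.SMS.Client'
    # Assumption: root\ccm:ClientInfo.InInternet is $true once the client has decided it is on the internet.
    $inInternet = (Get-WmiObject -Namespace 'root\ccm' -Class ClientInfo).InInternet
    $state = [pscustomobject]@{
        AssignedSite   = $client.GetAssignedSite()
        CurrentMP      = $client.GetCurrentManagementPoint()
        InternetMP     = $client.GetInternetManagementPointFQDN()
        ConnectionType = $(if ($inInternet) { 'Currently Internet' } else { 'Currently Intranet' })
    }
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($client)
    return $state
}

function Get-ClientLocationLogTail {
    # ClientLocation.log records the intranet/internet decision described in section 1.8.
    param([int]$Lines = 20)
    Get-Content -Path (Join-Path $env:windir 'CCM\Logs\ClientLocation.log') -Tail $Lines
}

# Usage:
Set-InternetManagementPoint -InternetMPFqdn 'mp.yourorganisation.com'
Get-ClientConnectionState
Get-ClientLocationLogTail
```

Because the client only re-evaluates its location when it obtains an IP address, run Get-ClientConnectionState after the test machine has actually moved to the internet (or after a network change) rather than immediately after the Set call.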

That was intense… Until next time!

See this Technet blog post to fix common issues: Here

Comments
  • Nick
    Posted at 4:47 PM December 14, 2016

    Thanks for the great guide! I went through the purchased guide and was unable to figure out where the network tab is or where the properties are in the first place. I ran a command to install with the new ccmhostname property but I still can’t find where to verify what my connection is. From the primary site server I’m showing the computer is up but I can’t query it. I never did anything with boundaries since it was never stated in the guide. I’m not sure if there are other prerequisites that are not listed.

  • Al Kongsjord
    Posted at 10:02 AM July 22, 2016

    This document is very good but does not include the likelihood that the DMZ system may need to be a member of a different domain. In that case you must reference KB2689646.

    Also remember to add the sysadmin permission to the Login created to match the Management Point Communication Account and dbowner to the CM_ account in SQL.

    If you are using a domain account for the Management Point Connection Account then you may have to do these same steps with that account so that SQL will work with it. Watch the SQL logs for rejections specific to your domain account.

  • Peter
    Posted at 8:22 AM June 9, 2016

    Hi, Great Guide, thanks!

    Is the following scenario supported: SCCM joined to an AD domain (domain 1) and the IBCM SCCM site server in a different domain (domain 2) in the DMZ?
    How do I get SCCM clients in domain 1 to enrol for the certificate created in domain 2?
    Thanks

  • Simon Bond
    Posted at 7:07 AM May 5, 2016

    Hi Benoit,
    I purchased your guide, thanks for that. Just wondering if there are any tips or further things to consider when using public certificates. I have a client who has expressed a wish to use these.
    Thanks

  • Shailendra Dev
    Posted at 2:03 PM March 3, 2016

    Hi,
    I have gone through your articles and have the queries below:
    1. Do I need the Workstation Authentication Certificate for each client (that will be managed as an IBCM SCCM agent)?
    2. How can I create, enrol and deploy the individual Workstation Authentication Certificate for each client that is not using the office network (connected to the internet only)? I am looking for the step-by-step process for this; I do not want to use the GPO for this as many machines are on the internet instead of the office network.
    3. Installation method of the SCCM agent on each internet-based client machine?

  • Visan
    Posted at 8:27 AM January 13, 2016

    Hi Benoit,

    I have followed your guide and deployed an internet-based MP and DP on a DMZ server that is joined to the same domain as the primary server. I have the certificates in place as well. All seems well but the setup does not respond to the browser tests (http://sms_mp/.sms_aut?mplist). Could you suggest any remedy for this?

  • Oscar Gutiérrez
    Posted at 10:37 AM December 22, 2015

    Hi,

    I already purchased your guide, it was very useful. Can you issue an invoice for my company?

    Thanks

  • Paul
    Posted at 3:30 PM December 4, 2015

    Thanks for the guide! I have downloaded and followed your tutorial and I’m confused on one of the parts. During step 3.2 I go through the installation of the MP and DP. After selecting Distribution Point and Management Point it looks like you’re missing some steps. It goes to configure the Client DP Certificate and then straight to the Management Point settings. What do I set for the Distribution Point Settings? I see options to “Install and configure IIS if required by Configuration Manager” and Enable and configure BranchCache for the distribution point. Do I not choose any of these options? Your screenshot does not match what I see in the wizard. Also what about the Drive Settings, Pull Distribution Point, Content Validation, Boundary Groups, Management Point, and Management Point Database Settings? Your guide doesn’t say to skip these nor does it say to configure these. Can you clarify if these settings are skipped? Thanks again.

  • Troy
    Posted at 8:47 PM December 1, 2015

    I’m in the process of attempting to set up an IBDP. SCCM 2012 R2 is fully stood up in my environment. My question is: would I have to set up the primary site server as the IBDP (I hope not) or would I have to set up a new server with the MP and DP? And if I do need to set up a new server with these 2 roles, would I need to set up a boundary group like the internal distribution points?

    • Benoit Lecours
      Posted at 8:40 AM December 2, 2015

      Yes, you need to add a new site server. Use the boundary group to limit your internet clients to your internet facing DP.

  • Zach
    Posted at 9:09 AM November 19, 2015

    I’m not sure what cert to import for my Trusted Root CA in my primary site properties in your last steps. When I click Set I have no options to pick from.
    Great article by the way, just need a little help with this last step.

    • Jeff B.
      Posted at 12:05 PM July 18, 2016

      Ever figure which cert this is supposed to be?

    • Chris
      Posted at 3:13 PM January 9, 2017

      I am in the same boat.

  • Pushkar Singh
    Posted at 11:40 PM October 26, 2015

    Hi Benoit,

    As mentioned in the above guide, we can go for installing a secondary site with MP and DP installed for managing internet clients.

    If I want to have a local SUP for my internet clients then I could not go for installing secondary sites, so in that case should I have one primary site installed for managing internal clients and another for internet clients?

    Please suggest.

    • Benoit Lecours
      Posted at 9:09 AM October 30, 2015

      Hi Pushar,

      I won’t install Secondary or Primary site at all. Just deploy a site server in your DMZ with the SUP role and make sure that all the certificates are issued to the client using the guide.

  • Mike
    Posted at 6:59 AM July 14, 2015

    Thank you for the documentation. My question is: how does the client on the internet get the SCCM client installed if they are not connected to VPN?

  • Mike Givens
    Posted at 8:47 AM July 13, 2015

    First of all, I want to thank you for your blog; your documentation is very thorough. My question is how the internet-based clients connect to the internet MP in order to get the client installed. For example, do they connect via VPN? Please advise, thanks.

    • Benoit Lecours
      Posted at 9:30 AM July 13, 2015

      As described in section 1.8, Client installation, the client must be installed on your network before it can go on the internet.
      You can install your clients when the machines are on the VPN without problem as long as the VPN IP range is in the site assignment boundary.

  • Snoopy
    Posted at 7:39 PM July 7, 2015

    Hi Ben,

    Thanks a lot, can’t thank you enough for this awesome guide, and thank you once again for taking time off to put this article down here.

  • David
    Posted at 7:40 PM January 6, 2015

    Thanks for the article Benoit, might be worth while specifying “In the Duplicate Template dialog box, ensure that Windows 2003 Server, Enterprise Edition is selected, and then click OK. Do not select Windows 2008 Server, Enterprise Edition.” when going through how to create the remaining templates as they all need to be Windows 2003 Server.
    Cheers,
    David

    • Benoit Lecours
      Posted at 10:02 AM January 7, 2015

      Excellent point, thanks for pointing that out.

  • ravinder
    Posted at 12:22 PM July 2, 2014

    It’s a wonderful link really! Great info. Can you also help me in conveying the requirement to the CA admin? We have an internal CA authority, not public SSL. Will that work?

    • Benoit Lecours
      Posted at 5:04 PM July 2, 2014

      I’m not sure I understand your question. The certificate used in the procedure is from a CA authority, not from a public provider.

      • ravinder
        Posted at 7:30 AM July 3, 2014

        Got you. I am a little confused on whether SUP should be installed with MP and DP on the DMZ site system. We do not have any special requirement, we just want internet machines to be able to get patches.
        Also from a ports perspective, I have listed the following requirements:

        The following ports need to be opened in the firewall between the work network and the DMZ:
        DMZ Site Server to DB – 1433 (bi-directional)
        DMZ Site Server to Primary Site Server – TCP 445 (bi-directional)
        Primary to DMZ Site Server RPC Endpoint mapper – 135 (UDP & TCP) (bi-directional)
        DMZ Site Server to SUP – 80 & 443 TCP
        Primary to DMZ Site Server – RPC dynamic TCP ports
        Primary to DMZ Site Server RDP – TCP 3389 uni-directional
        Allowed traffic from the internet to communicate with DP/MP/SUP (443 bi-directional)
        Active Directory and Certificate Services ports required for communicating with the DMZ server, and DNS ports as per company DMZ policy

        Am I missing something?

      • ravinder
        Posted at 7:42 AM July 3, 2014

        Another good point raised by someone in a blog is about the requirement of the root certificate/root certificate chain for IBCM.

  • selimatmaca
    Posted at 7:41 PM May 11, 2014

    Hi Benoit,
    You might remember me! I asked a question on Technet Forums about PKI and you suggested to read your article.

    http://social.technet.microsoft.com/Forums/en-US/171988f6-52db-45ae-b769-325010515f0e/internet-based-client-communication-can-not-be-established?forum=configmanagerdeployment

    After reading this article I figured out that I had only chosen to allow intranet communication. After changing it to Intranet and Internet, it started working from the Internet too. 🙂 Thanks a million for this great article.

  • Bogdan
    Posted at 9:41 AM March 20, 2014

    Hello guys, awesome tutorial, thank you.

    I have a question: do these steps also apply to an untrusted forest infrastructure?

    I’m trying to install the SCCM client and I receive the following error:

    “Failed to receive ccm message response. Status code = 403;
    GetDPLocations failed with error 0x80004005;
    Failed to get DP locations as the expected version from MP ‘https://SCCMServer. Error 0x80004005”

    Any thoughts?

    Regards.

    • Benoit Lecours
      Posted at 6:53 PM May 14, 2014

      Hi Bogdan,

      What’s your installation method? What are your installation properties?

      Can you browse your DP using http? http:///sms_mp/.sms_aut?mplist
