IT Consultant Everyday Notes

Just some problems/solutions storage

SCCM 2012: How to manage servers in DMZ

(in progress…)

I decided to figure out how to get DMZ servers managed using SCCM 2012.

  • Draft design: MP, DP and SUP are on the internal network. We are planning to manage servers in the DMZ; the server belongs to a different domain. My first idea was to publish ports 443 and 80 (if necessary) on my reverse proxy and hope it would work. Update: it does not work via the proxy, because a client certificate is used and the proxy (at least TMG) cannot pass it through to the MP on the intranet. So I need to either configure the firewall to allow TCP 443 from the server in the DMZ to the MP on the intranet, or (less secure) create a server publishing rule on TMG that keeps the source IP unchanged and add a static route on the MP so that return traffic to the DMZ server goes via TMG rather than the default gateway (if TMG is not the default gateway, of course).
  • I added a dedicated MP/DP to the intranet and configured both of them to answer intranet and Internet requests. Important: add the Internet name during installation; there is no way to add it later.
  • The server names for Internet and intranet are different, so I have to add a SAN to the certificates.
  • Certificates:
      Site settings: As per the Microsoft documentation, I need to set the site to serve both HTTP and HTTPS and add the CA root certificate to the site (in Site Properties). I am using a two-level CA in a different forest, so I added both the Root CA and the Issuing CA certificates.
      image
      MP certificate: It must be a certificate with the “Client Authentication” EKU. I created a duplicate of the “Workstation” template with an exportable private key and issued a certificate with the server's Internet name as the CN and its intranet name as a SAN.
      image
      ConfigMgr Web certificate: I created a duplicate of the “Web Server” template with an exportable private key and issued a certificate with the Internet name as the CN and the intranet name as a SAN.
      DP certificate: This is a “Client Authentication” certificate again, so I decided to try using the same one I used for the MP.
  • Firewall: open TCP 80 and 443 from the server in the DMZ to the SCCM servers.
  • Add the Internet names to the hosts file on the managed nodes (for testing; I plan to move the names to the DMZ DNS later).
  • Install the SCCM client on a managed machine using: ccmsetup /usePKICert /NOCRLCheck /mp:https://SCCM.internet.com SMSSITECODE=TOR CCMHOSTNAME=SCCM.internet.com (where SCCM.internet.com is the Internet name of the MP/DP designated for DMZ management).
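The steps above (name resolution via the hosts file, firewall ports, a client-authentication certificate, CRL reachability) are all things the client install silently depends on. The following PowerShell is an added example, not code from the original post: it checks each prerequisite on the DMZ server and only then runs ccmsetup with the same parameters as the command line above. SCCM.internet.com and the site code TOR are taken from the post; the ccmsetup path is an assumption.

```powershell
# Added example (not from the original post): pre-flight checks on the DMZ server,
# then the ccmsetup call with the parameters used in the post.
# SCCM.internet.com and site code TOR come from the post; the ccmsetup path is assumed.
$MpInternetName = 'SCCM.internet.com'
$SiteCode       = 'TOR'
$CcmSetupPath   = 'C:\Temp\ccmsetup.exe'   # assumed: copied over from the site server

function Test-TcpPort {
    # Plain TCP connect with a timeout, so it works without Test-NetConnection.
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Get-ClientAuthCertificate {
    # /usePKICert needs a machine certificate in LocalMachine\My that has a private key
    # and the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    }
}

function Get-CrlUrls {
    # Extract the HTTP URLs from the CRL Distribution Points extension (OID 2.5.29.31).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'https?://[^\s\]\)]+') | ForEach-Object { $_.Value }
}

function Test-DmzSccmPrereqs {
    param([string]$MpName = $MpInternetName)
    $ok = $true

    # 1. Name resolution: the post puts the Internet name into the hosts file for now.
    try {
        $ip = ([System.Net.Dns]::GetHostAddresses($MpName) | Select-Object -First 1).IPAddressToString
        Write-Host "OK   $MpName resolves to $ip"
    } catch {
        Write-Warning "FAIL $MpName does not resolve (hosts file / DMZ DNS entry missing?)"
        $ok = $false
    }

    # 2. Firewall: TCP 443 (and 80) from the DMZ server to the MP/DP.
    foreach ($port in 443, 80) {
        if (Test-TcpPort -HostName $MpName -Port $port) { Write-Host "OK   TCP $port to $MpName" }
        else { Write-Warning "FAIL TCP $port to $MpName blocked"; if ($port -eq 443) { $ok = $false } }
    }

    # 3. Client certificate present and valid?
    $cert = Get-ClientAuthCertificate | Sort-Object NotAfter -Descending | Select-Object -First 1
    if ($cert) {
        Write-Host "OK   client cert $($cert.Subject) (thumbprint $($cert.Thumbprint))"
        # 4. CRL reachability: if no CDP URL answers, either publish the CRL where the
        #    DMZ can fetch it or accept that /NOCRLCheck stays, as in the post.
        foreach ($url in Get-CrlUrls -Cert $cert) {
            try {
                $null = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 5
                Write-Host "OK   CRL reachable: $url"
            } catch { Write-Warning "WARN CRL not reachable: $url" }
        }
    } else {
        Write-Warning 'FAIL no valid Client Authentication certificate in LocalMachine\My'
        $ok = $false
    }
    return $ok
}

function Install-DmzSccmClient {
    param([bool]$SkipCrlCheck = $true)
    # Same parameters as the post's command line. /NOCRLCheck is only justified
    # while the CRL really is unreachable from the DMZ.
    $setupArgs = @('/usePKICert', "/mp:https://$MpInternetName",
                   "SMSSITECODE=$SiteCode", "CCMHOSTNAME=$MpInternetName")
    if ($SkipCrlCheck) { $setupArgs += '/NOCRLCheck' }
    Write-Host "Running: $CcmSetupPath $($setupArgs -join ' ')"
    & $CcmSetupPath @setupArgs
}

if (Test-DmzSccmPrereqs) { Install-DmzSccmClient }
else { Write-Warning 'Fix the failed checks before installing the client.' }
```

Run it from an elevated prompt on the DMZ server; the certificate and CRL checks read the machine store, and ccmsetup needs administrative rights anyway. If the CRL warning fires, that is exactly the situation note 3 below describes.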

 

Notes:

1. It is better to install IIS and assign the ConfigMgr Web certificate to the Default Web Site before installing the MP and DP.

2. After I installed the MP it should have picked up the proper certificate from the local store. It did, but for some reason setup could not verify the connection to the new MP. It failed with the error: Failed to send http request /SMS_MP/.sms_aut?MPLIST. Error 12175. I tried restarting the SMS services, but that did not help. Rebooting the new server fixed the issue.

3. Ideally you should have the CRL available to clients. If that is not the case and you do not want to fix it, disable the CRL check:

image

Finally the Client connected to SCCM:

image

4. Updates: the client should receive both update locations (the Windows Update site and the SP).

image

BITS tries the Microsoft site first (it fails, since my DMZ systems have no Internet access):

DataTransferService.log:

CDTSJob::HandleErrors: DTS Job ‘{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}’ BITS Job ‘{AA69D14E-270B-4EF2-BA03-D91288D37D95}’ under user ‘S-1-5-18’ OldErrorCount 2440 NewErrorCount 2441 ErrorCode 0x80072EFD

CDTSJob::HandleErrors: DTS Job ID='{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}’ URL=’http://download.windowsupdate.com:80/msdownload/update/software/secu/2012/04′ ProtType=1

and it switches to a Distribution point after that:

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} switched to location ‘https://sccm.lab.<my domain here>:443/SMS_DP_SMSPKG$/0257c940-6d4b-4278-9b5e-a6d88c06e10f’.

<……>

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} in state ‘RetrievedData’.

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} successfully completed download.

DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} in state ‘NotifiedComplete’.

DTS job {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} has completed:
    Status : SUCCESS
    Start time : 08/28/2012 19:53:27
    Completion time : 08/30/2012 16:17:53
    Elapsed time : 92 seconds
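The log excerpt above is the pattern to look for when a DMZ client cannot reach Windows Update: repeated BITS errors against the Microsoft URL, then a switch to the DP and a successful download. The PowerShell below is an added example, not code from the post: it summarises DataTransferService.log per DTS job so that "failed at the Internet URL, fell back to the DP, completed" can be seen at a glance. The sample lines are constructed from the ones quoted above (same GUIDs; the DP host name is a placeholder), and the log path is the standard client log folder.

```powershell
# Added example (not from the original post): per-job summary of DataTransferService.log.
# Sample lines constructed from the excerpt in the post; the DP host name is a placeholder.
$SampleLog = @'
CDTSJob::HandleErrors: DTS Job '{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}' BITS Job '{AA69D14E-270B-4EF2-BA03-D91288D37D95}' under user 'S-1-5-18' OldErrorCount 2440 NewErrorCount 2441 ErrorCode 0x80072EFD
CDTSJob::HandleErrors: DTS Job ID='{2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5}' URL='http://download.windowsupdate.com:80/msdownload/update/software/secu/2012/04' ProtType=1
DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} switched to location 'https://sccm.lab.example.com:443/SMS_DP_SMSPKG$/0257c940-6d4b-4278-9b5e-a6d88c06e10f'.
DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} in state 'RetrievedData'.
DTSJob {2EBD230D-F8D9-40E3-9FBF-F1A7C8AACCD5} successfully completed download.
'@ -split "`r?`n"

# WinHTTP/WinINet error codes seen in this context (HRESULT 0x8007xxxx = Win32 error xxxx).
$KnownErrors = @{
    '0x80072EFD' = 'ERROR_INTERNET_CANNOT_CONNECT (12029)'     # no route or proxy to the URL
    '0x80072EE7' = 'ERROR_INTERNET_NAME_NOT_RESOLVED (12007)'  # DNS failure
    '0x80072F8F' = 'ERROR_WINHTTP_SECURE_FAILURE (12175)'      # TLS / certificate problem
}

function Get-DtsJobSummary {
    param([string[]]$Lines)
    $jobs = @{}
    foreach ($raw in $Lines) {
        # Real entries are wrapped as <![LOG[...]LOG]!><time=...>; strip that if present.
        $line = $raw -replace '^<!\[LOG\[(.*)\]LOG\]!>.*$', '$1'
        # The first GUID after "DTS Job"/"DTSJob" is the DTS job id (the BITS job id comes later).
        if ($line -notmatch 'DTS ?[Jj]ob.*?\{([0-9A-Fa-f-]{36})\}') { continue }
        $id = $Matches[1].ToUpper()
        if (-not $jobs.ContainsKey($id)) {
            $jobs[$id] = [pscustomobject]@{
                JobId = $id; ErrorCount = 0; LastError = $null; LastErrorName = $null
                FailedUrl = $null; FallbackLocation = $null; Completed = $false
            }
        }
        $j = $jobs[$id]
        if ($line -match 'NewErrorCount (\d+) ErrorCode (0x[0-9A-Fa-f]+)') {
            $j.ErrorCount    = [int]$Matches[1]
            $j.LastError     = $Matches[2]
            $j.LastErrorName = $KnownErrors[$Matches[2]]   # hashtable lookup is case-insensitive
        }
        # The post's excerpt uses curly quotes; real logs use straight ones, so accept both.
        if ($line -match "URL=['’](https?://[^'’\s]+)") { $j.FailedUrl = $Matches[1] }
        if ($line -match "switched to location ['’](https?://[^'’\s]+)") { $j.FallbackLocation = $Matches[1] }
        if ($line -match 'successfully completed download') { $j.Completed = $true }
    }
    $jobs.Values
}

function Get-DtsJobVerdict {
    param($Job)
    if ($Job.Completed -and $Job.FallbackLocation) { return 'completed after falling back to the DP' }
    if ($Job.Completed)                             { return 'completed' }
    if ($Job.ErrorCount -gt 0)                      { return "still failing ($($Job.LastErrorName))" }
    return 'in progress'
}

# Usage with the constructed sample; swap in the real log on a client (assumed standard path):
#   $lines = Get-Content "$env:windir\CCM\Logs\DataTransferService.log"
foreach ($job in Get-DtsJobSummary -Lines $SampleLog) {
    "{0}: {1}`n  errors: {2} (last {3} {4})`n  failed URL: {5}`n  fallback: {6}" -f $job.JobId,
        (Get-DtsJobVerdict $job), $job.ErrorCount, $job.LastError, $job.LastErrorName,
        $job.FailedUrl, $job.FallbackLocation
}
```

A job that shows thousands of errors against download.windowsupdate.com but no fallback location is the case to chase: either the DMZ client has no DP location for that package, or the DP's HTTPS certificate is the problem (0x80072F8F rather than 0x80072EFD).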


7 responses to “SCCM 2012: How to manage servers in DMZ”

  1. Justin Coffi January 16, 2013 at 2:47 pm

    Thank you. This was immensely helpful.

  2. Jesse April 23, 2013 at 11:16 am

    How did you install a certificate on your DMZ system? Our DMZ systems are blocked from our PKI systems, obviously so I’m curious how you got around that?

    • alex416 April 23, 2013 at 6:22 pm

      You can either
      1. prepare a request on your DMZ server using certutil tool and copy it to CA
      2. Issue the certificate on your CA
      3. copy generated certificate back to the DMZ server and accept it using certutil
      or
      1. Request the certificate using the web interface from one of your internal machines (be sure to request it with an exportable private key).
      2. Export certificate with private key from that machine to a file and copy the file to the DMZ server (it is normally .PFX file)
      3. Import the certificate to the local machine store on DMZ server.
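The first method in the reply above (create the request on the DMZ server, issue it on the CA, copy the result back and accept it) keeps the private key on the DMZ box, which is why it is the preferable one. The PowerShell below is an added example, not code from the post or the comment; it walks through that method with certreq, the Windows tool that builds and accepts requests (the reply mentions certutil), and produces a certificate with the Internet name as CN and the intranet name as SAN, the naming the post uses for its MP/DP certificates. The host names, CA configuration string and template name are placeholders.

```powershell
# Added example (not from the post or the comment): offline enrollment of a DMZ server's
# Client Authentication certificate with certreq. All names below are placeholders.
$InternetName = 'dmz01.internet.example'                  # CN, as in the post's cert layout
$IntranetName = 'dmz01.corp.example'                      # second name, carried as a SAN
$CaConfig     = 'issuingca.corp.example\Corp Issuing CA'  # "host\CA name" for certreq -submit
$TemplateName = 'DmzClientAuth'                           # the duplicated Workstation template
$WorkDir      = Join-Path $env:TEMP 'dmzcert'

# certreq INF: machine key, exportable (as in the post's templates), Client Authentication EKU,
# and a SAN extension (OID 2.5.29.17) listing both names.
$Inf = @"
[NewRequest]
Subject = "CN=$InternetName"
KeyLength = 2048
KeySpec = 1                 ; AT_KEYEXCHANGE, required for TLS
KeyUsage = 0xA0             ; Digital Signature, Key Encipherment
Exportable = TRUE           ; matches the post's templates
MachineKeySet = TRUE        ; key in the machine store, where the ConfigMgr client looks
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2     ; Client Authentication, the EKU the MP/DP require

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$InternetName&"
_continue_ = "dns=$IntranetName"

[RequestAttributes]
CertificateTemplate = $TemplateName   ; omit this section for a standalone CA
"@

function New-DmzClientCertRequest {
    # Step 1 (DMZ server): write the INF and generate the CSR. The private key is created
    # here in LocalMachine and never leaves the server; only the .req file is copied out.
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $infPath = Join-Path $WorkDir 'client.inf'
    $csrPath = Join-Path $WorkDir 'client.req'
    Set-Content -Path $infPath -Value $Inf -Encoding ASCII
    & certreq.exe -new $infPath $csrPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    return $csrPath
}

function Submit-DmzClientCertRequest {
    # Step 2 (internal machine that can reach the CA): submit the CSR and save the issued cert.
    # The CA web interface or certutil, as the comment describes, does the same job.
    param([string]$CsrPath, [string]$CerPath)
    & certreq.exe -submit -config $CaConfig $CsrPath $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed with exit code $LASTEXITCODE" }
    return $CerPath
}

function Complete-DmzClientCert {
    # Step 3 (DMZ server, elevated): bind the issued cert to the pending private key, then
    # verify it landed in LocalMachine\My with the key and the right EKU. The DMZ server
    # also needs the Root and Issuing CA certs to build the chain, e.g.
    #   certutil -addstore Root root.cer ; certutil -addstore CA issuing.cer
    param([string]$CerPath)
    & certreq.exe -accept $CerPath
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.Subject -eq "CN=$InternetName" -and $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' })
    } | Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw 'certificate accepted but not found with a private key and Client Authentication EKU' }
    $cert
}

# Usage (each step on the machine named in its comment):
#   $csr  = New-DmzClientCertRequest
#   $cer  = Submit-DmzClientCertRequest -CsrPath $csr -CerPath (Join-Path $WorkDir 'client.cer')
#   $cert = Complete-DmzClientCert -CerPath $cer
#   $cert | Format-List Subject, DnsNameList, NotAfter, Thumbprint
```

The second method in the reply (request on an internal machine, export as .PFX, import on the DMZ server) works too, but the private key then travels in a file and has to be protected and deleted afterwards; with the CSR route there is nothing secret to copy.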

  3. filip June 27, 2013 at 3:45 am

    Hi,

    What should one do if the DMZ server doesn't have an Internet name?
    The server is on an internal DMZ that different servers from different domains connect to (shared KMS).

    Thanks!

    Filip

    • alex416 July 2, 2013 at 8:46 am

      Hi Filip.

      SCCM can manage servers from different forests. Since it uses pull technology (the SCCM client connects to the server and pulls policies and content), the DMZ server name is not critically important; it should be able to resolve the SCCM Management Point and Distribution Point names, though.

      -Alex

  4. Ravindra Pawar September 2, 2014 at 6:09 am

    hi,

    Can you please share more documents on this with me?
