Before you install System Center 2012 Configuration Manager, plan for the network communications between different sites in a hierarchy, between different site system servers in a site, and between clients and site system servers. These communications might be contained in a single domain, or they might span multiple Active Directory forests. You might also have to plan for communications to manage clients on the Internet.

Use the following sections in this topic to help you plan for communications in Configuration Manager.

What’s New in Configuration Manager

What’s New in Configuration Manager SP1

Planning for Intersite Communications in Configuration Manager

In a Configuration Manager hierarchy, each site communicates with its parent site and its direct child sites by using two data transfer methods: file-based replication and database replication. Secondary sites not only communicate to their parent primary sites by using both data transfer methods, but can also communicate with other secondary sites by using file-based replication to route content to remote network locations.

Configuration Manager uses file-based replication and database replication to transfer different types of information between sites.

File-Based Replication

Configuration Manager uses file-based replication to transfer file-based data between sites in your hierarchy. This data includes content such as applications and packages that you want to deploy to distribution points in child sites, and unprocessed discovery data records that are transferred to parent sites where they are processed.

File-based communication between sites uses the Server Message Block (SMB) protocol by using TCP/IP port 445. You can specify configurations that include bandwidth throttling and pulse mode to control the amount of data transferred across the network, and schedules to control when to send data across the network.

With Configuration Manager SP1, addresses are renamed to file replication routes to bring consistency with database replication. Prior to SP1, Configuration Manager uses an address to connect to the SMS_SITE share on the destination site server to transfer file-based data. Beginning with SP1, Configuration Manager uses a file replication route. File replication routes and addresses operate the same way, and support the same configurations.

The following sections are written for service pack 1 and reference file replication routes instead of addresses. If you use Configuration Manager without a service pack, use the information in the following table to convert the references to file replication routes back to the related reference for addresses.

Configuration Manager with SP1 Configuration Manager without service pack

File Replication Account

Site Address Account

File replication route

Address

File Replication node in the Configuration Manager console

Addresses node in the Configuration Manager console

File Replication Routes

Database Replication

Configuration Manager database replication uses SQL Server to transfer data and merge changes that are made in a site database with the information stored in the database at other sites in the hierarchy. This enables all sites to share the same information. Database replication is automatically configured by all Configuration Manager sites. When you install a site in a hierarchy, database replication automatically configures between the new site and its designated parent site. When the site installation finishes, database replication automatically starts.

When you install a new site in a hierarchy, Configuration Manager creates a generic database at the new site. Next, the parent site creates a snapshot of the relevant data in its database and transfers that snapshot to the new site by file-based replication. The new site then uses a SQL Server bulk copy program (BCP) to load the information into its local copy of the Configuration Manager database. After the snapshot loads, each site conducts database replication with the other site.

To replicate data between sites, Configuration Manager uses its own database replication service. The database replication service uses SQL Server change tracking to monitor the local site database for changes, and then replicates those changes to other sites by using a SQL Server Service Broker. By default, this process uses the TCP/IP port 4022.

Configuration Manager groups data that replicates by database replication into different replication groups. Each replication group has a separate, fixed replication schedule that determines how frequently changes to the data in the group is replicated to other sites. For example, a configuration change to a role-based administration configuration replicates quickly to other sites to ensure that these changes are enforced as soon as possible. Meanwhile a lower priority configuration change, such as a request to install a new secondary site, replicates with less urgency and takes several minutes for the new site request to reach the destination primary site.

Note
Configuration Manager database replication is configured automatically and does not support configuration of replication groups or replication schedules. However, with Configuration Manager SP1, you can configure database replication links to control when specific traffic traverses the network. You can also configure when Configuration Manager raises alerts about replication links that have a status of degraded or failed.

Configuration Manager classifies the data that it replicates by database replication as either global data or site data. When database replication occurs, changes to global data and site data are transferred across the database replication link. Global data can replicate to both a parent or child site, and site replicates only to a parent site. A third data type that is named local data, does not replicate to other sites. Local data includes information that is not required by other sites:

  • Global Data: Global data refers to administrator-created objects that replicate to all sites throughout the hierarchy, although secondary sites receive only a subset of global data, as global proxy data. Examples of global data include software deployments, software updates, collection definitions, and role-based administration security scopes. Administrators can create global data at central administration sites and primary sites.

  • Site Data: Site data refers to operational information that Configuration Manager primary sites and the clients that report to primary sites create. Site data replicates to the central administration site but not to other primary sites. Examples of site data include hardware inventory data, status messages, alerts, and the results from query-based collections. Site data is only viewable at the central administration site and the primary site where the data originates. Site data can be modified only at the primary site where it was created.

    All site data replicates to the central administration site; therefore the central administration site can perform administration and reporting for the whole hierarchy.

Use the information in the following sections to plan for using the controls that are available with Configuration Manager SP1 to configure database replication links between sites, and to configure controls on each site database. These controls can help you control and monitor the network traffic that database replication creates.

Database Replication Links

When you install a new site in a hierarchy, Configuration Manager automatically creates a database replication link between the two sites. A single link is created to connect the new site to the parent site.

With Configuration Manager SP1, each database replication link supports configurations to help control the transfer of data across the replication link. Each replication link supports separate configurations. The controls for database replication links include the following:

  • Use distributed views to stop the replication of selected site data from a primary site to the central administration site, and enable the central administration site to directly access this data from the database of the primary site.

  • Schedule when selected site data transfers from a child primary site to the central administration site.

  • Define the settings that determine when a database replication link is in a degraded status or has failed.

  • Configure when to raise alerts for a failed replication link.

  • Specify how frequently Configuration Manager summarizes data about the replication traffic that uses the replication link. This data is used in reports.

To configure a database replication link, you edit the properties for the link in the Configuration Manager console from the Database Replication node. This node appears in the Monitoring workspace, and with Configuration Manager SP1, this node also appears under the Hierarchy Configuration node in the Administration workspace. You can edit a replication link from either the parent site or the child site of the replication link.

Tip
You can edit database replication links from the Database Replication node in either workspace. However, when you use the Database Replication node in the Monitoring workspace you can also view the status of database replication for replication links, and access the Replication Link Analyzer tool to help you investigate problems with database replication.

For information about how to configure replication links with Configuration Manager SP1, see Site Database Replication Controls. For more information about how to monitor replication, see the How to Monitor Database Replication Links and Replication Status section in the Monitor Configuration Manager Sites and Hierarchy topic.

Use the information in the following sections to plan for database replication links.

Planning to use Distributed Views

Plan to Schedule Transfers of Site Data on Database Replication Links

Plan for Summarization of Database Replication Traffic

Plan for Database Replication Thresholds

Site Database Replication Controls

For Configuration Manager SP1 only:

Each site database supports configurations that can help you control the network bandwidth used for database replication. These configurations apply only to the site database where you configure the settings, and are always used when the site replicates any data by database replication to any other site.

Replication controls for each site database include the following:

  • Change the port that Configuration Manager uses for the SQL Server Service Broker.

  • Configure the period of time to wait before replication failures trigger the site to reinitializes its copy of the site database.

  • Configure a site database to compress the data that it replicates by database replication. The data is compressed only for transfer between sites, and not for storage in the site database at either site.

To configure the replication controls for a site database, you edit the properties of the site database in the Configuration Manager console from the Database Replication node. This node appears under the Hierarchy Configuration node in the Administration workspace, and also appears in the Monitoring workspace. To edit the properties of the site database, select the replication link between the sites, and then open either the Parent Database Properties or Child Database Properties.

Tip
You can configure database replication controls from the Database Replication node in either workspace. However, when you use the Database Replication node in the Monitoring workspace you can also view the status of database replication for a replication link, and access the Replication Link Analyzer tool to help you investigate problems with replication.

For more information about how to configure database replication controls, see Configure Database Replication Controls. For more information about how to monitor replication, see Monitor Site Database Replication.

Planning for Intrasite Communications in Configuration Manager

Each Configuration Manager site contains a site server and can have one or more additional site system servers that host site system roles. Configuration Manager requires each site system server to be a member of an Active Directory domain. Configuration Manager does not support a change of the computer name or the domain membership while the computer remains a site system.

When Configuration Manager site systems or components communicate across the network to other site systems or Configuration Manager components in the site, they use either server message block (SMB), HTTP, or HTTPS. The communication method depends on how you choose to configure the site. With the exception of communication from the site server to a distribution point, these server-to-server communications in a site can occur at any time and do not use mechanisms to control the network bandwidth. Because you cannot control the communication between site systems, ensure that you install site system servers in locations that have well connected and fast networks.

You can use the following options to help you manage the transfer of content from the site server to distribution points:

  • Configure the distribution point for network bandwidth control and scheduling. These controls resemble the configurations used by intersite addresses, and you can often use this configuration instead of installing another Configuration Manager site when the transfer of content to remote network locations is your main bandwidth consideration.

  • You can install a distribution point as a prestaged distribution point. A prestaged distribution point lets you use content that is manually put on the distribution point server and removes the requirement to transfer content files across the network.

For more information about network bandwidth considerations, see Network Bandwidth Considerations for Distribution Points in Planning for Content Management in Configuration Manager.

Planning for Client Communication in Configuration Manager

Client communication in Configuration Manager includes client-to-site-system communications and service location inquiries. By using service location inquiries, Configuration Manager clients can identify the site system servers to use.

Use the information in the following sections to plan for communications by Windows-based clients.

In Configuration Manager SP1, you can manage clients that run Linux and UNIX. Clients that run Linux and UNIX operate as clients in workgroups. For information about supporting computers that are in workgroups, see the Planning for Communications Across Forests in Configuration Manager in this topic. For additional information about communication for clients that run Linux and UNIX, see the Planning for Communication across Forest Trusts for Linux and UNIX Servers section in the Planning for Client Deployment for Linux and UNIX Servers topic.

Planning for Client Communication to Site Systems

Planning for Client Approval

Planning for Service Location by Clients

Planning How to Wake Up Clients

Planning for Communications Across Forests in Configuration Manager

System Center 2012 Configuration Manager supports sites and hierarchies that span Active Directory forests.

Configuration Manager also supports domain computers that are not in the same Active Directory forest as the site server, and computers that are in workgroups:

  • To support domain computers in a forest that is not trusted by your site server’s forest, you can install site system roles in that untrusted forest, with the option to publish site information to the client’s Active Directory forest. Or, you can manage these computers as if they are workgroup computers. When you install site system servers in the client’s forest, the client-to-server communication is kept within the client’s forest and Configuration Manager can authenticate the computer by using Kerberos. When you publish site information to the client’s forest, clients benefit from retrieving site information, such as a list of available management points, from their Active Directory forest rather than downloading this information from their assigned management point.

    Note
    If you want to manage devices that are on the Internet, you can install Internet-based site system roles in your perimeter network when the site system servers are in an Active Directory forest. This scenario does not require a two-way trust between the perimeter network and the site server’s forest.
  • To support computers in a workgroup, you must manually approve these computers if they use HTTP client connections to site system roles because Configuration Manager cannot authenticate these computers by using Kerberos. In addition, you must configure the Network Access Account so that these computers can retrieve content from distribution points. Because these clients cannot retrieve site information from Active Directory Domain Services, you must provide an alternative mechanism for them to find management points. You can use DNS publishing, or WINS, or directly assign a management point.

    For information about client approval and how clients find management points, see the Planning for Client Communication in Configuration Manager section in this topic.

    For information about how to configure the Network Access Account, see the Configure the Network Access Account section in the Configuring Content Management in Configuration Manager topic.

    For information about how to install clients on workgroup computers, see the How to Install Configuration Manager Clients on Workgroup Computers section in the How to Install Clients on Windows-Based Computers in Configuration Manager topic.

Configuration Manager supports the Exchange Server connector in a different forest from the site server. To support this scenario, ensure that name resolution works across the forests (for example, configure DNS forwards), and specify the intranet FQDN of the Exchange Server when you configure the Exchange Server connector. For more information, see How to Manage Mobile Devices by Using the Exchange Server Connector in Configuration Manager.

When your Configuration Manager design spans multiple Active Directory domains and forests, use the additional information in the following table to help you plan for the following types of communication.

Scenario Details More information

Communication between sites in a hierarchy that spans forests:

  • Requires a two-way forest trust, which supports Kerberos authentication that Configuration Manager requires.

Configuration Manager supports installing a child site in a remote forest that has the required two-way trust with the forest of the parent site. For example: You can place a secondary site in a different forest from its primary parent site so long as the required trust exists. If you do not have a two-way forest trust which supports Kerberos authentication, then Configuration Manager does not support the child site in the remote forest.

Note
A child site can be primary site (where the central administration site is the parent site), or a secondary site.

Intersite communication in Configuration Manager uses database replication and file-based transfers. When you install a site, you must specify an account to install the site on the designated server. This account also establishes and maintains communication between sites.

After the site successfully installs and initiates file-based transfers and database replication, you do not have to configure anything else for communication to the site.

For more information about how to install a site, see the Install a Site Server section in the Install Sites and Create a Hierarchy for Configuration Manager topic.

When a two-way forest trust exists, Configuration Manager does not require any additional configuration steps.

By default, when you install a new site as a child of another site, Configuration Manager configures the following:

  • An intersite file-based replication address at each site that uses the site server computer account. Configuration Manager adds the computer account of each computer to the SMS_SiteToSiteConnection_<sitecode> group on the destination computer.

  • Database replication between the SQL Server at each site.

The following configurations must also be set:

  • Intervening firewalls and network devices must allow the network packets that Configuration Manager requires.

  • Name resolution must work between the forests.

  • To install a site or site system role, you must specify an account that has local administrator permissions on the specified computer.

Communication in a site that spans forests:

  • Does not require a two-way forest trust.

To support clients primary sites support the installation of each site system role on computers in other forests.

Note
Two exceptions are the out of band service point and the Application Catalog web service point. Each must be installed in the same forest as the site server.

When the site system role accepts connections from the Internet, as a security best practice, install these site system roles in an untrusted forest (for example, in a perimeter network) so that the forest boundary provides protection for the site server.

When you specify a computer to be a site system server, you must specify the Site System Installation Account. This account must have local administrative credentials to connect to, and then install site system roles on the specified computer.

When you install a site system role in an untrusted forest, you must select the site system option Require the site server to initiate connections to this site system. This configuration enables the site server to establish connections to the site system server to transfer data. This prevents the site system server that is in the untrusted location from initiating contact with the site server that is inside your trusted network. These connections use the Site System Installation Account that you use to install the site system server.

The management point and enrollment point site system roles connect to the site database. By default, when these site system roles are installed, Configuration Manager configures the computer account of the new site system server as the connection account and adds the account to the appropriate SQL Server database role. When you install these site system roles in an untrusted domain, you must configure the site system role connection account to enable the site system role to obtain information from the database.

If you configure a domain user account for these connection accounts, ensure that the account has appropriate access to the SQL Server database at that site:

  • Management point: Management Point Database Connection Account

  • Enrollment point: Enrollment Point Connection Account

Consider the following additional information when you plan for site system roles in other forests:

  • If you run a Windows Firewall, configure the applicable firewall profiles to pass communications between the site database server and computers that are installed with remote site system roles. For information about firewall profiles, see Understanding Firewall Profiles.

  • When the Internet-based management point trusts the forest that contains the user accounts, user policies are supported. When no trust exists, only computer policies are supported.

Communication between clients and site system roles when the clients are not in the same Active Directory forest as their site server.

Configuration Manager supports the following scenarios for clients that are not in the same forest as their site’s site server:

  • There is a two-way forest trust between the forest of the client and the forest of the site server

  • The site system role server is located in the same forest as the client

  • The client is on a domain computer that does not have a two-way forest trust with the site server and site system roles are not installed in the client's forest

  • The client is on a workgroup computer

Note
Configuration Manager cannot manage AMT-based computers out of band when these computers are in a different forest from the site server.

Clients on a domain computer can use Active Directory Domain Services for service location when their site is published to their Active Directory Forest.

To publish site information to another Active Directory forest, you must first specify the forest and then enable publishing to that forest in the Active Directory Forests node of the Administration workspace. Additionally, you must enable each site to publish its data to Active Directory Domain Services. This configuration enables clients in that forest to retrieve site information and find management points. For clients that cannot use Active Directory Domain Services for service location, you can use DNS, WINS, or the client’s assigned management point.

Planning for Internet-Based Client Management

Internet-based client management lets you manage Configuration Manager clients when they are not connected to your company network but have a standard Internet connection. This arrangement has several advantages that include the reduced costs of not having to run virtual private networks (VPNs) and being able to deploy software updates in a timelier manner.

Because of the higher security requirements of managing client computers on a public network, Internet-based client management requires that clients and the site system servers that the clients connect to use PKI certificates. This ensures that connections are authenticated by an independent authority, and that data to and from these site systems are encrypted by using Secure Sockets Layer (SSL).

Use the following sections to help you plan for Internet-based client management.

Features that Are Not Supported on the Internet

Not all client management functionality is appropriate for the Internet; therefore they are not supported when clients are managed on the Internet. The features that are not supported for Internet management typically rely on Active Directory Domain Services or are not appropriate for a public network, such as network discovery and Wake-on-LAN (WOL).

The following features are not supported when clients are managed on the Internet:

  • Client deployment over the Internet, such as client push and software update-based client deployment. Instead, use manual client installation.

  • Automatic site assignment.

  • Network Access Protection (NAP).

  • Wake-on-LAN.

  • Operating system deployment. However, you can deploy task sequences that do not deploy an operating system; for example, task sequences that run scripts and maintenance tasks on clients.

  • Remote control.

  • Out of band management.

  • Software deployment to users unless the Internet-based management point can authenticate the user in Active Directory Domain Services by using Windows authentication (Kerberos or NTLM). This is possible when the Internet-based management point trusts the forest where the user account resides.

Additionally, Internet-based client management does not support roaming. Roaming enables clients to always find the closest distribution points to download content. Clients that are managed on the Internet communicate with site systems from their assigned site when these site systems are configured to use an Internet FQDN and the site system roles allow client connections from the Internet. Clients non-deterministically select one of the Internet-based site systems, regardless of bandwidth or physical location.

Note
New in System Center 2012 Configuration Manager, when you have a software update point that is configured to accept connections from the Internet, Configuration Manager Internet-based clients on the Internet always scan against this software update point, to determine which software updates are required. However, when these clients are on the Internet, they first try to download the software updates from Microsoft Update, rather than from an Internet-based distribution point. Only if this fails, will they then try to download the required software updates from an Internet-based distribution point. Clients that are not configured for Internet-based client management never try to download the software updates from Microsoft Update, but always use Configuration Manager distribution points.

Planning for Internet-Based Site Systems

The following site system roles in a primary site support client connections from the Internet:

  • Management point

  • Distribution point

  • Fallback status point

  • Software update point (with and without a network load balancing cluster)

  • Application Catalog website point

  • Enrollment proxy point

Secondary sites do not support client connections from the Internet.

All site systems must reside in an Active Directory domain. However, you can install site systems for Internet-based client management in an untrusted forest. This scenario might be appropriate for a perimeter network that requires high security. Although there is no requirement to have a trust between the two forests, when the forest that contains the Internet–based site systems trusts the forest that contains the user accounts, this configuration supports user-based policies for devices on the Internet when you enable the Client Policy client setting Enable user policy requests from Internet clients. For example, the following configurations illustrate when Internet-based client management supports user policies for devices on the Internet:

  • The Internet-based management point is in the perimeter network where a read-only domain controller resides to authenticate the user and an intervening firewall allows Active Directory packets.

  • The user account is in Forest A (the intranet) and the Internet-based management point is in Forest B (the perimeter network). Forest B trusts Forest A, and an intervening firewall allows the authentication packets.

  • The user account and the Internet-based management point are in Forest A (the intranet). The management point is published to the Internet by using a web proxy server.

Note
If Kerberos authentication fails, NTLM authentication is then automatically tried.

As the previous example shows, you can place Internet-based site systems in the intranet when they are published to the Internet by using a web proxy server, such as ISA Server and Forefront Threat Management Gateway. These site systems can be configured for client connection from the Internet only, or client connections from the Internet and intranet. When you use a web proxy server, you can configure it for Secure Sockets Layer (SSL) bridging to SSL (more secure) or SSL tunneling:

  • SSL bridging to SSL:

    The recommended configuration when you use proxy web servers for Internet-based client management is SSL bridging to SSL, which uses SSL termination with authentication. Client computers must be authenticated by using computer authentication, and mobile device legacy clients are authenticated by using user authentication. Mobile devices that are enrolled by Configuration Manager do not support SSL bridging.

    The benefit of SSL termination at the proxy web server is that packets from the Internet are subject to inspection before they are forwarded to the internal network. The proxy web server authenticates the connection from the client, terminates it, and then opens a new authenticated connection to the Internet-based site systems. When Configuration Manager clients use a proxy web server, the client identity (client GUID) is securely contained in the packet payload so that the management point does not consider the proxy web server to be the client. Bridging is not supported in Configuration Manager with HTTP to HTTPS, or from HTTPS to HTTP.

  • Tunneling:

    If your proxy web server cannot support the requirements for SSL bridging, or you want to configure Internet support for mobile devices that are enrolled by Configuration Manager, SSL tunneling is also supported. It is a less secure option because the SSL packets from the Internet are forwarded to the site systems without SSL termination, so they cannot be inspected for malicious content. When you use SSL tunneling, there are no certificate requirements for the proxy web server.

Planning for Internet-Based Clients

You must decide whether the client computers that will be managed over the Internet will be configured for management on the intranet and the Internet, or for Internet-only client management. You can only configure the client management option during the installation of a client computer. If you change your mind later, you must reinstall the client.

Tip
You do not have to restrict the configuration of Internet-only client management to the Internet and you can also use it on the intranet.

Clients that are configured for Internet-only client management only communicate with the site systems that are configured for client connections from the Internet. This configuration would be appropriate for computers that you know never connect to your company intranet, for example, point of sale computers in remote locations. It might also be appropriate when you want to restrict client communication to HTTPS only (for example, to support firewall and restricted security policies), and when you install Internet-based site systems in a perimeter network and you want to manage these servers by using the Configuration Manager client.

When you want to manage workgroup clients on the Internet, you must install them as Internet-only.

Note
Mobile device clients are automatically configured as Internet-only when they are configured to use an Internet-based management point.

Other client computers can be configured for Internet and intranet client management. They can automatically switch between Internet-based client management and intranet client management when they detect a change of network. If these clients can find and connect to a management point that is configured for client connections on the intranet, these clients are managed as intranet clients that have full Configuration Manager management functionality. If the clients cannot find or connect to a management point that is configured for client connections on the intranet, they attempt to connect to an Internet-based management point, and if this is successful, these clients are then managed by the Internet-based site systems in their assigned site.

The benefit in automatic switching between Internet-based client management and intranet client management is that client computers can automatically use all Configuration Manager features whenever they are connected to the intranet and continue to be managed for essential management functions when they are on the Internet. Additionally, a download that began on the Internet can seamlessly resume on the intranet, and vice versa.

Prerequisites for Internet-Based Client Management

Internet-based client management in Configuration Manager has the following external dependencies:

Dependency More information

Clients that will be managed on the Internet must have an Internet connection.

Configuration Manager uses existing Internet Service Provider (ISP) connections to the Internet, which can be either permanent or temporary connections. Client mobile devices must have a direct Internet connection, but client computers can have either a direct Internet connection or connect by using a proxy web server.

Site systems that support Internet-based client management must have connectivity to the Internet and must be in an Active Directory domain.

The Internet-based site systems do not require a trust relationship with the Active Directory forest of the site server. However, when the Internet-based management point can authenticate the user by using Windows authentication, user policies are supported. If Windows authentication fails, only computer policies are supported.

Note
To support user policies, you also must set to True the two Client Policy client settings:
  • Enable user policy polling on clients

  • Enable user policy requests from Internet clients

An Internet-based Application Catalog website point also requires Windows authentication to authenticate users when their computer is on the Internet. This requirement is independent from user policies.

You must have a supporting public key infrastructure (PKI) that can deploy and manage the certificates that the clients require and that are managed on the Internet and the Internet-based site system servers.

For more information about the PKI certificates, see PKI Certificate Requirements for Configuration Manager

The following infrastructure services must be configured to support Internet-based client management:

  • Public DNS servers: The Internet fully qualified domain name (FQDN) of site systems that support Internet-based client management must be registered as host entries on public DNS servers.

  • Intervening firewalls or proxy servers: These network devices must allow the client communication that is associated with Internet-based site systems.

Client communication requirements:

  • Support HTTP 1.1

  • Allow HTTP content type of multipart MIME attachment (multipart/mixed and application/octet-stream)

  • Allow the following verbs for the Internet-based management point:

    • HEAD

    • CCM_POST

    • BITS_POST

    • GET

    • PROPFIND

  • Allow the following verbs for the Internet-based distribution point:

    • HEAD

    • GET

    • PROPFIND

  • Allow the following verbs for the Internet-based fallback status point:

    • POST

  • Allow the following verbs for the Internet-based Application Catalog website point:

    • POST

    • GET

  • Allow the following HTTP headers for the Internet-based management point:

    • Range:

    • CCMClientID:

    • CCMClientIDSignature:

    • CCMClientTimestamp:

    • CCMClientTimestampsSignature:

  • Allow the following HTTP header for the Internet-based distribution point:

    • Range:

For configuration information to support these requirements, refer to your firewall or proxy server documentation.

For similar communication requirements when you use the software update point for client connections from the Internet, see the documentation for Windows Server Update Services (WSUS). For example, for WSUS on Windows Server 2003, see Appendix D: Security Settings, the deployment appendix for security settings.

Planning for Network Bandwidth in Configuration Manager

System Center 2012 Configuration Manager includes several methods to control the network bandwidth that is used by communications between sites, site system servers, and clients. However, not all communication on the network can be managed. Use the following sections to help you understand the methods that you can use to control network bandwidth and to design your site hierarchy.

When you plan the Configuration Manager hierarchy, consider the amount of network data that will be transferred from intersite and intrasite communications.

Note
File replication routes (known as addresses prior to Configuration Manager SP1), are used only for intersite communications and are not used for intrasite communications between site servers and site systems.

Controlling Network Bandwidth Usage Between Sites

Controlling Network Bandwidth Usage Between Site System Servers

Controlling Network Bandwidth Usage Between Clients and Site System Servers

See Also