Topic last updated—November 2007

Protecting a Microsoft System Center Configuration Manager 2007 site system means that clients outside of the protected boundaries will not be able to access the distribution point or state migration point roles on that site system. Protection is applied to the entire site system, not to the properties of the site role. However, protection has no effect on any site system roles except distribution points and state migration points.

Fallback to Unprotected Distribution Points

Protecting the distribution point does not necessarily prevent clients inside the protected boundaries from accessing content from an unprotected distribution point. If the package is not present on a protected distribution point, the client might fall back to using an unprotected distribution point, depending on how you configure your advertisement for each package and how much time has elapsed. If the distribution point has been offline or has not been provisioned for more than eight hours, and if you select the setting Allow clients to fallback to unprotected distribution points when the content is not available on the protected distribution point, clients can receive content from unprotected distribution points.

The following table shows how the advertisement configuration works, depending on whether the content is available on the protected distribution point.

The table has three columns:

  • Scenario
  • Option: Do not allow clients to fall back to unprotected distribution points when the content is not available on the protected distribution point.
  • Option: Allow clients to fall back to unprotected distribution points when the content is not available on the protected distribution point.

Each row of the table is listed below as a scenario, followed by the result under each option.

Scenario 1

At least one distribution point meets the following criteria:

  • Is added to the package
  • Is in the protected boundary of the client
  • Is online and accessible
  • Is either a standard or a branch distribution point

Do not allow fallback: Only protected distribution points are returned. The client downloads the package from the protected distribution point.

Allow fallback: Protected distribution points are returned if the content is present on the distribution point. If the content is not present on the distribution point, any unprotected distribution points that contain the content are returned. If no unprotected distribution points contain the content, the client fails with the message "Content is not available."

Scenario 2

  • One or more standard distribution points meet the following criteria:
    • Is in the protected boundary of the client
    • Is online and accessible
  • The protected standard distribution points are not added to the package.
  • No branch distribution points are in the protected boundary of the client.

Do not allow fallback: No distribution points are returned. The client fails with the message "Content is not available."

Allow fallback: Any unprotected distribution points that contain the content are returned. If no unprotected distribution points contain the content, the client fails with the message "Content is not available."

Scenario 3

  • One or more branch distribution points meet the following criteria:
    • Is in the protected boundary of the client
    • Is online and accessible
  • The protected branch distribution points are not added to the package.
  • The package is configured for on-demand package distribution.

Do not allow fallback: The management point sends a message to Distribution Manager to add the protected branch distribution point to the package. The client downloads the package from the protected branch distribution point. When the next client in the boundaries of the protected distribution point requests content location, the protected branch distribution point is returned.

Allow fallback: The management point sends a message to Distribution Manager to add the protected branch distribution point to the package. Future content location requests should return the protected branch distribution point. If the content is not present on the protected branch distribution point, any unprotected distribution points that contain the content are returned. The client downloads the package from either the protected branch distribution point or the unprotected distribution point.

Scenario 4

  • One or more branch distribution points meet the following criteria:
    • Is in the protected boundary of the client
    • Is online and accessible
  • The protected branch distribution points are not added to the package.
  • The package is not configured for on-demand package distribution.
  • No standard distribution points are in the protected boundary of the client.

Do not allow fallback: No distribution points are returned. The client fails with the message "Content is not available."

Allow fallback: No distribution points are returned. The client fails with the message "Content is not available."

Scenario 5

  • The distribution point meets the following criteria:
    • Is added to the package
    • Is in the protected boundary of the client
    • Is either a branch or a standard distribution point
  • The distribution point is not online and accessible.

Do not allow fallback: Only protected distribution points are returned. After eight hours, the client fails with the message "Content is not available."

Allow fallback: Only protected distribution points are returned. After eight hours, the client fails with the message "Content is not available."
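
The table above can be read as a decision procedure for one content location request. The following Python model is an added example, not Configuration Manager code and not part of the original topic; it follows the table row by row. The `DP` record, the `locate` function, the `dm_request` flag and the distribution point names are assumptions made for illustration, and only protected distribution points whose boundaries include the client are passed in as protected.

```python
from typing import NamedTuple

UNAVAILABLE = "Content is not available."

class DP(NamedTuple):
    name: str
    kind: str                 # "standard" or "branch"
    protected: bool           # True = protected DP whose boundaries include this client
    online: bool = True
    in_package: bool = True   # DP has been added to the package
    has_content: bool = True  # content is actually present on the DP

def locate(dps, allow_fallback, on_demand=False, hours_offline=0):
    """Model one content location request: (dp_names, client_message, dm_request)."""
    mine = [d for d in dps if d.protected]
    unprotected = [d.name for d in dps if not d.protected and d.has_content]
    fallback = (unprotected, None if unprotected else UNAVAILABLE, False)
    fail = ([], UNAVAILABLE, False)
    added = [d for d in mine if d.in_package]
    live = [d.name for d in added if d.online]
    if live:                                    # row 1: added, in boundary, online
        ready = [d.name for d in added if d.online and d.has_content]
        if not allow_fallback:
            return (live, None, False)
        return (ready, None, False) if ready else fallback
    if added:                                   # row 5: added but not online
        return fail if hours_offline > 8 else ([d.name for d in added], None, False)
    branch = [d for d in mine if d.online and d.kind == "branch"]
    standard = [d for d in mine if d.online and d.kind == "standard"]
    if branch and on_demand:                    # row 3: on-demand package distribution
        # dm_request=True: the management point asks Distribution Manager to add the DP.
        ready = [d.name for d in branch if d.has_content]
        if not allow_fallback:
            return ([d.name for d in branch], None, True)
        return (ready or unprotected, None, True)
    if branch and not standard:                 # row 4: fails under both options
        return fail
    if standard and not branch:                 # row 2
        return fallback if allow_fallback else fail
    raise ValueError("combination not covered by the table")

# Constructed sample: protected branch DP added to the package but not yet provisioned,
# plus an unprotected standard DP that holds the content.
NAPERVILLE = DP("NAPERVILLE-BDP", "branch", protected=True, has_content=False)
CHICAGO = DP("CHICAGO-DP", "standard", protected=False)

if __name__ == "__main__":
    for allow in (True, False):
        print(allow, locate([NAPERVILLE, CHICAGO], allow_fallback=allow))
```

With the fallback option allowed, the sample client is sent to the unprotected distribution point; with it disallowed, only the protected one is returned even though the content is not there yet.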

Examples

In the following diagram, the subnet 192.168.11.0 is in a branch office in Naperville but is part of the Chicago site. The branch distribution point in the branch office is protected so that only clients in 192.168.11.0 can access it. The standard distribution point in the main office is not protected. Clients on the network 192.168.10.0 cannot access packages on the protected branch distribution point on 192.168.11.0.

The default configuration for an advertisement is to Allow clients to fallback to unprotected distribution points when the content is not available on the protected distribution point. So clients on the 192.168.11.0 network can get the package from either distribution point. If you change the setting, the clients in 192.168.11.0 will attempt to retrieve the package only from the protected branch distribution point, even if the package has not been copied to that distribution point. (If you configure the package for on-demand package distribution, the management point will notify Distribution Manager to copy the package to the distribution point.)

If a client from ORD roams to the LON site and an advertised package is not available on the LON distribution point, the client can fall back to using the distribution point on 192.168.10.0 (assuming the package is copied to that distribution point), but it can never access the protected distribution point because it is not on the 192.168.11.0 network.



graphic showing protected Chicago site

It is possible to protect every distribution point in the site, but doing so eliminates the redundancy provided by multiple distribution points. In the following diagram, if the distribution point in Milpitas is unreachable, the clients in the Milpitas branch office cannot retrieve the content because all other distribution points are protected.



graphic showing all protected distribution points
