Native mode is the recommended site configuration for new Configuration Manager 2007 sites because it offers a higher level of security by integrating with a public key infrastructure (PKI) to help protect client-to-server communication. Native mode is also a requirement for Internet-based client management.
In native mode, clients communicate over HTTPS to the following site systems:
- Management points:
  - Default management point
  - Network load balanced management points
  - Proxy management point
  - Internet-based management point
- Standard distribution points (not branch distribution points)
- Software update points
- State migration point
Note |
---|
In some situations on the intranet, native mode clients communicate with standard distribution points over Server Message Block (SMB) instead of HTTPS: when an advertisement is configured with the option Run program from distribution point, when the HTTPS connection fails, or when the distribution point is not configured with the option Allow clients to transfer content from this distribution point using BITS, HTTP, and HTTPS (that option is required for device clients and Internet-based clients). Content sent over SMB is neither signed nor encrypted by Configuration Manager. |
In native mode, clients continue to communicate over HTTP to the fallback status point, so that any communication issues related to certificates can be reported back to the site and the administrator can identify and resolve client communication problems. Additionally, if a native mode client is configured with the option Configure HTTP communication for roaming and site assignment, the client can communicate over HTTP to the following site systems:
- Server locator point
- Resident management point and distribution points in a mixed mode site
Important |
---|
Native mode does not affect communication between site servers, or between sites in a Configuration Manager 2007 hierarchy. To help secure this communication, use IPsec. For more information, see Implementing IPsec in Configuration Manager 2007. |
In native mode, client policies are signed by the site server in addition to the management point. This adds a layer of defense to the Configuration Manager 2007 hierarchy: a compromised management point can re-sign a tampered policy with its own key, but it cannot produce the site server's signature, so the client rejects the policy. This safeguard is particularly relevant if you are using Internet-based client management, because that environment requires a management point that is exposed to Internet communication.
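To make that point concrete, here is an added Go illustration (not Configuration Manager code, and not its real policy format or signature algorithm) of why a signature from the site server, which the management point cannot forge, matters once the management point itself is assumed compromised. It assumes the client already trusts the site server's signing public key, uses Ed25519 as a stand-in for the certificate-based signatures the product actually uses, and the policy bodies are constructed samples:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keys is a signing key pair. Ed25519 stands in for the certificate keys
// Configuration Manager 2007 actually uses; what is being demonstrated is
// who holds which key, not the algorithm.
type Keys struct {
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

func newKeys() Keys {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Keys{Pub: pub, Priv: priv}
}

// SignedPolicy is a simplified policy envelope (assumed shape, not the real
// policy format). In native mode SiteSig is present; in mixed mode only MPSig is.
type SignedPolicy struct {
	Body    []byte
	SiteSig []byte // signature by the site server; nil in mixed mode
	MPSig   []byte // signature by the management point
}

// issuePolicy models the site server producing a policy body. In native
// mode it signs the body before handing it to the management point.
func issuePolicy(body []byte, site Keys, nativeMode bool) SignedPolicy {
	p := SignedPolicy{Body: body}
	if nativeMode {
		p.SiteSig = ed25519.Sign(site.Priv, body)
	}
	return p
}

// mpDeliver models the management point. A compromised MP can rewrite the
// body and re-sign it with its own key, because it legitimately holds that key.
func mpDeliver(p SignedPolicy, mp Keys, tampered []byte) SignedPolicy {
	if tampered != nil {
		p.Body = tampered
	}
	p.MPSig = ed25519.Sign(mp.Priv, p.Body)
	return p
}

var (
	ErrMPSig   = errors.New("management point signature invalid")
	ErrSiteSig = errors.New("site server signature missing or invalid")
)

// clientVerify models the client. It always checks the MP signature; in
// native mode it also requires a valid site server signature (the client is
// assumed to already trust the site server's signing public key).
func clientVerify(p SignedPolicy, sitePub, mpPub ed25519.PublicKey, nativeMode bool) error {
	if !ed25519.Verify(mpPub, p.Body, p.MPSig) {
		return ErrMPSig
	}
	if nativeMode && (p.SiteSig == nil || !ed25519.Verify(sitePub, p.Body, p.SiteSig)) {
		return ErrSiteSig
	}
	return nil
}

// Scenario runs one end-to-end delivery and returns the client's verdict.
func Scenario(nativeMode, mpCompromised bool) error {
	site, mp := newKeys(), newKeys()
	// Constructed sample policy bodies; not real Configuration Manager policy XML.
	genuine := []byte(`<Policy><Advertisement Program="Install Agent"/></Policy>`)
	evil := []byte(`<Policy><Advertisement Program="Install Backdoor"/></Policy>`)

	p := issuePolicy(genuine, site, nativeMode)
	var tamper []byte
	if mpCompromised {
		tamper = evil
	}
	p = mpDeliver(p, mp, tamper)
	return clientVerify(p, site.Pub, mp.Pub, nativeMode)
}

func main() {
	for _, c := range []struct {
		name                string
		native, compromised bool
	}{
		{"mixed mode, honest MP", false, false},
		{"mixed mode, compromised MP", false, true},
		{"native mode, honest MP", true, false},
		{"native mode, compromised MP", true, true},
	} {
		verdict := "policy accepted"
		if err := Scenario(c.native, c.compromised); err != nil {
			verdict = "policy rejected: " + err.Error()
		}
		fmt.Printf("%-28s -> %s\n", c.name, verdict)
	}
}
```

Run it with `go run`. In mixed mode the compromised management point's rewritten policy passes, because the only signature the client checks is the one the management point itself produces. In native mode the same tampering fails the site server signature check. The model deliberately leaves out how the client obtains and validates the site server's signing certificate, which in the product is a separate trust-establishment step.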
Mixed mode offers a lower level of security. It supports SMS 2003 clients and uses self-signed certificates, so it can be used when you do not have a public key infrastructure (PKI) that can issue the certificates native mode requires.
You cannot upgrade an SMS 2003 site directly to native mode, although you can migrate to native mode after the upgrade is complete.
When you migrate a primary site to native mode, this procedure automatically migrates any secondary sites that are attached to the primary site. It does not automatically migrate child primary sites.
Comparison of Mixed Mode and Native Mode
The following table compares the two site modes and the security features they offer.
Configuration Manager Operation | Mixed Mode | Native Mode |
---|---|---|
Use of certificates | Self-signed certificates that are generated and managed by Configuration Manager, and are used only within Configuration Manager. | Industry-standard PKI certificates that are created and managed independently from Configuration Manager, and can be integrated with other business solutions. |
Mutual authentication between client and site systems | Proprietary authentication between the client and management point, and between the client and state migration point. No other site systems use mutual authentication with clients. | SSL mutual authentication between the client and the site systems that accept HTTPS connections (management points, distribution points, and the state migration point). SSL server authentication only to the software update point. |
Site system to site system authentication and encryption of traffic | No. IPsec is recommended to help secure this communication. | No. IPsec is recommended to help secure this communication. |
WINS can be used for name resolution and service location | Yes | WINS can be used for name resolution and for locating a server locator point, but it cannot be used in native mode to locate the default management point. Default management points are located through Active Directory, DNS, or the server locator point. Network load balanced management points can be located only through Active Directory or a server locator point. For more information about service location in native mode, see Configuration Manager and Service Location (Site Information and Management Points). |
Policy is signed | Yes, by the management point | Yes, by the site server and by the management point |
Policy is encrypted over SSL | No | Yes |
Content is signed | Yes, if advertisements use the option Download content from distribution point and run locally. No, if advertisements use the option Run program from distribution point. | Yes, if advertisements use the option Download content from distribution point and run locally. No, if advertisements use the option Run program from distribution point (this option is not supported when the client is managed on the Internet). |
Content is encrypted | No | Yes, using SSL, if advertisements use the option Download content from distribution point and run locally. However, if HTTPS fails on the intranet, content is sent over SMB, which is not encrypted. No, if advertisements use the option Run program from distribution point, because SMB is used (this option is not supported when the client is managed on the Internet). |
Inventory data and state messages are signed | Yes, using SHA-1, if clients are running at least SMS 2003 Service Pack 1. | Yes. The one exception is state messages sent to the fallback status point, which are not signed. |
Inventory data and state messages are encrypted | Optional, using 3DES | Yes, using SSL. The one exception is state messages sent to the fallback status point, which are not encrypted. |
Status messages from clients are signed | No | Yes |
Status messages from clients are encrypted | No | Yes, using SSL |
Metering data from clients is signed | No | Yes |
Metering data from clients is encrypted | No | Yes, using SSL |
Client approval to be fully managed in the site | Requires configuration with one of the client approval options. | |
If the operating system deployment feature is used, state migration data is signed and encrypted | Yes | Yes, using SSL |
See Also
Concepts
Prerequisites for Native Mode
Overview of Internet-Based Client Management
Certificate Requirements for Native Mode
Decide If You Need to Configure HTTP Communication for Roaming and Site Assignment (Native Mode)
Client Communication in Mixed Mode and Native Mode
Configuration Manager and Service Location (Site Information and Management Points)
Implementing IPsec in Configuration Manager 2007