The following sections provide example scenarios of how Internet-based client management in Configuration Manager 2007 can be implemented to solve the following business requirements:
- Continue to Manage Laptops That Regularly Move Out of the Intranet and on to the Internet
- Manage Home Computers That Never Connect to the Intranet
- Support Internet-Based Clients and Intranet Clients in the Intranet on the Same Site System Server
Continue to Manage Laptops That Regularly Move Out of the Intranet and on to the Internet
This scenario demonstrates how you can extend an existing Configuration Manager site to support clients when they move from the intranet to the Internet, using Internet-based client management. The network design chosen incorporates the supported scenario of adding Internet-based site systems into the perimeter network and using a SQL Server replica in the perimeter network for additional security: Network Diagram for Internet-Based Servers - Scenario 1 with SQL Server Replica.
A. Datum Corporation has a number of sales people who regularly travel to see customers and only periodically return to the office. Managing their laptops so that they have all the required software updates and the latest applications is difficult, because either the sales staff have to find the time to come back into the office or they attempt a connection using the in-house VPN solution, which is slow and unreliable. Additionally, the audit department is requesting up-to-date weekly inventory reports to record application usage, and this requirement cannot be met for the laptops because their inventory data is not always returned every week.
To continue to manage these laptops when they leave the intranet, A. Datum Corporation decides on the course of action described in the following table.
Process | Reference
---|---
Tommy Hartono is the Configuration Manager administrator who manages a Configuration Manager 2007 site. He reads about Internet-based client management and how clients can continue to be managed when they move from the intranet to the Internet. |
Weighing the advantages and disadvantages of implementing Internet-based client management against upgrading the existing VPN solution, he decides that Internet-based client management is the better solution because it does not rely on users initiating the connection. | Determine If You Should Use Internet-Based Client Management
Tommy discusses his proposal with his manager, who asks him to look into what dependencies Internet-based client management has, to make sure that these can be met, and to engage the necessary people within the company who will be needed to support the implementation. Tommy checks the dependencies and identifies the people who will need to be involved. | Prerequisites for Internet-Based Client Management; Determine Administrator Roles and Processes for Internet-Based Client Management
Tommy realizes that Internet-based client management requires native mode, and the site is currently configured for mixed mode. The company already has a PKI solution for computers on the intranet and Internet, so he talks to that team first to ensure that this requirement can be met and, if so, to initiate the process for deploying the required certificates. | Determine Whether You Can Use Your Existing PKI for Native Mode; Administrator Checklist: Deploying the PKI Requirements for Native Mode
Tommy then initiates design meetings with the company's networking infrastructure team to decide how the Internet connectivity will fit in with the existing networking infrastructure. They discuss supported scenarios, how many sites need to support Internet-based clients, and where servers should be placed. | Supported Scenarios for Internet-Based Client Management; Determine Site Placement for Internet-based Client Management; Determine Server Placement for Internet-Based Client Management
They decide to extend one site so that it has the following additional site systems in the perimeter network: | Network Diagram for Internet-Based Servers - Scenario 3 with No SQL Server Replica
They discuss the design with the company's security team, who approves it on condition that SQL connections initiated from the perimeter network do not traverse the security boundary into the intranet. The design is revised so that a SQL Server replica will be used in the perimeter network, and the database administrators are informed of this requirement. | Network Diagram for Internet-Based Servers - Scenario 3 with SQL Server Replica
When the network design is approved, Tommy involves the networking team that looks after firewalls and network devices in the perimeter network. They identify the network ports that will be used so they can make changes as required. | Determine the Ports Required for Internet-Based Client Management; see also the Configuration Manager CRL dependency listed in Prerequisites for Native Mode
The company's Internet DNS servers are managed by an external company, so Tommy submits a Request for Change (RFC) to publish the Internet FQDNs of the Internet-based site systems in DNS. He supplies the information required. |
With the PKI certificates now deployed, Tommy migrates the site to native mode and monitors it for a period of time to ensure that there are no problems. |
Additional servers are installed and hardened with security policies suitable for computers in the perimeter network. Tommy confirms that the networking infrastructure is configured as required. | Internal process that is company-specific
Tommy installs the Internet-based site system roles on the servers with the following configuration: | How to Configure the Site System Installation Account; How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management; How to Configure Internet-Based Site Systems to Allow Only Site Server Initiated Data Transfers
Tommy configures the Internet-based software update point to synchronize software updates. |
The database administrators install and configure a SQL Server replica in the perimeter network. |
Tommy configures the Internet-based site systems to accept connections from Internet clients only. | How to Configure a Management Point for Internet-Based Client Connections; How to Configure a Distribution Point for Internet-Based Client Connections; How to Configure a Fallback Status Point for Internet-Based Client Connections; How to Configure a Software Update Point for Internet-Based Client Connections
Tommy configures the Internet-based distribution points so that they can transfer content over the Internet. | How to Configure a Distribution Point to Transfer Content Using BITS, HTTP, and HTTPS
Tommy runs a test pilot with a few machines, specifying the Internet-based management point FQDN on each client by using the Internet tab of Configuration Manager in Control Panel. | How to Assign Configuration Manager Client Computers to the Internet-Based Management Point
When the preliminary tests are successful, Tommy extends the pilot by sending a script to a few computers that reinstalls the client with the following installation parameters: |
Laptop users are informed about the changes that will be implemented, and the Help Desk is updated and given information on how to troubleshoot clients that experience problems installing applications or software updates when they are on the Internet. | Internal process that is company-specific
Satisfied with the pilot test results, Tommy sends the same installation script to the laptops. He monitors when the script is successfully sent to each client and tracks client deployment by using the reports generated by the fallback status point. He also identifies client configuration details by using the client hardware inventory data. | About the Fallback Status Point in Configuration Manager; How to Identify Client Configuration Details for Native Mode and Internet-Based Client Management
After six weeks, Tommy notes that 95 percent of laptop computers have received the script, and inventory data from these computers is being sent as regularly as from computers on the intranet. Additionally, the laptops report the same level of compliance with software updates as computers on the intranet. | Report category of Software - Companies and Products report:
Tommy solicits feedback from the Help Desk and users to review the process for improvements or changes. | Internal process that is company-specific
Tommy is able to deliver the timely inventory reports as requested. | Internal process that is company-specific
This deployment of Internet-based client management might impact users in the following ways when their computers are configured for Internet and intranet client management:
- Laptop moves from intranet to the Internet:
Whenever the sales person has an Internet connection, the laptop continues to send inventory data and compliance information back to its site. Applications and software updates that are required are installed automatically, although they can sometimes take a while to download first. However, if the connection is broken, the download resumes when it next has an Internet connection.
The sales person does not receive software distributions that are targeted to her Windows user account, but these applications are optional and not required.
- Laptop moves from Internet to intranet:
A sales person returns to the office after an absence of four weeks. She connects her laptop into the intranet and a download for a large software distribution package resumes where it left off, completing quickly with the faster network connection.
The user notices that two optional software distributions are available and decides to install them in case they are needed later.
Manage Home Computers That Never Connect to the Intranet
This scenario demonstrates how you can create a new Configuration Manager site to support clients on the Internet that never connect to the intranet, using Internet-based client management. The network design chosen incorporates the supported scenario of having a child site completely in the perimeter network: Network Diagram for Internet-Based Servers - Scenario 2 with Child Site.
Coho Winery has a number of contract users who work at home, using their own computers and communicating by e-mail. They do not have Windows user accounts on the intranet and so will never log in to the intranet. However, they sometimes need software applications to complete their work, and they would like tested software updates installed automatically to help keep their computers secure.
To offer this level of management to home workers, Coho Winery decides to install the Configuration Manager client on these computers with an Internet-only configuration. This allows the home computers to be managed, which will increase the home workers' efficiency and productivity. Jenni Merriam is the Configuration Manager administrator, and she takes the course of action described in the following table.
Process | Reference
---|---
Jenni reads about Internet-based client management and how clients can be configured for Internet-only management while still receiving software distributions and software updates. |
Jenni discusses her proposal with her manager, who asks her to look into what dependencies Internet-based client management has, to make sure that these can be met, and to engage the necessary people within the company who will be needed to support the implementation. Jenni checks the dependencies and identifies the people who will need to be involved. | Prerequisites for Internet-Based Client Management; Determine Administrator Roles and Processes for Internet-Based Client Management
Jenni realizes that Internet-based client management requires native mode, and the hierarchy is currently configured for mixed mode. The company does not have a PKI solution, so she makes investigating this her first priority. After discussions, management is willing to engage PKI consultants to implement a PKI solution that is suitable for Configuration Manager and that can be expanded to support other business requirements in the future. The PKI consultants are brought in to design the migration of the central site in the Configuration Manager hierarchy to native mode, which will allow a new native-mode child site to be created to support the Internet-only clients. Jenni hands them the list of certificate requirements for native mode that must be in place for the central site and the new child site. | Certificate Requirements for Native Mode; Administrator Checklist: Deploying the PKI Requirements for Native Mode
Jenni then initiates design meetings with the company's networking infrastructure team to decide how the Internet connectivity will fit in with the existing networking infrastructure. They discuss supported scenarios, how many sites need to support Internet-based clients, and where servers should be placed. | Supported Scenarios for Internet-Based Client Management; Determine Site Placement for Internet-based Client Management; Determine Server Placement for Internet-Based Client Management
They decide to create one new site in the perimeter network. | Network Diagram for Internet-Based Servers - Scenario 2 with Child Site
They discuss the design with the company's security team, who approves it on condition that the SMB traffic that traverses the security boundary of the perimeter network is secured with IPsec. The PKI consultants incorporate this request into their design. |
When the network design is approved, Jenni involves the networking team that looks after firewalls and network devices in the perimeter network. They identify the ports that will be used so they can make changes as required. | Determine the Ports Required for Internet-Based Client Management
The company's Internet DNS servers are managed internally in the perimeter network, so Jenni submits a Request for Change (RFC) to publish the Internet FQDNs of the Internet-based site systems in DNS. She supplies the information required. |
With the PKI certificates now deployed, Jenni migrates the central site to native mode and monitors it for a period of time to ensure that there are no problems. |
Additional servers are installed and hardened with security policies suitable for computers in the perimeter network. Jenni confirms that the networking infrastructure is configured as required. | Internal process that is company-specific
Jenni installs a new child site in the perimeter network, configuring the Internet-based site system roles on the servers with the Internet FQDN of the site systems registered in the Internet DNS servers. | How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management
Jenni configures the Internet-based software update point to synchronize software updates. |
Jenni configures the Internet-based site systems to accept connections from Internet clients only. | How to Configure a Management Point for Internet-Based Client Connections; How to Configure a Distribution Point for Internet-Based Client Connections; How to Configure a Fallback Status Point for Internet-Based Client Connections; How to Configure a Software Update Point for Internet-Based Client Connections
Jenni configures the Internet-based distribution points so that they can transfer content over the Internet. | How to Configure a Distribution Point to Transfer Content Using BITS, HTTP, and HTTPS
Jenni runs a test pilot with a few machines, specifying the Internet-based management point FQDN on the Internet tab of Configuration Manager in the client Control Panel. | How to Assign Configuration Manager Client Computers to the Internet-Based Management Point
When the operational tests prove successful, Jenni then creates and tests an installation package with all the source files. This package installs the Configuration Manager client with the following installation parameters: |
The PKI team constructs a Web portal in the perimeter network, to which the home users can connect and request the certificates they need. | Internal process that is company-specific
Home workers are informed about the new service and told that installation is a two-step process: | Internal process that is company-specific
The Help Desk is updated and given information on how to troubleshoot clients that experience problems requesting the certificates or installing the client. | Internal process that is company-specific
After a pilot test with a few home workers, Jenni is satisfied with the results, and the installation CD is mailed to the remaining home workers. | Internal process that is company-specific
After six weeks, Jenni notes that 100 percent of the home workers' computers are successfully assigned to the site and are receiving software distributions and software updates. |
Jenni solicits feedback from the Help Desk and users to review the process for improvements or changes. | Internal process that is company-specific
This deployment of Internet-based client management might impact the home workers in the following ways when their computers are configured for Internet-only management:
- Software updates are automatically installed.
Some home workers remember to run Windows Update, but many forget or get confused about which updates to install. Having critical software updates automatically installed for them helps to keep their computers more secure.
- Software applications are made available.
To complete a project, a specific application is often needed. Instead of trying to install it as an e-mail attachment or having to wait for it to arrive in the mail, it now appears as an available application that home workers can select when it's needed.
Support Internet-Based Clients and Intranet Clients in the Intranet on the Same Site System Server
This scenario demonstrates how you can add Internet-based client management to an existing Configuration Manager site in the intranet, without having to add new site system servers in the perimeter network. Because this configuration bridges the security boundary of the perimeter network into the intranet, it is not a security best practice. However, as in this scenario, it does offer an efficient way to quickly test the Internet-based client management feature without having to install and configure additional servers. It also disables certificate revocation checking on clients, to save the additional configuration that would be required on a production network to publish a certificate revocation list that is accessible from the Internet.
The network design involves the supported scenario of the Configuration Manager 2007 site contained on the intranet, and the site systems that are configured for Internet-based client management can accept both Internet connections and intranet connections. (Network Diagram for Internet-Based Servers - Scenario 4 with Internet Connections into the Intranet.)
The administrators at Trey Research are interested in implementing Internet-based client management to supplement their computer management strategy for their existing Configuration Manager hierarchy. They have had problems keeping laptops up-to-date with important security software updates and application updates when staff spends extended time away from their offices to attend worldwide conferences. However, Trey Research does not currently have a PKI in place, which is a requirement for Internet-based client management. Before management will agree to resource this project, they require confirmation that Internet-based client management works and will provide the business benefits that they require.
The Configuration Manager administrator, Terry Adams, takes the course of action described in the following table.
Process | Reference
---|---
For testing purposes, Terry uses a nonproduction Active Directory forest on an isolated section of the intranet that also has access to the Internet. The Internet namespace for the company is treyresearch.net, and the internal Active Directory namespace on the test network is testnet.treyresearch.net. | Internal process.
For rapid deployment and with limited testing equipment, Terry decides to use just one server for all his Configuration Manager site systems, which will host the following site system roles: Terry decides not to deploy a fallback status point for this proof of concept, because although it would be useful for identifying client communication issues, it is not needed to test basic site operation. After reading through the server placement options for Internet-based site systems, Terry realizes that a single site system can support intranet clients and Internet-based clients. Although this is not a security best practice, the advantage for Terry is that he needs to install and configure fewer servers. This strategy allows Terry to test the Internet-based client management feature more quickly than if he had to install and configure multiple servers. The security risks of hosting multiple site system roles on a single server and of accepting Internet traffic into the intranet are mitigated by the test network's isolation from the production network. | About the Fallback Status Point in Configuration Manager; Determine Server Placement for Internet-Based Client Management
Terry installs a new server running Windows Server 2003 Service Pack 1 (which he names IBCMServer) and joins it to the domain. This server will be his single site system server. On it, he also installs IIS and all other prerequisites for Configuration Manager 2007. He then extends the Active Directory schema for Configuration Manager 2007 and enables publishing by creating the System Management container and configuring the permissions on it for the IBCMServer computer. Terry then installs a laptop computer running Windows Vista and joins it to the domain. | Prerequisites for Installing Configuration Manager; How to Extend the Active Directory Schema for Configuration Manager
Terry next discusses his proof of concept design with the networking team that manages the company's Internet connectivity requirements. After reading the external dependencies for Internet-based client management, Terry realizes that he will need their help with the following: |
The networking team requires acceptance from the security team before they can make changes to the existing Internet infrastructure. The security team reviews the plan and raises concerns about the server being in the intranet and exposed to traffic from the Internet. Terry explains that this design is only for a proof of concept on an isolated network and shows them the different supported designs for production networks. In these, the site server is never exposed to Internet traffic, and although the Internet-based site systems can support Internet connections and intranet connections, there are other designs that offer stronger security. The security team agrees to the design of the proof of concept on the understanding that Terry works with them on a more extensive review of the final design if the project is approved. |
Terry confirms that his member server has automatically registered the computer name IBCMServer in his internal Active Directory DNS zone of testnet.treyresearch.net. The networking team manually adds a DNS A record for IBCMServer in the public DNS zone of treyresearch.net. Because ISA Server will be publishing this Internet-based site system, this record is configured with a public IP address that belongs to one of the external adapters on the ISA Server and that is not currently in use. This external IP address must be dedicated to Internet-based client management connections. |
Terry turns his attention to the PKI requirements and checks which certificates are needed for his test network. He references the documentation topics that cover the certificate requirements with guidance about how to install them. Because of the limited scope of the testing environment, Terry needs only the following certificates: |
Terry realizes that the easiest way to deploy the required certificates is by using a Microsoft enterprise root certification authority, using the Enterprise Edition of Windows Server 2003. This solution provides the following benefits: Terry confirms that his single Active Directory domain controller in the test network is running the Enterprise Edition of Windows Server 2003 and has Internet Information Services (IIS) installed. Terry then installs Microsoft Certificate Services on his domain controller (with the Certificate Services CA and Certificate Services Web Enrollment Support subcomponents) and configures an enterprise root certification authority. After reading the topic about deploying the Web server certificate to site system servers, he realizes that he needs to enable support for the Subject Alternative Name (SAN) certificate attribute so that he can specify both the intranet FQDN and the Internet FQDN. He follows the procedure referenced in the article to enable SAN support on his root certification authority (CA), which, in his test environment, will also issue the certificates. | Determine Whether You Can Use Your Existing PKI for Native Mode; Deploying the Web Server Certificates to Site System Servers; Information about how to add support for Subject Alternative Names with a Microsoft certification authority: http://go.microsoft.com/fwlink/?LinkId=93692
Terry has little PKI experience, so he references the step-by-step example deployment guide in the Configuration Manager library. He follows the procedures exactly for the site server signing certificate and for deploying client certificates. However, he has to modify the procedure for requesting the Web server certificate for this Internet-based site system, because it requires both the intranet FQDN and the Internet FQDN in the Subject Alternative Name: | Information about how to add support for Subject Alternative Names with a Microsoft certification authority: http://go.microsoft.com/fwlink/?LinkId=93692
After checking the prerequisites for native mode, Terry realizes that because his issuing certification authority is on the intranet, clients on the Internet will not, by default, be able to access the certificate revocation list (CRL); his certification authority publishes an intranet CRL by default. Terry reads the planning topic on CRL checking and realizes that if clients on the Internet attempt to locate the CRL and this fails, connections to the Internet-based site system roles will fail. Rather than publish a CRL on the Internet, which would be required for a production network, Terry decides to disable CRL checking on clients within his test environment so that he minimizes additional configuration requirements. | Determine Whether You Need to Enable Certificate Revocation Checking (CRL) On Clients (Native Mode)
Terry then runs Configuration Manager 2007 Setup on the member server with the following selections: When setup is complete, Terry performs the following post-setup tasks: | How to Deploy a Site Using Simple Setup; How to Configure Configuration Manager Boundaries; How to Configure the Intranet FQDN of Site Systems; How to Configure the Internet FQDN of Site Systems that Support Internet-Based Client Management; How to Enable or Disable Certificate Revocation Checking (CRL) on Clients
Terry now installs the Configuration Manager client on the laptop, configures software updates, and confirms standard Configuration Manager operation on the intranet. |
With intranet operation in native mode confirmed, Terry then configures the site system roles to allow intranet and Internet client connections. He also confirms that the distribution point is configured to transfer content using BITS and HTTP. | How to Configure a Management Point for Internet-Based Client Connections; How to Configure a Software Update Point for Internet-Based Client Connections; How to Configure a Distribution Point for Internet-Based Client Connections; How to Configure a Distribution Point to Transfer Content Using BITS, HTTP, and HTTPS
On the laptop computer, Terry specifies IBCM.treyresearch.com as the Internet-based management point on the Internet tab of Configuration Manager in Control Panel. | How to Assign Configuration Manager Client Computers to the Internet-Based Management Point
The networking team makes the final required configurations to allow the Internet traffic into both the perimeter network and the intranet: | Determine the Ports Required for Internet-Based Client Management; Determine Requirements for Proxy Web Servers to Use With Internet-Based Client Management
Terry disconnects his test laptop from the test network and, using the software updates feature in Configuration Manager, creates a new optional software update deployment. Terry then takes the test laptop home, connects to the Internet, manually initiates client policy, receives notification of the optional software update, and successfully installs it. | How to Initiate Policy Retrieval for a Configuration Manager Client
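Two of the steps in the table above are easy to get wrong and only show up as client connection failures later: the Web server certificate must carry both the intranet FQDN and the Internet FQDN in its Subject Alternative Name, and a CRL distribution point that lives only in the intranet DNS zone leaves Internet clients unable to complete revocation checking. The following Go program is an added example, not code from the Configuration Manager documentation or product; it issues a test certificate from a throwaway CA to stand in for what Terry's enterprise root CA would issue, then runs both checks against it. The FQDN values are taken from the scenario; the Internet FQDN `ibcmserver.treyresearch.net` is an assumption derived from the A record the networking team adds to the public treyresearch.net zone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// FQDNs from the Trey Research scenario. The Internet FQDN is an assumption
// based on the IBCMServer A record added to the public treyresearch.net zone.
const (
	intranetFQDN = "ibcmserver.testnet.treyresearch.net"
	internetFQDN = "ibcmserver.treyresearch.net"
)

// CertReport records whether both required SAN names are present and which
// CRL distribution points Internet clients cannot reach.
type CertReport struct {
	HasIntranetSAN   bool
	HasInternetSAN   bool
	IntranetOnlyCDPs []string
}

// hostIsInternal reports whether host lies under a DNS suffix that resolves
// only on the intranet (for the test forest: testnet.treyresearch.net).
func hostIsInternal(host string, internalSuffixes []string) bool {
	h := strings.ToLower(host)
	for _, s := range internalSuffixes {
		s = strings.ToLower(s)
		if h == s || strings.HasSuffix(h, "."+s) {
			return true
		}
	}
	return false
}

// CheckCert applies the two pre-deployment checks: both FQDNs must appear as
// SAN dNSName entries, and any CRL distribution point on an intranet-only host
// will make Internet clients fail revocation checking unless the CRL is
// published externally or CRL checking is disabled on those clients.
func CheckCert(cert *x509.Certificate, intranet, internet string, internalSuffixes []string) CertReport {
	var r CertReport
	for _, n := range cert.DNSNames {
		switch strings.ToLower(n) {
		case strings.ToLower(intranet):
			r.HasIntranetSAN = true
		case strings.ToLower(internet):
			r.HasInternetSAN = true
		}
	}
	for _, cdp := range cert.CRLDistributionPoints {
		u, err := url.Parse(cdp)
		if err != nil || hostIsInternal(u.Hostname(), internalSuffixes) {
			r.IntranetOnlyCDPs = append(r.IntranetOnlyCDPs, cdp)
		}
	}
	return r
}

// IssueTestCert builds a throwaway root CA and issues a Web server certificate
// with the given SAN names and CRL distribution points. All values are
// constructed for this example; a real deployment would use the enterprise CA.
func IssueTestCert(sans, cdps []string) (*x509.Certificate, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(48 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: intranetFQDN},
		DNSNames: sans, CRLDistributionPoints: cdps,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// A certificate issued after SAN support was enabled on the CA, but still
	// carrying the CA's default intranet-only CRL location (constructed value).
	cert, err := IssueTestCert(
		[]string{intranetFQDN, internetFQDN},
		[]string{"http://dc1.testnet.treyresearch.net/CertEnroll/TestRootCA.crl"},
	)
	if err != nil {
		panic(err)
	}
	r := CheckCert(cert, intranetFQDN, internetFQDN, []string{"testnet.treyresearch.net"})
	fmt.Printf("intranet SAN present: %v, Internet SAN present: %v\n", r.HasIntranetSAN, r.HasInternetSAN)
	for _, c := range r.IntranetOnlyCDPs {
		fmt.Println("CRL not reachable from the Internet:", c)
	}
}
```

Run against a certificate exported from the issuing CA (replace `IssueTestCert` with `x509.ParseCertificate` on the DER bytes), the report tells you before native mode goes live whether Internet clients will fail on the name match or on revocation checking, which is the choice Terry makes when he disables CRL checking for the test environment.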
After this initial successful test, Terry conducts further tests with automatic software updates and software distributions, and he confirms that hardware inventory and desired configuration management compliance information is still reported when the laptop is on the Internet. He also confirms that a content download can seamlessly continue when he moves the laptop from the Internet to the intranet and vice versa.
Terry documents his findings and two weeks later presents his findings to the management team. The successful conclusion convinces the management team that Internet-based client management offers a seamless user experience that provides an effective method of managing laptops even when they are away from the company network. In turn, this helps to keep the laptops secure, so the investment required in a PKI solution is seen to be cost justified.
The company does not have the internal resources or experience to implement an internal PKI, so the proof of concept provides the cost justification to outsource this project so that Internet-based client management can be implemented in the near future.
See Also
Concepts
Administrator Checklist: Configuring a Site for Internet-Based Client Management
Administrator Checklist: Configuring Client Computers for a Site that Supports Internet-Based Client Management
Administrator Workflow: Configuring a Site for Internet-Based Client Management
Overview of Internet-Based Client Management