Topic last updated -- November 2007
For Configuration Manager 2007 sites to communicate with clients using a custom port, the Web site used by Configuration Manager 2007 site systems must be configured to accept connections on custom ports. Although it is supported, changing the port used for connecting to the default Web site is not recommended when other applications that depend on Internet Information Services (IIS), such as Microsoft Windows® SharePoint® Services, are also installed on the site system. Changing the port for the default web site in these cases may cause the shared application to fail.
Using Configuration Manager site systems to run additional applications increases the attack surface on those site systems and is not recommended. The best practice for Configuration Manager site systems requiring IIS is to use a server solely dedicated to providing Configuration Manager services.
By creating a custom Web site for Configuration Manager 2007 use and setting it to accept client connections on the port that you specify for client communications, you can allow other applications to continue to function using the default Web site. For information about which Configuration Manager 2007 site systems require IIS, see Configuration Manager Supported Configurations.
When creating a custom Web site, it is important that you define custom ports for the new Web site that are different from those in use on the default Web site. The default Web site and the custom Web site cannot be started at the same time if both are configured to operate on the same TCP/IP ports.
When configuring the custom Web site to use HTTPS ports to support native mode site operations, the custom Web site must be configured to use a Web server certificate issued by a trusted certification authority. For more information about certificate requirements for native mode, see Certificate Requirements for Native Mode.
Configuring a custom Web site is a site-wide operation. If you choose to use a custom Web site, it is recommended that you implement custom Web sites at every site in the hierarchy. You should also switch the ports used by clients to communicate with site systems in parallel by configuring the sites to use custom Web sites.
When you enable a custom Web site, the site roles installed on the server computer will automatically be uninstalled and reinstalled. The TCP/IP ports configured in IIS for the custom Web site after the site roles have been reinstalled should be the same as the client communication ports configured for the site. After configuring a custom Web site, you should verify that the ports configured for the custom Web site match those configured for the site.
When you change from using the default Web site to using a custom Web site, Configuration Manager 2007 does not automatically remove the old virtual directories. You should manually remove the virtual directories created under the default Web site. For more information, see Software Distribution Security Best Practices and Privacy Information.
Create and Configure the Custom Web Site in Internet Information Services (IIS)
To create a custom Web site in Internet Information Services (IIS)
Open the Internet Information Services Manager console on the Configuration Manager 2007 site system by clicking Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.
Start the Web Site Creation Wizard in the Internet Information Services Manager console by right-clicking Web Sites, clicking New, and clicking Web Site.
Using the Web Site Creation Wizard, create a custom Web site named SMSWEB.
Important: SMSWEB is the only allowed custom Web site name for Configuration Manager 2007 custom Web sites.
Configure the custom Web site to use a custom client connection port.
If you are configuring a custom Web site for use in Configuration Manager 2007 sites operating in mixed mode, you must enable the Allow anonymous access to this web site check box.
If you are configuring a custom Web site for use in Configuration Manager 2007 sites operating in native mode, you should disable the Allow anonymous access to this web site check box and also configure the site to use a Web certificate issued by a trusted certification authority to secure client connections to the Web site. For more information about configuring the custom Web site to use a Web certificate, see Deploying the Web Server Certificates to Site System Servers.
Verify Custom Web Site Creation Success
To verify that the custom Web site creation process was successful
Review the smsprov.log file to verify that the site control file for the site was successfully updated.
Review the hman.log file to verify that the site control file changes were successfully processed.
Review the site role setup logs to verify that the site roles were successfully uninstalled and reinstalled with the new settings. For example, if you are configuring a custom Web site for a site server hosting the management point role, review the mpsetup.log.
If the Active Directory schema has been extended for Configuration Manager 2007 and the site is publishing site information, you should also review the sitecomp.log to verify that the site component manager successfully updated the site information published to Active Directory Domain Services.
Review the custom Web site in the Internet Information Services Manager console. Verify that the custom Web site is running and the virtual directories for site roles installed on the server computer have been created.
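The IIS-side checks described in this topic (port match, no port shared with another Web site, anonymous access per site mode, running state, virtual directories) can be scripted. The following PowerShell is an added example and is not part of the original topic or of Configuration Manager. It assumes the IIS 6 WMI provider (root\MicrosoftIISv2) is present on the site system; the parameter names and the sample port 8080 are constructed for illustration.

```powershell
# Added example, not Microsoft's code. Assumes the IIS 6 WMI provider
# (root\MicrosoftIISv2) is installed on the site system.
param(
    [int[]]$HttpPorts  = @(8080),  # constructed sample: client HTTP port set for the site
    [int[]]$HttpsPorts = @(),      # constructed sample: client HTTPS port (native mode)
    [switch]$NativeMode
)
$ns = 'root\MicrosoftIISv2'
function Join-Ports($p) { (@($p) | Sort-Object) -join ',' }
function Get-SitePorts($s) {
    # ServerBindings hold HTTP ports, SecureBindings hold HTTPS ports (Port may end in ':')
    @{ Http  = @($s.ServerBindings | Where-Object { $_.Port } | ForEach-Object { [int]$_.Port })
       Https = @($s.SecureBindings | Where-Object { $_.Port } |
                 ForEach-Object { [int]("$($_.Port)".TrimEnd(':')) }) }
}
$sites  = @(Get-WmiObject -Namespace $ns -Class IIsWebServerSetting)
$custom = @($sites | Where-Object { $_.ServerComment -eq 'SMSWEB' })
if ($custom.Count -ne 1) { throw "Expected one Web site named SMSWEB, found $($custom.Count)" }
$custom = $custom[0]
$ports  = Get-SitePorts $custom
$findings = @()

# IIS bindings must match the client communication ports configured for the site
if ((Join-Ports $ports.Http) -ne (Join-Ports $HttpPorts)) {
    $findings += "HTTP bindings [$(Join-Ports $ports.Http)] differ from site ports [$(Join-Ports $HttpPorts)]" }
if ((Join-Ports $ports.Https) -ne (Join-Ports $HttpsPorts)) {
    $findings += "HTTPS bindings [$(Join-Ports $ports.Https)] differ from site ports [$(Join-Ports $HttpsPorts)]" }

# No other Web site (including the default one) may share a port with SMSWEB
foreach ($other in ($sites | Where-Object { $_.Name -ne $custom.Name })) {
    $o = Get-SitePorts $other
    $shared = @($o.Http + $o.Https | Where-Object { ($ports.Http + $ports.Https) -contains $_ })
    if ($shared.Count) { $findings += "Port(s) $(Join-Ports $shared) also bound on '$($other.ServerComment)'" }
}
# Mixed mode requires anonymous access; native mode should have it disabled
if ([bool]$custom.AuthAnonymous -eq [bool]$NativeMode) {
    $findings += "Anonymous access is $($custom.AuthAnonymous); wrong for this site mode" }

# ServerState 2 means the Web site is started
$state = (Get-WmiObject -Namespace $ns -Class IIsWebServer -Filter "Name='$($custom.Name)'").ServerState
if ($state -ne 2) { $findings += "SMSWEB is not running (ServerState=$state)" }

# List virtual directories under SMSWEB for review against the installed site roles
$vdirs = Get-WmiObject -Namespace $ns -Class IIsWebVirtualDirSetting |
    Where-Object { $_.Name -like "$($custom.Name)/ROOT/*" } | ForEach-Object { $_.Name }
"Virtual directories: $($vdirs -join '; ')"
if ($findings) { $findings | ForEach-Object { "FINDING: $_" } } else { 'SMSWEB matches the expected configuration' }
```

Pass the client ports shown in the site's properties as `-HttpPorts` and `-HttpsPorts`, and add `-NativeMode` for a native mode site.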