Internet-based client management allows you to manage Configuration Manager 2007 clients when they are not connected to your company network but have a standard Internet connection. This arrangement has a number of advantages, including the reduced costs of not having to run virtual private networks (VPNs) and being able to deploy software updates in a more timely manner.
Because of the higher security requirements of managing client computers on a public network, Internet-based client management requires that the site is in native mode. This ensures that connections to the management point, software update point, and distribution points are authenticated by an independent authority, and that data to and from these site systems are encrypted using Secure Sockets Layer (SSL).
Features that Are Not Supported on the Internet
Not all Configuration Manager 2007 features are appropriate for the Internet, and so they are not supported when clients are managed on the Internet. The features that are not supported for Internet management typically rely on Active Directory Domain Services (which is not accessible from the Internet) or are not appropriate for a public network (such as network discovery and Wake On LAN).
The following features are not supported when clients are managed on the Internet:
- Software distribution that is targeted to
users (either directly or through Microsoft Windows security
- Branch distribution points (a branch
distribution point cannot support Internet clients, and clients on
the Internet cannot be configured as a branch distribution
- Client deployment over the Internet.
- Auto-site assignment.
- Network Access Protection (NAP).
- Wake On LAN.
- Operating system deployment.
- Task sequences.
- Remote control.
- Out of band management in Configuration
Manager 2007 SP1 and later.
- The client ping functionality used with the
client status reporting feature in Configuration Manager
Additionally, Internet-based client management does not support roaming, which allows clients to always find the closest distribution points to download content. Clients that are managed on the Internet have a fixed Internet-based management point and communicate with that management point only when they are on the Internet, and with site systems in the site that are configured for Internet-based client management.
Clients connecting over the Internet will download content from any of the Internet-based distribution points in the site, regardless of bandwidth or physical location. For this reason, you cannot configure a protected site system to support Internet-based client management.
Configuring Site Systems for Internet-Based Client Management
There are no new site system roles required to support clients on the Internet. Instead, existing site system roles in a native mode, primary site are configured for Internet-based client management and placed appropriately on the network. The following site systems can support client management over the Internet:
- Management point (with and without a network
load balancing cluster)
- Distribution points
- Fallback status point
- Software update point (with and without a
network load balancing cluster)
A number of supported scenarios determine the location of servers in the Configuration Manager 2007 primary site. These range from having the complete Configuration Manager 2007 site contained within the perimeter network (also known as a screened subnet or DMZ) to having the site divided between the perimeter network and the intranet. The configuration of firewalls and Web proxies will depend on the server placement you choose. If you are using a proxy Web server, such as Microsoft ISA Server 2006, it must also have an appropriate certificate and support SSL termination so that the proxy Web server can authenticate client connections.
Configuring Clients for Internet-Based Management
Client computers and mobile client devices can be configured for one of the following management methods:
- Internet-only management
- Intranet-only management
Clients that are managed over the Internet must be configured to use their assigned site's Internet-based management point. Clients cannot communicate with an Internet-based management point from another site or with any other Internet-based site systems from another site. The configuration for the Internet-based management point can be specified with command-line properties during installation or specified in the Internet tab of Configuration Manager from the Control Panel of a client computer.
|The Internet tab displays only if the client is communicating in native mode.|
Clients configured for Internet-only management only communicate with the site systems that are configured to support Internet-based client management. This would be appropriate for computers and devices that you know will never connect to your company intranet, with an example being point of sale computers in remote locations.
Clients configured for intranet-only management are not configured to use the Internet management point, and they do not have a requirement to connect to site systems that are configured for Internet-based client management.
Client computers can have a third configuration that is not available for mobile client devices:
- Internet or intranet management
To support this mode of operation, clients must be domain-joined and have a trust relationship to the site server's Active Directory forest. For example, they must be in the same Active Directory forest as their site server's forest, or they must be authenticated through an external trust or forest trust. Workgroup clients do not support Internet or intranet management but must be configured for intranet-only management or for Internet-only management.
Client computers configured for Internet or intranet management can automatically switch between Internet-based client management and intranet client management whenever they detect a change of network.
When this network change is detected, the client computer will first attempt to communicate with its assigned management point on the intranet. If this succeeds, the client computer behaves as a standard intranet client. However, if the client computer cannot connect to its assigned management point, it then attempts communication with its configured Internet management point, using the Internet fully qualified domain name that is configured on the management point and registered with Internet DNS servers. When the Internet management point responds, the client computer then uses as required, the distribution points and software updates point that are also configured for Internet-based client management.
The benefit in automatic switching between Internet-based client management and intranet client management is that client computers can use the full range of Configuration Manager features when they reconnect to the intranet. Additionally, a download that began on the Internet can seamlessly resume on the intranet.
|If you have clients that cannot support both intranet and Internet client management (such as workgroup clients) and you want to manage them on the Internet, they must be configured for Internet-only management. This means that when they connect to the intranet, they continue to communicate with the Internet-based site systems. Additionally, they will not support the full Configuration Manager feature range associated with intranet client management, as listed in the previous section "Features that Are Not Supported on the Internet".|
How Internet Clients Use the Fallback Status Point
If you are using a fallback status point in the Internet-based client management site, the client must be configured with the Internet-based fallback status point when it is installed. If the client fails to connect to its Internet-based management point when it is on the Internet (for example, because its certificate has expired), it will send a failure status message to its configured Internet-based fallback status point using HTTP.
When a client computer is configured for both Internet and intranet-based client management and configured with an Internet-based fallback status point, it will not use the fallback status point on the intranet. This means that if a client computer moves onto the intranet and cannot connect to its assigned management point on the intranet, the client computer will send its failure status message to the Internet-based fallback status point from the intranet.
How Internet Client Computers Use the Proxy Server Settings
In addition to specifying the client's Internet-based management point, client computers can also specify proxy Web server settings. Specify proxy Web server settings if the client computer needs to connect to the Internet using a proxy Web server.
|If you are using a site port number for HTTPS client requests other than the industry default of 443, Internet connections that require a proxy Web server are unlikely to work because, typically, proxy Web servers are configured to use the default HTTPS port of 443.|
The ability to specify a proxy Web server configuration is particularly useful for users, such as consultants, who have laptops that connect to another company’s intranets. Specifying the proxy Web server details as a Configuration Manager property means that computers remain managed even when users are not logged on. However, if the proxy Web server settings are not specified as a Configuration Manager property, Configuration Manager client computers will try the following proxy Web server discovery methods to connect to the specified Internet-based management point :
- The proxy Web server settings configured in the default
- The system context
- The currently logged-on user's credentials