
Lessons Learned with Configuration Manager 2012 Cross-Forest, Internet-Based Client Management Configuration.

In a recent implementation, I enjoyed (and cried over) learning some lessons about setting up Internet-Based Client Management across multiple forests. Several things need to be in place for Configuration Manager (ConfigMgr) 2012 to work properly with three kinds of clients: intranet clients, internet clients in the same forest as ConfigMgr, and internet clients in forests separate from ConfigMgr. The notes below give a high-level overview along with some additional tidbits that may help others get their environment working properly. They assume an intranet-facing site system and an internet-facing site system in the same forest as ConfigMgr, with devices in other forests communicating over the internet, but the principles should cover most Internet-Based Client Management configurations.

  1. Make sure you have a functioning ConfigMgr environment that already works across forests and domains for intranet clients; this is straightforward when trusts exist between the forests and domains.
  2. Make sure the Certificate Authority in each forest is set up correctly. If it is not, you will run into issues and may never realize that the root cause is a CA that was misconfigured in the first place. Be wary of doing an implementation without a knowledgeable PKI admin who can confirm whether the environment is stable.
  3. Have the network team establish an Internet FQDN for the internet-facing site system: a public DNS name that internet clients can resolve and reach on TCP 443.
  4. Deploying the Web Server Certificate for Site Systems that run IIS (http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012)
  5. Deploying the Client Certificates for Windows Computers (http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012)
  6. Deploying the Client Certificate for Distribution Points (http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_clientdistributionpoint2008_cm2012)
    Note: The above steps are appropriate to establish internet-based clients within the same forest as ConfigMgr.
  7. Create a GPO to distribute the trusted root certificates if a different Certificate Authority exists in each forest (http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx).
  8. Root certificates from the Certificate Authorities in the other forests (not the forest ConfigMgr is in) must be added to the site's properties under the Client Computer Communication tab, Trusted Root Certification Authorities. This is what gets published to Active Directory in the other forests as the list of certificate issuers a client is allowed to use when ConfigMgr validates its PKI certificate.
  9. The command-line properties used for the client installation are as follows:
    ccmsetup.exe /usePKICert /NOCRLCheck /mp: SMSSITECODE= CCMHOSTNAME=
    /usePKICert tells the client to authenticate with a PKI certificate, /mp: and CCMHOSTNAME= point it at the management point and the Internet FQDN, and /NOCRLCheck disables certificate revocation list checking. Use that last switch only while the CRL distribution point is unreachable from the internet, because it removes revocation checking from the client's certificate validation. These might not all be necessary, but I found them to be in this environment.
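The following PowerShell script is an added example, not code from the original post, that runs the checks behind steps 3 through 9 on an internet client before ccmsetup is launched: name resolution and TCP 443 reachability to the Internet FQDN, presence of a client-authentication certificate with a private key, chain building with online revocation checking, reachability of each HTTP CRL distribution point, and finally the ccmsetup line with /NOCRLCheck added only when the CRL really is unreachable. The FQDN and site code are placeholder parameters; the root\ccm classes ClientInfo and SMS_Authority queried at the end exist only after the client is installed.

```powershell
# Added example (not from the original post): pre-flight checks for an internet-facing
# ConfigMgr 2012 client before running ccmsetup. Run in an elevated PowerShell on the client.
# The FQDN and site code below are assumed placeholders; replace them with your own values.
param(
    [string]$InternetFqdn = 'cmibcm.example.com',   # assumed: Internet FQDN from step 3
    [string]$SiteCode     = 'AB1'                   # assumed: your site code
)

# 1. Name resolution and TCP 443 reachability to the internet-facing site system (steps 3 and 4).
$addrs = [System.Net.Dns]::GetHostAddresses($InternetFqdn)
Write-Host "$InternetFqdn resolves to: $(($addrs | ForEach-Object { $_.IPAddressToString }) -join ', ')"
$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($InternetFqdn, 443); Write-Host "TCP 443 to $InternetFqdn : open" }
catch   { Write-Warning "TCP 443 to $InternetFqdn failed: $($_.Exception.Message)" }
finally { $tcp.Close() }

# 2. Find a certificate with the Client Authentication EKU and a private key (step 5).
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and (
        $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $ClientAuthOid }
    )
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No Client Authentication certificate with a private key in LocalMachine\My.' }
Write-Host "Client cert: $($cert.Subject) issued by $($cert.Issuer), expires $($cert.NotAfter)"

# 3. Build the chain with online revocation checking. A failure that is only a revocation
#    status means the CRL cannot be fetched from this network; fix CRL publishing rather than
#    reaching for /NOCRLCheck where you can.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chainOk = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) { Write-Warning "Chain status: $($s.Status) - $($s.StatusInformation.Trim())" }
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Chain root: $($root.Subject) thumbprint $($root.Thumbprint) (chain valid: $chainOk)"
# Step 8: when this root belongs to a CA in another forest, its certificate is the one that must be
# listed under the site's Client Computer Communication > Trusted Root Certification Authorities.

# 4. Probe each HTTP CRL distribution point in the certificate (this is what /NOCRLCheck bypasses).
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$crlUrls = @()
if ($cdp) { $crlUrls = @([regex]::Matches($cdp.Format($true), 'http://[^\s\)]+') | ForEach-Object { $_.Value }) }
$crlReachable = $crlUrls.Count -gt 0
foreach ($url in $crlUrls) {
    try {
        $req = [System.Net.WebRequest]::Create($url); $req.Method = 'HEAD'; $req.Timeout = 10000
        $resp = $req.GetResponse(); Write-Host "CRL $url : HTTP $([int]$resp.StatusCode)"; $resp.Close()
    } catch { Write-Warning "CRL $url unreachable: $($_.Exception.Message)"; $crlReachable = $false }
}

# 5. Emit the ccmsetup line from step 9, adding /NOCRLCheck only if no CRL could be fetched.
$crlSwitch = if ($crlReachable) { '' } else { ' /NOCRLCheck' }
"ccmsetup.exe /usePKICert$crlSwitch /mp:$InternetFqdn SMSSITECODE=$SiteCode CCMHOSTNAME=$InternetFqdn"

# 6. After installation, confirm the client believes it is on the internet and which MP it uses.
if (Get-WmiObject -Namespace root\ccm -Class ClientInfo -ErrorAction SilentlyContinue) {
    $info = Get-WmiObject -Namespace root\ccm -Class ClientInfo
    $auth = Get-WmiObject -Namespace root\ccm -Class SMS_Authority
    Write-Host "InInternet=$($info.InInternet)  CurrentManagementPoint=$($auth.CurrentManagementPoint)"
}
```

Run it once from the internet-facing network the client will actually live on; a chain that builds cleanly on the intranet but fails revocation checking from outside is the usual reason /NOCRLCheck ends up on the command line, and the CDP probe in step 4 tells you which URL the internet clients cannot reach.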

Please make use of the TechNet links in the steps above when setting up Internet-Based Client Management.

Keep in mind that every environment is different. Setting up Internet-Based Client Management in any environment can be an intricate and convoluted process; do not be discouraged and, above all, be patient. Along with the links above, there are many good blogs out there that explain things and walk through specific experiences.

Hope this helps everyone out there and makes life a little easier for you.