Lessons Learned with Configuration Manager 2012 Cross-Forest, Internet-Based Client Management Configuration.
In a recent implementation, I enjoyed (and cried over) learning some lessons about setting up Internet-Based Client Management across multiple forests. Several things need to be in place for Configuration Manager (ConfigMgr) 2012 to work properly with intranet clients, internet clients located in the same forest as ConfigMgr, and internet clients located in separate forests from ConfigMgr. The notes below are a high-level overview along with some additional tidbits that might help others get their environment working properly. They assume a scenario with an intranet-facing role server and an internet-facing role server located in the same forest, with devices in other forests communicating over the internet, but the same principles should cover most Internet-Based Client Management configurations.
- Make sure that you have a functioning ConfigMgr environment that works across forests and domains via intranet clients; easily done if there are trusts between the forests and domains.
- Make sure the Certificate Authority is set up correctly in each forest, or else you will run into issues and never realise that the root cause is a Certificate Authority that was set up incorrectly in the first place. Beware of doing an implementation when there is no knowledgeable PKI admin in place who can confirm whether the environment is stable.
- Have the network team establish an Internet FQDN for the Internet facing role server.
- Deploying the Web Server Certificate for Site Systems that run IIS (http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_webserver2008_cm2012)
- Deploying the Client Certificates for Windows Computers (http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_client2008_cm2012)
- Deploying the Client Certificate for Distribution Points (http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_clientdistributionpoint2008_cm2012)
Note: The above steps are appropriate to establish internet-based clients within the same forest as ConfigMgr.
- Create a GPO for Certificate Authorities Trust if different Certificate Authorities exist in each forest (http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx).
- The public key of the root certificate is normally located on the Certificate Authority server at C:\Windows\System32\certsrv\CertEnroll, with a .CRT file extension.
- Create a GPO in each forest that ConfigMgr is not located in and include the root certificate from the Certificate Authority in the forest that ConfigMgr is located in. Attach this GPO to the devices that will be internet-based clients. This will create a certificate chain of trust.
- Create a GPO in the forest that ConfigMgr is located in and include the root certificates from the Certificate Authorities in the forests that ConfigMgr is not located in. Attach this GPO to the intranet-facing and internet-facing role servers to create a chain of trust with the other forests' Certificate Authorities. It is important for the GPO to apply to the intranet-facing role server in order to establish the initial validity of the certificate when the client is first installed. The internet-facing role server needs the GPO so that the chain of trust continues once the client is taken off the domain and communicates with ConfigMgr over the internet.
- Root certificates from the Certificate Authorities in the other forests (not the one ConfigMgr is located in) have to be added to the ConfigMgr site's properties, under the Client Computer Communication tab, in the Trusted Root Certification Authorities list. This publishes to Active Directory in the other forests the certificate issuers a client is allowed to use when it attempts to validate its PKI certificate.
- The command properties used for the client installation are as follows:
ccmsetup.exe /usePKICert /NOCRLCheck /mp: SMSSITECODE= CCMHOSTNAME=
These might not all be necessary, but I found them to be in this environment.
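The steps above all come down to two chains of trust that have to hold from the client's point of view: the other forest's root must be trusted on the device (the GPOs), and the client must be able to build, name-match and ideally revocation-check the certificate the internet-facing role server presents (which is exactly what /NOCRLCheck switches off). The following PowerShell script is an added example, not part of the original post and not a ConfigMgr tool; run it elevated on a client in the other forest before ccmsetup. The function names Get-ChainResult and Get-ServerCertificate are mine, and the two angle-bracket values (the ConfigMgr forest's root CA thumbprint and the Internet FQDN of the role server) are placeholders you must fill in for your environment. It assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the original post: pre-flight checks to run on an
# internet-based client in another forest before ccmsetup /usePKICert.
# Angle-bracket values are placeholders; replace them for your environment.
param(
    # Thumbprint of the root CA from the forest ConfigMgr lives in; the GPO
    # described above should have placed it in this device's Trusted Root store.
    [string]$ConfigMgrForestRootThumbprint = '<ROOT-CA-THUMBPRINT-OF-CONFIGMGR-FOREST>',
    # Internet FQDN the network team assigned to the internet-facing role server.
    [string]$InternetFqdn = '<internet-fqdn-of-role-server>'
)
$ErrorActionPreference = 'Stop'

# Builds a chain for $Cert under the given revocation mode (NoCheck or Online)
# and reports validity, the chain status flags, and the root it ended at.
function Get-ChainResult {
    param($Cert, [string]$Mode)
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid = $chain.Build($Cert)
    $last = $chain.ChainElements.Count - 1
    $root = $null
    if ($last -ge 0) { $root = $chain.ChainElements[$last].Certificate.Thumbprint }
    [pscustomobject]@{
        Mode   = $Mode
        Valid  = $valid
        Status = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Root   = $root
    }
}

# Opens a TLS connection to the role server and returns the certificate it
# presents. TLS-layer validation is deliberately disabled here so the chain
# can be evaluated by Get-ChainResult under both revocation policies.
function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object -TypeName System.Net.Sockets.TcpClient -ArgumentList $HostName, $Port
    try {
        $stream = $tcp.GetStream()
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object -TypeName System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    } finally { $tcp.Close() }
}

# 1. Trust anchor from the ConfigMgr forest (delivered by the GPO) present on this device?
$wanted = ($ConfigMgrForestRootThumbprint -replace '[\s:]', '').ToUpper()
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $wanted }
if ($root) { "OK   root CA present in LocalMachine\Root: $($root.Subject)" }
else       { "FAIL root CA $wanted missing from LocalMachine\Root; has the trust GPO applied?" }

# 2. This device's client-authentication certificate (EKU 1.3.6.1.5.5.7.3.2), the kind
#    ccmsetup /usePKICert selects. Its chain root is in *this* forest, so that root
#    must appear in the site's Trusted Root Certification Authorities list.
$clientCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.Extensions | Where-Object {
        $_.Oid.Value -eq '2.5.29.37' -and $_.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.3\.2' })
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $clientCert) { throw 'No client authentication certificate with a private key in LocalMachine\My' }
$c = Get-ChainResult -Cert $clientCert -Mode NoCheck
"Client cert: $($clientCert.Subject), chain valid=$($c.Valid) [$($c.Status)], chain root $($c.Root)"

# 3. What the role server presents over the internet, and whether this device can
#    validate it: chain (needs step 1), name (must match the Internet FQDN), and
#    revocation (what /NOCRLCheck switches off).
try { $serverCert = Get-ServerCertificate -HostName $InternetFqdn }
catch { "FAIL cannot complete a TLS handshake with ${InternetFqdn}:443 ($($_.Exception.Message))"; return }
$san = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @(if ($san) { [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
    ForEach-Object { $_.Groups[1].Value } })
"Server cert: $($serverCert.Subject) SAN=$($dnsNames -join ',')"
if ($dnsNames -contains $InternetFqdn) { "OK   SAN contains $InternetFqdn" }
else { "FAIL $InternetFqdn is not in the server certificate's SAN; clients will reject the name" }

$offline = Get-ChainResult -Cert $serverCert -Mode NoCheck
$online  = Get-ChainResult -Cert $serverCert -Mode Online
if (-not $offline.Valid) {
    "FAIL server chain does not build: $($offline.Status); re-check step 1 and the GPO on the role server"
} elseif (-not $online.Valid) {
    "WARN server chain is valid only with revocation skipped: $($online.Status)"
    "     ccmsetup will need /NOCRLCheck, which means a revoked server certificate is still accepted;"
    "     prefer publishing the CRL on an internet-reachable HTTP location and dropping the switch."
} else {
    "OK   server chain and revocation verified online; /NOCRLCheck should not be needed."
}

# 4. HTTP CRL distribution points named in the server certificate, and whether they
#    answer from here. LDAP-only CDPs are never reachable from the internet.
$cdp = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$urls = @(if ($cdp) { [regex]::Matches($cdp.Format($false), 'URL=(https?://[^\s,]+)') |
    ForEach-Object { $_.Groups[1].Value } })
if (-not $urls) { "WARN no HTTP CRL distribution point in the server certificate" }
foreach ($u in $urls) {
    try { $null = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10; "OK   CRL reachable: $u" }
    catch { "FAIL CRL unreachable from this network: $u ($($_.Exception.Message))" }
}
```

The useful outcome is the WARN branch in step 3: if the server chain builds only with revocation skipped, the CRL the server certificate points at cannot be fetched from the internet, which is the situation in which /NOCRLCheck becomes necessary and is also the reason to treat it as a workaround rather than a permanent setting. Step 4 tells you which distribution point is the culprit.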
Please use the links below when setting up Internet-Based Client Management:
Keep in mind that every environment is different. Setting up Internet-Based Client Management in any environment can be an intricate and convoluted process; do not be discouraged and, most of all, be patient. Along with the links above, there are a lot of good blogs out there that explain things and go over specific experiences.
Hope this helps everyone out there and makes life a little easier for you.