I'm in the process of planning our System Center Configuration Manager 2012R2 deployment.
One thing I'm having trouble figuring out is what I need to have to support remote laptops. We have quite a few users who sometimes work from home/on the road (so their laptops are on the domain, but often not connected to our network for weeks at a time). We also have a bunch of laptops used for presentations and such which aren't on the domain at all, and rarely if ever connect to our internal network.
So far I know I need PKI set up and working properly, which shouldn't be much of an issue.
But do I need a separate server in a DMZ for internet clients? If so, with which roles? One of the TechNet articles said to set up an entirely separate forest. Is that really necessary?
Can I simply open up HTTPS to the intranet site server? Or does that introduce some huge attack vector?
I'm sure there are several ways that this can be set up, each with advantages, drawbacks and security implications, but so far I haven't even managed to enumerate what my options are.
For MDMarra's question:
For management of internet connected laptops, I want to (if possible):
- Keep their hardware and software inventories up to date
- Make sure they have Windows updates installed (hopefully downloaded from MS, not my local server)
- Check endpoint antivirus status
- Push out software and third party updates
Of course, some things like OS deployment and out of band management just aren't going to be possible remotely. It looks like remote control isn't supported remotely either, which is unfortunate but I can live without it.
We're considering getting a VPN set up for the domain-connected laptops, which would probably make this easier, but that's still a way off. And it wouldn't help with the non-domain laptops.
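As an added example that is not part of the original question: a PowerShell check you can run on one of the laptops before cutting it over to HTTPS management. It verifies that the machine store holds a certificate usable for client authentication (the PKI prerequisite the question mentions: Client Authentication EKU, private key present, currently valid, chaining to a trusted root with revocation checked), and then tests that the Internet-facing management point's HTTPS port is reachable. The management point FQDN is a placeholder, and the script uses only standard Windows cmdlets and .NET X509 classes, not any ConfigMgr-specific API.

```powershell
# Added example (not from the original post). Checks the client-side PKI prerequisites
# for HTTPS ConfigMgr client communication and basic reachability of an Internet MP.

$InternetMP    = 'mp-internet.example.com'   # placeholder: your Internet-facing MP FQDN
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'         # id-kp-clientAuth

function Get-ClientAuthCertificates {
    # Candidate certificates: machine store, private key present, in validity period,
    # and carrying the Client Authentication enhanced key usage.
    Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotBefore -le (Get-Date) -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ClientAuthOid })
    }
}

function Test-CertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Build the chain with online revocation checking so an expired or revoked
    # intermediate, or a missing root, shows up here rather than at enrollment time.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Thumbprint  = $Certificate.Thumbprint
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        NotAfter    = $Certificate.NotAfter
        ChainValid  = $ok
        ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

$certs = @(Get-ClientAuthCertificates)
if ($certs.Count -eq 0) {
    Write-Warning 'No valid Client Authentication certificate with a private key found in LocalMachine\My.'
} else {
    $certs | ForEach-Object { Test-CertificateChain -Certificate $_ } | Format-List
}

# TCP 443 reachability to the assumed Internet MP (transport-level only; it does not
# exercise the MP itself, so a successful result only rules out a firewall/DNS problem).
Test-NetConnection -ComputerName $InternetMP -Port 443 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Run it from an elevated prompt on a laptop that is off the corporate network (tethered or on home Wi-Fi) so the result reflects the path the Internet clients will actually use; a certificate that passes here but fails in the ConfigMgr client logs usually points at a template or trusted-root problem on the site side rather than on the laptop.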