
I'm in the process of planning our System Center Configuration Manager 2012R2 deployment.

One thing I'm having trouble figuring out is what I need to have to support remote laptops. We have quite a few users who sometimes work from home/on the road (so their laptops are on the domain, but often not connected to our network for weeks at a time). We also have a bunch of laptops used for presentations and such which aren't on the domain at all, and rarely if ever connect to our internal network.

So far I know I need PKI set up and working properly, which shouldn't be much of an issue.

But do I need a separate server in a DMZ for internet clients? If so, with which roles? One of the TechNet articles said to set up an entirely separate forest. Is that really necessary?

Can I simply open up HTTPS to the intranet site server? Or does that introduce some huge attack vector?

I'm sure there's several ways that this can be setup, each with advantages, drawbacks and security implications, but so far I haven't even managed to enumerate what my options are.

For MDMarra's question:

For management of internet connected laptops, I want to (if possible):

  • Keep their hardware and software inventories up to date
  • Make sure they have Windows updates installed (hopefully downloaded from MS, not my local server)
  • Check endpoint antivirus status
  • Push out software and third party updates

Of course, some things like OS deployment and out of band management just aren't going to be possible remotely. It looks like remote control isn't supported remotely either, which is unfortunate but I can live without it.

We're considering getting a VPN set up for the domain-connected laptops, which would probably make this easier, but that's still a way off. And it wouldn't help with the non-domain laptops.

Grant
  • Please define "manage" - do you just want a DP available to these users, or do you need an MP there as well? Exactly what features are you looking to use with Internet-connected clients? – MDMarra Sep 27 '14 at 15:36
  • @MDMarra added to question. – Grant Sep 27 '14 at 16:03
  • You want to manage remote laptops without a VPN? That's going to be a huge pain. Before asking how to manage these computers with SCCM, you need to ask yourself how you manage them at all... and I suspect you really don't, as it is, which would seem to suggest to me that there should be more urgency around getting a VPN in place, so you can manage those laptops with a reasonable amount of effort. – HopelessN00b Sep 29 '14 at 13:04
  • @HopelessN00b a VPN will work for the staff laptops, but not for the ones they borrow for training (not on the domain, not always used by people with domain accounts) or the public computers (like library computers) - I don't want them on the staff network, but do need to make sure they have all their updates and get hardware inventories. – Grant Sep 29 '14 at 19:06

1 Answer

  • You don't NEED a separate DMZ system, but it is highly recommended.
  • Shouldn't need a separate forest.
  • You CAN just open up your internal server to the internet and set it to handle internet clients...but that would be one hell of a security vulnerability.

There's a lot of details to planning/implementing this. I've included a couple links to get you started.

The following article goes over all the prereqs: http://blogs.technet.com/b/jchalfant/archive/2015/04/15/prerequisites-for-ibcm-in-configuration-manager.aspx

This is a pretty detailed tutorial on the process: http://www.systemcenterdudes.com/internet-based-client-management/

rootchord
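As an added example (not code from the answer above or from the linked articles), the following PowerShell audit checks the two PKI prerequisites that Internet-based client management depends on: each client needs a certificate in the local machine store with the Client Authentication EKU, a private key, a current validity period and a chain to a trusted root, and the Internet-facing management point/distribution point needs a web server certificate with the Server Authentication EKU that names the Internet FQDN clients will be pointed at. The Internet FQDN `sccm-ibcm.example.com` is a placeholder, and the script only inspects `Cert:\LocalMachine\My`; both are assumptions, not values from the thread.

```powershell
# Added example, not part of the original answer. Audits the LocalMachine\My store
# for certificates that meet the ConfigMgr IBCM PKI prerequisites.
# Assumptions (placeholders, not from the thread):
#   - the Internet-facing MP/DP is reached as 'sccm-ibcm.example.com'
#   - certificates were issued by the internal enterprise CA into LocalMachine\My
# Run elevated: on a client for Test-IbcmClientCert, on the DMZ site system for
# Test-IbcmWebServerCert.

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$SanOid        = '2.5.29.17'           # subjectAltName

function Get-CertEkuOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Collect every EKU OID present; an empty list means "no EKU extension" which
    # the ConfigMgr client will not select for HTTPS.
    $ext = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not $ext) { return @() }
    return @($ext | ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value })
}

function Test-CertChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Online revocation checking on purpose: an Internet client must be able to reach
    # the CRL distribution point from outside unless CCMSetup is run with /NoCRLCheck,
    # so a chain failure here on a remote laptop is itself a finding.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    $chain.Reset()
    return [pscustomobject]@{ Valid = $ok; Status = $status }
}

function Test-IbcmClientCert {
    # One row per certificate; Suitable is true only when all client-side
    # requirements hold (EKU, private key, validity, trusted chain).
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $ekus  = Get-CertEkuOids -Cert $_
        $chain = Test-CertChain -Cert $_
        $row = [pscustomobject]@{
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            Thumbprint    = $_.Thumbprint
            HasPrivateKey = $_.HasPrivateKey
            ClientAuthEku = ($ekus -contains $ClientAuthOid)
            InValidity    = ($_.NotBefore -le $now -and $_.NotAfter -gt $now)
            ChainValid    = $chain.Valid
            ChainStatus   = $chain.Status
            Suitable      = $false
        }
        $row.Suitable = $row.HasPrivateKey -and $row.ClientAuthEku -and $row.InValidity -and $row.ChainValid
        $row
    } | Sort-Object -Property Suitable -Descending
}

function Test-IbcmWebServerCert {
    # On the Internet-facing MP/DP: the web server certificate must carry Server
    # Authentication and name the Internet FQDN in the subject CN or the SAN,
    # otherwise clients fail TLS validation against the public hostname.
    param([string]$InternetFqdn)
    $escaped = [regex]::Escape($InternetFqdn)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $ekus    = Get-CertEkuOids -Cert $_
        $sanExt  = $_.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $nameMatch = ($_.Subject -match "CN=$escaped(,|$)") -or ($sanText -match $escaped)
        [pscustomobject]@{
            Subject           = $_.Subject
            Thumbprint        = $_.Thumbprint
            HasPrivateKey     = $_.HasPrivateKey
            ServerAuthEku     = ($ekus -contains $ServerAuthOid)
            NamesInternetFqdn = $nameMatch
            Suitable          = ($_.HasPrivateKey -and ($ekus -contains $ServerAuthOid) -and $nameMatch)
        }
    } | Sort-Object -Property Suitable -Descending
}

Test-IbcmClientCert | Format-Table -AutoSize
Test-IbcmWebServerCert -InternetFqdn 'sccm-ibcm.example.com' | Format-Table -AutoSize
```

A client that shows no `Suitable` row will fall back to the site's intranet behaviour and never register over the Internet, so this is worth running from outside the corporate network before pushing `CCMSetup` with `/UsePKICert` and `CCMHOSTNAME=<Internet FQDN>` to the road-warrior laptops. The web server check runs against the store of the machine you are on, so run it on the DMZ system rather than on the internal site server; a certificate that only names the internal FQDN is the usual reason the Internet role works on the LAN and fails from outside.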