Implementing Native Mode and Internet Based Client Management

 Next version of SMS  Released in Aug 2007  SP1 in April 2008  R2 released in Oct 2008

 What does it mean  Secures your environment by signing communication between your server and clients.  Benefits  Reduces the ability of attacker to set up bogus site and distribution points and encrypts communication through SSL  Considerations  With added security comes added complexity and administration  PKI is not something to just throw in. Make sure to plan a proper deployment before you attempt to tackle native mode   

 Internet Based Client Management  Allows you to manage clients outside of intranet or VPN  Supported Functions  Software Distribution (targeting computers, not users)  Software Updates (SUP)  Desired Configuration Management  Inventory  Software Metering  Non-Supported  Operating System Deployment  WOL (Wake on LAN)  Remote Tools (remote connection, remote assistance)

 PKI Certificates  More Info: “Deploying the PKI Certificates Required for Native Mode” us/library/bb aspx us/library/bb aspx  System Center Configuration Manager  Perimeter server to host roles  Perimeter server for FSP role

 This can be your own CA or external CA (Network Solutions, Verisign, etc…)  This demonstration is using a Microsoft Windows Server 2003 CA.  Clients must be able to trust the certificates issuing authority (Trusted Root, Intermediate Root)  Clients must be able to see published CRL*

 Certificate Revocation List  Used to determine if certificate is valid or has been revoked.  Path to list needs to be accessible to internet clients  Must be defined before creating cert (gets placed in the certificate – see image)

1. Manual installation 2. Request through /certsrv 3. Autoenrollment through Group Policy  Make sure client can trust the certificate authority  Download into trusted root  Publish through GPO  Add CTL to IIS

 Three primary types of certs needed 1. Computer/Workstation  Used for authentication  Autoenrollment  How to revoke  How to request for non-domain 2. Doc Signing  Custom cert for ConfigMgr Site Servers 3. Web  Needed for all servers hosting site server roles (IIS)

 Standard Computer certificate – can be provided by intermediate CA  Can be configured in Group Policy for autoenrollment  Demo GPO

 Standard IIS web server certificate  If internet, cert must support SAN  SAN  Subject Alternative Name  To add option to MS CA certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2  To add to a web based cert request - in attributes section:  san:dns= &dns= [&…]

 The name of the certificate needs to be the following:  “The site code of this site server is ”  Demo  More information:  us/library/cc aspx us/library/cc aspx

 Configure Templates  Install web cert to ConfigMgr1  Install site signing cert to ConfigMgr1  Configure AD for client autoenrollment  Configure IIS for cert  Configure ConfigMgr Site for native mode  Demo

 Install web cert to ConfigMgr2 (SAN)  Install computer cert on ConfigMgr2  Configure IIS for cert on both headers and IP  Verify IIS works from internal and external  Deploy roles to ConfigMgr2  Verify Logs  Demo

 Options to add to install – ccmsetup is bootstrapper for client.msi  Client.msi options can be passed through ccmsetup, but not vise versa.  CCMSetup.exe  /mp:mp2.mylab.com – used to define location to pull down client install files  /native - sets the communication mode for the client (http vs https). MUST be defined if client will be internet only – additional options CRL | FALLBACK | CRLANDFALLBACK  Client.msi  FSP=mp2.mylab.com – used to define fallback status point when client can’t communicate to mp (cert errors). This should be separate server than MP since it is unsecure site.  SMSSITECODE=A00 – defines the site the client will communicate to  CCMALWAYSINF=1 – the “1” option defines the client as always internet  CCMHOSTNAME=mp2.mylab.com – defines the internet FQDN management point the client will report to.  SMSMP=mp2.mylab.com – defines the management point the client will report to  Demo

 Domain Member  Will always be on local network  Pulls information from AD for assignment

 Non-Domain (not trusted or workgroup)  Will never connect to local network  Assignment defined via installation options

 Domain Member  Will connect to local network and be external on internet  Assignment defined via installation options

 Client and Server must share cert information  Clients need to have a copy of the site signing cert so that they can decrypt the communication – stored in registry, not cert store  Domain clients can obtain from AD (secure)  Non-Domain get it during install (secure) or from MP after install (less secure)  To install  SMSSIGNCERT=.\.\A00SSC.cer - defines the site server self-signing cert when clients cannot connect to AD. This is the file path to exported certificate from the site server.  Client installs the site signing cert WITHOUT the private key  Key can also be pre-staged, pulled from GC, or pulled from MP

 Certificate errors will manifest in the client and server logs as WINHTTP errors WINHTTP_CALLBACK_STATUS_SECURE_FAILURE <![LOG[[CCMHTTP] : dwStatusInformationLength is 4 ]LOG]!> <![LOG[[CCMHTTP] : *lpvStatusInformation is 0x9 ]LOG]!> WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED <![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set ]LOG]!> WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA <![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set ]LOG]!>  More information about winhttp errors can be found on MSDN 