
Implementing Native Mode and Internet Based Client Management.

Presentation on theme: "Implementing Native Mode and Internet Based Client Management."— Presentation transcript:

1 Implementing Native Mode and Internet Based Client Management

2
- Next version of SMS
- Released in Aug 2007
- SP1 in April 2008
- R2 released in Oct 2008

3 What does it mean
- Secures your environment by signing communication between your server and clients.
- Benefits
  - Reduces the ability of an attacker to set up bogus site and distribution points, and encrypts communication through SSL
- Considerations
  - With added security comes added complexity and administration
  - PKI is not something to just throw in. Make sure to plan a proper deployment before you attempt to tackle native mode
  - http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
  - http://technet.microsoft.com/en-us/library/cc772670.aspx
  - http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide-Part1.html

4 Internet Based Client Management
- Allows you to manage clients outside of the intranet or VPN
- Supported functions
  - Software Distribution (targeting computers, not users)
  - Software Updates (SUP)
  - Desired Configuration Management
  - Inventory
  - Software Metering
- Not supported
  - Operating System Deployment
  - WOL (Wake on LAN)
  - Remote Tools (remote connection, remote assistance)

5 PKI Certificates
- More info: "Deploying the PKI Certificates Required for Native Mode" http://technet.microsoft.com/en-us/library/bb680312.aspx
- System Center Configuration Manager
- Perimeter server to host roles
- Perimeter server for FSP role

6
- This can be your own CA or an external CA (Network Solutions, Verisign, etc.)
- This demonstration is using a Microsoft Windows Server 2003 CA.
- Clients must be able to trust the certificate's issuing authority (Trusted Root, Intermediate Root)
- Clients must be able to see the published CRL*

7 Certificate Revocation List
- Used to determine if a certificate is valid or has been revoked.
- The path to the list needs to be accessible to internet clients
- Must be defined before creating the cert (it gets placed in the certificate; see image)


9
1. Manual installation
2. Request through http:// /certsrv
3. Autoenrollment through Group Policy
- Make sure the client can trust the certificate authority
  - Download into trusted root
  - Publish through GPO
  - Add CTL to IIS


11 Three primary types of certs needed
1. Computer/Workstation
   - Used for authentication
   - Autoenrollment
   - How to revoke
   - How to request for non-domain
2. Doc Signing
   - Custom cert for ConfigMgr Site Servers
3. Web
   - Needed for all servers hosting site server roles (IIS)

12
- Standard Computer certificate; can be provided by an intermediate CA
- Can be configured in Group Policy for autoenrollment
- Demo GPO


14
- Standard IIS web server certificate
- If internet-facing, the cert must support SAN
- SAN = Subject Alternative Name
- To add the option to the MS CA: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
- To add to a web based cert request, in the attributes section: san:dns= &dns= [&…]
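An added example (not from the presentation) of the same goal reached a different way: instead of enabling EDITF_ATTRIBUTESUBJECTALTNAME2 and typing the names into the web enrollment attribute box, the SAN is placed in the request itself with a certreq .inf file. That matters because the EditFlags setting makes the CA honour a SAN supplied as a request attribute by any requester on any template, so a certificate can be issued for a name the requester does not control; if you do set it for the web enrollment path, clear it afterwards (certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 and restart CertSvc). The MP name mp2.mylab.com comes from the slides; the CA config string, template name and intranet name are assumptions, and the template is assumed to have its subject name set to "Supply in the request".

```powershell
# Added example (not the presentation's own code): request an IIS web server
# certificate carrying Subject Alternative Names for a management point that is
# reachable as mp2.mylab.com (slide value) and by an assumed internal name.
# Run in an elevated PowerShell session on the server that will host the IIS role.

$CaConfig     = 'ca01.mylab.com\MyLab Issuing CA'   # assumption: <CA host>\<CA name>
$Template     = 'ConfigMgrWebServer'                # assumption: template name
$InternetFqdn = 'mp2.mylab.com'                     # from the slides
$IntranetFqdn = 'configmgr2.mylab.local'            # assumption
$WorkDir      = Join-Path $env:TEMP 'sanreq'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# The SAN is carried in the PKCS#10 request as extension 2.5.29.17, so the CA
# does not need EDITF_ATTRIBUTESUBJECTALTNAME2 to issue it.
$Inf = @"
[NewRequest]
Subject = "CN=$InternetFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$InternetFqdn&"
_continue_ = "dns=$IntranetFqdn"

[RequestAttributes]
CertificateTemplate = $Template
"@

$InfPath = Join-Path $WorkDir 'webserver.inf'
$ReqPath = Join-Path $WorkDir 'webserver.req'
$CerPath = Join-Path $WorkDir 'webserver.cer'
Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

certreq.exe -new $InfPath $ReqPath                       # build the CSR; key lands in the machine store
certreq.exe -submit -config $CaConfig $ReqPath $CerPath  # submit to the enterprise CA
certreq.exe -accept $CerPath                             # join the issued cert to its private key

# Verify the issued certificate really carries both names before binding it in IIS.
$Cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$InternetFqdn" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
$Cert.Extensions |
    Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
    ForEach-Object { $_.Format($true) }
```

The final pipeline prints the decoded SAN extension; if it lists only one DNS name, the template is building the subject from Active Directory rather than taking it from the request, and the request extension was discarded.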


17
- The name of the certificate needs to be the following: "The site code of this site server is "
- Demo
- More information: http://technet.microsoft.com/en-us/library/cc872789.aspx


23
- Configure Templates
- Install web cert to ConfigMgr1
- Install site signing cert to ConfigMgr1
- Configure AD for client autoenrollment
- Configure IIS for cert
- Configure ConfigMgr Site for native mode
- Demo

24
- Install web cert to ConfigMgr2 (SAN)
- Install computer cert on ConfigMgr2
- Configure IIS for cert on both headers and IP
- Verify IIS works from internal and external
- Deploy roles to ConfigMgr2
- Verify Logs
- Demo


28
- Options to add to the install; ccmsetup is the bootstrapper for client.msi
- Client.msi options can be passed through ccmsetup, but not vice versa.
- CCMSetup.exe
  - /mp:mp2.mylab.com – used to define the location to pull down the client install files
  - /native – sets the communication mode for the client (http vs https). MUST be defined if the client will be internet only. Additional options: CRL | FALLBACK | CRLANDFALLBACK
- Client.msi
  - FSP=mp2.mylab.com – defines the fallback status point used when the client can't communicate with the MP (cert errors). This should be a separate server from the MP since it is an unsecured site.
  - SMSSITECODE=A00 – defines the site the client will communicate with
  - CCMALWAYSINF=1 – the "1" option defines the client as always internet
  - CCMHOSTNAME=mp2.mylab.com – defines the internet FQDN of the management point the client will report to
  - SMSMP=mp2.mylab.com – defines the management point the client will report to
- Demo

29 Domain Member
- Will always be on the local network
- Pulls information from AD for assignment

30 Non-Domain (not trusted or workgroup)
- Will never connect to the local network
- Assignment defined via installation options

31 Domain Member
- Will connect to the local network and be external on the internet
- Assignment defined via installation options

32
- Client and server must share cert information
- Clients need to have a copy of the site signing cert so that they can decrypt the communication; it is stored in the registry, not the cert store
- Domain clients can obtain it from AD (secure)
- Non-domain clients get it during install (secure) or from the MP after install (less secure)
- To install: SMSSIGNCERT=.\.\A00SSC.cer – defines the site server self-signing cert when clients cannot connect to AD. This is the file path to the exported certificate from the site server.
- The client installs the site signing cert WITHOUT the private key
- The key can also be pre-staged, pulled from the GC, or pulled from the MP
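The following is an added example (not the presentation's own demo) that assembles the ccmsetup.exe command line described on the two slides above (28 and 32) for a workgroup client that will only ever be on the internet. The MP name mp2.mylab.com, site code A00 and the exported A00SSC.cer come from the slides; the FSP name and the share path are assumptions. The function encodes the two rules the slides give: /native is mandatory for an internet-only client, and the FSP must not share a server with the MP because the FSP is an unauthenticated HTTP site.

```powershell
# Added example (not from the presentation): build the ccmsetup.exe command line
# for an internet-only, non-domain client in native mode.

function New-CcmSetupCommandLine {
    param(
        [Parameter(Mandatory)] [string] $ManagementPoint,      # internet FQDN of the MP
        [Parameter(Mandatory)] [string] $FallbackStatusPoint,  # FSP, plain http
        [Parameter(Mandatory)] [string] $SiteCode,
        [Parameter(Mandatory)] [string] $SiteSigningCertPath,  # exported .cer, no private key
        [ValidateSet('CRL', 'FALLBACK', 'CRLANDFALLBACK')] [string] $NativeOption = 'CRL',
        [switch] $AlwaysInternet
    )
    if ($FallbackStatusPoint -eq $ManagementPoint) {
        throw 'The FSP must be a different server from the MP: the FSP is an unsecured http site.'
    }
    if (-not (Test-Path -LiteralPath $SiteSigningCertPath)) {
        Write-Warning "Site signing certificate not found at $SiteSigningCertPath; the client will fall back to pulling it from the MP (less secure)."
    }
    # ccmsetup switches (slash) first, then client.msi properties (NAME=value).
    $parts = @(
        "/mp:$ManagementPoint",
        "/native:$NativeOption",          # https; required for an internet-only client
        "SMSSITECODE=$SiteCode",
        "SMSMP=$ManagementPoint",
        "CCMHOSTNAME=$ManagementPoint",
        "FSP=$FallbackStatusPoint",
        "SMSSIGNCERT=$SiteSigningCertPath"  # assumption: path contains no spaces
    )
    if ($AlwaysInternet) { $parts += 'CCMALWAYSINF=1' }
    return 'ccmsetup.exe ' + ($parts -join ' ')
}

# Usage with the slide values; fsp1.mylab.com and the share path are assumptions.
$cmd = New-CcmSetupCommandLine -ManagementPoint 'mp2.mylab.com' `
                               -FallbackStatusPoint 'fsp1.mylab.com' `
                               -SiteCode 'A00' `
                               -SiteSigningCertPath '\\fileshare\client\A00SSC.cer' `
                               -AlwaysInternet
$cmd
# To run it from the folder holding the client source files:
# Start-Process -FilePath .\ccmsetup.exe -ArgumentList ($cmd -replace '^ccmsetup\.exe ', '') -Wait
```

Because the client is marked CCMALWAYSINF=1 it never consults AD for site assignment, which is why every value (site code, MP, FSP, signing certificate) has to be supplied on the command line rather than discovered.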


35
- Certificate errors will manifest in the client and server logs as WINHTTP errors
- WINHTTP_CALLBACK_STATUS_SECURE_FAILURE
  <![LOG[[CCMHTTP] : dwStatusInformationLength is 4 ]LOG]!>
  <![LOG[[CCMHTTP] : *lpvStatusInformation is 0x9 ]LOG]!>
- WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED
  <![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set ]LOG]!>
- WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA
  <![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set ]LOG]!>
- More information about WinHTTP errors can be found on MSDN: http://msdn.microsoft.com/en-us/library/aa383917(VS.85).aspx
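An added example (not from the presentation) that pulls the WinHTTP secure-failure status out of CMTrace-format client log lines and decodes its bit flags. The slide's *lpvStatusInformation value 0x9 is the bitmask behind the two "is set" lines that follow it: bit 0 is CERT_REV_FAILED (the client could not reach the CRL, slide 7) and bit 3 is INVALID_CA (the issuing CA is not trusted, slide 6). The flag values are the constants from winhttp.h; the sample lines are constructed from the slide text.

```powershell
# Added example (not the presentation's own code): decode WINHTTP_CALLBACK_STATUS_SECURE_FAILURE
# status values found in ConfigMgr client logs.

# Flag bits from winhttp.h. 0x80000000L is written with the L suffix so PowerShell
# keeps it positive (a bare 0x80000000 is a negative Int32).
$WinHttpSecureFailureFlags = @(
    @{ Bit = [int64]0x00000001;  Name = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED' }     # CRL/OCSP unreachable
    @{ Bit = [int64]0x00000002;  Name = 'WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT' }
    @{ Bit = [int64]0x00000004;  Name = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED' }
    @{ Bit = [int64]0x00000008;  Name = 'WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA' }          # issuer not trusted
    @{ Bit = [int64]0x00000010;  Name = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID' }     # name mismatch (SAN)
    @{ Bit = [int64]0x00000020;  Name = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID' }
    @{ Bit = [int64]0x00000040;  Name = 'WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE' }
    @{ Bit = 0x80000000L;        Name = 'WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR' }
)

# Constructed sample: the slide's four lines plus one unrelated line.
$SampleLog = @'
<![LOG[[CCMHTTP] : dwStatusInformationLength is 4 ]LOG]!>
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x9 ]LOG]!>
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set ]LOG]!>
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set ]LOG]!>
<![LOG[Raising event: [SMS_CodePage(437), SMS_LocaleID(1033)] ]LOG]!>
'@ -split "`r?`n"

function ConvertFrom-WinHttpSecureFailure {
    # Turn a status bitmask into the list of flag names that are set.
    param([Parameter(Mandatory)] [int64] $Status)
    $set = foreach ($f in $WinHttpSecureFailureFlags) {
        if (($Status -band $f.Bit) -ne 0) { $f.Name }
    }
    if (-not $set) { $set = @('(no known flag in 0x{0:X})' -f $Status) }
    return $set
}

function Get-CcmCertificateFailures {
    # Scan CMTrace-format lines (<![LOG[message]LOG]!> ...) for secure-failure status values.
    param([Parameter(Mandatory)] [string[]] $Lines)
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, '<!\[LOG\[(?<msg>.*?)\]LOG\]!>')
        if (-not $m.Success) { continue }
        $s = [regex]::Match($m.Groups['msg'].Value,
                            '\*lpvStatusInformation is 0x(?<hex>[0-9A-Fa-f]+)')
        if ($s.Success) {
            $status = [Convert]::ToInt64($s.Groups['hex'].Value, 16)
            [pscustomobject]@{
                Status = '0x{0:X}' -f $status
                Flags  = (ConvertFrom-WinHttpSecureFailure -Status $status) -join ', '
            }
        }
    }
}

Get-CcmCertificateFailures -Lines $SampleLog | Format-List
```

On a real client, pipe the contents of a log such as ClientIDManagerStartup.log from the client's CCM\Logs folder into Get-CcmCertificateFailures. Reading the flags rather than the single hex value tells you which part of the PKI deployment to check: CERT_REV_FAILED points at the CRL distribution point not being reachable from the internet, INVALID_CA at a missing trusted root or intermediate on the client, and CERT_CN_INVALID at a web server certificate that lacks the internet FQDN in its SAN.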

