wilbywilson Posted May 21, 2014

I've spent the last few weeks installing/configuring an internet-based management point for SCCM 2012 R2, and I thought I'd share some tips, since it was not the most straightforward thing. Also, thanks to those people (especially Peter) who gave me advice along the way.

I chose to install the internet-based management point onto a DMZ server, which is in a separate domain from the SCCM primary. This DMZ domain does NOT need to have the schema extended for SCCM 2012, nor a "Systems Management" container created, nor does the SCCM Primary computer account need to be added to the administrators group. If you're planning to manage clients within that DMZ domain, configuring those pieces may be a good idea, but if you're just trying to stage a management point to serve clients in an existing domain, you don't need to do those steps.

For configuration of PKI and certificates, I followed this post: http://sccmmofos.idepix.ca/?p=193

When installing the internet-based MP/DP, specify an account in the DMZ domain. It will need to have administrative access to the internet-based DMZ server. For the MP/DP/SUP options, choose "HTTPS", "Internet-Only", and "SSL" where applicable.

You'll want to lock down the internet-based MP as much as possible. As for firewall ports: From the SCCM Primary to the DMZ Server, I opened 80, 135, 443, 445, 8530, and 8531, and 49125-65535 (dynamic range for Windows Server 2012). From the DMZ server to the Primary, I opened up 135, 445, 8530, and 8531. (Also, in the MP settings, check the box that says "Require the site server to initiate connections to this site system." And the FQDN for the internet MP/DP should be the internet DNS name, as opposed to the internal server name.) Between the SQL server and the DMZ server, only port 1433 should be open. If you're doing SQL DB replication, also open port 4022. And finally, from the DMZ server to the internet, open ports 443 and 8531.

On the IIS server in the DMZ, make sure to add an SSL binding for the WSUS port (8531). The instructions I followed showed how to do this for SSL over port 443, but use the same premise to make the binding for port 8531: http://wibier.me/wsus-and-configmgr-2012-https-communication/

After all of this, your internet-based SCCM clients should be able to do hardware/software inventory and receive approved Windows Updates. I did run into an issue with a security update that was approved/published via SCUP, but I think that may be expected behavior, and I'll start another thread on that topic.

Hope this information is helpful to someone out there.
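The port matrix and the 8531 SSL binding described in the post above can be checked (and, where missing, created) with PowerShell. The script below is an added example, not code from the original post or from any Microsoft documentation: the host names, the primary site server's IP address and the certificate thumbprint are placeholders, the ephemeral range uses the Windows Server 2012 default of 49152-65535 (adjust it to the range actually in use), and the WSUS site name is assumed to be the default "WSUS Administration". Section 1 is run on the primary site server; sections 2 and 3 on the DMZ MP/DP/SUP server, from an elevated prompt.

```powershell
# Added example (not part of the original post). Placeholders below must be
# replaced with real values before use.
$Role           = 'Primary'                  # 'Primary' or 'Dmz', depending on where this runs
$DmzServerFqdn  = 'sccm-dmz.example.com'     # placeholder: internet DNS name of the DMZ MP/DP
$PrimarySiteIp  = '10.0.0.10'                # placeholder: SCCM primary site server
$WsusCertThumb  = 'REPLACE_WITH_THUMBPRINT'  # placeholder: web server cert in LocalMachine\My
$WsusSiteName   = 'WSUS Administration'      # assumed default WSUS IIS site name

# Section 1 (primary site server): confirm the outbound ports the post lists.
# The dynamic RPC range is sampled with its first port only.
function Test-IbcmPorts {
    param([string]$Target, [int[]]$Ports)
    foreach ($p in $Ports) {
        $r = Test-NetConnection -ComputerName $Target -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $p; Open = $r.TcpTestSucceeded }
    }
}

# Section 2 (DMZ server): make sure IIS has an HTTPS binding on 8531 with a
# certificate attached. The IIS:\SslBindings provider path uses "!" in place of ":".
function Ensure-WsusSslBinding {
    param([string]$SiteName, [string]$Thumbprint)
    Import-Module WebAdministration
    if (-not (Get-WebBinding -Name $SiteName -Protocol https -Port 8531)) {
        Write-Warning "No HTTPS binding on 8531 for '$SiteName'; creating it."
        New-WebBinding -Name $SiteName -Protocol https -Port 8531 -IPAddress '*'
    }
    $sslPath = 'IIS:\SslBindings\0.0.0.0!8531'
    if (-not (Test-Path $sslPath)) {
        $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
        New-Item $sslPath -Value $cert | Out-Null
    }
    Get-Item $sslPath | Select-Object IPAddress, Port, Thumbprint
}

# Section 3 (DMZ server): scope inbound rules so the site-system ports are only
# reachable from the primary, while internet clients get just 443 and 8531.
function Ensure-IbcmFirewallRules {
    param([string]$PrimaryIp)
    $rules = @(
        @{ Name = 'IBCM - Primary to DMZ (site system)'
           Ports = 80, 135, 443, 445, 8530, 8531, '49152-65535'; Remote = $PrimaryIp },
        @{ Name = 'IBCM - Internet clients (HTTPS + WSUS SSL)'
           Ports = 443, 8531; Remote = 'Any' }
    )
    foreach ($rule in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $rule.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $rule.Name -Direction Inbound -Protocol TCP `
                -LocalPort $rule.Ports -RemoteAddress $rule.Remote -Action Allow | Out-Null
        }
    }
    Get-NetFirewallRule -DisplayName 'IBCM - *' | Select-Object DisplayName, Enabled, Direction
}

switch ($Role) {
    'Primary' { Test-IbcmPorts -Target $DmzServerFqdn -Ports 80, 135, 443, 445, 8530, 8531, 49152 | Format-Table -AutoSize }
    'Dmz'     { Ensure-WsusSslBinding -SiteName $WsusSiteName -Thumbprint $WsusCertThumb
                Ensure-IbcmFirewallRules -PrimaryIp $PrimarySiteIp }
}
```

The firewall function deliberately creates two separate rules rather than one broad allow: the rule for the site-system ports carries the primary's address in `-RemoteAddress`, so an exposed DMZ host does not offer 135/445/8530 to the internet, and only the two client-facing ports are left open to `Any`. Running section 1 before and after the firewall change gives a quick before/after view of what the primary can actually reach.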
Peter van der Woude Posted May 21, 2014

Thanks for sharing!
fromthewoods Posted May 27, 2015

I'd love to see what you find out about IBCM and SCUP. I'm having trouble with clients rejecting MS Updates packages because of hash mismatches.