natemg

Primary in DMZ


I am working for a client and they currently have one primary and it is in the DMZ. They have other site servers spread out which are not in the DMZ. Everything I have come across seems to tell me that this is not a conventional setup. It seems most ports that are needed for communication between the primary and the site servers have been opened on the firewall. One thing that is blocked is ping, at least between a box in the DMZ and a subnet outside of the DMZ.

 

My questions are:

What effects will they have if they keep the single primary in the DMZ?

What will be the effects of blocking ICMP ping between the primary, the clients and the management points?

Does anyone have SCCM set up like this?

 

The way I see it right now there really isn't a reason that the primary should be in the DMZ. SCCM is only really currently used for the workstations. If, down the line, they want to use it for servers in the DMZ, they could spin up a CAS and then another primary in the DMZ. By having the SCCM server in the DMZ, you have to punch a bunch of holes. By doing this you are taking away many of the arguments for it even being in the DMZ.

 

Thanks for your help!


1) I don't think there will be any "effects", IF they've got the firewall and ports configured securely. It's not a conventional setup, but it could work if it's locked down properly. Best practice would be to have the Primary residing in the domain, and if your client needs to be able to manage machines over the internet, they can set up an internet MP in the DMZ (ideally in a separate domain).

 

2) I don't believe that ICMP is required, so no bad effects that I'm aware of.

 

3) I'm sure there are others that have it set up like this, but you've REALLY got to trust your firewall, ports, and DMZ security. It's a risk.

 

Check out this post for a recommended way to set up an internet MP:

http://www.systemcenterdudes.com/?p=193
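Since the thread's two open points are "which ports actually got opened" and "does blocking ICMP matter", a practical check is to test the TCP ports SCCM uses from the DMZ primary to the internal roles without relying on ping at all. The script below is an added example, not code from either poster; the hostnames and the role-to-port mapping are assumptions for illustration and should be confirmed against Microsoft's documented port list for the roles actually deployed.

```powershell
# Added example (not from the original thread): verify SCCM TCP connectivity from the
# DMZ primary to internal roles without depending on ICMP, which is blocked here.
# Run on the primary. Hostnames and the port map are assumptions; check the port list
# against the official "Ports used in Configuration Manager" documentation for your roles.

$Targets = @{
    'internal-mp.corp.example.com' = @(80, 443, 10123)   # assumed MP: HTTP/HTTPS, client notification
    'internal-dp.corp.example.com' = @(80, 443, 445)     # assumed DP: content over HTTP(S), SMB
    'sql.corp.example.com'         = @(1433, 4022)       # assumed site DB: SQL, SQL Service Broker
}

function Test-CmPort {
    param([string]$Computer, [int]$Port)
    # -Port makes Test-NetConnection do a real TCP connect. It still tries an ICMP echo first
    # and warns when that fails, so the warning is silenced; TcpTestSucceeded is what matters.
    $r = Test-NetConnection -ComputerName $Computer -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Target = $Computer
        Port   = $Port
        Tcp    = $r.TcpTestSucceeded
        Ping   = $r.PingSucceeded   # expected $false on this network; not a failure by itself
    }
}

$results = foreach ($entry in $Targets.GetEnumerator()) {
    foreach ($port in $entry.Value) {
        Test-CmPort -Computer $entry.Key -Port $port
    }
}

$results | Format-Table -AutoSize

# Ping = False with Tcp = True is the expected state with ICMP blocked and does not affect
# client-to-MP or primary-to-site-system traffic. Tcp = False means a firewall rule is missing.
$blocked = $results | Where-Object { -not $_.Tcp }
if ($blocked) {
    $blocked | ForEach-Object { Write-Warning "BLOCKED: $($_.Target):$($_.Port)" }
} else {
    Write-Output 'All tested SCCM ports reachable over TCP (ICMP not required).'
}
```

One caveat worth noting from the output: running `Test-NetConnection` against these hosts without `-Port` reports only the ICMP result, so on this network it will show every internal role as unreachable even though the SCCM traffic is fine. Only the TCP column tells you whether the firewall holes the client opened are actually the right ones.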
