Tolik Posted September 9, 2015

Trying to get Internet Based Client Management working for domain clients that may leave the intranet network. Not so much concerned about workgroup clients.

Current setup is a single MP on the domain with a Web Application Proxy server set up in the DMZ (port 443 opened on the firewall). SCCM 2012 SP1 R2 CU1.

The SCCM client is installed while the system is on the domain and is properly registered with SCCM (installed via client push). The system knows when it leaves the intranet and switches (as seen in Configuration Manager). The internet client however cannot communicate with the MP. All communication (internal and external) is set up to use PKI. All certificates are loaded on the client system and MP.

How can we get this setup to work properly? We would like to avoid installing a site system in the DMZ.

Thank you.
Peter van der Woude Posted September 9, 2015

Web Application Proxy (WAP) is not going to help you in this scenario. It's simply not capable of providing a certificate.
Tolik Posted September 10, 2015

I was afraid of that. Thank you for the clarification.

In our scenario then, how would we proceed to set up IBCM to manage "roaming" systems? Right now our current server in the DMZ is a standalone server. I understand we would need to install a site system role (DP) on the server in the DMZ. The part that's confusing is that the server in the DMZ would need to be part of "a" domain. Our security team would like to avoid domain-joined servers in the DMZ. How can the certificate then be passed along? What would be the simplest and most secure way to establish a trust between the server in the DMZ and our internal MP?

Thank you.
Peter van der Woude Posted September 10, 2015

The site server in the DMZ doesn't have to be part of the same domain; it can also be part of a separate domain, specific to the DMZ. Installing a certificate on the site server in the DMZ can also be done manually.