brobbins23 Posted September 13, 2013

We are setting up SCCM 2012 specifically with Endpoint Protection and have approx. 700 internal machines and 500 remote. We are currently planning on securing all client/server communication via HTTPS and then opening HTTPS through the firewall to manage the 500 remote clients. Is that the best way to manage remote machines? What suggestions do you have? Thanks!
jorlando Posted September 13, 2013

I am assuming these remote machines are 100% internet based and not just on a separate remote network. If they are on a remote network I would just set up a secondary site for those machines and then you can just secure communications between the primary and secondary sites.

For our Internet Management we put an MP in the DMZ for them to communicate with. This way you only have to poke holes in the firewall between the Primary site and the DMZ MP. The clients are then configured using HTTPS to communicate with the management point located at sccmexternal.<company>.com

If it helps, here are the install parameters for our intranet machines:

ccmsetup.exe /UsePKICert /NOCRLCheck smssitecode=lab ccmhostname=sccmexternal.<company>.com

If the intranet machines go offsite they automatically start looking for the external web address.

For our 100% remote machines here are the install parameters:

ccmsetup.exe /UsePKICert /NOCRLCheck smssitecode=lab ccmhostname=sccmexternal.<company>.com ccmalwaysinf=1

Notice ccmalwaysinf=1 means the client will always be internet based.

Hope this helps.
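An added example (not code from the thread) that wraps the two ccmsetup command lines above in one deployment script, switching ccmalwaysinf=1 on for the always-remote machines and refusing to run until the machine actually holds a client authentication certificate, since /UsePKICert does nothing useful without one. It assumes ccmsetup.exe sits next to the script and keeps the thread's placeholder site code and MP name.

```powershell
param(
    [switch]$AlwaysInternet    # set for the 100% remote machines (adds ccmalwaysinf=1)
)

$SiteCode   = 'lab'                          # placeholder site code from the thread
$ExternalMP = 'sccmexternal.<company>.com'   # placeholder Internet MP name from the thread

# A PKI client cert (Client Authentication EKU, private key, not expired) must already be in the
# machine store; on domain-joined laptops GPO autoenrollment should have put it there.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $clientAuthOid })
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Error "No valid client authentication certificate in LocalMachine\My; run gpupdate/autoenrollment first."
    exit 1
}
Write-Host "Client cert: $($cert.Thumbprint) (expires $($cert.NotAfter))"

# Same switches as the thread. /NOCRLCheck turns off revocation checking on the MP cert;
# keep it only while the CRL distribution point is not reachable from the Internet.
$setupArgs = @('/UsePKICert', '/NOCRLCheck', "smssitecode=$SiteCode", "ccmhostname=$ExternalMP")
if ($AlwaysInternet) { $setupArgs += 'ccmalwaysinf=1' }   # never fall back to intranet MPs

$setup = Join-Path $PSScriptRoot 'ccmsetup.exe'
Write-Host "Running: $setup $($setupArgs -join ' ')"
$proc = Start-Process -FilePath $setup -ArgumentList $setupArgs -Wait -PassThru

# ccmsetup hands the real install to its own service, so this exit code only covers the
# bootstrap; the outcome is in %windir%\ccmsetup\Logs\ccmsetup.log.
exit $proc.ExitCode
```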
brobbins23 Posted September 13, 2013

Thanks jorlando! I am talking about sales users who are 100% remote. Those install parameters will be very helpful. We just installed our Primary site (stand alone) on one server that includes the following roles: DP, MP, EPP and SUP. We are just getting into SCCM, so this might be a dumb question, but how do we set up an additional SCCM machine with only the MP role? Can we do it, or do we need to install a CAS first and then add the DMZ SCCM server as a secondary site?
jorlando Posted September 13, 2013

Microsoft recommends a CAS only if you are going to have more than 100,000 clients. I am going to venture a guess and say this is probably not the case for you. Using the DMZ setup you are going to just want to set up a Site System Server in the SCCM Console. You will need to add the Distribution Point Role, Management Point Role, and Software Update Point.

If you are just getting into SCCM this could end up being a pretty challenging setup. You have a lot to consider... If these sales laptops are not part of the domain you will need to get them certificates for HTTPS communication, plus how are you going to install the SCCM client? Additionally, the DMZ firewall will need some ports open to communicate with your primary site. Properly setting up HTTPS on IIS on the DMZ server is not too painful, but you do need to know some PKI and IIS.

Hopefully these remote machines are part of the domain and you can automate some of this stuff. Use policy to generate certificates and client install.

Good luck! Sounds like you are just getting started on this project!
brobbins23 Posted September 16, 2013

We actually have a PKI, HTTPS set up and working, and even have a couple of agents installed with Endpoint configured (we did this over the past two weeks). Our sales laptops are a part of the domain and will get the cert via group policy. We will install the client with LanDesk, which will give us the ability to customize the install with the switches you provided earlier.

We do have a DMZ, but from what I understand we need that DMZ site system server on the domain? That's the part we'd have to figure out. I don't think we have routes set up. Just to clarify, will we need to set up a server in the DMZ, put a client on it and then through SCCM add the roles to it, or do we need to install SCCM on it and then add the roles? That's the part I'm kind of unclear about.

Thanks again for your help!
jorlando Posted September 16, 2013

Just use this link to determine what ports you will need configured through your DMZ/Domain firewall: http://technet.microsoft.com/en-us/library/bb632618.aspx

You will have to configure a service account (Administration > Security > Accounts) for the Primary Site to use. But other than that, once the firewall rules are in place, just treat the DMZ MP the same as any other site server. Just start adding the roles. When adding the MP role you will have to select HTTPS and allow internet only connections.

One more thing... you will need to configure the firewall to allow the MP to communicate with the site database. (You will have to tell it to use the domain account for this.)
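An added example (not from the thread) for checking the two paths this reply describes before touching the console: from a remote laptop, that the DMZ MP answers on 443 and presents a certificate the client actually trusts, and from the DMZ MP, that the site database port is open through the DMZ/domain firewall. The database server name is an assumption, and 1433 is only the SQL Server default; the TechNet port list linked above is authoritative.

```powershell
param(
    [string]$ExternalMP   = 'sccmexternal.<company>.com',   # placeholder from the thread
    [string]$SiteDbServer = 'sccmdb.<company>.local',       # assumed name of the site database server
    [int]$SqlPort         = 1433                            # assumed SQL default; verify against the port list
)

# TCP reachability with a timeout, so a blocked port reports $false instead of hanging.
function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $tcp.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $tcp.EndConnect($ar)
        return $true
    } catch { return $false } finally { $tcp.Close() }
}

# TLS handshake to the MP. The validation callback records chain errors instead of throwing,
# so the output says whether this client trusts the certificate the DMZ MP presents.
function Test-MpTls {
    param([string]$MpFqdn)
    $script:sslErrors = $null
    $validate = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors) $script:sslErrors = $errors; $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($MpFqdn, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    try {
        $ssl.AuthenticateAsClient($MpFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host = $MpFqdn; Subject = $cert.Subject; Issuer = $cert.Issuer
            Expires = $cert.NotAfter; ChainErrors = "$script:sslErrors"   # "None" is what you want
        }
    } finally { $ssl.Dispose(); $tcp.Close() }
}

# Run from a remote client: HTTPS to the DMZ MP must be open and the cert must chain cleanly.
if (Test-TcpPort $ExternalMP 443) { Test-MpTls $ExternalMP | Format-List }
else { Write-Warning "$ExternalMP`:443 is not reachable from this machine" }

# Run from the DMZ MP: the site database port through the DMZ/domain firewall.
if (Test-TcpPort $SiteDbServer $SqlPort) { "SQL $SiteDbServer`:$SqlPort reachable" }
else { Write-Warning "SQL $SiteDbServer`:$SqlPort blocked; the MP cannot reach the site database" }
```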
brobbins23 Posted September 23, 2013

Okay, sounds good. Thanks for your help.