“I’ll have a quad-shot vanilla mocha half-fat latte with my company’s latest applications, and the security updates I need to keep my laptop secure”.
Internet-based client management in Configuration Manager is generating lots of excitement in the community, and especially at MMS this year where it was demonstrated. OK, it wasn’t demonstrated in a coffee store, but it’s easy to see how it’s an entirely plausible scenario. So would Internet-based client management benefit your company, and what do you need to get it up and running?
The Benefits of Internet-Based Client Management
SMS made it easier to manage computers when they are on the company network, but managing computers that were not tied to the company intranet was more challenging. These elusive computers included:
- “Road warriors”, typified by sales people who more often than not were on the road or airplanes, visiting customers
- Home workers who work isolated from the company network
- Consultants who plug into other customers’ networks
Managing these computers to collect their inventory and compliance status, send them software distributions or software updates, or run maintenance scripts, was often dependent on the users connecting into the intranet using a VPN solution. Most of these users would not do that unless they absolutely had to – it took extra effort, took a long time to connect and transfer data, and often resulted in calls to the Helpdesk because of timeouts and connection failures.
Or computer management was restricted to the few times when these users could come into the office, and they had to schedule this additional activity around their everyday work. In the meantime they lacked the software applications and security updates that would make them more productive, and their computers more secure.
From an IT perspective, maintaining a VPN solution is expensive and it’s also unsuitable for regular computer management because it relies on additional action from users. Users expect their computers to be seamlessly managed by IT so that they can get on with their job – and that’s fair enough.
The beauty of Internet-based client management in Configuration Manager is that it uses an existing Internet connection when an intranet connection is not possible. No VPN service is required; no additional action is required by users; data transfer is optimized for Internet connectivity; and it’s secured by industry standard protocols. Best of all, if Internet users periodically come back into the intranet environment, the Configuration Manager client automatically detects the network change and switches from Internet operation to intranet operation – for example resuming a download where it left off.
For more information, see Overview of Internet-Based Client Management.
Configuring Your Site for Internet-Based Client Management
First and foremost, connections over the Internet need additional security – to protect not just the computers or devices on the Internet that are being managed, but more importantly to protect your intranet resources. You wouldn’t want any computer with a Configuration Manager client installed connecting to your site server and requesting policies! This additional security comes when the site is configured for “native mode”, which is the term used to describe how Configuration Manager integrates with a public key infrastructure (PKI) solution using SSL, mutual authentication, and signing. For more information, see Benefits of Using Native Mode.
To use native mode, you need to deploy three different types of PKI certificates:
- A certificate that includes document signing capability for the site server
- Web server certificates that include server authentication capability for the Internet-based site systems: management point, distribution points, software update point
- Client certificates that include client authentication capability on all clients that will be managed over the Internet, and the management point itself
For more information about the certificates and configuring native mode, see my previous article Now Is The Time – To Brush-Up On Your PKI.
Second, you need to plan your network infrastructure: server placement; firewall configuration; and optionally, proxy server configuration. There are several server placement scenarios that are supported for Internet-based client management. For additional security, you can physically separate the site systems that support Internet connections from the site systems that support only intranet connections, and locate these in a different forest to your site server (no forest or domain trust required). Alternatively, the Internet-based site systems could accept connections from both Internet clients and intranet clients. This is your call here, and you need to make the design decision in conjunction with your security and network infrastructure team. For more information about each supported scenario see Supported Scenarios for Internet-Based Client Management and the related network diagrams.
To help you make that decision, the table in Determine Server Placement for Internet-Based Client Management lists the pros and cons of each solution, so that you can make an informed choice based on your company’s security policies and business requirements. Once you have made that decision (or while you are still weighing the server placement options), you will need to know the network ports that might have to be configured on intervening network devices such as firewalls and proxy servers. For port information, see Determine the Ports Required for Internet-Based Client Management.
Third, you need to ensure that you can publish host records on public DNS servers for the Internet-based site systems. Technically, this is fairly simple but never underestimate how difficult it is to achieve an external process with political and security implications!
Then you’re ready to install and configure the Internet-based site systems in your chosen server placement, with the following configurations:
- Internet FQDNs that match the public DNS entries
- Connections that accept clients from the Internet
- Data retrieval from the site server, depending on your server placement
- Software update point synchronization
- Distribution points that transfer content using BITS, HTTP, and HTTPS
- SQL Server replica, depending on your server placement
For more information about each of these, see Configuring Internet-Based Client Management.
Want an overview of these processes? See Administrator Workflow: Configuring a Site for Internet-Based Client Management
Want a breakdown of each step and how to achieve it? See Administrator Checklist: Configuring a Site for Internet-Based Client Management
The biggest challenge you will probably come across in setting up a site for Internet-based client management is not the configuration, but the planning. You will need to consult with others to agree on a design, and then get the processes in place that you need to support it – such as deploying the certificates, connecting servers to the Internet, configuring firewalls, and registering entries in public DNS servers. Start these discussions early and get buy-in from management to help drive the process and changes that are required, so that everything is ready to go by the time Configuration Manager 2007 releases later this year.
And so to the clients, because a beautifully configured site that can support Internet connections is not much use unless it has clients on the Internet that it can manage.
Configuring Your Clients for Internet-Based Client Management
Before you install clients for Internet-based client management, make sure that they have their client certificate installed and it’s issued by a CA that is trusted by the Internet-based site systems. If you are using a CRL (certificate revocation list) with your PKI, make sure that clients on the Internet can access it.
Then the main difference between installing these clients and installing intranet-only clients is that you need to assign them directly to the Internet-based site, and to the Internet-based management point.
There are two ways to install clients that will be managed over the Internet:
- Install the Configuration Manager client on the intranet, either by physically connecting to the intranet (schedule the installation for when you know these users will next be in the office) or by logically connecting to the intranet over a VPN connection.
- Install the Configuration Manager client on the Internet, using an out-of-band mechanism such as mailing users removable media that contains the client source files, and a script to run CCMSetup with all the switches and client.msi installation properties needed for Internet-based client management. Typically this would include options for native mode, site code, Internet-based management point, Internet-based fallback status point, and the media location for the source files. And don’t forget that the client certificate must be installed before the client can make a successful connection to a management point!
Note that installing clients from the Internet-based management point is not supported.
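As an added example (not a script from this article or from the Configuration Manager documentation), here is the kind of PowerShell script the out-of-band install in the second option calls for: it first confirms that a client authentication certificate is already in the computer’s certificate store (the prerequisite at the start of this section), then runs CCMSetup with the native mode, site code, Internet-based management point, fallback status point and source media properties. The site code, host names, media path and the path of the exported site server signing certificate are placeholders, and the signing certificate property (SMSSIGNCERT) is an addition beyond the properties listed above.

```powershell
# Added example, not the article's own script. Placeholder values: replace before use.
$SiteCode    = 'XYZ'                               # site code of the Internet-based site
$InternetMP  = 'mp.internet.contoso.com'           # Internet FQDN of the management point (public DNS)
$InternetFSP = 'fsp.internet.contoso.com'          # Internet FQDN of the fallback status point
$Source      = 'D:\Client'                         # removable media folder with the client source files
$SignCert    = 'D:\Client\SiteServerSigning.cer'   # exported site server signing certificate (assumed path)

# Pre-check: a client authentication certificate (EKU 1.3.6.1.5.5.7.3.2) with a private key
# must already be in the computer store, or the client can never reach the management point.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$clientCerts = @($store.Certificates | Where-Object {
    $cert = $_
    $cert.HasPrivateKey -and $cert.NotAfter -gt (Get-Date) -and
    ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } |   # Enhanced Key Usage extension
        ForEach-Object { $_.EnhancedKeyUsages } |
        Where-Object { $_.Value -eq $clientAuthOid })
})
$store.Close()
if ($clientCerts.Count -eq 0) {
    Write-Error 'No valid client authentication certificate in the computer store; not installing.'
    exit 1
}

# Build the CCMSetup command line for a client that will only ever be on the Internet.
$setupArgs = @(
    '/native:CRL',               # native mode with CRL checking (the client must be able to reach the CRL)
    "/source:$Source",           # install from the media, not from a management point
    "SMSSITECODE=$SiteCode",     # direct site assignment
    "CCMHOSTNAME=$InternetMP",   # Internet-based management point
    "FSP=$InternetFSP",          # Internet-based fallback status point
    'CCMALWAYSINF=1',            # always Internet-based; never look for intranet site systems
    "SMSSIGNCERT=$SignCert"      # signing certificate, since it cannot be fetched from AD over the Internet
)
& (Join-Path $Source 'ccmsetup.exe') $setupArgs
exit $LASTEXITCODE
```

Run it from an elevated prompt on the client; CCMSetup returns immediately and the actual installation progress is logged by the client itself.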
For a checklist of client configuration steps:
- Administrator Checklist: Configuring Client Computers for a Site that Supports Internet-Based Client Management
- Administrator Checklist: Configuring Mobile Devices for a Site that Supports Internet-Based Client Management
After careful planning, site configuration and client configuration, you’re now able to manage those elusive clients even if you don’t see them for months on end and your VPN solution goes kaput.
You receive inventory data and compliance information from them on a daily basis, and you can send them software distributions and urgent software updates, knowing that successful installation doesn’t rely on the users coming into the office or connecting over the VPN. Instead, you’re managing these computers and devices while their owners are waiting at the airport, sending e-mail from home or a hotel room, working on other customer sites, or even if they’re chilling out at their favorite coffee store that has Internet access.
But what happens if these clients don’t report back to your site? How do you know if silence means that there’s a problem (for example, their certificate has expired), or the computer simply doesn’t have Internet connectivity for a period of time? That’s when the fallback status point comes in, collecting error messages from clients if they can’t communicate with their management point. Use the client reports to identify these problem clients, and proactively troubleshoot them.
So what should you do with all that time you’ve saved trying to manage these elusive computers and devices? Well, the local coffee store gets my vote ….
For any other questions, and feedback on the documentation for Internet-based client management: email me at email@example.com or the Configuration Manager documentation team at SMSDocs@microsoft.com.
This article is provided AS IS with no warranties and confers no rights.