Help with SCCM 2012 R2

Soldato (joined 30 Sep 2005, 16,735 posts)
Hi all,

One for the SCCM gurus please (IBCM)

I have put a site server into the DMZ with all the required certs. The DP is configured for Internet/HTTPS only.

Clients on users' machines have all been configured with an Internet FQDN.

External DNS record is set and the firewall is NATing through to it (443).

It suddenly dawned on me: now the site server is in the DMZ, how will the primary site server and AD communicate with it?

This is the only server in our DMZ
 
I'm not an SCCM guru I'm afraid so I can't advise whether your current config is recommended. However, I know there is lots of info online for placing active directory in a DMZ. Generally, I always tend to avoid it and run standalone servers and route the minimum ports required to the LAN.

I think if you absolutely must have domain services in your DMZ, I would look into creating a read-only domain controller in the DMZ and forwarding only the recommended ports from that server to a DC in your LAN.

I'm sure there are some Microsoft guides out there detailing how best to do this.

P.S. Don't forget to make sure your perimeter servers can contact a synchronised time source on your LAN.
 
Is there any reason for actually placing it in the DMZ? Would it not be easier to have it on the LAN and then VPN clients on the PCs that need to communicate with it?


M.
 
Thanks guys,

I've looked for guides on SCCM and DMZ, but they are focused just on the SCCM part, which I know already. It's just the network / DMZ part I'm struggling with.

I really don't want to use a VPN client.

DirectAccess if needs must, but not VPN.
 
A little bit more googling and I find another article from MS which sheds a bit more light on the situation.

Three options I have:

1. The Internet-based management point is in the perimeter network where a read-only domain controller resides to authenticate the user and an intervening firewall allows Active Directory packets.

2. The user account is in Forest A (the intranet) and the Internet-based management point is in Forest B (the perimeter network). Forest B trusts Forest A, and an intervening firewall allows the authentication packets.

3. The user account and the Internet-based management point are in Forest A (the intranet). The management point is published to the Internet by using a web proxy server.

I think I am going with the bottom option, as provisioning another DC just for one server is a bit daft imho. We have a decent firewall so I will lock it down through that.
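An added check (not code from this thread) for whichever option is chosen: run from an Internet-side machine, it confirms the Internet FQDN the clients were given resolves in external DNS, that 443 is reachable through the NAT, and that the certificate presented carries that FQDN in its SAN, is in date and chains to a trusted root. The $InternetFqdn default is a placeholder, not a real host.

```powershell
# Added example: verify an IBCM endpoint the way an Internet client would see it.
param(
    [string]$InternetFqdn = 'sccm-ibcm.example.com',   # placeholder, not a real host
    [int]$Port = 443
)

# 1. The name pushed to clients must resolve in *external* DNS.
$dns = Resolve-DnsName -Name $InternetFqdn -Type A -ErrorAction SilentlyContinue
if (-not $dns) { Write-Warning "No external A record for $InternetFqdn"; return }
Write-Host "Resolves to: $($dns.IPAddress -join ', ')"

# 2. Only TCP 443 is NATed through; confirm it is actually open from outside.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($InternetFqdn, $Port)
} catch {
    Write-Warning "TCP $Port to $InternetFqdn is not reachable: $($_.Exception.Message)"
    return
}

# 3. Pull the server certificate the DP/MP (or reverse proxy) presents.
#    The validation callback returns $true only so we can inspect the cert ourselves.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($InternetFqdn)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# 4. The SAN must contain the exact Internet FQDN the clients were configured with,
#    the cert must be in date, and it must chain to a root this machine trusts.
$names   = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$nameOk  = $names -contains $InternetFqdn
$now     = Get-Date
$dateOk  = ($now -gt $cert.NotBefore) -and ($now -lt $cert.NotAfter)
$chainOk = $cert.Verify()

[pscustomobject]@{
    Subject    = $cert.Subject
    Issuer     = $cert.Issuer
    SANs       = $names -join ', '
    NameMatch  = $nameOk
    DateValid  = $dateOk
    ChainValid = $chainOk
    NotAfter   = $cert.NotAfter
}
```

Any False in NameMatch, DateValid or ChainValid is a reason clients will refuse the endpoint before the DMZ/AD question even comes into play.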
 