Configuration Manager 2007 - The Microsoft Solution Center

Implementing Native Mode and Internet Based Client Management

Configuration Manager 2007
- Next version of SMS
- Released in Aug 2007
- SP1 in April 2008
- R2 released in Oct 2008

What does it mean

Benefits
- Secures your environment by signing communication between your server and clients.
- Reduces the ability of an attacker to set up bogus site and distribution points, and encrypts communication through SSL.

Considerations
- With added security comes added complexity and administration.
- PKI is not something to just throw in. Make sure to plan a proper deployment before you attempt to tackle native mode:
  http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
  http://technet.microsoft.com/en-us/library/cc772670.aspx
  http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide-Part1.html



Internet Based Client Management
Allows you to manage clients outside of the intranet or VPN.

Supported Functions
- Software Distribution (targeting computers, not users)
- Software Updates (SUP)
- Desired Configuration Management
- Inventory
- Software Metering

Non-Supported
- Operating System Deployment
- WOL (Wake on LAN)
- Remote Tools (remote connection, remote assistance)

PKI Certificates

More Info: “Deploying the PKI Certificates Required for Native Mode”
http://technet.microsoft.com/en-us/library/bb680312.aspx



Lab layout (diagram): System Center Configuration Manager site server, a perimeter server to host roles, and a perimeter server for the FSP role.

Certificate authority
- This can be your own CA or an external CA (Network Solutions, Verisign, etc.)
- This demonstration is using a Microsoft Windows Server 2003 CA.
- Clients must be able to trust the certificate issuing authority (Trusted Root, Intermediate Root).
- Clients must be able to see the published CRL*.

Certificate Revocation List
- Used to determine if a certificate is valid or has been revoked.
- Path to the list needs to be accessible to internet clients.
- Must be defined before creating the cert (gets placed in the certificate – see image).

Installing certificates
1. Manual installation
2. Request through http://<ca server>/certsrv
3. Autoenrollment through Group Policy

Make sure the client can trust the certificate authority:
- Download into trusted root
- Publish through GPO
- Add CTL to IIS


Three primary types of certs needed
1. Computer/Workstation
   - Used for authentication
   - Autoenrollment
   - How to revoke
   - How to request for non-domain
2. Doc Signing
   - Custom cert for ConfigMgr Site Servers
3. Web
   - Needed for all servers hosting site server roles (IIS)


Computer/Workstation certificate
- Standard Computer certificate – can be provided by an intermediate CA
- Can be configured in Group Policy for autoenrollment

Demo GPO


Web certificate
- Standard IIS web server certificate
- If internet-facing, the cert must support SAN

SAN
- Subject Alternative Name
- To add the option to a MS CA:
  certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
- To add to a web based cert request, in the attributes section:
  san:dns=<fqdn_internet>&dns=<fqdn_intranet>[&…]

Doc Signing certificate
The name of the certificate needs to be the following:
“The site code of this site server is <sitename>”

Demo

More information:
http://technet.microsoft.com/en-us/library/cc872789.aspx

- Configure Templates
- Install web cert to ConfigMgr1
- Install site signing cert to ConfigMgr1
- Configure AD for client autoenrollment
- Configure IIS for cert
- Configure ConfigMgr Site for native mode

Demo

- Install web cert to ConfigMgr2 (SAN)
- Install computer cert on ConfigMgr2
- Configure IIS for cert on both headers and IP
- Verify IIS works from internal and external
- Deploy roles to ConfigMgr2
- Verify Logs

Demo







Options to add to the install – ccmsetup is the bootstrapper for client.msi.
Client.msi options can be passed through ccmsetup, but not vice versa.

CCMSetup.exe
- /mp:mp2.mylab.com – used to define the location to pull down the client install files
- /native – sets the communication mode for the client (http vs https). MUST be defined if the client will be internet only – additional options: CRL | FALLBACK | CRLANDFALLBACK

Client.msi
- FSP=mp2.mylab.com – used to define the fallback status point when the client can’t communicate with the MP (cert errors). This should be a separate server from the MP since it is an unsecure site.
- SMSSITECODE=A00 – defines the site the client will communicate with
- CCMALWAYSINF=1 – the “1” option defines the client as always internet
- CCMHOSTNAME=mp2.mylab.com – defines the internet FQDN of the management point the client will report to
- SMSMP=mp2.mylab.com – defines the management point the client will report to

Demo
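As an added example (not part of the presentation or the product), a small Python helper that assembles a CCMSetup.exe command line from the switches and client.msi properties listed above, and flags the combinations the slides warn about: an always-internet client without /native, an internet-only client with no CCMHOSTNAME, an FSP on the same host as the MP (the slide's own sample values do exactly this), and a non-domain client installed without SMSSIGNCERT, which then has to pull the site signing cert from the MP after install. The `/native:<option>` colon form, the hostname fsp1.mylab.com and the path C:\A00SSC.cer are assumptions and constructed placeholders, not values from the page.

```python
# ccmsetup.exe switches and client.msi properties taken from the slides.
# The "/native:<option>" colon syntax is an assumption about how the option is passed.
CCMSETUP_SWITCHES = ("mp", "native")
CLIENT_MSI_PROPS = ("SMSSITECODE", "SMSMP", "CCMHOSTNAME", "CCMALWAYSINF", "FSP", "SMSSIGNCERT")
NATIVE_OPTIONS = {"", "CRL", "FALLBACK", "CRLANDFALLBACK"}


def build_cmdline(opts: dict) -> str:
    """Render a CCMSetup.exe command line: ccmsetup switches first, then client.msi
    properties (client.msi options pass through ccmsetup, not the other way round)."""
    parts = ["CCMSetup.exe"]
    for key in CCMSETUP_SWITCHES:
        if key in opts:
            parts.append(f"/{key}:{opts[key]}" if opts[key] else f"/{key}")
    for key in CLIENT_MSI_PROPS:
        if key in opts:
            parts.append(f"{key}={opts[key]}")
    return " ".join(parts)


def check_options(opts: dict, domain_joined: bool = True) -> list:
    """Return ERROR/WARNING strings for the option combinations the slides warn about."""
    issues = []
    always_internet = opts.get("CCMALWAYSINF") == "1"
    if "native" in opts and opts["native"].upper() not in NATIVE_OPTIONS:
        issues.append(f"ERROR: unknown /native option '{opts['native']}' (use CRL, FALLBACK or CRLANDFALLBACK)")
    if always_internet and "native" not in opts:
        issues.append("ERROR: CCMALWAYSINF=1 without /native; an internet-only client must use native mode (https)")
    if always_internet and not opts.get("CCMHOSTNAME"):
        issues.append("ERROR: internet-only client has no CCMHOSTNAME (internet FQDN of the management point)")
    fsp = opts.get("FSP", "").lower()
    if fsp:
        for key in ("SMSMP", "CCMHOSTNAME", "mp"):
            if fsp == opts.get(key, "").lower():
                issues.append(f"WARNING: FSP is the same host as {key}; the FSP is an unsecure (http) role "
                              "and should be a separate server from the MP")
                break
    if not domain_joined:
        # A workgroup/untrusted client cannot read its assignment or signing cert from AD.
        if not opts.get("SMSSITECODE"):
            issues.append("ERROR: non-domain client cannot read site assignment from AD; set SMSSITECODE")
        if not opts.get("SMSSIGNCERT"):
            issues.append("WARNING: no SMSSIGNCERT; a non-domain client will fetch the site signing cert "
                          "from the MP after install (less secure than supplying it at install time)")
    return issues


# Constructed examples: the slide's own values as an internet-only workgroup install
# (which repeats the slide's FSP-on-the-MP layout), then a corrected set.
WEAK_OPTS = {"mp": "mp2.mylab.com", "FSP": "mp2.mylab.com", "SMSSITECODE": "A00",
             "CCMALWAYSINF": "1", "CCMHOSTNAME": "mp2.mylab.com", "SMSMP": "mp2.mylab.com"}
HARDENED_OPTS = dict(WEAK_OPTS,
                     native="CRLANDFALLBACK",
                     FSP="fsp1.mylab.com",          # constructed hostname for a separate FSP server
                     SMSSIGNCERT=r"C:\A00SSC.cer")  # placeholder path to the exported site signing cert

if __name__ == "__main__":
    for label, opts in (("weak", WEAK_OPTS), ("hardened", HARDENED_OPTS)):
        print(f"[{label}] {build_cmdline(opts)}")
        for issue in check_options(opts, domain_joined=False):
            print("   ", issue)
```

Run it as a pre-flight check on the install line you intend to push to internet-only clients; the hardened set yields no findings, the weak set yields three.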



Domain Member
- Will always be on the local network
- Pulls information from AD for assignment

Non-Domain (not trusted or workgroup)
- Will never connect to the local network
- Assignment defined via installation options

Domain Member
- Will connect to the local network and be external on the internet
- Assignment defined via installation options





Site signing certificate
- Client and server must share cert information.
- Clients need to have a copy of the site signing cert so that they can decrypt the communication – stored in the registry, not the cert store.
- Domain clients can obtain it from AD (secure).
- Non-Domain clients get it during install (secure) or from the MP after install (less secure).

To install:
- SMSSIGNCERT=.\.\A00SSC.cer – defines the site server self-signing cert when clients cannot connect to AD. This is the file path to the certificate exported from the site server.
- The client installs the site signing cert WITHOUT the private key.
- The key can also be pre-staged, pulled from the GC, or pulled from the MP.

Certificate errors will manifest in the client and server logs as WINHTTP errors:

<![LOG[[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:49">
<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:50">
<![LOG[[CCMHTTP] : dwStatusInformationLength is 4]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:51">
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x9]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:52">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:56">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:68">

More information about winhttp errors can be found on MSDN:
http://msdn.microsoft.com/en-us/library/aa383917(VS.85).aspx
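As an added example (not from the presentation or from Microsoft), a Python parser for the CMTrace-style record format shown above that finds each WINHTTP_CALLBACK_STATUS_SECURE_FAILURE, decodes the `*lpvStatusInformation` bitmask logged by the same thread into the WinHTTP flag names from winhttp.h, and maps each flag to the native-mode check an administrator would make (CRL reachable, CA chain trusted, SAN matches the FQDN, cert dates valid). The value 0x9 from the page decodes to CERT_REV_FAILED (0x1) plus INVALID_CA (0x8), matching the two "is set" lines that follow it. The sample log is constructed, modelled on the page's excerpt, with an extra healthy record and a second failure on another thread so the per-thread pairing is exercised; the record-builder helper, message texts outside the page's excerpt and the remediation wording are assumptions.

```python
import re
from dataclasses import dataclass

# WinHTTP secure-failure flag bits (winhttp.h). "*lpvStatusInformation is 0x.." is a bitmask of these.
WINHTTP_SECURE_FLAGS = {
    0x00000001: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED",
    0x00000002: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT",
    0x00000004: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED",
    0x00000008: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA",
    0x00000010: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID",
    0x00000020: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID",
    0x00000040: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE",
    0x80000000: "WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR",
}

# Native-mode PKI checks per flag (wording is this example's, not Microsoft's).
REMEDIATION = {
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED": "client cannot reach the CRL distribution point in the server cert",
    "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA": "issuing CA chain is not in the client's Trusted Root / Intermediate store",
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID": "server cert subject/SAN does not match the FQDN the client used",
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID": "server cert expired or not yet valid (check clock and renewal)",
}


@dataclass
class LogEntry:
    message: str
    time: str
    date: str
    component: str
    thread: str
    file: str


# One record: <![LOG[message]LOG]!><attr="..." ...>; DOTALL lets a message span lines, as on the page.
ENTRY_RE = re.compile(r"<!\[LOG\[(?P<msg>.*?)\]LOG\]!><(?P<attrs>[^>]*)>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
STATUS_RE = re.compile(r"\*lpvStatusInformation is 0x([0-9A-Fa-f]+)")


def parse_cmtrace(text: str) -> list:
    """Parse CMTrace records into LogEntry objects; whitespace inside a message is collapsed."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        a = dict(ATTR_RE.findall(m.group("attrs")))
        entries.append(LogEntry(message=" ".join(m.group("msg").split()),
                                time=a.get("time", ""), date=a.get("date", ""),
                                component=a.get("component", ""), thread=a.get("thread", ""),
                                file=a.get("file", "")))
    return entries


def decode_secure_flags(value: int) -> list:
    """Expand a WinHTTP secure-failure bitmask into flag names, lowest bit first."""
    names = [name for bit, name in WINHTTP_SECURE_FLAGS.items() if value & bit]
    unknown = value & ~sum(WINHTTP_SECURE_FLAGS)
    if unknown:
        names.append(f"UNKNOWN_FLAGS_0x{unknown:X}")
    return names


def find_secure_failures(entries: list) -> list:
    """Pair each SECURE_FAILURE record with the status word the same thread logs after it."""
    findings = []
    for i, e in enumerate(entries):
        if "WINHTTP_CALLBACK_STATUS_SECURE_FAILURE" not in e.message:
            continue
        flags = []
        for later in entries[i + 1:]:
            if later.thread != e.thread:
                continue
            m = STATUS_RE.search(later.message)
            if m:
                flags = decode_secure_flags(int(m.group(1), 16))
                break
        findings.append({"date": e.date, "time": e.time, "thread": e.thread, "flags": flags,
                         "checks": [REMEDIATION[f] for f in flags if f in REMEDIATION]})
    return findings


def _record(msg, thread, line, component="CCMEXEC"):
    """Build one constructed CMTrace record in the format shown on the page."""
    return (f'<![LOG[{msg}]LOG]!><time="19:19:12.348+300" date="11-17-2008" '
            f'component="{component}" context="" type="3" thread="{thread}" file="ccmhttperror.cpp:{line}">')


# Constructed sample: the page's thread-2924 sequence (with its line-wrapped messages),
# a healthy record, and a second failure on thread 3100 carrying a different flag.
SAMPLE_LOG = "\n".join([
    _record("Client startup complete", "2500", 10, component="CcmExec"),
    _record("[CCMHTTP] AsyncCallback(): " + "-" * 65, "2924", 49),
    _record("[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE\nEncountered", "2924", 50),
    _record("[CCMHTTP]\n: dwStatusInformationLength is 4\n", "2924", 51),
    _record("[CCMHTTP]\n: *lpvStatusInformation is 0x9\n", "2924", 52),
    _record("[CCMHTTP]\n: WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set\n", "2924", 56),
    _record("[CCMHTTP]\n: WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set\n", "2924", 68),
    _record("[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered", "3100", 50),
    _record("[CCMHTTP] : *lpvStatusInformation is 0x20", "3100", 52),
])

if __name__ == "__main__":
    for hit in find_secure_failures(parse_cmtrace(SAMPLE_LOG)):
        print(f'{hit["date"]} {hit["time"]} thread {hit["thread"]}: {", ".join(hit["flags"])}')
        for check in hit["checks"]:
            print("    check:", check)
```

Point `parse_cmtrace` at the text of a real ccmexec.log (or an IIS-side log in the same format) and the findings give you the flag names to search for on the MSDN page linked above, plus the first thing to verify for each one.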