Configuration Manager 2007 - The Microsoft Solution Center
Implementing Native Mode and
Internet Based Client Management
Next version of SMS
Released in Aug 2007
SP1 in April 2008
R2 released in Oct 2008
What does it mean
Benefits
Secures your environment by signing communication between your server and clients.
Reduces an attacker's ability to set up bogus site and distribution points, and encrypts communication through SSL.
Considerations
With added security comes added complexity and administration.
PKI is not something to just throw in. Make sure to plan a proper deployment before you attempt to tackle native mode.
http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
http://technet.microsoft.com/en-us/library/cc772670.aspx
http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide-Part1.html
Internet Based Client Management
Allows you to manage clients outside of the intranet or VPN.
Supported Functions
Software Distribution (targeting computers, not users)
Software Updates (SUP)
Desired Configuration Management
Inventory
Software Metering
Non-Supported
Operating System Deployment
WOL (Wake on LAN)
Remote Tools (remote connection, remote assistance)
PKI Certificates
More Info: “Deploying the PKI Certificates Required for Native Mode” http://technet.microsoft.com/enus/library/bb680312.aspx
System Center Configuration Manager
Perimeter server to host roles
Perimeter server for FSP role
This can be your own CA or an external CA (Network Solutions, Verisign, etc…)
This demonstration is using a Microsoft Windows Server 2003 CA.
Clients must be able to trust the certificate issuing authority (Trusted Root, Intermediate Root).
Clients must be able to see the published CRL*
* Certificate Revocation List
Used to determine if a certificate is valid or has been revoked.
The path to the list needs to be accessible to internet clients.
Must be defined before creating the cert (it gets placed in the certificate – see image).
Ways to request a certificate:
1. Manual installation
2. Request through http://<ca server>/certsrv
3. Autoenrollment through Group Policy
Make sure the client can trust the certificate authority:
Download into trusted root
Publish through GPO
Add CTL to IIS
Three primary types of certs needed:
1. Computer/Workstation
   Used for authentication
   Autoenrollment
   How to revoke
   How to request for non-domain
2. Doc Signing
   Custom cert for ConfigMgr Site Servers
3. Web
   Needed for all servers hosting site server roles (IIS)
Standard Computer certificate – can be provided by an intermediate CA.
Can be configured in Group Policy for autoenrollment.
Demo GPO
Standard IIS web server certificate.
If internet-facing, the cert must support SAN.
SAN
Subject Alternative Name
To add option to MS CA
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
To add to a web based cert request - in the attributes section:
san:dns=<fqdn_internet>&dns=<fqdn_intranet>[&…]
The name of the certificate needs to be the following:
“The site code of this site server is <sitename>”
Demo
More information:
http://technet.microsoft.com/enus/library/cc872789.aspx
Configure Templates
Install web cert to ConfigMgr1
Install site signing cert to ConfigMgr1
Configure AD for client autoenrollment
Configure IIS for cert
Configure ConfigMgr Site for native mode
Demo
Install web cert to ConfigMgr2 (SAN)
Install computer cert on ConfigMgr2
Configure IIS for cert on both headers and IP
Verify IIS works from internal and external
Deploy roles to ConfigMgr2
Verify Logs
Demo
Options to add to the install – ccmsetup is the bootstrapper for client.msi.
Client.msi options can be passed through ccmsetup, but not vice versa.
CCMSetup.exe
/mp:mp2.mylab.com – defines the location from which the client install files are pulled down
/native - sets the communication mode for the client (http vs https). MUST be defined if the client will be internet only – additional options CRL | FALLBACK | CRLANDFALLBACK
Client.msi
FSP=mp2.mylab.com – defines the fallback status point the client reports to when it can’t communicate with the MP (cert errors). This should be a separate server from the MP since it is an unsecured site.
SMSSITECODE=A00 – defines the site the client will communicate with
CCMALWAYSINF=1 – the “1” option defines the client as always on the internet
CCMHOSTNAME=mp2.mylab.com – defines the internet FQDN of the management point the client will report to
SMSMP=mp2.mylab.com – defines the management point the client will report to
Demo
Domain Member
Will always be on the local network
Pulls information from AD for assignment
Non-Domain (not trusted or workgroup)
Will never connect to the local network
Assignment defined via installation options
Domain Member (roaming)
Will connect to the local network and be external on the internet
Assignment defined via installation options
Client and Server must share cert information.
Clients need to have a copy of the site signing cert so that they can decrypt the communication – stored in the registry, not the cert store.
Domain clients can obtain it from AD (secure).
Non-Domain clients get it during install (secure) or from the MP after install (less secure).
To install:
SMSSIGNCERT=.\.\A00SSC.cer - defines the site server self-signing cert when clients cannot connect to AD. This is the file path to the certificate exported from the site server.
The client installs the site signing cert WITHOUT the private key.
The key can also be pre-staged, pulled from the GC, or pulled from the MP.
Certificate errors will manifest in the client and server logs as WINHTTP errors:
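The install options, the three client scenarios and the site signing cert rules above can be checked mechanically before a command line is handed to ccmsetup. The following is an added example, not Microsoft's tooling: it splits a ccmsetup.exe command line into ccmsetup switches and client.msi properties and reports the combinations the deck calls out (internet-only without /native, FSP on the same host as the MP, a non-domain client without SMSSIGNCERT, an internet-only client with no site code or CCMHOSTNAME). The rule set is a reading of the slide text, and the host name fsp.mylab.com in the usage is constructed.

```python
"""Check a ConfigMgr 2007 client install command line (ccmsetup.exe switches plus
client.msi properties) against the native-mode / IBCM rules stated in the deck.
Added example, not Microsoft's code; the rules are taken from the slide text."""

# Documented values for the /native switch (CRL checking / fallback behaviour)
NATIVE_OPTIONS = {"", "CRL", "FALLBACK", "CRLANDFALLBACK"}


def parse_ccmsetup(cmdline):
    """Split the command line into ccmsetup switches (/name[:value]) and
    client.msi properties (NAME=value). Values are assumed to contain no spaces,
    so a plain split is enough and Windows paths keep their backslashes."""
    switches, props = {}, {}
    tokens = cmdline.split()
    for tok in tokens[1:]:  # tokens[0] is CCMSetup.exe itself
        if tok.startswith("/"):
            name, _, value = tok[1:].partition(":")
            switches[name.lower()] = value
        elif "=" in tok:
            name, _, value = tok.partition("=")
            props[name.upper()] = value
        else:
            raise ValueError("unrecognised token: %s" % tok)
    return switches, props


def check_client(cmdline, domain_member=True):
    """Return a list of findings; an empty list means nothing to fix."""
    switches, props = parse_ccmsetup(cmdline)
    findings = []
    internet_only = props.get("CCMALWAYSINF") == "1"

    # /native MUST be set for an internet-only client, and its value must be a documented mode
    if "native" in switches:
        if switches["native"].upper() not in NATIVE_OPTIONS:
            findings.append("/native value must be CRL, FALLBACK or CRLANDFALLBACK, not %r"
                            % switches["native"])
    elif internet_only:
        findings.append("internet-only client (CCMALWAYSINF=1) requires the /native switch")

    # An always-internet client cannot pull assignment from AD: site code and internet MP
    # name have to come from the install options
    if internet_only:
        for required in ("SMSSITECODE", "CCMHOSTNAME"):
            if required not in props:
                findings.append("internet-only client cannot use AD for assignment; "
                                "%s must be set on the command line" % required)

    # The FSP is an unsecured site and should be a separate server from the MP
    fsp = props.get("FSP", "").lower()
    mp_names = {props.get(k, "").lower() for k in ("CCMHOSTNAME", "SMSMP")}
    mp_names.add(switches.get("mp", "").lower())
    if fsp and fsp in mp_names:
        findings.append("FSP=%s is the same host as the MP; the fallback status point "
                        "should be a separate server" % props["FSP"])

    # Non-domain clients get the site signing cert at install (secure) or from the MP later (less secure)
    if not domain_member and "SMSSIGNCERT" not in props:
        findings.append("non-domain client without SMSSIGNCERT will fetch the site signing "
                        "cert from the MP after install (less secure)")
    return findings


if __name__ == "__main__":
    # Constructed internet-only workgroup client; fsp.mylab.com is a made-up host name
    cmd = ("CCMSetup.exe /mp:mp2.mylab.com /native:CRL FSP=fsp.mylab.com SMSSITECODE=A00 "
           "CCMALWAYSINF=1 CCMHOSTNAME=mp2.mylab.com SMSMP=mp2.mylab.com "
           "SMSSIGNCERT=C:\\certs\\A00SSC.cer")
    for finding in check_client(cmd, domain_member=False) or ["OK"]:
        print(finding)
```

Run it with `domain_member=False` for workgroup or untrusted-forest clients; domain members that roam (the third scenario above) still need the internet options but can take the signing cert from AD, so the SMSSIGNCERT finding is suppressed for them.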
<![LOG[[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:49">
<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:50">
<![LOG[[CCMHTTP] : dwStatusInformationLength is 4]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:51">
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x9]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:52">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:56">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:68">
More information about WinHTTP errors can be found on MSDN:
http://msdn.microsoft.com/en-us/library/aa383917(VS.85).aspx
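The log excerpt above carries the failure cause twice: as the raw WinHTTP status value (0x9) and as the individual flag names the client spells out. The following is an added example, not part of the deck and not Microsoft's code: it parses ConfigMgr's `<![LOG[...]LOG]!><time=... date=...>` entry format (including messages that span lines), decodes the status value with the WINHTTP_CALLBACK_STATUS_FLAG_* bit values from winhttp.h, maps each flag to the requirement from the deck it usually violates (CRL reachable, issuing CA trusted, SAN matching the FQDN), and checks that the decoded bits agree with the flags the log names. The sample entries embedded in the block are constructed to match the ones shown above.

```python
"""Parse ConfigMgr 2007 client log entries and decode WinHTTP secure-failure flags.
Added example, not part of the original deck. Flag values are from winhttp.h;
the sample log text is constructed to mirror the excerpt on the slide."""
import re

# One entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ... file="...">
ENTRY_RE = re.compile(r"<!\[LOG\[(?P<message>.*?)\]LOG\]!><(?P<attrs>[^>]*)>", re.DOTALL)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
STATUS_RE = re.compile(r"\*lpvStatusInformation is (0x[0-9A-Fa-f]+)")
FLAG_SET_RE = re.compile(r"(WINHTTP_CALLBACK_STATUS_FLAG_\w+) is set")

# Bit values of the secure-failure flags (winhttp.h)
WINHTTP_SECURE_FLAGS = {
    0x00000001: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED",
    0x00000002: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT",
    0x00000004: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED",
    0x00000008: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA",
    0x00000010: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID",
    0x00000020: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID",
    0x00000040: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE",
    0x80000000: "WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR",
}

# Which native-mode requirement from the deck each flag usually points at
LIKELY_CAUSE = {
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED": "client cannot reach the published CRL",
    "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA": "client does not trust the issuing CA (root/intermediate not installed)",
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID": "certificate name/SAN does not match the FQDN the client used",
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID": "certificate expired or not yet valid",
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED": "certificate is on the CRL",
}


def parse_entries(text):
    """Return one dict per log entry: the whitespace-collapsed message plus its attributes."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        entry = dict(ATTR_RE.findall(m.group("attrs")))
        entry["message"] = " ".join(m.group("message").split())
        entries.append(entry)
    return entries


def decode_flags(value):
    """Expand a WinHTTP secure-failure bitmask into flag names, lowest bit first."""
    names = [name for bit, name in WINHTTP_SECURE_FLAGS.items() if value & bit]
    leftover = value & ~sum(WINHTTP_SECURE_FLAGS)
    if leftover:
        names.append("UNKNOWN_FLAGS_0x%X" % leftover)
    return names


def diagnose(text):
    """Group the entries following each SECURE_FAILURE line into one diagnosis."""
    failures, current = [], None
    for e in parse_entries(text):
        msg = e["message"]
        if "WINHTTP_CALLBACK_STATUS_SECURE_FAILURE" in msg:
            current = {"time": e.get("time"), "date": e.get("date"),
                       "decoded": [], "named": [], "causes": []}
            failures.append(current)
            continue
        if current is None:
            continue
        m = STATUS_RE.search(msg)
        if m:
            current["decoded"] = decode_flags(int(m.group(1), 16))
            current["causes"] = [LIKELY_CAUSE.get(n, "see MSDN WinHTTP status flags")
                                 for n in current["decoded"]]
        m = FLAG_SET_RE.search(msg)
        if m:
            current["named"].append(m.group(1))
    for f in failures:  # the bitmask and the spelled-out flags should agree
        f["consistent"] = sorted(f["decoded"]) == sorted(f["named"])
    return failures


# Constructed sample mirroring the slide's excerpt (messages wrap across lines as in the real file)
SAMPLE_LOG = """\
<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE
Encountered]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:50">
<![LOG[[CCMHTTP]
: dwStatusInformationLength is 4
]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:51">
<![LOG[[CCMHTTP]
: *lpvStatusInformation is 0x9
]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:52">
<![LOG[[CCMHTTP]
: WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set
]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:56">
<![LOG[[CCMHTTP]
: WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set
]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:68">
"""

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f["date"], f["time"], f["decoded"], f["causes"], "consistent:", f["consistent"])
```

Point `diagnose` at the contents of CcmExec.log (or the server-side IIS-facing component logs) to turn a secure-failure block into the checklist item to fix first; in the slide's case 0x9 decodes to CERT_REV_FAILED plus INVALID_CA, i.e. the client could neither reach the CRL nor chain the server certificate to a trusted CA.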