Ohio System Center User Group, Nov 2008
ConfigMgr 2007: Implementing Native Mode and Internet Based Client Management
Configuration Manager
• Next version of SMS
• Released in Aug 2007
• SP1 in April 2008
• R2 released in Oct 2008
Why Native
• What does it mean
  • Secures your environment by signing communication between your server and clients.
• Benefits
  • Reduces the ability of an attacker to set up bogus site and distribution points, and encrypts communication through SSL
• Considerations
  • With added security comes added complexity and administration
  • PKI is not something to just throw in. Make sure to plan a proper deployment before you attempt to tackle native mode
  • http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx
  • http://technet.microsoft.com/en-us/library/cc772670.aspx
  • http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide-Part1.html
What is IBCM
• Internet Based Client Management
• Allows you to manage clients outside of the intranet or VPN
• Supported Functions
  • Software Distribution (targeting computers, not users)
  • Software Updates (SUP)
  • Desired Configuration Management
  • Inventory
  • Software Metering
• Non-Supported
  • Operating System Deployment
  • WOL (Wake on LAN)
  • Remote Tools (remote connection, remote assistance)
Prerequisites
• PKI Certificates
  • More Info: “Deploying the PKI Certificates Required for Native Mode” http://technet.microsoft.com/en-us/library/bb680312.aspx
• System Center Configuration Manager
• Perimeter server to host roles
• Perimeter server for FSP role
PKI – Certificate Authority
• This can be your own CA or an external CA (Network Solutions, Verisign, etc.)
• This demonstration is using a Microsoft Windows Server 2003 CA.
• Clients must be able to trust the certificate's issuing authority (Trusted Root, Intermediate Root)
• Clients must be able to see the published CRL
CRL
• Certificate Revocation List
• Used to determine if a certificate is valid or has been revoked.
• Path to the list needs to be accessible to internet clients
• Must be defined before creating the cert (the CRL distribution point URL gets placed in the certificate)
Distribution Method
• Manual installation
  • Request through http://<ca server>/certsrv
• Autoenrollment through Group Policy
• Make sure the client can trust the certificate authority
  • Download into trusted root
  • Publish through GPO
  • Add CTL to IIS
Certificates
• Three primary types of certs needed
• Computer/Workstation
  • Used for authentication
  • Autoenrollment
  • How to revoke
  • How to request for non-domain
• Doc Signing
  • Custom cert for ConfigMgr Site Servers
• Web
  • Needed for all servers hosting site server roles (IIS)
Computer Certificate
• Standard Computer certificate – can be provided by an intermediate CA
• Can be configured in Group Policy for autoenrollment
• Demo GPO
Web Certificate
• Standard IIS web server certificate
• If internet, the cert must support SAN
• SAN
  • Subject Alternative Name
  • To add the option to a MS CA: certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
  • To add to a web based cert request, in the attributes section: san:dns=<fqdn_internet>&dns=<fqdn_intranet>[&…]
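The two certificate properties the last few slides insist on (a SAN covering both the internet and intranet FQDN, and a CRL distribution point an internet client can actually reach) can be checked before a client is ever pointed at the server. The script below is an added example, not part of the presentation: it takes certificate metadata in the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns, and reports missing SAN names and usable CRL distribution points. The two sample certificates are constructed, and the hostnames (`mp2.mylab.com`, `mp2.mylab.local`, `pki.mylab.com`) and the `.local` internal-only suffix are assumptions for the lab.

```python
"""Added example (not from the presentation): check whether a web server
certificate is usable by an internet ConfigMgr client.

Two requirements from the slides are tested on the certificate metadata:
  1. the SAN must cover both the internet and intranet FQDNs of the role;
  2. at least one CRL distribution point must be an http(s) URL that an
     internet client can resolve (an ldap:// CDP in AD is useless off-net).
The certificate dictionaries are constructed samples in the shape that
ssl.SSLSocket.getpeercert() returns; all hostnames are hypothetical.
"""
import socket
import ssl
from urllib.parse import urlparse

# Hypothetical lab names: the MP's external and internal FQDNs.
INTERNET_FQDN = "mp2.mylab.com"
INTRANET_FQDN = "mp2.mylab.local"
# DNS suffixes that internet clients cannot resolve (assumed for the lab).
INTERNAL_SUFFIXES = (".local",)


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension, lower-cased."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """Match one SAN entry against a hostname. Only a single leading
    wildcard label (*.example.com) is honoured, as TLS clients do."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def missing_san_names(cert, required=(INTERNET_FQDN, INTRANET_FQDN)):
    """Required FQDNs that no SAN entry covers (empty list == SAN is complete)."""
    names = san_dns_names(cert)
    return [h for h in required if not any(name_matches(n, h) for n in names)]


def reachable_cdps(cert, internal_suffixes=INTERNAL_SUFFIXES):
    """CRL distribution points an internet client could actually fetch.
    CryptoAPI tries each CDP in turn, so one good http URL is enough; if
    this list is empty the client logs CERT_REV_FAILED and, with
    /native:CRL, refuses to talk to the management point."""
    usable = []
    for cdp in cert.get("crlDistributionPoints", ()):
        url = urlparse(cdp)
        host = url.hostname or ""
        if url.scheme in ("http", "https") and host and not host.endswith(internal_suffixes):
            usable.append(cdp)
    return usable


def evaluate(cert):
    """Summarise both checks for one certificate."""
    missing = missing_san_names(cert)
    cdps = reachable_cdps(cert)
    return {"san_missing": missing, "reachable_cdps": cdps, "ok": not missing and bool(cdps)}


def fetch_peer_cert(host, port=443):
    """Pull live certificate metadata from a server (needs network; not used
    by the samples below). Returns the same dict shape as the samples."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample: SAN lists both names, CDPs include an internet http URL.
GOOD_CERT = {
    "subject": ((("commonName", INTERNET_FQDN),),),
    "subjectAltName": (("DNS", INTERNET_FQDN), ("DNS", INTRANET_FQDN)),
    "crlDistributionPoints": (
        "ldap:///CN=MyLab-CA,CN=CDP,CN=Public%20Key%20Services,DC=mylab,DC=local?certificateRevocationList",
        "http://pki.mylab.com/CertEnroll/MyLab-CA.crl",
    ),
}

# Constructed sample: a default intranet-only web cert, which IBCM clients reject.
BAD_CERT = {
    "subject": ((("commonName", INTRANET_FQDN),),),
    "subjectAltName": (("DNS", INTRANET_FQDN),),
    "crlDistributionPoints": (
        "ldap:///CN=MyLab-CA,CN=CDP,CN=Public%20Key%20Services,DC=mylab,DC=local?certificateRevocationList",
        "http://pki.mylab.local/CertEnroll/MyLab-CA.crl",
    ),
}

if __name__ == "__main__":
    for label, cert in (("good", GOOD_CERT), ("bad", BAD_CERT)):
        print(label, evaluate(cert))
```

Against a live server, `evaluate(fetch_peer_cert("mp2.mylab.com"))` performs the same checks on the certificate IIS actually serves, which is the quickest way to confirm the SAN request and the `EDITF_ATTRIBUTESUBJECTALTNAME2` change took effect. The suffix list is deliberately simplistic; in a real environment the question is whether the CDP host resolves in public DNS.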
ConfigMgr Doc Signing Cert
• The name of the certificate needs to be the following:
  • “The site code of this site server is <sitename>”
• Demo
• More information:
  • http://technet.microsoft.com/en-us/library/cc872789.aspx
Steps to deploy native mode
• Configure Templates
• Install web cert to ConfigMgr1
• Install site signing cert to ConfigMgr1
• Configure AD for client autoenrollment
• Configure IIS for cert
• Configure ConfigMgr Site for native mode
• Demo
Steps to enable IBCM
• Install web cert to ConfigMgr2 (SAN)
• Install computer cert on ConfigMgr2
• Configure IIS for cert on both headers and IP
• Verify IIS works from internal and external
• Deploy roles to ConfigMgr2
• Verify Logs
• Demo
Install Internet Client
• Options to add to the install – ccmsetup is the bootstrapper for client.msi
• Client.msi options can be passed through ccmsetup, but not vice versa.
• CCMSetup.exe
  • /mp:mp2.mylab.com – used to define the location to pull down client install files
  • /native – sets the communication mode for the client (http vs https). MUST be defined if the client will be internet only – additional options CRL | FALLBACK | CRLANDFALLBACK
• Client.msi
  • FSP=mp2.mylab.com – used to define the fallback status point when the client can’t communicate with the MP (cert errors). This should be a separate server from the MP since it is an unsecured site.
  • SMSSITECODE=A00 – defines the site the client will communicate with
  • CCMALWAYSINF=1 – the “1” option defines the client as always internet
  • CCMHOSTNAME=mp2.mylab.com – defines the internet FQDN of the management point the client will report to
  • SMSMP=mp2.mylab.com – defines the management point the client will report to
• Demo
SOFXP01
• Domain Member
• Will always be on the local network
• Pulls information from AD for assignment
SOFXP02
• Non-Domain (not trusted, or workgroup)
• Will never connect to the local network
• Assignment defined via installation options
SOFXP03
• Domain Member
• Will connect to the local network and be external on the internet
• Assignment defined via installation options
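The install-option slide and the three client scenarios above describe rules that are easy to get wrong on a command line (an always-internet client without `/native`, no `CCMHOSTNAME`, or an FSP that is the MP itself). The script below is an added example, not from the presentation or from Microsoft: it splits a `ccmsetup.exe` command line into ccmsetup switches (`/name:value`) and client.msi properties (`NAME=value`) and applies exactly the rules the slides state. `mp2.mylab.com` and `A00` are the slide's lab values; `mp1.mylab.local` and `fsp.mylab.com` are invented for the samples.

```python
"""Added example (not from the presentation): lint a ccmsetup.exe command
line for the three client scenarios on the slides.

ccmsetup switches start with '/'; everything else in NAME=value form is
passed through to client.msi. The checks encode the rules stated on the
slides: an always-internet client must run in native (https) mode and
name its internet MP, cannot find its site code in AD, and should report
to a fallback status point that is not the MP itself (FSP traffic is
unsecured http). Hostnames and site code are the hypothetical lab values
from the slides (mp2.mylab.com, A00); fsp.mylab.com and mp1.mylab.local
are invented.
"""

# Values the slides list for /native; an empty string is a bare /native.
NATIVE_OPTIONS = {"", "CRL", "FALLBACK", "CRLANDFALLBACK"}


def parse_ccmsetup(cmdline):
    """Split a command line into (ccmsetup switches, client.msi properties).
    Plain whitespace splitting is enough here; quoted paths are not handled."""
    tokens = cmdline.split()
    if not tokens or not tokens[0].lower().endswith("ccmsetup.exe"):
        raise ValueError("expected a ccmsetup.exe command line")
    switches, props = {}, {}
    for tok in tokens[1:]:
        if tok.startswith("/"):
            name, _, value = tok[1:].partition(":")
            switches[name.lower()] = value
        elif "=" in tok:
            name, _, value = tok.partition("=")
            props[name.upper()] = value
        else:
            raise ValueError(f"unrecognised argument: {tok}")
    return switches, props


def lint_client_install(cmdline):
    """Return findings as strings; an empty list means the line is consistent
    with the rules on the slides."""
    switches, props = parse_ccmsetup(cmdline)
    findings = []
    always_internet = props.get("CCMALWAYSINF") == "1"

    if "native" in switches and switches["native"].upper() not in NATIVE_OPTIONS:
        findings.append(f"/native:{switches['native']} is not one of CRL, FALLBACK, CRLANDFALLBACK")
    if always_internet:
        if "native" not in switches:
            findings.append("CCMALWAYSINF=1 requires /native: an internet-only client must use https")
        if "CCMHOSTNAME" not in props:
            findings.append("CCMALWAYSINF=1 requires CCMHOSTNAME (internet FQDN of the MP)")
        if "SMSSITECODE" not in props:
            findings.append("an always-internet client cannot read AD; supply SMSSITECODE")
    # The FSP accepts unauthenticated http from clients whose certs failed;
    # the slides say to keep it off the management point.
    fsp = props.get("FSP", "").lower()
    mp_names = {v.lower() for v in (props.get("SMSMP"), props.get("CCMHOSTNAME"), switches.get("mp")) if v}
    if fsp and fsp in mp_names:
        findings.append("FSP is the management point itself; host the fallback status point on a separate server")
    return findings


# Constructed samples for the three scenarios.
# SOFXP01: domain member, always on the LAN, assignment comes from AD.
INTRANET_ONLY = "ccmsetup.exe /mp:mp1.mylab.local /native"
# SOFXP02 / SOFXP03: assignment must be given on the command line.
ALWAYS_INTERNET = (
    "ccmsetup.exe /mp:mp2.mylab.com /native:CRL FSP=fsp.mylab.com "
    "SMSSITECODE=A00 CCMALWAYSINF=1 CCMHOSTNAME=mp2.mylab.com SMSMP=mp2.mylab.com"
)
# The slide's literal option list, which omits /native and reuses the MP as FSP.
SLIDE_LITERAL = (
    "ccmsetup.exe /mp:mp2.mylab.com FSP=mp2.mylab.com "
    "SMSSITECODE=A00 CCMALWAYSINF=1 CCMHOSTNAME=mp2.mylab.com SMSMP=mp2.mylab.com"
)

if __name__ == "__main__":
    for line in (INTRANET_ONLY, ALWAYS_INTERNET, SLIDE_LITERAL):
        print(line)
        for finding in lint_client_install(line) or ["ok"]:
            print("  -", finding)
```

Running it against the slide's own option list produces two findings, which is the point of the slide's "should be a separate server" remark: the literal values shown are a placeholder, not a deployable command.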
Notes on Cert Security
• Client and Server must share cert information
• Clients need to have a copy of the site signing cert so that they can decrypt the communication – stored in the registry, not the cert store
  • Domain clients can obtain it from AD (secure)
  • Non-Domain clients get it during install (secure) or from the MP after install (less secure)
• To install
  • SMSSIGNCERT=.\.\A00SSC.cer – defines the site server self-signing cert when clients cannot connect to AD. This is the file path to the certificate exported from the site server.
  • Client installs the site signing cert WITHOUT the private key
  • Key can also be pre-staged, pulled from the GC, or pulled from the MP
Troubleshooting Certificate Errors
• Certificate errors will manifest in the client and server logs as WINHTTP errors:
<![LOG[[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:49">
<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:50">
<![LOG[[CCMHTTP] : dwStatusInformationLength is 4 ]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:51">
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x9 ]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:52">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set ]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:56">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set ]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:68">
• More information about WinHTTP errors can be found on MSDN
  • http://msdn.microsoft.com/en-us/library/aa383917(VS.85).aspx
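The `*lpvStatusInformation is 0x9` line in that excerpt is the useful one: for a `WINHTTP_CALLBACK_STATUS_SECURE_FAILURE` callback it is a bit mask of `WINHTTP_CALLBACK_STATUS_FLAG_*` values, and 0x9 = 0x1 | 0x8 is exactly the `CERT_REV_FAILED` and `INVALID_CA` lines that follow. The script below is an added example, not from the presentation: it parses the `<![LOG[...]LOG]!>` entry format the ConfigMgr client writes, decodes the mask with the flag constants from winhttp.h, and maps each flag to the cause the earlier slides describe (CRL not reachable, CA not trusted). `SAMPLE_LOG` is the excerpt from the slide; the cause table is an assumption of this example.

```python
"""Added example (not from the presentation): parse ConfigMgr client log
entries (the <![LOG[...]LOG]!> format CMTrace reads) and decode the
*lpvStatusInformation bit mask that WinHTTP reports with a
WINHTTP_CALLBACK_STATUS_SECURE_FAILURE callback into named flags.

Flag values are the WINHTTP_CALLBACK_STATUS_FLAG_* constants from
winhttp.h. SAMPLE_LOG is the ccmexec.log excerpt shown on the slide.
"""
import re

LOG_ENTRY = re.compile(
    r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!>'
    r'<time="(?P<time>[^"]*)" date="(?P<date>[^"]*)" component="(?P<component>[^"]*)"'
    r' context="[^"]*" type="(?P<type>\d+)" thread="(?P<thread>\d+)" file="(?P<file>[^"]*)">',
    re.DOTALL,
)
STATUS_INFO = re.compile(r"\*lpvStatusInformation is (0x[0-9A-Fa-f]+)")

# Bits of *lpvStatusInformation for a SECURE_FAILURE callback (winhttp.h).
SECURE_FAILURE_FLAGS = {
    0x00000001: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED",
    0x00000002: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT",
    0x00000004: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED",
    0x00000008: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA",
    0x00000010: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID",
    0x00000020: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID",
    0x80000000: "WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR",
}

# Usual cause for a native-mode / IBCM client (assumed mapping, per the slides).
LIKELY_CAUSE = {
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED": "client cannot reach the CRL distribution point",
    "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA": "issuing CA chain is not in the client's trusted roots",
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID": "server cert subject/SAN does not match the name used",
    "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID": "server cert expired or not yet valid (check clocks)",
}

LOG_TYPE = {"1": "info", "2": "warning", "3": "error"}


def parse_ccm_log(text):
    """Yield one dict per <![LOG[...]LOG]!> entry, in file order."""
    for m in LOG_ENTRY.finditer(text):
        entry = m.groupdict()
        entry["msg"] = entry["msg"].strip()
        entry["severity"] = LOG_TYPE.get(entry["type"], entry["type"])
        yield entry


def decode_secure_failure(value):
    """Names of the flags set in a SECURE_FAILURE status value, low bit first."""
    return [name for bit, name in sorted(SECURE_FAILURE_FLAGS.items()) if value & bit]


def secure_failures(text):
    """(date, time, flags, likely causes) for each SECURE_FAILURE in the log.
    The status value is only decoded when it follows a SECURE_FAILURE line,
    because *lpvStatusInformation means something else for other callbacks."""
    found = []
    pending = False
    for entry in parse_ccm_log(text):
        if "WINHTTP_CALLBACK_STATUS_SECURE_FAILURE" in entry["msg"]:
            pending = True
            continue
        m = STATUS_INFO.search(entry["msg"])
        if m and pending:
            flags = decode_secure_failure(int(m.group(1), 16))
            causes = [LIKELY_CAUSE[f] for f in flags if f in LIKELY_CAUSE]
            found.append((entry["date"], entry["time"], flags, causes))
            pending = False
    return found


# The ccmexec.log excerpt from the slide.
SAMPLE_LOG = r'''<![LOG[[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:49">
<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:50">
<![LOG[[CCMHTTP] : dwStatusInformationLength is 4 ]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:51">
<![LOG[[CCMHTTP] : *lpvStatusInformation is 0x9 ]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:52">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set ]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:56">
<![LOG[[CCMHTTP] : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set ]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:68">'''

if __name__ == "__main__":
    for date, time, flags, causes in secure_failures(SAMPLE_LOG):
        print(date, time, flags)
        for cause in causes:
            print("  -", cause)
```

Pointed at a whole ccmexec.log (`secure_failures(open(path).read())`), this gives one line per TLS failure with the decoded flags, which is faster than scrolling CMTrace for the "is set" lines and also catches combinations the client does not spell out.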