Certificate Deployment Options for Internet-Based Site Systems
My previous post warned you that our documented Step-By-Step Example Deployment of the PKI Certificates Required for Configuration Manager Native Mode would not be sufficient for when you come to creating certificates for Internet-based site systems. You need to do your own homework or enlist expertise before deploying PKI in a production environment, but you can follow these tips to help you get a proof of concept together for testing Internet-based client management with Configuration Manager 2007.
First, decide which of the supported scenarios you will be using: Supported Scenarios for Internet-Based Client Management. This will help to determine your certificate requirements for the Internet-based site systems.
If these servers will support clients on the Internet only, and not clients on the intranet, then their certificates need to include their Internet FQDN only in the certificate Subject Name field or Subject Alternative Name field. You can’t use the step-by-step procedure for this certificate creation, because that automatically creates the certificate with the intranet FQDN. So you will need another method, such as using the default Web Server certificate template without modification, so that it has the Supplied in the Request option specified in the Subject Name tab. Then you can request the certificate using the Web enrollment method, selecting the Web Server certificate template, and specifying the Internet FQDN in the Subject Name field.
If these servers will support clients on the Internet and clients on the intranet, you might have to specify multiple FQDNs (the Internet FQDN and the intranet FQDN) in the certificate. I say might, because you might be using split-brain DNS, where you use the same namespace for your public and private DNS, with external requests resolving to an external IP address and internal requests resolving to an internal IP address. When this is the case, the Internet FQDN and the intranet FQDN will be the same, and you need specify it only once in the certificate Subject Name field.
If you do have to specify multiple FQDNs in a certificate (and the same requirement applies if you are configuring management point or software update point NLBs in a native mode site), then the standard method to achieve this is to use Subject Alternative Names (SANs). Microsoft CAs don’t support SANs by default, so you need to enable this before requesting a certificate with SANs, for example using the Web enrollment form. See the note added the topic Deploying the Web Server Certificates to Site System Servers that points you to the relevant Microsoft PKI article.
Supporting both Internet clients and intranet clients on the same server is not a security recommended best practice because it bridges a security boundary. However, I can appreciate why it’s useful for a proof of concept. Look out for an added scenario in the November documentation release to the topic Example Scenarios for Implementing Internet-Based Client Management in Configuration Manager.
The new scenario will cover exactly this configuration, with an A-Z breakdown of the steps required to get Internet-based client management up & running quickly with the minimal number of steps and computers. If you’re interested in reviewing this documented scenario before the November release, let us know using the SMSDocs@Microsoft.com feedback email alias - and be sure to include any other feedback you have about the documentation related to native mode and Internet-based client management.
- Carol Bailey
This posting is provided “AS IS” with no warranties and confers no rights.