Implementing Native Mode and Internet Based Client Management

chunkyscreechServers

Dec 4, 2013




Next version of SMS

Released in Aug 2007
SP1 in April 2008
R2 released in Oct 2008


What does it mean

Native mode secures your environment by signing communication between your server and clients.

Benefits

Reduces the ability of an attacker to set up bogus sites and distribution points, and encrypts communication through SSL.

Considerations

With added security comes added complexity and administration.

PKI is not something to just throw in. Make sure to plan a proper deployment before you attempt to tackle native mode.


http://www.microsoft.com/windowsserver2003/technologies/pki/default.mspx

http://technet.microsoft.com/en-us/library/cc772670.aspx

http://www.windowsecurity.com/articles/Microsoft-PKI-Quick-Guide-Part1.html


Internet Based Client Management

Allows you to manage clients outside of the intranet or VPN.

Supported functions:

Software Distribution (targeting computers, not users)
Software Updates (SUP)
Desired Configuration Management
Inventory
Software Metering

Not supported:

Operating System Deployment
WOL (Wake on LAN)
Remote Tools (remote connection, remote assistance)


PKI Certificates

More Info: “Deploying the PKI Certificates Required for Native Mode”
http://technet.microsoft.com/en-us/library/bb680312.aspx


System Center Configuration Manager

Perimeter server to host roles
Perimeter server for FSP role



This can be your own CA or an external CA (Network Solutions, Verisign, etc.).

This demonstration is using a Microsoft Windows Server 2003 CA.

Clients must be able to trust the certificate issuing authority (Trusted Root, Intermediate Root).

Clients must be able to see the published CRL*

*Certificate Revocation List

Used to determine if a certificate is valid or has been revoked.

The path to the list needs to be accessible to internet clients.

Must be defined before creating the cert (the CRL distribution point URL gets placed in the certificate; see image).




1. Manual installation
2. Request through http://<ca server>/certsrv
3. Autoenrollment through Group Policy

Make sure the client can trust the certificate authority:

Download into trusted root
Publish through GPO
Add CTL to IIS




Three primary types of certs needed

1. Computer/Workstation

Used for authentication
Autoenrollment
How to revoke
How to request for non-domain

2. Doc Signing

Custom cert for ConfigMgr Site Servers

3. Web

Needed for all servers hosting site server roles (IIS)

Standard Computer certificate

Can be provided by an intermediate CA
Can be configured in Group Policy for autoenrollment


Demo: GPO




Standard IIS web server certificate

If internet-facing, the cert must support SAN (Subject Alternative Name).

To add the option to a Microsoft CA:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Note that this is a CA-wide setting: once set, any requester who can enroll can supply arbitrary SAN values through request attributes, so limit who can enroll against this CA and revisit the flag once the certificate is issued.

To add to a web-based cert request, in the attributes section:

san:dns=<fqdn_internet>&dns=<fqdn_intranet>[&…]




The name of the certificate needs to be the following:

The site code of this site server is <sitename>

Demo

More information:
http://technet.microsoft.com/en-us/library/cc872789.aspx



Configure Templates
Install web cert to ConfigMgr1
Install site signing cert to ConfigMgr1
Configure AD for client autoenrollment
Configure IIS for cert
Configure ConfigMgr Site for native mode

Demo

Install web cert to ConfigMgr2 (SAN)
Install computer cert on ConfigMgr2
Configure IIS for cert on both headers and IP
Verify IIS works from internal and external
Deploy roles to ConfigMgr2
Verify Logs

Demo




Options to add to install

ccmsetup is the bootstrapper for client.msi.

Client.msi options can be passed through ccmsetup, but not vice versa.

CCMSetup.exe

/mp:mp2.mylab.com - used to define the location to pull down the client install files

/native - sets the communication mode for the client (http vs https). MUST be defined if the client will be internet only.
Additional options: /native:CRL | /native:FALLBACK | /native:CRLANDFALLBACK


Client.msi

FSP=mp2.mylab.com - used to define the fallback status point the client reports to when it can't communicate with the MP (cert errors). This should be a separate server from the MP since it is an unsecured (HTTP) site.

SMSSITECODE=A00 - defines the site the client will communicate with

CCMALWAYSINF=1 - the “1” option defines the client as always internet

CCMHOSTNAME=mp2.mylab.com - defines the internet FQDN of the management point the client will report to

SMSMP=mp2.mylab.com - defines the management point the client will report to


Demo


Domain Member

Will always be on the local network
Pulls information from AD for assignment

Non-Domain (not trusted or workgroup)

Will never connect to the local network
Assignment defined via installation options

Domain Member

Will connect to the local network and also be external on the internet
Assignment defined via installation options


Client and Server must share cert information

Clients need to have a copy of the site signing cert so that they can decrypt the communication.

Stored in the registry, not the cert store.

Domain clients can obtain it from AD (secure).

Non-domain clients get it during install (secure) or from the MP after install (less secure).

To install:

SMSSIGNCERT=.\.\A00SSC.cer - defines the site server self-signing cert when clients cannot connect to AD. This is the file path to the certificate exported from the site server.

The client installs the site signing cert WITHOUT the private key.

It can also be pre-staged, pulled from the GC, or pulled from the MP.
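The ccmsetup/client.msi options, the three client scenarios (domain member on the LAN, non-domain, roaming domain member) and the SMSSIGNCERT rule above combine into one install command per scenario. The following is an added example, not code from the presentation: it builds the argument list for a described client and lints a command line against the deck's stated rules. ClientProfile and its field names are this example's own; the option names are the ones listed above.

```python
from dataclasses import dataclass

@dataclass
class ClientProfile:
    """Hypothetical description of one client; the field names are this example's own."""
    site_code: str
    mp_intranet: str     # management point reachable on the local network
    mp_internet: str     # internet FQDN of the internet-facing management point
    fsp: str             # fallback status point (plain HTTP, so keep it on a separate server)
    domain_member: bool  # can the client read site information from AD?
    on_intranet: bool    # does it ever connect to the local network or VPN?
    on_internet: bool    # does it ever connect from the internet?
    sign_cert: str = ""  # exported site signing cert (.cer) for clients that cannot reach AD

def build_command(p: ClientProfile) -> list:
    """Return the CCMSetup.exe argument list for the scenario described by p."""
    internet_only = p.on_internet and not p.on_intranet
    # /mp is where ccmsetup pulls the client install files from.
    args = ["CCMSetup.exe", "/mp:" + (p.mp_internet if internet_only else p.mp_intranet),
            # /native is mandatory for internet-only clients; CRLANDFALLBACK keeps CRL
            # checking on and still lets certificate failures reach the FSP.
            "/native:CRLANDFALLBACK",
            "SMSSITECODE=" + p.site_code, "FSP=" + p.fsp]
    if internet_only:
        args += ["CCMALWAYSINF=1", "CCMHOSTNAME=" + p.mp_internet]
    elif not p.domain_member:
        args.append("SMSMP=" + p.mp_intranet)        # no AD: assignment comes from the options
    elif p.on_internet:
        args += ["SMSMP=" + p.mp_intranet, "CCMHOSTNAME=" + p.mp_internet]  # roaming member
    # (a domain member that is always on the local network pulls everything from AD)
    if not p.domain_member:
        args.append("SMSSIGNCERT=" + p.sign_cert)    # cannot obtain the signing cert from AD
    return args

def check_command(args: list) -> list:
    """Return findings for an argument list, using the rules stated in the deck."""
    props = dict(a.split("=", 1) for a in args if "=" in a)
    switches = {a.split(":", 1)[0].lower() for a in args if a.startswith("/")}
    findings = []
    if props.get("CCMALWAYSINF") == "1":
        if "/native" not in switches:
            findings.append("internet-only client without /native")
        if "CCMHOSTNAME" not in props:
            findings.append("CCMALWAYSINF=1 but no CCMHOSTNAME (internet MP) given")
    mps = {props[k].lower() for k in ("SMSMP", "CCMHOSTNAME") if k in props}
    if props.get("FSP", "").lower() in mps:
        findings.append("FSP on the same host as the MP; the FSP is an unsecured HTTP site")
    if "SMSSIGNCERT" in props and not props["SMSSIGNCERT"]:
        findings.append("SMSSIGNCERT given without a file path")
    return findings
```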




Certificate errors will manifest in the client and server logs as WINHTTP errors:

<![LOG[[CCMHTTP] AsyncCallback(): -----------------------------------------------------------------]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:49">
<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:50">
<![LOG[[CCMHTTP]   : dwStatusInformationLength is 4]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:51">
<![LOG[[CCMHTTP]   : *lpvStatusInformation is 0x9]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:52">
<![LOG[[CCMHTTP]   : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:56">
<![LOG[[CCMHTTP]   : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:68">


More information about winhttp errors can be found on MSDN:
http://msdn.microsoft.com/en-us/library/aa383917(VS.85).aspx
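The excerpt above is in CMTrace format, and the interesting value is the lpvStatusInformation bitmask (0x9 here), which the following lines then spell out flag by flag. As an added example, not code from the presentation, this parses such entries, decodes the mask with the WINHTTP_CALLBACK_STATUS_FLAG_* bit values from winhttp.h, and maps each flag to the deck's own prerequisites (reachable CRL, trusted CA, matching SAN). The sample entries are reconstructed from the excerpt above; the hint texts are this example's own.

```python
import re

# Bit values of the WINHTTP_CALLBACK_STATUS_FLAG_* constants from winhttp.h; the 0x9 in
# the deck's excerpt is CERT_REV_FAILED (0x1) | INVALID_CA (0x8), matching its "is set" lines.
WINHTTP_FLAGS = {
    0x00000001: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED",
    0x00000002: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CERT",
    0x00000004: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_REVOKED",
    0x00000008: "WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA",
    0x00000010: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_CN_INVALID",
    0x00000020: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_DATE_INVALID",
    0x00000040: "WINHTTP_CALLBACK_STATUS_FLAG_CERT_WRONG_USAGE",
    0x80000000: "WINHTTP_CALLBACK_STATUS_FLAG_SECURITY_CHANNEL_ERROR",
}
# Likely causes (this example's own wording), derived from the deck's requirements.
HINTS = {
    0x1: "client cannot reach the CRL distribution point embedded in the server certificate",
    0x8: "issuing or root CA is not in the client's trusted store",
    0x10: "certificate name does not match the FQDN the client uses (check the SAN)",
    0x20: "certificate expired or not yet valid",
}
# One CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="...">
LOG_RE = re.compile(r'<!\[LOG\[(?P<msg>.*?)\]LOG\]!><time="(?P<time>[^"]*)" date="(?P<date>[^"]*)"'
                    r'.*?component="(?P<component>[^"]*)".*?type="(?P<type>\d+)"', re.S)

def parse_cmtrace(text):
    """Return one dict per CMTrace-format entry found in text."""
    return [m.groupdict() for m in LOG_RE.finditer(text)]

def decode_flags(value):
    """Names of the WinHTTP status flags set in value, lowest bit first."""
    return [name for bit, name in WINHTTP_FLAGS.items() if value & bit]

def diagnose(text):
    """Return (flag name, likely cause) pairs for every lpvStatusInformation value in a log."""
    findings = []
    for entry in parse_cmtrace(text):
        m = re.search(r"lpvStatusInformation\s+is\s+(0x[0-9A-Fa-f]+)", entry["msg"])
        if m:
            value = int(m.group(1), 16)
            findings += [(name, HINTS.get(bit, "see the WinHTTP status-flag documentation"))
                         for bit, name in WINHTTP_FLAGS.items() if value & bit]
    return findings

# Constructed sample: the four informative lines of the deck's CCMHTTP excerpt.
SAMPLE_LOG = """\
<![LOG[[CCMHTTP] AsyncCallback(): WINHTTP_CALLBACK_STATUS_SECURE_FAILURE Encountered]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:50">
<![LOG[[CCMHTTP]   : *lpvStatusInformation is 0x9]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:52">
<![LOG[[CCMHTTP]   : WINHTTP_CALLBACK_STATUS_FLAG_CERT_REV_FAILED is set]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:56">
<![LOG[[CCMHTTP]   : WINHTTP_CALLBACK_STATUS_FLAG_INVALID_CA is set]LOG]!><time="19:19:12.348+300" date="11-17-2008" component="CCMEXEC" context="" type="3" thread="2924" file="ccmhttperror.cpp:68">
"""
```

Running diagnose(SAMPLE_LOG) yields the two flags the excerpt names, each paired with the prerequisite to check first.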