Setup Internet-Based Client Management (IBCM) in Microsoft SCCM to Manage Internet Clients

Captions
Hi, my name is Justin Chalfant. I'm the engineering lead at Patch My PC. We develop a solution to allow you to easily integrate third-party updates into SCCM. Prior to that, I was also a senior premier field engineer at Microsoft supporting SCCM. In this video we're going to be talking about internet-based client management, some of the things that you need to know about it, and how we can set it up.

Before you get started: this is a rather complex topic, probably one of the hardest feature areas to set up within SCCM, so I think it's important to really understand some of the prereqs that we need to have in place. A lot of these are actually outside of Config Manager itself, some external things that we need to have.

The first thing that we need is a public DNS name. When our clients are out on the internet, we need to have a public DNS name that's going to route back to our site. I've already configured this; what I'll be using today is ibcm.setupconfigmgr.com, so that's going to be pointing back to my lab.

The next thing we need is a PKI setup. If you haven't watched my previous video, right before this one, we actually did a step-by-step guide on how you can configure and install Active Directory Certificate Services, which will allow you to have the PKI infrastructure. We also go through the process of creating the templates that we need for SCCM, so this would include the client, distribution point, and the IIS certificate that we need. That whole video would be something that you would want to check out before this if you don't have your SCCM site configured for HTTPS.

We do need to have trust between our site system that will be hosting our internet-facing site system roles and our clients. If your site system is part of the same domain and it's trusted and you're issuing them from the same certificate authority there, that's just going to happen by default. This can come into play if you're using an untrusted domain, for example, for your site system that
will be hosting those internet-facing site system roles for your clients. If it's untrusted, you would have to make sure that you either issue the certificate for the web server that's going to be hosting that from your internal domain that clients trust, or you could possibly use a third-party trusted web server certificate, because your clients should also trust that as well. Now, there is no requirement that you have to use Microsoft Active Directory Certificate Services, but it is going to make issuing certificates to your clients and your web servers, and renewing them, much easier, so that would probably be the best way to go in most scenarios.

Obviously, internet connectivity from our clients: we're going to need that in order to connect back to our site.

The ports: this can be a big one. If you are using a DMZ for your site system that's going to be facing the internet, you're going to have to make sure you have the necessary ports for your site server to connect into that site system and for that site system to connect back to your database. I do have a separate blog post that will go in detail on all the ports that we need and the way that those ports would have to be configured, so that's going to be important to check out if you are using a DMZ for your internet-facing MP, DP, and SUP.

The site system that's going to be hosting these does have to be domain joined. Like I mentioned, it could be an untrusted domain in a DMZ, but it does have to be in a domain; it can't be a workgroup.

Now, if you do use an untrusted domain, there are some things that can come into play with certificate revocation checking. Within the blog post I'll link out for the prereqs I will talk about this, but essentially what would happen is, if you have a site system in a DMZ, you would have to make sure that the certificate revocation list for the certificate we issue is accessible. For example, say that you created a web server certificate on your internal Active Directory domain, you allowed the
private key to be exported, and then we use that on the DMZ and the untrusted forest. We would have to make sure that we could check the certificate revocation list, unless you disable that feature, which obviously wouldn't be a best practice because you couldn't see if the client certificates checking in are revoked. In order to do that, the default option is just an LDAP query, so what we would have to do, if you are using Active Directory Certificate Services, is to configure what's called an HTTP certificate revocation list distribution point. It's actually quite easy to do, but that would just allow us to use an HTTP path like we can see here. I will link out to one of the Config Manager product group blogs that does talk about how you can configure that, so that DMZ server in the untrusted domain could still check whether client certificates are revoked or not.

The other thing that's going to be important is how we're configuring our connection to come to our site server. I'm actually going to jump over to the internet-based client management Microsoft Docs website, and there's going to be an option here that talks about the different options.

While I'm on this page: there are some features that aren't supported, so things obviously like Wake-on-LAN, operating system deployment, and remote control would not be supported there for internet-facing clients. This documentation does also talk about the untrusted forest scenario, where user policy would not work because there's no trust to do those lookups.

But here's what I want to talk about. This is really going to be most likely handled by your security team; generally this falls outside of the scope of the SCCM admin. There are essentially two different ways that we can route traffic to our site that would be supported by Config Manager. One is going to be SSL bridging, so that's the most secure option. Essentially what would happen there is your client would send the connection to that public-facing DNS name, and then there would
be a bridging server. This could be something like TMG, Threat Management Gateway, but that's actually going out very soon by Microsoft. It could be something like an F5 server. Basically what bridging does is the service that's implementing that bridging can take that client communication, inspect it, close the connection, and then create a new connection back to your server. It allows you to do things like inspecting the traffic for different types of exploits that would be known about, so that's going to be the most secure option, but it is a bit more complex to get set up.

Then there's a tunneling option, which is where we basically just ensure that the traffic coming from our internet clients is using a valid certificate and then we just kind of forward that along to your site system. That's going to be what I'm using in this video. I have used TMG in the past. That does require Server 2008 and it's actually going out of support soon, so that probably wouldn't be the best method to use if you did want to go with the bridging option.

What I'm doing in my lab, just to kind of show you what that's going to look like, is on my router I'm going to just forward HTTPS traffic coming in from the internet. We're going to do port 443 and I'm going to forward that to my site system that's going to be hosting my role. Let me just grab the IP address of that; we'll paste that in. It's also going to be port 443 on the internal server that we're going to be listening on. I configure that and then apply that.

That's pretty much all the considerations that you would have to think about even before we start adding any type of site system role in SCCM. What I'm going to do is, I have a new server called SCCM-IBCM. I'm running a standalone primary site right now; I just have one site system, that is my site system running on my site server, so nothing too complex. This is actually coming right from our install guide and then our basic config and then HTTPS guide,
which is where we're at right now.

Jumping over to my domain controller: if you remember in the previous video (if you haven't watched that, you're going to want to start there), we created the SCCM IIS certificate template, and we gave a security group called SCCM IIS service permissions to enroll. So what we're going to do is come in and add the computer account of our new server to that group so we can enroll this certificate. In order for that change to take effect on the server side, we do have to restart that; otherwise we would get denied when we come in and request that.

Now, while we're on the domain controller and the certificate authority, I will show you what we could do if we did have a certificate that we wanted to issue to a server that is in an untrusted forest. What we could do here is duplicate the IIS certificate that we created, and then we could just name this something like SCCM IIS Certificate - DMZ. What we would do in this case, under Request Handling, is allow the private key to be exported, and then we would request this on a computer that is part of the domain, so this could be your site server, for example, and then we could export it with the private key. We would just have to make sure that for the DNS names we give it the name of that DMZ server and then the public domain for your internet-facing domain name. We'll go through that process, but that's what that would look like. We'd come in here and give the SCCM IIS group read and enroll permissions, and then OK, and then we could request that, export it, and then use that on our server.

All right, so that's the site system that we're going to use to install our internet-facing roles on, and that did reboot. What we're going to do is come in and go to our certificate snap-in. We're going to choose Computer account, Local computer, and then Finish, and then OK. Just like we did when we switched our site over to HTTPS in the first video, we're
going to come in here and we are going to request a certificate. We're going to choose the SCCM IIS certificate, and then we're going to choose the alternative name and the DNS name. We're going to add the DNS name of our server, so this is going to be SCCM-IBCM; that's going to be just the host name. We're then going to add the internal fully qualified domain name, so that's going to be the host name .contoso.local. Then we want to add that public DNS name that we are going to use for our internet-facing clients. Let me just copy that, and I'm just going to ping that to make sure that I got that correct. We have that public IP, so that looks good. Then what we're going to do is give it a friendly name. I'll just call this SCCM IBCM IIS cert, and then OK, and then Enroll.

Now, one thing I'm noticing is we don't have any client certificate on this machine. That's because back in our lab we only configured the auto-enrollment domain policy for the OU for our testing lab for this site. What I'm going to do is move that server to that OU, and then let me come over here and run a gpupdate /force. We will need the client cert in order for us to successfully check whether the management point is up and running, because it will require authentication. We can see that that certificate did auto-enroll now that we're in that OU, so we can see that client cert template did get issued and enrolled on that machine.

Now that we have our web server certificate, we can come into IIS and come to our websites, and you're going to see here we have two websites. I did pre-install WSUS, but I do cover this in the first video for installing SCCM, so if you did want to walk through that, it's basically just installing the WSUS role. We do have the two websites here. What we want to do is, under the Default Web Site, we want to edit the bindings, and then we're going to add our HTTPS binding and then choose that IBCM certificate. So that should be good here, so
if we close that and if we open a web browser, what we should be able to do is browse out to https://sccm-ibcm, and we can see the certificate is now valid. We can also verify the fully qualified internal domain name; it should be working there too. It should probably be able to work on our public name now too, if that's resolvable, and it looked like it was. We can see it's also working using that public name as well. That can just kind of verify that we are up and running in IIS and our certificate is configured.

Now the next thing that we're going to do is configure our WSUS server to use the same website as the Default Web Site. Usually with Server 2012 and newer, WSUS does by default install on a separate website, so it uses ports 8530 and 8531. This is going to be best practice generally, because it's going to split up your default website, which would be running things like the management point, distribution point, and any other IIS site systems in SCCM. It would separate that out so it's easier to troubleshoot, because we would have a different IIS log for WSUS and the other components. But when we're talking about IBCM, it's pretty common that you would want to open as few ports as possible, so what we're going to do here is switch our WSUS server to use 443 instead of 8531. Instead of opening up the two ports, we can now just use the one port, port 443.

In order to do that, I am going to bring up one of the guides here about how to switch WSUS to only use SSL. I will link to this in the notes. What we're going to do is come into our website for WSUS. Under the API remoting folder, we're going to click the SSL Settings and we need to make sure that's set to require certificate, or I'm sorry, Require SSL. We want the client certs to be set to Ignore. We're then going to repeat that for the client web service, the DSS auth service, the simple sync, and the simple auth. We want to make sure we set those five directories
to require SSL. Once we do that, we can then come into our WSUS util utility. I'm going to come over here; we're going to cd to Program Files, Update Services, Tools, and within the Tools folder there's going to be a tool called wsusutil. We are going to run a wsusutil command. Actually, before I switch over to SSL, what we need to do is run the usecustomwebsite option, so we're going to run wsusutil usecustomwebsite equals false. What that's going to do is move our WSUS from using this custom website (we can see that looks like it's already gone), and it's going to start moving those directories over to the default website. It looks like that did switch over. Now let me just check these folders. Yeah, so it looks like that did reset my configurations, so you're probably going to want to run this command first, if you haven't already configured the Require SSL option, because I'm going to have to come back in here real quick and just configure all these directories back to using SSL. OK, and then the last one for the auth service.

Now that we're on the default website and we have those directories configured, if we come back to wsusutil, we're going to run another command. Up here there's going to be a configuressl option, so let me copy that. We're going to run wsusutil configuressl, and then we're going to enter the fully qualified internal domain name of our server, so that's going to be sccm-ibcm.contoso.local. What that command is going to do (we can see it was successful) is switch WSUS to only use port 443. That looks good, and we'll just make sure our certificate should still be bound. Let me just make sure it all looks good, because we did move that. That looks good, so we're all set here for our IIS requirements for the cert, as well as WSUS being ready for us to install on our software update point.

The next thing that I'm going to do is add the computer account of our site server to the local
administrators group on this remote site system we're going to use for our internet-facing site system roles. This is going to allow our site server to connect in and install the new site systems for our MP, DP, and SUP that I'm going to install on this machine. Within the install wizard you can use a service account if you wanted. If you're using an untrusted forest, in fact, you're going to have to use a service account for that untrusted domain to connect in to configure that, but since I'm in the same domain, I'm just going to make sure my computer account for my site server has local admin rights on my IBCM site system that I'm going to install.

All right, so what I've done, I do want to show: I did copy the NO_SMS_ON_DRIVE.SMS to my C drive, and then I have a content folder where all the site system components are going to get installed. That NO_SMS_ON_DRIVE.SMS just tells SCCM that we don't want to install any content folders for SCCM on this drive.

Back on my primary site, what I'm going to do here is, under Servers and Site System Roles, I'm going to create a new site system server. We're going to go ahead and browse out to my computer for SCCM-IBCM, so that looks good. If this was an untrusted domain, you would just type in the fully qualified domain name. We're going to install this for our primary site.

Now this option is important: we do need to specify the FQDN for use on the internet, so that's going to be that ibcm.setupconfigmgr.com. I do just want to copy that, and we'll run a quick ping command, because I would not want to typo that, and it looks like that looks good.

The next thing: there is an option here to require the site server to initiate connections to the site system for doing things like copying inventory files. That could just reduce the number of ports, so the site server would always initiate communication to get information about things like inventory and things like that. In my case I don't have a DMZ and I'm not worried about
ports, so we can just have that site system for the internet-facing roles just send the files up to our site system, our site server, through the normal flow.

Here's the site installation account. We configured our computer account to have local admin rights, so I'm just going to use the site server computer account. But if you did want to use a service account, or if you were in an untrusted domain for your DMZ server or your site system for IBCM, you would have to define an account in that other domain that would have local admin rights on that computer. I don't have a proxy, so I'm not worried about that.

What I'm going to do initially is just install the software update point, because that takes the longest amount of time to get configured, because we do have to synchronize our updates in order for our internet clients to actually be configured to use that. That can take a little bit to get that first catalog sync done, so we'll come back and do the MP and DP after we get this configured.

For WSUS we are going to be using ports 80 and 443, because we did switch that WSUS server to use that. By default, if you're using Windows Server 2012 or above, like I mentioned, the default port would be 8530, but since we switched that over, we're going to keep that. Then we are going to require SSL, because we did configure our WSUS server to require that.

Now, cloud management gateway: we'll probably talk about this in another video. This is similar to IBCM, but your components are going to run in Azure and then that's going to sync on to your site. It's kind of like IBCM, but you're hosting those site systems that your clients talk to out in Azure, so it's a little bit easier to get set up; you don't have to worry about DMZs and things like that.

In my case I'm only going to allow internet-only clients to connect against this software update point. You could also allow intranet clients if you wanted to, but in my case I'm going to install this site
system so that it would only be used for internet clients.

What we're going to do on the back end: we just want to make sure that that installs successfully. This becomes especially important if you're doing things like a DMZ, where it's pretty likely, if you don't have ports open, that the first attempt that you try might fail. What we're going to look at is the sitecomp.log on our site server. This is the Site Component Manager; this is going to show us copying files and installing the SMS Executive service to that remote machine. We can see it's now copying all the files to the admin$ and starting to install that service.

If we look over on that machine, I'm going to browse out to \\SCCM-IBCM\d$, because that's going to be the drive that it gets installed on. There's going to be some log files that come in soon. It doesn't look like we're quite there where we're installing the components yet, but that should happen.

All right, so we can see that we just installed the WSUS component for our software update point. If we come back to our logs folder, we should now have the SUPSetup log. This is the log that would be running on our remote site system that we're using, and we just want to make sure that the installation was successful. Now, more importantly (that install almost always is successful), what we're really worried about here is the WSUSCtrl.log. We want to make sure that we can successfully connect to the WSUS server on that remote system that we're installing and that we can successfully configure it. We can see that we did successfully connect and configure it to basically be a downstream server of our main software update point.

Now what I'm going to do, just to get that initial catalog syncing, is go ahead and kick off a software update point sync on my primary, and I'm just going to jump over to my site server logs on my primary and then review the WSyncMgr log. All right, so we can see, if we scroll up a
little bit, our WSUS sync was successful on our main primary, and then what we can see at the end of that log file is we now detect we have an additional replica WSUS server that we need to synchronize with our primary. We'll see that it starts to synchronize the categories and then it will go through and start synchronizing the updates. At this point it looks like things are good, but that initial sync can take about 30 minutes or so on average for a lab, so while that's running in the background, we'll go ahead and install the MP, DP, and SUP, I'm sorry, the MP and DP.

Now, one thing I might not have called out within that installation of the SUP: within that proxy server there is something called a connection account. If you were using a server that was untrusted, the connection account would be the account that allows that WSUS server to connect to configure it. If you had a WSUS in an untrusted domain, you would make sure that you entered credentials here that could connect to that remote WSUS server in order for us to configure it, to tell it to point to our primary software update point internally for the sync.

Moving back over to our machine, we're going to go ahead and add new site system roles on that DMZ or internet-facing site system, and then we're going to do our MP and DP, so we're going to do the management point and the distribution point. I am going to choose to install and configure IIS if required. I did install it and I should have had all the components that I needed, but just in case, we can go ahead and install the additional IIS role services if we did miss something. We are going to configure the distribution point to use HTTPS, because that's what we need for clients, and we're going to configure it to only use internet clients. I'm going to have all my roles for MP, DP, and SUP only allow connections from the internet.

Now this certificate down here is actually a little bit confusing. We don't actually need to import any certificate here for our
distribution point. This would be if you were using HTTPS internally: you would want to make sure you import the distribution point cert, and that would be used for clients during operating system deployment to authenticate back to our MP and DP to get content and policy. Since internet clients would never be doing OSD, we don't really need to worry about inserting the distribution point cert, but this is something we do cover in the previous guide that we talked about for switching SCCM to HTTPS.

Drive settings: I'm going default. I did set up my NO_SMS_ON_DRIVE.SMS for my C drive, so that's going to force everything to install on the D drive. Not worried about a pull distribution point, not worried about PXE or multicast; none of this would apply. Content validation, that won't apply.

Now, boundary groups: this is something that I do want to call out for internet-based client management. The clients out on the internet are not boundary aware, so they actually don't use boundaries at all. We can see here: clients that connect from the internet only communicate with site systems configured for internet only. But what we can see here is that, let me see if I can find it. All right, took a minute to find what I wanted to show you. Internet clients do not support roaming. What that means is they don't support any type of boundaries, so they can't determine what internet-facing site systems they should use based on speed or anything like that. Clients that are internet facing will always communicate with an internet-facing site system, but they don't do that in a type of way that allows you to specify which one to connect to, and it doesn't take any type of location or bandwidth into consideration; it would just randomly select one. Usually in most environments you would probably just have one internet-facing site system anyways, but just note, if you did have multiple, it would kind of be random what internet clients choose when they talk to that initial site system. So we don't
have to worry about any type of boundary groups for our server. We're going to configure our MP for HTTPS, and we are going to allow internet-only connections. OK.

All right, so this part: we're not going to use a replica, but the management point connection account could come into play if you were in an untrusted domain. In my case I'm not, so we can use the computer account of that remote site system to authenticate back to our SQL Server running our primary site. But if you were in an untrusted domain, you would have to use a connection account that has SQL permissions to connect back to your primary site database for the MP to do things like content lookups against the database. And then Next.

We should already have our sitecomp log open. OK, so we can see in the sitecomp log that it is currently installing the SMS management point. If we go back to that folder for our logs on that remote site system, there should be an MPSetup.log that shows up. This will give you more details about what's actually happening on that remote server. We can see that it did install successfully, so that looks good. We'll just wait a few minutes for that distribution point and all the other components to install, and we'll just monitor sitecomp to make sure everything looks good.

All right, so I gave that a minute; looks like all the components are now done. If we go back to the logs, I do want to check the mpcontrol.log on that remote system. We want to make sure that it successfully checked for the management point availability, so we verify that it could in fact check that the management point is up and listening on port 443. That's a good sign.

What we should be able to do at this point as well is come to a client machine, and we can basically browse out to make sure that the web page is listening. I should have the default IIS website just listening here; I don't have any type of filtering. We can see we are in fact able to communicate from a client, so that's a
good sign that we're able to access the server publicly as well.

All right, let's go back to our WSyncMgr log and just see what's going on there. It looks like that initial synchronization is still happening. On the client side, once that switches over to the internet, it wouldn't actually give you the internet-facing software update point until we do have this first sync completely done. But what we should be able to do is, over on our client, we can at least do some policy updates and try to get our internet-facing servers showing up in here. If we look at the Config Manager properties in the Control Panel applet, this is where we can verify whether or not it does have an internet-based management point within the site.

Now, you would expect that a policy update would usually bring this down, so if we came in here and actually ran a check, that will give us some information, but this property won't actually update until it does a new MP list check. That's not quite as frequent as the policy is by default, so what I'm going to do to force this on the client is restart the SMS Exec and give that a couple minutes. But your clients would definitely get this within a couple hours or so when they do an MP list lookup to see if there are any new management points available.

All right, so I just gave that service a minute to kick in. What we can do to check whether that got the new management point for our internet machine is under ClientLocation: we should see that there's a new management point that becomes available. It does look like it picked that up. If we come back into our Configuration Manager applet, under Network we can now see that it does see that public fully qualified domain name for the internet-based management point.

While we wait for that software update point to complete, what I am going to do is just verify that our distribution point is up and running for that remote site system we installed. What I'll actually do is I'll distribute
an application to it, just to get that tested out, to see whether we can distribute content. I'm just going to add it directly here. You could use a boundary group if you wanted to add that management point or that distribution point to get content that we target to a group; that could certainly be another option here. We'll give that a minute. All right, so that content did go out, so our DP is working and functioning; we got the content out. It looks like we're still waiting on our software update point; we've got a couple more minutes before that first sync happens.

While we wait for that, I'll actually go a bit deeper into how we can verify that the management point is in fact functioning. If you watched the PKI video, we actually talked about how we could do this, but I'll also show you how we can check it on the internet side of things. What I'm going to do is an MP list lookup. Now, this is really easy for sites that use HTTP, because they don't require client authentication, so you would just work by appending to the domain or the fully qualified website /SMS_MP/.sms_aut?mplist, and that would just show you a list of management points. Now with HTTPS, what we need is a client certificate, so we can basically simulate what a client would look like when it connects by importing a certificate into Internet Explorer.

We did cover this in the PKI video, but what we've done here is we've already requested the distribution point certificate, and that certificate allows the private key to be exported, because when we use the distribution point certificate we export it with the private key and then we import it into our console. Then clients using OSD can authenticate to our site, because they have that private key when they're in WinPE. What we can also do with that certificate is import it into Internet Explorer if we want to run a quick test. I enter the password that I used when I exported that, and then finish that.
Now what that's going to allow us to do when we go and check this MPLIST, and we're even using that public name when we're checking it. This does require an Internet Explorer restart, so if I close IE now that I imported that cert and if we paste that in again. Now one thing I did notice is that with IE it does have a notification, but sometimes it shows in the back end. So what it's basically doing is the IIS server is saying that we require authentication, what certificate do you want to use? So this is the client certificate for our DP; we'll select that, and what that's going to allow us to do is basically validate that our management point is functioning, and it will list out the MPs within the site for internal communication. So this is coming from our internet-facing MP, so it is listening and it is functioning. We can notice that it doesn't have that internet-facing management point, because that's not going to be advertised in the MPLIST lookup because it's internet facing, but this can validate that we are in fact listening. And to validate it again, there's also an MPCERT check that we can check to make sure that the management point has a cert and it is functioning and running. So I just wanted to kill some time; I figured I'd kind of show you what that could look like if you did want to validate that using a client cert that you import into IE. So now that that's done, we're going to go ahead and remove that, but what that should do is validate that the management point is functioning and it would be able to serve clients, because they have their client auth cert out on the internet. All right, so we are back. We can see that the replica synchronization did complete, so we should have that software update point all configured and completely synchronized and ready to take scans from clients. So what I'm going to do is, we have a Windows 10 machine and it's currently on the intranet, so this is the machine that we were just looking at right here; we verified
it got policy, it did an MP location lookup, and it does now have that internet-facing management point in its policy and in its list. So what we're going to do is go and configure that. It's a VM; it's currently using an Ethernet adapter connected to my local net, but what we're going to do is switch that over to a wireless emulated switch that is connected to a guest network. What that should do is eliminate access from this machine to have any type of communication with my domain, so it should then be considered an internet-facing client when we do this switch here. Okay, so I'll just refresh this, make sure we still have internet; that looks good. Just to run a quick check, let's do a ping contoso.local, so that's my domain; looks like we are offline from our network. So we'll ping sccm3.contoso.local. So it looks like that guest network did do what we wanted it to do, so we now can't communicate with our site at all. So what I'm going to do in my client logs, we're going to go look at ClientLocation and we are going to look at LocationServices. Now one thing I did notice is that when we switch from our Hyper-V switch using the internal Ethernet to the Wi-Fi, that doesn't detect any type of network change on the client side, so what I'm going to do is go ahead and restart the SMS agent just so we can do a location request when we restart. Now obviously if a client were to connect to Wi-Fi, for example if they would be out on the internet, what would happen is the client would automatically detect that location change and then it would switch over to the management point for the internet. So what we can see in ClientLocation.log is we can now see it's domain joined, but it now says it's on the internet, so that network did switch it over, so it no longer detects that it's on our local net. So what we're going to do next is I'm going to look at the CcmMessaging.log, so the CcmMessaging.log
it's going to show us any type of HTTP requests that are going to our site. So for example, what we can see here is we were previously talking to our internal management point, so we can see sccm3.contoso.local, but when we switch that service over, what we can see is we now have new requests going in, and it's going into ibcm.setupconfigmgr.com, so we did switch over to the internet. We can verify we are getting good HTTP result codes when we're talking to our management point. The next thing I want to look at, I'm not sure if this has happened yet, but under WUAHandler, that will show us when we switched to our internet-facing software update point. So it looks like there's not really much activity going there; I don't think this will switch over until we do a software update scan cycle. But what we can see is we are currently on the internet, and what we're going to do here is perform a software update scan cycle, and we can see that that scan cycle did in fact switch our client to the internet-facing software update point. So previously I did clear the log file so we don't see any previous activity; I was pointing to that sccm3.contoso.local, so it did switch it over automatically on the client side because we're now on the internet. And so what it's going to do next, if we go and look at the ScanAgent log. Oh, that's not what I wanted to do. I mean, get that guy back over here. It looks like I wasn't passing my Windows key, so it would snap that over. So if we go back to our VM, under ScanAgent we can see that we're currently performing a full scan, so that's going against our internet-facing software update point, so I'll pause this while we wait for that to complete. All right, so we can see the scan was successful here, so if we zoom in we can see the scan did perform. I do like going into a bit of detail sometimes about what's actually happening on the back end, so what I've done on my software update point for my internet
facing role, I've gone into the IIS log files for my default website. So this is the old WSUS website, and we moved that over, so we just look at the default folder here and then the log file. So we can see all the activity of the software update point syncing from our primary SCCM3 server, but what we're interested in is seeing this client actually communicate with IIS. So if we look down here, we can see the client right over here; it looks like it's using an IPv6 for my internet address. It's doing all these scans against the web service, so that's where we're doing our client scans. We can also see the client over here doing the different IIS posts for the SCCM server as well, so for example here's the CCM folders here that we're connecting with in IIS, so that looks pretty good here. So jumping back over to my client, we do have a deployment targeting that, so what we can do is open up Software Center, and hopefully we can just verify that things are in fact working over the internet, like app deployment for example. So if I come over here and click on install, we can see that all looks like it installed. Now it might be common that you might run into some issues if things aren't quite working right for your internet clients. The first thing that we would look at is the CAS request, so we can see that in the CAS; that's the content requests that come in, and that's going to be where we see whether or not we found the content. So here we go, we can see that request being made for that application for 7-Zip, and we can see that it is pointing to our internet-facing distribution point. Now to actually monitor the download, if something were to happen in the download, the data transfer service will actually show us when we're connecting in and downloading that content from our internet-facing distribution point, so that's where we could monitor that as well. Now I did also target an update, so this might be an interesting one to walk through as well. What should happen in this scenario, let me try
to kick this off just to see if this will work, but the way updates work from Microsoft is they should, for internet clients, actually download from the internet from Microsoft Update, because that makes sense, right? If they're already out on the internet, there'd be no purpose to come back into your environment to use bandwidth when that update is actually available. So here we can see for the internet client we're actually pointing out to the Windows Update service, so we grab that update from there and that's what we're actually going to download into our cache. Looks like the download has actually already happened, and now we're just verifying that it was installed, and looks like that all worked successfully. And I think that's all I was looking to cover, so I think we hit the main points: we set up IBCM, set up our SUP, DP, MP, verified the client could download an app and scan and install an update. I didn't cover the application catalog; that could potentially be a site system role that you could install, but since that's going to be deprecated, since we can now do user deployments natively in the new Software Center, I don't think that would really be too big of a deal to cover within this video. If you have any questions, this is a deep topic; if you have any DMZ or untrusted forest questions, hit me up on Twitter at Chalfant Justin, leave a comment in the video and/or blog post, and I'm more than happy to help with anything that you might be interested in getting answers for. Thank you for watching.
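The MPLIST and MPCERT checks described in the video can also be scripted instead of importing the certificate into Internet Explorer. This is an added example, not code from the video or from Patch My PC; the host name `mp.example.com` is a placeholder, `Test-ClientAuthCert` is a hypothetical helper name, and the MPLIST response layout noted in the comments is an assumption.

```powershell
# Added example: scripted MPLIST / MPCERT check against an internet-facing management point.
param(
    [string]$MpHost = 'mp.example.com',       # placeholder: public FQDN of the internet-facing MP
    [string]$Store  = 'Cert:\CurrentUser\My'  # store holding the imported test certificate
)

$ClientAuthOid = '1.3.6.1.5.5.7.3.2'          # Client Authentication EKU

function Test-ClientAuthCert {                # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Reject certificates without a private key or already expired.
    if (-not $Cert.HasPrivateKey -or $Cert.NotAfter -le (Get-Date)) { return $false }
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

# Use the longest-lived certificate that can be presented for client authentication.
$cert = Get-ChildItem -Path $Store |
    Where-Object { Test-ClientAuthCert $_ } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No valid client authentication certificate with a private key in $Store" }
Write-Host "Using certificate $($cert.Subject) [$($cert.Thumbprint)]"

foreach ($query in 'mplist', 'mpcert') {
    $uri = "https://$MpHost/sms_mp/.sms_aut?$query"
    try {
        $resp = Invoke-WebRequest -Uri $uri -Certificate $cert -UseBasicParsing -TimeoutSec 30
        Write-Host "$query : HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
        if ($query -eq 'mplist') {
            # Assumed layout: <MPList><MP Name="..." FQDN="..."/>...</MPList>
            ([xml]$resp.Content).SelectNodes('//MP') |
                ForEach-Object { Write-Host "  MP: $($_.GetAttribute('FQDN'))" }
        }
    }
    catch {
        # A 403 here usually means IIS did not receive, or did not trust, the client certificate.
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        Write-Warning "$query failed (HTTP status: $status): $($_.Exception.Message)"
    }
}
```

Remove the test certificate from the user store afterwards, as the video does, since the distribution point certificate carries an exportable private key.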
Info
Channel: Patch My PC
Views: 40,741
Rating: 4.9478259 out of 5
Keywords: SCCM, SCCM IBCM, SCCM Internet-Based Client Management, SCCM PKI, SCCM Guides, Patch My PC, Justin Chalfant
Id: GbIOxNhJ9lU
Length: 48min 39sec (2919 seconds)
Published: Thu May 31 2018