1 / 30

Native Mode in Microsoft System Center Configuration Manager

Native Mode in Microsoft System Center Configuration Manager . Jason Sandys Senior Lead Consultant Catapult Systems, Inc. Session Code: MGT312. Native Mode Setup Dialogs. Overview. What Is Native Mode Benefits Pre-requisites PKI Refresher Misperceptions

obert
Download Presentation

Native Mode in Microsoft System Center Configuration Manager

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Native Mode in Microsoft System Center Configuration Manager Jason Sandys Senior Lead Consultant Catapult Systems, Inc. Session Code: MGT312

  2. Native Mode Setup Dialogs

  3. Overview • What Is Native Mode • Benefits • Pre-requisites • PKI Refresher • Misperceptions • Certificate Deployment & Demo • Implications • Notes from the Field

  4. What Is Native Mode? • A site mode for Configuration Manager that dictates key client to site system communication DP* MP SUP SMP

  5. Benefits • Enables Internet Based Client Management (IBCM) • Inventory • Software Distribution • Software Updates • Desired Configuration Management Compliance • Security in general

  6. Prerequisites • Certificates (aka Public Key Infrastructure) • Clients • ConfigMgr 2007 only • Windows 2000 not supported DP* MP SUP SMP

  7. PKI Refresher Key Distribution • How do I get your Public Key? • Trusted source • Certificates • Trust

  8. PKI RefresherCertificate Revocation Lists (CRL)Certificate Distribution Points (CDP) CRL CDP LDAP FTP SMB HTTP

  9. Misperceptions • PKI is Easy • You must use a Microsoft PKI • AMT takes advantage of Native Mode

  10. MisperceptionsEnterprise Edition = Enterprise CA

  11. Misperceptions • Internet-based clients can roam • Fallback Status Points (FSP) are only for Native Mode • An FSP in a Native Mode site can happily co-exist with other site roles

  12. Misperceptions • Mixed mode does not use certificates • Native mode protects all site communication • Only domain joined systems can participate in a Native Mode site

  13. Certificate Deployment • Three Primary Certificate Types • Primary Site Server Signing Cert • Site System Server Authentication Cert(s) • Client Authentication Certs • All Clients must have their own, unique client authentication certificate • Secondary site servers do not need a site server signing certificate

  14. demo Certificate Deployment

  15. ImplicationsAgent Deployment • Certificates on the clients • By default SLPs are not used • “Internet only” clients must be installed manually • CCMSetup.exe /native:CRL SMSSITECODE=ABC SMSMP=mgmtpoint

  16. ImplicationsWSUS/SUP • Must manually add the Web server cert in IIS • Must manually configure IIS for SSL • Require SSL on virtual directories • APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system>

  17. ImplicationsOSD • Boot Images require client certificatesand a copy of the Root CA certificate • Build and Capture reference systems are not on the domain • CDP must be available PXE

  18. Notes from the FieldInitial Installation • Install in mixed mode and migrate • Easier to troubleshoot • Better when no PKI in place already • Better for organizations unfamiliar with ConfigMgr • Install in native mode • Requires PKI • Compounding issues

  19. Notes from the FieldPKI Decisions • Some decisions are not reversible without a lot of pain • Just because it works in the lab, does not mean it will work in production CRL Distribution Points Certificate Validity Period Key Length

  20. Notes from the FieldIntra-SUP Communication • SUP to SUP communication is mostly HTTPS in native mode Active EULAs SUP SUP Internet Based Update Metadata Configuration

  21. Notes from the FieldPKI Timing • Certificate deployment is not instantaneous • Templates are stored in AD • Clients must be active and have connectivity to request a certificate • Plan for this delay

  22. Other Notables • Native Mode is not a one-way choice • Parent sites must be migrated first • Mixed mode parent sites do not support Native Mode child sites • Secondary site modes are dictated by their parent site’s mode • Native Mode Readiness Toolhttp://technet.microsoft.com/en-us/library/bb680986.aspx

  23. Links • MS Internet Clients & Native Mode Forumhttp://social.technet.microsoft.com/Forums/en/configmgribcm/threads/ • System Center ConfigMgrTechCenter Libraryhttp://technet.microsoft.com/en-us/library/bb735860.aspx • Configuration Manager Team Bloghttp://blogs.technet.com/configmgrteam/ • My Blog http://myitforum.com/cs2/blogs/jsandys

  24. Resources • www.microsoft.com/teched Sessions On-Demand & Community • www.microsoft.com/learning • Microsoft Certification & Training Resources • http://microsoft.com/technet • Resources for IT Professionals • http://microsoft.com/msdn Resources for Developers www.microsoft.com/learning Microsoft Certification and Training Resources

  25. Related Content MGT304 Deploying Microsoft System Center Configuration Manager 2007, Part 1: Site Deployment MGT305 Deploying Microsoft System Center Configuration Manager 2007, Part 2: Client Deployment MGT306 Deploying Microsoft System Center Configuration Manager 2007, Part 3: Hierarchy Design and Implementation Best Practices MGT02-HOL Microsoft System Center Configuration Manager: Migrating from Mixed Mode to Native Mode

  26. Management Track Resources • Key Microsoft Sites • System Center on Microsoft.com: http://www.microsoft.com/systemcenter • System Center on TechNet: http://technet.microsoft.com/systemcenter/ • Virtualization on Microsoft.com: http://www.microsoft.com/virtualization • Community Resources • System Center Team Blog: http://blogs.technet.com/systemcenter • System Center on TechNet Edge: http://edge.technet.com/systemcenter • System Center on Twitter: http://twitter.com/system_center • Virtualization Feed: http://www.virtualizationfeed.com • System Center Influencers Program: Content, connections, and resources for influencers in the System Center Community. For information, contact scnetsup@microsoft.com

  27. Complete an evaluation on CommNet and enter to win!

  28. question & answer

  29. © 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

More Related