04 – How To Configure Internet-Based Client Management (IBCM) in Microsoft SCCM

by | Jun 1, 2018 | IBCM, SCCM Guides | 19 comments

Overview

In this step-by-step guide, we will walk through the process of installing and configuring a Microsoft SCCM site to use Internet-Based Client Management.

Topics in Video

Reviewing Internet-Based Client Management Prerequisites – https://youtu.be/GbIOxNhJ9lU?t=1
Requesting the IIS Certificate on the Internet-Facing Site System – https://youtu.be/GbIOxNhJ9lU?t=508
Changing WSUS to require SSL – https://youtu.be/GbIOxNhJ9lU?t=806
Installing the Software Update Point – https://youtu.be/GbIOxNhJ9lU?t=1203
Installing the Management Point and Distribution Point – https://youtu.be/GbIOxNhJ9lU?t=1656
Verify Client Gets New IBCM MP – https://youtu.be/GbIOxNhJ9lU?t=2019
Verify Content Gets Distributed To IBCM DP – https://youtu.be/GbIOxNhJ9lU?t=2119
Checking the MPLIST and MPCERT on the Internet-Facing Management Point – https://youtu.be/GbIOxNhJ9lU?t=2160
Client Testing on the Internet – https://youtu.be/nChKKM9APAQ?t=1176

Documentation for Topics in this Guide:

Plan for Internet-based client management in System Center Configuration Manager – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management
Features that Are Not Supported on the Internet – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management
Considerations for client communications from the Internet or untrusted forest – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management#considerations-for-client-communications-from-the-internet-or-untrusted-forest
Prerequisites for Internet-Based Client Management (IBCM) in Configuration Manager – https://blogs.technet.microsoft.com/jchalfant/prerequisites-for-internet-based-client-management-ibcm-in-configuration-manager/
How To Configure Microsoft SCCM to Use HTTPS/PKI – https://setupconfigmgr.com/how-to-configure-microsoft-sccm-to-use-https-pki
How to Publish the CRL on a Separate Web Server – https://cloudblogs.microsoft.com/enterprisemobility/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server/
Common HTTPS errors in Configuration Manager – http://blogs.msdn.com/b/ameltzer/archive/2008/04/14/common-native-mode-client-mp-error-messages-and-what-to-do-about-them.aspx
Ports Required for a Site System in DMZ in Configuration Manager – https://blogs.technet.microsoft.com/b/jchalfant/archive/2015/04/08/ports-required-for-a-site-system-in-dmz-in-configuration-manager.aspx
IIS Error 403.13 Client Certificate Revoked if IIS can’t access the Clients CRL Distribution Point – https://support.microsoft.com/en-us/help/294305/iis-returns-http-403-13-client-certificate-revoked-error-message-altho
How to Configure the WSUS Web Site to Use SSL – https://technet.microsoft.com/en-us/library/bb633246.aspx

Share1

1 Shares

19 Comments

Kevin Johnston on June 1, 2018 at 5:36 PM

My company is looking to manage some of the servers located in our dmz. They have their own domain as well. I am not sure they will want any infrastructure in the dmz to get updates. We have a single primary server. What would be your high level recommendation on leveraging the existing primary and wsus, to get these servers patched? Our server team hates dealing with these servers as it is all manual.
Reply
- Justin Chalfant on June 1, 2018 at 11:34 PM
  
  If you don’t want to put any infrastructure out there, you will need to open the ports used by clients to connect back to your site systems on your local network so they can be managed. Here are the ports used by SCCM: https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/ports#BKMK_CommunicationPorts. Since this is an untrusted domain, you will need to define the sitecode and MP: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-properties in the install properties. Also, you would need to manually approve the clients in order for them to be approved and get policy after the install if you are using the default client approval in SCCM.
  Reply
  - Kevin Johnston on June 3, 2018 at 7:29 PM
    
    Great advice, thank you for these videos!!
    Reply
Matt on August 2, 2018 at 12:57 PM

Hello Justin! Great Videos-thank you for the insight! We are trying to deploy patches to our internet based machines without any success. We can deploy apps , but not patches…
Reply
- Justin Chalfant on August 2, 2018 at 3:43 PM
  
  What are you seeing in CCMMesseging, WUAHandler.log, ScanAgent.log, LocationServices.log, and ClientLocation.log?
  Reply
  - Fredrik on September 20, 2018 at 7:53 AM
    
    Great Videos, got it working With apps!
    
    However we got the same issue regarding patches.
    
    Scanlog:
    Sources are current, but invalid. TTL is also invalid.
    failed at OnScanComplete With error=0x87d00631
    Reply
    - Justin Chalfant on September 20, 2018 at 8:28 AM
      
      Is it just update scans failing?
      Reply
      - Jeff on April 2, 2020 at 7:37 AM
        
        Did this ever get solved? Is SUP role needed on the IBCM? My internet clients still seem to be trying to connect to my internal SUP.
Radouane LARIS on December 4, 2018 at 3:59 AM

Hello Justin,
Such a great article that helped me to understand a lot of things !
I have a request:
We have currently a single SCCM 2012 R2 server with all roles (DP,SUP,MP…) set in our LAN, it manages all clients & servers (~1000) for application/package deployments and software updates (no OSD), and it is not configured to use SSL.
We have a domain in signle forest and a PKI already in place.
All clients are domain joined and trust our CA.
We won’t accept untrusted domain.
We have a DMZ where we put Internet facing servers.
We want to manage/update the clients by the DMZ SCCM server when they in Internet. When they connect to LAN, they will be managed/updated by the LAN SCCM.

If my understanding is good, we will need another SCCM to be placed in this DMZ where we install DP,SUP,MP roles and set SSL on it.

I am wondering whether this scenario is possible and how can I answer that.

Many thanks for your help.
Radouane
Reply
- Justin Chalfant on December 4, 2018 at 8:03 AM
  
  I think for you guys Cloud Management Gateway makes a lot more sense than IBCM. It will be MUCH easier check guide 11 i did on CMG.
  Reply
  - Radouane LARIS on December 6, 2018 at 6:50 AM
    
    Thanks Justin,
    I already suggested this option but for laws and regulations we are far from adopting any cloud services.
    Back to my request, what would be the best scenario for on-premise solution ?
    Reply
    - Justin Chalfant on December 6, 2018 at 10:05 AM
      
      Yeah, you would need to set up a site system with MP/DP/SUP to serve internet-facing clients.
      Reply
Krish on September 24, 2019 at 7:00 PM

Hello Justin,

How was the WSUS setup? Downstream or WSUS with using the same SQL database as the Primary WSUS?
Reply
- Justin Chalfant on September 25, 2019 at 2:09 AM
  
  In my testing, I believe it may have been a shared WSUS DB, but either is fine.
  Reply
  - Krish on September 25, 2019 at 8:57 AM
    
    Great Justin. Thank you for responding promptly.
    Reply
Stefan V on May 13, 2020 at 7:35 AM

Hi Justin,

again a great video!

We have 1 CAS and 4 Primary Sites. It is possible to use 1 IBCM for all Primary Sites?

If so, how?

Currently IBCM is MP for Primary Site 1 and ony clients for Primary Site 1 “knows” the IBCM.

Thanks!
Reply
- Justin Chalfant on May 27, 2020 at 4:51 AM
  
  That’s a good question I want to say you would need one at each primary, but I could be wrong. I would have to check the docs.
  Reply
Diba on June 18, 2020 at 11:47 PM

Hi Justin,
Is it possible to deploy SCUP updates to IBCM clients?
Reply
- Justin Chalfant on June 19, 2020 at 8:38 AM
  
  Yeah, they should work just fine.
  Reply