04 – How To Configure Internet-Based Client Management (IBCM) in Microsoft SCCM

by | Jun 1, 2018 | IBCM, SCCM Guides | 27 comments

Overview

In this step-by-step guide, we will walk through the process of installing and configuring a Microsoft SCCM site to use Internet-Based Client Management.

Topics in Video

Reviewing Internet-Based Client Management Prerequisites – https://youtu.be/GbIOxNhJ9lU?t=1
Requesting the IIS Certificate on the Internet-Facing Site System – https://youtu.be/GbIOxNhJ9lU?t=508
Changing WSUS to require SSL – https://youtu.be/GbIOxNhJ9lU?t=806
Installing the Software Update Point – https://youtu.be/GbIOxNhJ9lU?t=1203
Installing the Management Point and Distribution Point – https://youtu.be/GbIOxNhJ9lU?t=1656
Verify Client Gets New IBCM MP – https://youtu.be/GbIOxNhJ9lU?t=2019
Verify Content Gets Distributed To IBCM DP – https://youtu.be/GbIOxNhJ9lU?t=2119
Checking the MPLIST and MPCERT on the Internet-Facing Management Point – https://youtu.be/GbIOxNhJ9lU?t=2160
Client Testing on the Internet – https://youtu.be/nChKKM9APAQ?t=1176

Documentation for Topics in this Guide:

Plan for Internet-based client management in System Center Configuration Manager – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management
Features that Are Not Supported on the Internet – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management
Considerations for client communications from the Internet or untrusted forest – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management#considerations-for-client-communications-from-the-internet-or-untrusted-forest
Prerequisites for Internet-Based Client Management (IBCM) in Configuration Manager – https://blogs.technet.microsoft.com/jchalfant/prerequisites-for-internet-based-client-management-ibcm-in-configuration-manager/
How To Configure Microsoft SCCM to Use HTTPS/PKI – https://setupconfigmgr.com/how-to-configure-microsoft-sccm-to-use-https-pki
How to Publish the CRL on a Separate Web Server – https://cloudblogs.microsoft.com/enterprisemobility/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server/
Common HTTPS errors in Configuration Manager – http://blogs.msdn.com/b/ameltzer/archive/2008/04/14/common-native-mode-client-mp-error-messages-and-what-to-do-about-them.aspx
Ports Required for a Site System in DMZ in Configuration Manager – https://blogs.technet.microsoft.com/b/jchalfant/archive/2015/04/08/ports-required-for-a-site-system-in-dmz-in-configuration-manager.aspx
IIS Error 403.13 Client Certificate Revoked if IIS can’t access the Clients CRL Distribution Point – https://support.microsoft.com/en-us/help/294305/iis-returns-http-403-13-client-certificate-revoked-error-message-altho
How to Configure the WSUS Web Site to Use SSL – https://technet.microsoft.com/en-us/library/bb633246.aspx

Share1

1 Shares

27 Comments

Kevin Johnston on June 1, 2018 at 5:36 PM

My company is looking to manage some of the servers located in our dmz. They have their own domain as well. I am not sure they will want any infrastructure in the dmz to get updates. We have a single primary server. What would be your high level recommendation on leveraging the existing primary and wsus, to get these servers patched? Our server team hates dealing with these servers as it is all manual.
Reply
- Justin Chalfant on June 1, 2018 at 11:34 PM
  
  If you don’t want to put any infrastructure out there, you will need to open the ports used by clients to connect back to your site systems on your local network so they can be managed. Here are the ports used by SCCM: https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/ports#BKMK_CommunicationPorts. Since this is an untrusted domain, you will need to define the sitecode and MP: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-properties in the install properties. Also, you would need to manually approve the clients in order for them to be approved and get policy after the install if you are using the default client approval in SCCM.
  Reply
  - Kevin Johnston on June 3, 2018 at 7:29 PM
    
    Great advice, thank you for these videos!!
    Reply
Matt on August 2, 2018 at 12:57 PM

Hello Justin! Great Videos-thank you for the insight! We are trying to deploy patches to our internet based machines without any success. We can deploy apps , but not patches…
Reply
- Justin Chalfant on August 2, 2018 at 3:43 PM
  
  What are you seeing in CCMMesseging, WUAHandler.log, ScanAgent.log, LocationServices.log, and ClientLocation.log?
  Reply
  - Fredrik on September 20, 2018 at 7:53 AM
    
    Great Videos, got it working With apps!
    
    However we got the same issue regarding patches.
    
    Scanlog:
    Sources are current, but invalid. TTL is also invalid.
    failed at OnScanComplete With error=0x87d00631
    Reply
    - Justin Chalfant on September 20, 2018 at 8:28 AM
      
      Is it just update scans failing?
      Reply
      - Jeff on April 2, 2020 at 7:37 AM
        
        Did this ever get solved? Is SUP role needed on the IBCM? My internet clients still seem to be trying to connect to my internal SUP.
- Simranjeet on October 19, 2020 at 11:09 PM
  
  I’m also facing the same issue application deployment works for VPN clients but not the Software updates.
  
  Scan Agent logs gives below error: ScanCompleteCallback – failed at OnScanComplete with error=0x87d00631
  Reply
  - Justin Chalfant on December 1, 2020 at 11:42 AM
    
    0x87d00631 = Scan retry is pending
    Reply
Radouane LARIS on December 4, 2018 at 3:59 AM

Hello Justin,
Such a great article that helped me to understand a lot of things !
I have a request:
We have currently a single SCCM 2012 R2 server with all roles (DP,SUP,MP…) set in our LAN, it manages all clients & servers (~1000) for application/package deployments and software updates (no OSD), and it is not configured to use SSL.
We have a domain in signle forest and a PKI already in place.
All clients are domain joined and trust our CA.
We won’t accept untrusted domain.
We have a DMZ where we put Internet facing servers.
We want to manage/update the clients by the DMZ SCCM server when they in Internet. When they connect to LAN, they will be managed/updated by the LAN SCCM.

If my understanding is good, we will need another SCCM to be placed in this DMZ where we install DP,SUP,MP roles and set SSL on it.

I am wondering whether this scenario is possible and how can I answer that.

Many thanks for your help.
Radouane
Reply
- Justin Chalfant on December 4, 2018 at 8:03 AM
  
  I think for you guys Cloud Management Gateway makes a lot more sense than IBCM. It will be MUCH easier check guide 11 i did on CMG.
  Reply
  - Radouane LARIS on December 6, 2018 at 6:50 AM
    
    Thanks Justin,
    I already suggested this option but for laws and regulations we are far from adopting any cloud services.
    Back to my request, what would be the best scenario for on-premise solution ?
    Reply
    - Justin Chalfant on December 6, 2018 at 10:05 AM
      
      Yeah, you would need to set up a site system with MP/DP/SUP to serve internet-facing clients.
      Reply
Krish on September 24, 2019 at 7:00 PM

Hello Justin,

How was the WSUS setup? Downstream or WSUS with using the same SQL database as the Primary WSUS?
Reply
- Justin Chalfant on September 25, 2019 at 2:09 AM
  
  In my testing, I believe it may have been a shared WSUS DB, but either is fine.
  Reply
  - Krish on September 25, 2019 at 8:57 AM
    
    Great Justin. Thank you for responding promptly.
    Reply
Stefan V on May 13, 2020 at 7:35 AM

Hi Justin,

again a great video!

We have 1 CAS and 4 Primary Sites. It is possible to use 1 IBCM for all Primary Sites?

If so, how?

Currently IBCM is MP for Primary Site 1 and ony clients for Primary Site 1 “knows” the IBCM.

Thanks!
Reply
- Justin Chalfant on May 27, 2020 at 4:51 AM
  
  That’s a good question I want to say you would need one at each primary, but I could be wrong. I would have to check the docs.
  Reply
Diba on June 18, 2020 at 11:47 PM

Hi Justin,
Is it possible to deploy SCUP updates to IBCM clients?
Reply
- Justin Chalfant on June 19, 2020 at 8:38 AM
  
  Yeah, they should work just fine.
  Reply
EV on September 11, 2020 at 9:26 PM

Hello Justin,

Great info here. my question is, can you use a single public certificate (like the ones you buy for an https website) for all of these configs? all clients and servers should trust that public certificate, right?

Thank you.
Reply
- Justin Chalfant on October 14, 2020 at 5:35 PM
  
  That should work for the public DNS name for the public-facing MP.
  Reply
Daniel Atencio on November 26, 2020 at 1:21 PM

Hi Justin, I do have a question. At 9:21 you mention that there’s this new server (IBCM); is this another server running sccm? Is this a requisite or can everything be run from a single site? You didn’t mention this before and it makes it impossible (at least for me since I am a complete newbie) to follow the rest of the video/series. Thanks a lot!
Reply
- Justin Chalfant on December 1, 2020 at 11:39 AM
  
  The IBCM server was a different site system in my environment (in DMZ) for example.
  Reply
Duncan Simpson on December 1, 2020 at 11:33 AM

Hi Justin!
Great videos! We’ve almost got our IBCM working with by way having a domain in our DMZ (trusts and firewalls all good!). PKI is fine as well. But, the SCCM server that will be the IBCM host for external clients is having getting issues connecting to our SQL server. I see Kerberos error messages on the IBCM server, and in mpcontrol.log on the same server it gets Target Principle name incorrect for MP_CONTROL_ACCESS.
I think I’ve checked everything I can think of, DNS suffix settings on both IBCM and SCCM Site server as well as Kerberos Forest Search on each side as well.
On the main SCCM Site server, the local sql service is running as a domain account, and I’ve tried using the same account under the management point connection account as well as others…
Seem to be stuck at a loose end somewhere.
Any ideas?
Reply
- Justin Chalfant on December 1, 2020 at 11:37 AM
  
  Did you configure a connection account for the MP to connect to the database?
  Reply