Overview
In this step-by-step guide, we will walk through the process of installing and configuring a Microsoft SCCM site to use Internet-Based Client Management.
Topics in Video
- Reviewing Internet-Based Client Management Prerequisites – https://youtu.be/GbIOxNhJ9lU?t=1
- Requesting the IIS Certificate on the Internet-Facing Site System – https://youtu.be/GbIOxNhJ9lU?t=508
- Changing WSUS to require SSL – https://youtu.be/GbIOxNhJ9lU?t=806
- Installing the Software Update Point – https://youtu.be/GbIOxNhJ9lU?t=1203
- Installing the Management Point and Distribution Point – https://youtu.be/GbIOxNhJ9lU?t=1656
- Verify Client Gets New IBCM MP – https://youtu.be/GbIOxNhJ9lU?t=2019
- Verify Content Gets Distributed To IBCM DP – https://youtu.be/GbIOxNhJ9lU?t=2119
- Checking the MPLIST and MPCERT on the Internet-Facing Management Point – https://youtu.be/GbIOxNhJ9lU?t=2160
- Client Testing on the Internet – https://youtu.be/nChKKM9APAQ?t=1176
Documentation for Topics in this Guide:
- Plan for Internet-based client management in System Center Configuration Manager – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management
- Features that Are Not Supported on the Internet – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management
- Considerations for client communications from the Internet or untrusted forest – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management#considerations-for-client-communications-from-the-internet-or-untrusted-forest
- Prerequisites for Internet-Based Client Management (IBCM) in Configuration Manager – https://blogs.technet.microsoft.com/jchalfant/prerequisites-for-internet-based-client-management-ibcm-in-configuration-manager/
- How To Configure Microsoft SCCM to Use HTTPS/PKI – https://setupconfigmgr.com/how-to-configure-microsoft-sccm-to-use-https-pki
- How to Publish the CRL on a Separate Web Server – https://cloudblogs.microsoft.com/enterprisemobility/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server/
- Common HTTPS errors in Configuration Manager – http://blogs.msdn.com/b/ameltzer/archive/2008/04/14/common-native-mode-client-mp-error-messages-and-what-to-do-about-them.aspx
- Ports Required for a Site System in DMZ in Configuration Manager – https://blogs.technet.microsoft.com/b/jchalfant/archive/2015/04/08/ports-required-for-a-site-system-in-dmz-in-configuration-manager.aspx
- IIS Error 403.13 Client Certificate Revoked if IIS can’t access the Clients CRL Distribution Point – https://support.microsoft.com/en-us/help/294305/iis-returns-http-403-13-client-certificate-revoked-error-message-altho
- How to Configure the WSUS Web Site to Use SSL – https://technet.microsoft.com/en-us/library/bb633246.aspx
I'm Justin Chalfant! I'm the founder of 
My company is looking to manage some of the servers located in our dmz. They have their own domain as well. I am not sure they will want any infrastructure in the dmz to get updates. We have a single primary server. What would be your high level recommendation on leveraging the existing primary and wsus, to get these servers patched? Our server team hates dealing with these servers as it is all manual.
If you don’t want to put any infrastructure out there, you will need to open the ports used by clients to connect back to your site systems on your local network so they can be managed. Here are the ports used by SCCM: https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/ports#BKMK_CommunicationPorts. Since this is an untrusted domain, you will need to define the sitecode and MP: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-properties in the install properties. Also, you would need to manually approve the clients in order for them to be approved and get policy after the install if you are using the default client approval in SCCM.
Great advice, thank you for these videos!!
Hello Justin! Great Videos-thank you for the insight! We are trying to deploy patches to our internet based machines without any success. We can deploy apps , but not patches…
What are you seeing in CCMMesseging, WUAHandler.log, ScanAgent.log, LocationServices.log, and ClientLocation.log?
Great Videos, got it working With apps!
However we got the same issue regarding patches.
Scanlog:
Sources are current, but invalid. TTL is also invalid.
failed at OnScanComplete With error=0x87d00631
Is it just update scans failing?