Overview
In this step-by-step guide, we will walk through the process of installing and configuring a Microsoft SCCM site to use Internet-Based Client Management.
Topics in Video
- Reviewing Internet-Based Client Management Prerequisites – https://youtu.be/GbIOxNhJ9lU?t=1
- Requesting the IIS Certificate on the Internet-Facing Site System – https://youtu.be/GbIOxNhJ9lU?t=508
- Changing WSUS to require SSL – https://youtu.be/GbIOxNhJ9lU?t=806
- Installing the Software Update Point – https://youtu.be/GbIOxNhJ9lU?t=1203
- Installing the Management Point and Distribution Point – https://youtu.be/GbIOxNhJ9lU?t=1656
- Verify Client Gets New IBCM MP – https://youtu.be/GbIOxNhJ9lU?t=2019
- Verify Content Gets Distributed To IBCM DP – https://youtu.be/GbIOxNhJ9lU?t=2119
- Checking the MPLIST and MPCERT on the Internet-Facing Management Point – https://youtu.be/GbIOxNhJ9lU?t=2160
- Client Testing on the Internet – https://youtu.be/nChKKM9APAQ?t=1176
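The "Checking the MPLIST and MPCERT" step above can be scripted from any host that can reach the internet-facing management point. This is an added example, not code from the video or the guide; `$MpFqdn` and `$ClientCertThumbprint` are placeholders, and the two `/sms_mp/.sms_aut?mplist` and `?mpcert` URLs are the management point's standard availability endpoints.

```powershell
# Added example, not part of the guide: probe the internet-facing MP's MPLIST and
# MPCERT URLs over HTTPS and report the IIS certificate the MP presents.
# $MpFqdn and $ClientCertThumbprint are placeholders to replace with your own values.

$MpFqdn = 'ibcm-mp.example.com'   # placeholder: the public FQDN on the MP's IIS certificate
$ClientCertThumbprint = ''        # optional: thumbprint of a client-auth cert in Cert:\LocalMachine\My

# Windows PowerShell 5.1 may default to older TLS versions; force TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$endpoints = [ordered]@{
    MPLIST = "https://$MpFqdn/sms_mp/.sms_aut?mplist"
    MPCERT = "https://$MpFqdn/sms_mp/.sms_aut?mpcert"
}

function Test-CmMpEndpoint {
    param([string]$Name, [string]$Uri, [string]$Thumbprint)
    $params = @{ Uri = $Uri; UseBasicParsing = $true; TimeoutSec = 15 }
    # An HTTPS MP that requires client certificates needs one presented on the request
    if ($Thumbprint) { $params['CertificateThumbprint'] = $Thumbprint }
    try {
        $resp = Invoke-WebRequest @params
        [pscustomobject]@{ Endpoint = $Name; Status = $resp.StatusCode; Bytes = $resp.Content.Length; Detail = 'OK' }
    } catch {
        # Surface the HTTP status so the 403.x substatus can be looked up in the MP's IIS log
        $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
        [pscustomobject]@{ Endpoint = $Name; Status = $status; Bytes = 0; Detail = $_.Exception.Message }
    }
}

$endpoints.Keys |
    ForEach-Object { Test-CmMpEndpoint -Name $_ -Uri $endpoints[$_] -Thumbprint $ClientCertThumbprint } |
    Format-Table -AutoSize

# Read the IIS certificate the MP presents and check whether this host trusts its chain.
# The callback accepts any certificate only so the handshake completes and we can inspect it.
$tcp = New-Object Net.Sockets.TcpClient($MpFqdn, 443)
$ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, ([Net.Security.RemoteCertificateValidationCallback]{ $true }))
$ssl.AuthenticateAsClient($MpFqdn)
$cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
'Subject: {0}; Issuer: {1}; Expires: {2}; ChainTrusted: {3}' -f $cert.Subject, $cert.Issuer, $cert.NotAfter, $cert.Verify()
$ssl.Dispose(); $tcp.Dispose()
```

A 403 on MPLIST or MPCERT is the usual failure: IIS substatus 403.7 means the site requires a client certificate and none was sent, and 403.13 is the revoked-certificate response covered by the IIS 403.13 link in the documentation list, which typically means the MP cannot reach the client certificate's CRL distribution point. `ChainTrusted: False` means the issuing CA is not in this host's trusted store, which an Internet client would also fail on.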
Documentation for Topics in this Guide:
- Plan for Internet-based client management in System Center Configuration Manager – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management
- Features that Are Not Supported on the Internet – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management
- Considerations for client communications from the Internet or untrusted forest – https://docs.microsoft.com/en-us/sccm/core/clients/manage/plan-internet-based-client-management#considerations-for-client-communications-from-the-internet-or-untrusted-forest
- Prerequisites for Internet-Based Client Management (IBCM) in Configuration Manager – https://blogs.technet.microsoft.com/jchalfant/prerequisites-for-internet-based-client-management-ibcm-in-configuration-manager/
- How To Configure Microsoft SCCM to Use HTTPS/PKI – https://setupconfigmgr.com/how-to-configure-microsoft-sccm-to-use-https-pki
- How to Publish the CRL on a Separate Web Server – https://cloudblogs.microsoft.com/enterprisemobility/2009/05/01/how-to-publish-the-crl-on-a-separate-web-server/
- Common HTTPS errors in Configuration Manager – http://blogs.msdn.com/b/ameltzer/archive/2008/04/14/common-native-mode-client-mp-error-messages-and-what-to-do-about-them.aspx
- Ports Required for a Site System in DMZ in Configuration Manager – https://blogs.technet.microsoft.com/b/jchalfant/archive/2015/04/08/ports-required-for-a-site-system-in-dmz-in-configuration-manager.aspx
- IIS Error 403.13 Client Certificate Revoked if IIS can’t access the Clients CRL Distribution Point – https://support.microsoft.com/en-us/help/294305/iis-returns-http-403-13-client-certificate-revoked-error-message-altho
- How to Configure the WSUS Web Site to Use SSL – https://technet.microsoft.com/en-us/library/bb633246.aspx
My company is looking to manage some of the servers located in our DMZ. They have their own domain as well. I am not sure they will want any infrastructure in the DMZ to get updates. We have a single primary server. What would be your high level recommendation on leveraging the existing primary and WSUS, to get these servers patched? Our server team hates dealing with these servers as it is all manual.
If you don’t want to put any infrastructure out there, you will need to open the ports used by clients to connect back to your site systems on your local network so they can be managed. Here are the ports used by SCCM: https://docs.microsoft.com/en-us/sccm/core/plan-design/hierarchy/ports#BKMK_CommunicationPorts. Since this is an untrusted domain, you will need to define the site code and MP in the install properties: https://docs.microsoft.com/en-us/sccm/core/clients/deploy/about-client-installation-properties. Also, you would need to manually approve the clients in order for them to be approved and get policy after the install if you are using the default client approval in SCCM.
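The reply above amounts to two checks on the DMZ server itself: can it reach the internal site systems on the client ports, and is ccmsetup given the site code and MP it cannot discover from an untrusted domain. The script below is an added example, not from the guide or the comment; every host name, the site code and the client source share are placeholders, and the ports are the Configuration Manager client defaults (MP/DP 80 and 443, WSUS 8530 and 8531, client notification 10123, SMB 445 for the client source share).

```powershell
# Added example (not from the guide or the comment): check client-to-site-system
# ports from a DMZ host and build the ccmsetup command line for a client that must be
# told its site code and management point explicitly. All names below are placeholders.

$SiteCode   = 'PS1'                          # placeholder site code
$SiteServer = 'site01.corp.example.com'      # placeholder site server hosting the SMS_<SiteCode> share
$MpFqdn     = 'mp01.corp.example.com'        # placeholder management point
$SupFqdn    = 'sup01.corp.example.com'       # placeholder software update point
$DpFqdn     = 'dp01.corp.example.com'        # placeholder distribution point
$ClientSrc  = "\\$SiteServer\SMS_$SiteCode\Client"   # default client install source share

# Default client-side ports; adjust if the site was installed with custom ports
$checks = @(
    @{ Role = 'MP (HTTP)';            Server = $MpFqdn;     Port = 80    }
    @{ Role = 'MP (HTTPS)';           Server = $MpFqdn;     Port = 443   }
    @{ Role = 'Client notification';  Server = $MpFqdn;     Port = 10123 }
    @{ Role = 'SUP (WSUS HTTP)';      Server = $SupFqdn;    Port = 8530  }
    @{ Role = 'SUP (WSUS HTTPS)';     Server = $SupFqdn;    Port = 8531  }
    @{ Role = 'DP (HTTP)';            Server = $DpFqdn;     Port = 80    }
    @{ Role = 'DP (HTTPS)';           Server = $DpFqdn;     Port = 443   }
    @{ Role = 'Client source (SMB)';  Server = $SiteServer; Port = 445   }
)

function Test-CmClientPorts {
    param([array]$Checks)
    foreach ($c in $Checks) {
        # -InformationLevel Quiet returns a plain $true/$false for the TCP connect attempt
        $ok = Test-NetConnection -ComputerName $c.Server -Port $c.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{ Role = $c.Role; Target = '{0}:{1}' -f $c.Server, $c.Port; Reachable = $ok }
    }
}

Test-CmClientPorts -Checks $checks | Format-Table -AutoSize

# Install properties for a client that cannot find the site through Active Directory:
#   SMSSITECODE  assigns the site explicitly
#   SMSMP        names the management point the client pulls its first policy from
#   /mp:         names the MP ccmsetup itself downloads prerequisites from
$ccmsetupArgs = @(
    "/source:$ClientSrc"
    "/mp:$MpFqdn"
    "SMSSITECODE=$SiteCode"
    "SMSMP=$MpFqdn"
)
Write-Host "ccmsetup.exe $($ccmsetupArgs -join ' ')"

# Uncomment to run the install from the share (needs local admin rights on the DMZ server):
# Start-Process -FilePath "$ClientSrc\ccmsetup.exe" -ArgumentList $ccmsetupArgs -Wait
```

Run the port check first; a client in an untrusted domain that installs fine but never gets policy is usually either blocked on 443/80 to the MP or, as the reply notes, sitting unapproved in the console waiting for manual approval.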
Great advice, thank you for these videos!!
Hello Justin! Great videos, thank you for the insight! We are trying to deploy patches to our internet based machines without any success. We can deploy apps, but not patches…
What are you seeing in CCMMessaging.log, WUAHandler.log, ScanAgent.log, LocationServices.log, and ClientLocation.log?
Great videos, got it working with apps!
However we got the same issue regarding patches.
ScanAgent.log:
Sources are current, but invalid. TTL is also invalid.
failed at OnScanComplete With error=0x87d00631
Is it just update scans failing?
Did this ever get solved? Is SUP role needed on the IBCM? My internet clients still seem to be trying to connect to my internal SUP.
I’m also facing the same issue: application deployment works for VPN clients but not the software updates.
Scan Agent logs gives below error: ScanCompleteCallback – failed at OnScanComplete with error=0x87d00631
0x87d00631 = Scan retry is pending
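The three comments above all land on the same ScanAgent.log line, so the quickest triage is to pull every `error=0x...` code out of the client logs Justin lists (CCMMessaging.log, WUAHandler.log, ScanAgent.log, LocationServices.log, ClientLocation.log) and count them. This is an added example, not code from the guide; the log lines in it are constructed to mimic the entries quoted in the thread, and the only code meaning it knows is the one given above (0x87d00631 = Scan retry is pending).

```powershell
# Added example, not from the guide: parse CMTrace-format client log lines and
# summarise the error codes they contain. The sample lines below are constructed to
# mimic the ScanAgent.log entries quoted in the comments; replace $sampleLog with
# Get-Content on the real log (default path C:\Windows\CCM\Logs\ScanAgent.log).

$sampleLog = @'
<![LOG[Sources are current, but invalid. TTL is also invalid.]LOG]!><time="10:15:02.123+000" date="03-04-2019" component="ScanAgent" context="" type="2" thread="4512" file="scanagent.cpp:500">
<![LOG[ScanJob({CONSTRUCTED-GUID}): CScanJob::OnScanComplete - Scan failed with Error=0x87d00631]LOG]!><time="10:15:03.456+000" date="03-04-2019" component="ScanAgent" context="" type="3" thread="4512" file="scanjob.cpp:1200">
<![LOG[ScanCompleteCallback - failed at OnScanComplete with error=0x87d00631]LOG]!><time="10:15:03.789+000" date="03-04-2019" component="ScanAgent" context="" type="3" thread="4512" file="scanjob.cpp:1230">
'@

# Meaning taken from this thread; extend from the Configuration Manager error reference as needed
$knownCodes = @{
    '0x87d00631' = 'Scan retry is pending'
}

function Get-CmLogErrors {
    param([string[]]$Lines)

    # CMTrace entry: <![LOG[message]LOG]!><time="..." date="..." component="..." ...>
    $entryPattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)" component="(?<comp>[^"]*)"'
    $codePattern  = '(?i)error=(?<code>0x[0-9a-f]{8})'

    foreach ($line in $Lines) {
        if ($line -notmatch $entryPattern) { continue }    # skip anything that is not a CMTrace entry
        $msg  = $Matches['msg']
        $when = '{0} {1}' -f $Matches['date'], $Matches['time']
        $comp = $Matches['comp']
        if ($msg -match $codePattern) {
            $code = $Matches['code'].ToLower()
            [pscustomobject]@{
                When      = $when
                Component = $comp
                Code      = $code
                Meaning   = if ($knownCodes.ContainsKey($code)) { $knownCodes[$code] } else { 'unknown - look up in the CM error reference' }
                Message   = $msg
            }
        }
    }
}

$found = Get-CmLogErrors -Lines ($sampleLog -split "`r?`n")
$found | Format-Table When, Component, Code, Meaning -AutoSize

# One line per distinct code with its count, handy when a log has thousands of entries
$found | Group-Object Code | ForEach-Object { '{0} x {1} ({2})' -f $_.Count, $_.Name, $_.Group[0].Meaning }
```

Because the parser keys on the CMTrace wrapper rather than on ScanAgent-specific text, the same function works on WUAHandler.log and LocationServices.log, which is where an Internet client that is still pointing at the internal SUP will show its lookup failures.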
Hello Justin,
Such a great article that helped me to understand a lot of things !
I have a request:
We currently have a single SCCM 2012 R2 server with all roles (DP, SUP, MP…) set in our LAN; it manages all clients & servers (~1000) for application/package deployments and software updates (no OSD), and it is not configured to use SSL.
We have a domain in a single forest and a PKI already in place.
All clients are domain joined and trust our CA.
We won’t accept untrusted domain.
We have a DMZ where we put Internet facing servers.
We want to manage/update the clients by the DMZ SCCM server when they are on the Internet. When they connect to the LAN, they will be managed/updated by the LAN SCCM.
If my understanding is good, we will need another SCCM to be placed in this DMZ where we install DP,SUP,MP roles and set SSL on it.
I am wondering whether this scenario is possible and how can I answer that.
Many thanks for your help.
Radouane
I think for you guys Cloud Management Gateway makes a lot more sense than IBCM. It will be MUCH easier; check guide 11 I did on CMG.
Thanks Justin,
I already suggested this option but for laws and regulations we are far from adopting any cloud services.
Back to my request, what would be the best scenario for on-premise solution ?
Yeah, you would need to set up a site system with MP/DP/SUP to serve internet-facing clients.
Hello Justin,
How was the WSUS setup? Downstream or WSUS with using the same SQL database as the Primary WSUS?
In my testing, I believe it may have been a shared WSUS DB, but either is fine.
Great Justin. Thank you for responding promptly.
Hi Justin,
again a great video!
We have 1 CAS and 4 Primary Sites. Is it possible to use 1 IBCM for all Primary Sites?
If so, how?
Currently IBCM is MP for Primary Site 1 and only clients for Primary Site 1 “know” the IBCM.
Thanks!
That’s a good question. I want to say you would need one at each primary, but I could be wrong. I would have to check the docs.
Hi Justin,
Is it possible to deploy SCUP updates to IBCM clients?
Yeah, they should work just fine.
Hello Justin,
Great info here. My question is, can you use a single public certificate (like the ones you buy for an https website) for all of these configs? All clients and servers should trust that public certificate, right?
Thank you.
That should work for the public DNS name for the public-facing MP.
Hi Justin, I do have a question. At 9:21 you mention that there’s this new server (IBCM); is this another server running SCCM? Is this a requisite or can everything be run from a single site? You didn’t mention this before and it makes it impossible (at least for me since I am a complete newbie) to follow the rest of the video/series. Thanks a lot!
The IBCM server was a different site system in my environment (in DMZ) for example.
Hi Justin!
Great videos! We’ve almost got our IBCM working by way of having a domain in our DMZ (trusts and firewalls all good!). PKI is fine as well. But the SCCM server that will be the IBCM host for external clients is having issues connecting to our SQL server. I see Kerberos error messages on the IBCM server, and in mpcontrol.log on the same server it gets "Target Principal name incorrect" for MP_CONTROL_ACCESS.
I think I’ve checked everything I can think of, DNS suffix settings on both IBCM and SCCM Site server as well as Kerberos Forest Search on each side as well.
On the main SCCM Site server, the local SQL service is running as a domain account, and I’ve tried using the same account under the management point connection account as well as others…
Seem to be stuck at a loose end somewhere.
Any ideas?
Did you configure a connection account for the MP to connect to the database?