HTTPS Communication SCCM 2012 SP1 (Part 3)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this 3-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (HERE) I explained the Certificates needed; the second (HERE) and third one (this one) do the actual work of transforming ConfigMgr from HTTP to HTTPS.

What is going to happen:

  • Have HTTPS traffic from and to the Distribution Point

 

So I have got my clients communicating over HTTPS, with my PKI Infrastructure, to the Management Point. Nice!
But now I want the traffic from and to the Distribution Point also over HTTPS.

 

ConfigMgr Configuration

Under Administration – Overview – Site Configuration – Servers and Site System Roles select the server with the Distribution Point Role. Select Properties.

Select Import Certificate.
You need the ConfigMgr Client Distribution Point certificate (the .PFX); supply the password and click OK.

 

And now the data is flowing securely from and to your DP.

 

Part 1 Here.

Part 2 Here.

HTTPS Communication SCCM 2012 SP1 (Part 2)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this 3-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (HERE) I explained the Certificates needed; the second (this one) and third one (HERE) do the actual work of transforming ConfigMgr from HTTP to HTTPS.

What is going to happen in this post:

  • Have the Clients talk over HTTPS to the site server (Management Point)

 

With all the certificates in place let’s see if I can change the Client to communicate over PKI and HTTPS instead of HTTP and a self-signed certificate.

 

Site Server Communication

Export the Root CA Certificate as a DER encoded binary X.509 (.CER) Certificate.

In the ConfigMgr console go to Administration – Overview – Site Configuration – Sites and select your Site.

Right-click and select Properties.

Go to the tab Client Computer Communication and change the setting to HTTPS Only. If you still have clients with HTTP then you can select HTTP or HTTPS.

Under Trusted Root Certification Authorities select your Root CA Certificate.

 

For a client that has already been deployed, just wait: the Client Certificate will change to PKI.

And I am communicating over HTTPS with my PKI:

As I can also see in my ClientLocation.log

 

From the ccmsetup.log it is visible that all communication is secure.

 

Part 1 Here.

Part 3 Here.

HTTPS Communication SCCM 2012 SP1 (Part 1)

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this 3-post series I will explain the steps to go from HTTP to HTTPS communication.
In the first post (this one) I explain the Certificates needed; the second (HERE) and third one (HERE) do the actual work of transforming ConfigMgr from HTTP to HTTPS.

As you could read in a previous post, my PKI Infrastructure is already in place.
Time to put it to its full use!

For full background details look here: http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_clientdistributionpoint2008_cm2012

 

ConfigMgr 2012 SP1 needs 3 certificates to fully function:

  1. Client Certificate
  2. Web Server Certificate
  3. Client certificate for Distribution Points

 

The Client Certificate will be deployed through Active Directory with an auto-enrollment GPO. The other 2 will be imported on the SCCM 2012 SP1 server.

The Web Server Certificate will be configured in Internet Information Server (IIS), and the Client certificate for Distribution Points will be used to authenticate the Distribution Point over HTTPS and for PXE support to clients. This will be configured in SCCM 2012 SP1.

 

Client Certificate

On the Certificate Authority (CA) server open up your CA and Duplicate Template.
The template you need for this is the Workstation Authentication.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Autoenroll’ for Domain Computers, do not clear ‘Enroll’.

Back in the CA console, right-click Certificate Templates and select New – Certificate Template to Issue. Choose your Client Certificate.


 

Auto-enrollment of the Client Certificate

For auto-enrollment use a Group Policy Object (GPO).

Best practice is to use a separate GPO for the auto-enrollment.
In the Group Policy Management console, Create a GPO in this domain, and Link it here.
(be sure to point to the right Organizational Unit (OU)).

Now go to Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies.

 

Right-click and Enable auto-enrollment:


 

Web Server Certificate

On the Certificate Authority (CA) server open up your CA and Duplicate Template.
The template you need for this is the Web Server.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Enroll’ for your SCCM Site (IIS) Server(s), clear ‘Enroll’ for Enterprise Admins.

On the Subject Name tab be sure ‘Supply in the request’ is selected.

Back in the CA console, right-click Certificate Templates and select New – Certificate Template to Issue. Choose your ConfigMgr Web Server Certificate.

 

Enrollment of the ConfigMgr Web Server Certificate

Open an MMC and add the Certificates snap-in for Local Computer.

Right-click Certificates and Request New Certificate. Select the ConfigMgr Web Server Certificate you created.

Select More information is required to enroll for this certificate. Click here to configure settings.

In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.

In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.

Examples:

  • If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is sccm2012.lab.local: Type sccm2012.lab.local, and then click Add.
  • If the site system will accept client connections from the intranet and the Internet, and the intranet FQDN of the site system server is sccm2012.lab.local and the Internet FQDN of the site system server is sccm2012.wibier.me:
    • Type sccm2012.lab.local, and then click Add.
    • Type sccm2012.wibier.me, and then click Add.

 

Configure IIS to use the ConfigMgr Web Server Certificate

On the SCCM Web Server open Internet Information Services (IIS) Manager.

Expand Sites, right-click your site (usually ‘Default Web Site’) and select Edit Bindings.

Select the HTTPS entry and click Edit; under SSL certificate choose the ConfigMgr Web Server Certificate you enrolled.

Click OK and Close.

(You can check the site by opening Internet Explorer and browse to your site with https://. There should not be a warning about a certificate.)
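Besides the browser test, the binding can be verified from PowerShell. This is an added check, not part of the original post: it reads the certificate bound to the HTTPS entry and confirms that its Subject Alternative Names cover the FQDNs entered in the enrollment step above, that it carries the Server Authentication EKU and a private key, that it chains to the trusted root, and that it is not close to expiry. It assumes the site name and the two FQDNs from the post (replace them) and PowerShell 3.0 or later with the WebAdministration module (IIS on Windows Server 2012).

```powershell
# Added check, not part of the original post: confirm that the HTTPS binding of
# the ConfigMgr site system presents the intended Web Server certificate.
# Assumed values: the site name and the FQDNs used in the post; replace them.
$SiteName      = 'Default Web Site'
$ExpectedFqdns = @('sccm2012.lab.local', 'sccm2012.wibier.me')
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # Server Authentication

Import-Module WebAdministration

# The binding object exposes the thumbprint and store of the bound certificate.
$binding = Get-WebBinding -Name $SiteName -Protocol https | Select-Object -First 1
if (-not $binding) { throw "No HTTPS binding found on '$SiteName'." }
$store = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }
$cert  = Get-Item "Cert:\LocalMachine\$store\$($binding.certificateHash)"

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# 1. The SAN entries must cover every FQDN entered in the site system properties
#    (the Subject itself stays blank, as in the enrollment step of the post).
$sanNames = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$missing  = @($ExpectedFqdns | Where-Object { $sanNames -notcontains $_ })
Add-Check 'SAN covers site FQDNs' ($missing.Count -eq 0) ('SAN: ' + ($sanNames -join ', '))

# 2. A certificate from the Web Server template carries the Server Authentication EKU.
$hasEku = @($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $ServerAuthEku }).Count -gt 0
Add-Check 'Server Authentication EKU' $hasEku ($cert.EnhancedKeyUsageList.FriendlyName -join ', ')

# 3. IIS needs the private key to terminate TLS on this binding.
Add-Check 'Private key present' $cert.HasPrivateKey $cert.Thumbprint

# 4. The chain must build to a trusted root, otherwise the browser warning reappears.
Add-Check 'Chain builds to trusted root' ($cert.Verify()) $cert.Issuer

# 5. Give yourself time to renew before clients start failing on an expired certificate.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Add-Check 'More than 30 days validity left' ($daysLeft -gt 30) "$daysLeft days left"

$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```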

 

Client certificate for Distribution Points

On the Certificate Authority (CA) server open up your CA and Duplicate Template.
The template you need for this is the Workstation Authentication.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Enroll’ for your SCCM Site Server(s), clear ‘Enroll’ for Enterprise Admins.

On the Request Handling tab select ‘Allow private key to be exported’.

Back in the CA console, right-click Certificate Templates and select New – Certificate Template to Issue. Choose your ConfigMgr Client Certificate for Distribution Points.

 

Enrollment of the Client certificate for Distribution Points

Open an MMC and add the Certificates snap-in for Local Computer.

Right-click Certificates and Request New Certificate. Select the Client certificate for Distribution Points you created.

After that, export the certificate WITH the private key.

Part 2 HERE!

Part 3 HERE!

Create Cloud Distribution Point on Windows Azure with SCCM 2012 SP1 (Part 2)

Cloud, everybody is talking about that.
And with the new ConfigMgr 2012 SP1 fully integrating with Windows Azure it’s time to see how this works.

You need to have some things in place first, so here we go:

  • A Windows Azure subscription (duh)
  • A working PKI Infrastructure
  • 2 (a .cer and a .pfx) certificates to talk to the Management service of Windows Azure
  • A certificate (the .cer) added to the Management service of Windows Azure
  • Your Windows Azure Subscription ID. This can be found on the Management Portal of Windows Azure.
  • And well, uh SCCM 2012 SP1 😉

 

In Part 1 I took care of setting up the necessary PKI Infrastructure and the Certificate part.
In Part 2 I will configure SCCM 2012 SP1 to talk to that big Cloud called Windows Azure.

 

So we took care of the Certificate; now we have to upload it to Windows Azure.

 

Upload Certificate

Log on to the Windows Azure Management Portal.
Under Settings you can upload your Certificate (this will be the .CER one).

And the result is visible:

Create the Windows Azure Cloud Distribution Point:

Now it’s time to create the Distribution Point in the Cloud!

Launch your ConfigMgr Console and let’s start.

Under Administration – Overview – Hierarchy Configuration – Cloud you will find Create Cloud Distribution Point.

 

And here you need your Subscription ID and Certificate (the .PFX one).

 

Select your Region, and Certificate:

 

Specify the alerts:

 

And off we go

 

Looks good:

 

You can follow the process by looking in the CloudMgr.log.

 

This can take a while! So be patient, it will come eventually.

Still working:


And there we are!

 

And also in the Windows Azure Management Portal:

 

Distribute content to the Windows Azure Cloud Distribution Point:

There are no extra steps needed to distribute content to a Windows Azure DP.
You take an application and distribute it to the Cloud.

Logging is in DistrMgr.log.

 

And in the console:

 

Cloud rules!

 

Read Part 1 Here!

Create Cloud Distribution Point on Windows Azure with SCCM 2012 SP1 (Part 1)

Cloud, everybody is talking about that.
And with the new ConfigMgr 2012 SP1 fully integrating with Windows Azure it’s time to see how this works.

You need to have some things in place first, so here we go:

  • A Windows Azure subscription (duh)
  • A working PKI Infrastructure
  • 2 (a .cer and a .pfx) certificates to talk to the Management service of Windows Azure
  • A certificate (the .cer) added to the Management service of Windows Azure
  • Your Windows Azure Subscription ID. This can be found on the Management Portal of Windows Azure.
  • And well, uh SCCM 2012 SP1 😉

 

The subscription isn’t much of a hassle. Takes about 10 min!

In Part 1 I will set up the necessary PKI Infrastructure and take care of the Certificate part.
In Part 2 I will configure SCCM 2012 SP1 to talk to that big Cloud called Windows Azure.

 

PKI Infrastructure

Nothing fancy here as this is a lab environment. Just set up the PKI infrastructure.

Add Server Role – Active Directory Certificate Services, and walk through the wizard:

  • Certificate Authority
  • Enterprise
  • Root CA
  • New private key
  • Select 2048 for Key character length
  • CA Name
  • Validity period (I don’t think my lab will last this long ;-))

Now install the CA.

 

Deploy the Certificate

 

So that’s up and running, now for the fun part.

Microsoft has some good info on what certificates you need.

 

Source:

  • Deployment of the PKI Certificates for Configuration Manager:

http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_clouddpcreating2008

  • PKI Certificate Requirements for Configuration Manager:

http://technet.microsoft.com/en-us/library/gg699362.aspx

We will go from there.

  • Create a Security Group that contains the member servers to install System Center 2012 Configuration Manager SP1 primary site servers that will manage cloud-based distribution points.
  • On your Certificate Authority (CA) server go to the console and right-click Certificate Templates, choose Manage.
  • Right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
  • Select Windows Server 2003, Enterprise Edition
  • On the General tab enter a name (ConfigMgr Cloud-Based Distribution Point Certificate)
  • On the Request Handling tab – Allow private key to be exported.
  • Security tab – Remove Enroll for Enterprise Admins and Add your Security Group.
  • Click OK and close the Template console.
  • Right-click Certificate Templates, New – Certificate Template to Issue.
  • Select your Template and select OK.

Request the Certificate

Now we have to request the certificate.

  • Go to your site server.
  • Open up a MMC and add Certificates – Local computer as snap-in.
  • Go to Personal and in All Tasks select Request New Certificate.

Now you have to enter some information:

The info you need for Windows Azure is:
– the name of your Windows Azure Cloud Distribution Point

 

  • Select and Enroll.


  • Enrollment successful.


  • The Certificate will be visible in the CA console under Issued Certificates.

 

Export the Certificate

You will have to export the Certificate twice, once with and once without the private key!

  • Without the Private Key:

 

  • And with the Private Key:

 

The certificate is now ready to be imported when you create a cloud-based distribution point.
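The same two exports can be scripted. The following is an added example, not code from the original posts, and it serves both this double export and the export WITH the private key of the Client certificate for Distribution Points in the HTTPS series above: it locates the enrolled certificate by its template name, checks that the template really allowed the private key to be exported before attempting the .pfx, writes the DER .cer and the password-protected .pfx, and re-reads both files to confirm which one carries the key. It assumes the template display name from this post, an output folder of C:\Certs, a legacy CSP key (the Windows Server 2003 template version used here) and the PKI module of Windows Server 2012 / Windows 8 or later for Export-Certificate and Export-PfxCertificate.

```powershell
# Added example, not from the original posts: export the certificate twice, once
# as DER .cer (no private key) and once as .pfx (with private key), after checking
# that "Allow private key to be exported" was really set on the template.
# Assumed: template display name, output folder; requires the PKI module
# (Windows Server 2012 / Windows 8 or later).
$TemplateName = 'ConfigMgr Cloud-Based Distribution Point Certificate'
$OutDir       = 'C:\Certs'
$PfxPassword  = Read-Host -AsSecureString 'Password to protect the .pfx'

# Locate the enrolled certificate through the template name recorded in its
# "Certificate Template Information" extension; take the newest if several exist.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext = $_.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' }
    $ext -and $ext.Format($false) -like "*$TemplateName*"
} | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate from template '$TemplateName' in LocalMachine\My." }

# The .pfx export only works when the template allowed key export before enrollment.
# Detect that here instead of failing later in the wizard. (Assumes a legacy CSP key,
# which is what the Windows Server 2003 template version produces.)
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; enroll it on this machine.' }
if (-not $cert.PrivateKey.CspKeyContainerInfo.Exportable) {
    throw 'Private key is not exportable; fix the template and re-enroll.'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cerPath = Join-Path $OutDir 'CloudDP.cer'
$pfxPath = Join-Path $OutDir 'CloudDP.pfx'

# Without the private key: DER encoded X.509, the file uploaded to the Azure Management service.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
# With the private key: the file the Create Cloud Distribution Point wizard asks for.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $PfxPassword | Out-Null

# Sanity check: the .cer must not carry a key, the .pfx must.
$cerCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
$pfxCheck = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($pfxPath, $PfxPassword)
if ($cerCheck.HasPrivateKey)     { throw "$cerPath unexpectedly contains a private key." }
if (-not $pfxCheck.HasPrivateKey) { throw "$pfxPath does not contain the private key." }
"Exported $($cert.Thumbprint): $cerPath (public only) and $pfxPath (with private key)"
```

Keep the .pfx and its password out of the content library and ordinary file shares; it authenticates your site server to Windows Azure.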

In Part 2 I will continue!

System Center 2012 SP1 – Evaluation VHDs

Want to test, play or evaluate the new System Center 2012 SP1 products?

Microsoft launched the public VHDs for System Center 2012 SP1.
The download consists of a single pre-configured VHD file for the System Center 2012 SP1 product.

These downloads are free for everyone who wants to see what the new System Center 2012 SP1 products are about.

System Center 2012 Service Pack 1 Evaluation VHDs can be found at the following locations:

System Requirements:

Microsoft Windows Server 2008 R2 with Hyper-V is required to use this VHD to create a virtual machine.

Happy testing!

Hide Management Pack (MP) from Operations Manager Console – SCOM 2012

So you got Operations Manager 2012 installed.
The console looks fine and you can select which Management Packs (MP) you want to see and which ones you don’t.


Every admin who logs in to the console will have to do this, and this is fine for sealed MPs.
But what about your own, unsealed, MPs?

They also appear in the console and you can select whether to display them or not. But the MPs you will add are most of the time ‘Override’ Management Packs, containing your overrides (per Management Pack…).


Of course this is possible:


But it is also possible to hide these MP’s from everybody while keeping all the benefits from having them!

Here we go:

  • Export the Management Pack: Administration – Management Packs – Your MP – ‘Export Management Pack…’ (and yes, those 3 dots are there ;-))

This will produce an XML file with all your override parameters in it.

  • Now take a Text editor (Notepad will do, or even better Notepad++) and open up the file:



The highlighted part will have to be removed.

  • Save the Management Pack.
  • Import the Management Pack back into SCOM 2012 and install the MP.

  • The unsealed Management Pack is still there:


But not here:


Or here:



  • Of course it is still usable!




Be sure to back up your Management Packs before you edit them… Just in case.

Operations Manager 2012 (SCOM) Activation

When you install Operations Manager 2012 (SP1) you may notice that there is no request for a product key. Once the install is complete and you open up the console the following is displayed:


Clicking Help – About will show that you are running an Evaluation copy.


The way to do it is described here: http://support.microsoft.com/kb/2699998; here is the visual version.

To register your product key with Operations Manager 2012 and move from the Evaluation edition to the Retail edition you will need to launch the Operations Management Shell and run a PowerShell cmdlet.

So start up the Operations Manager Shell:


And type:

Set-SCOMLicense -ProductId {YourProductKey}

(Tip: type the first letters and then press <TAB> for PowerShell to complete the command)


On completion restart the Operations Manager 2012 server for the key to validate.

After the reboot, check back in Help – About and you will see it is now a Retail version.



Strange way to activate a Microsoft product but this is how it works!

SCCM 2012 SP1 and SQL Server

Here is an overview of the SQL Server configurations and requirements for supported SQL Server installations for ConfigMgr 2012.

Source: http://technet.microsoft.com/en-us/library/gg682077.aspx

 

Configurations for the SQL Server Site Database

Each System Center 2012 Configuration Manager site database can be installed on either the default instance or a named instance of a SQL Server installation. The SQL Server instance can be co-located with the site system server, or on a remote computer.

When you use a remote SQL Server, the instance of SQL Server used to host the site database can also be configured as a SQL Server failover cluster in a single instance cluster, or a multiple instance configuration. The site database site system role is the only System Center 2012 Configuration Manager site system role supported on an instance of a Windows Server cluster. If you use a SQL Server cluster for the site database, you must add the computer account of the site server to the Local Administrators group of each Windows Server cluster node computer.

Note
SQL Server database mirroring is not supported for the Configuration Manager site database.

 

When you install a secondary site, you can use an existing instance of SQL Server or allow Setup to install and use an instance of SQL Server Express. Whichever option that you choose, SQL Server must be located on the secondary site server. The version of SQL Server Express that Setup installs depends on the version of Configuration Manager that you use:

  • Configuration Manager without a service pack: SQL Server 2008 Express
  • Configuration Manager with SP1: SQL Server 2012 Express

The following table lists the SQL Server versions that are supported by System Center 2012 Configuration Manager.

SQL Server version                                      | SQL SP | SQL CU  | ConfigMgr version                  | ConfigMgr site type
SQL Server 2008 Standard (1), Enterprise, Datacenter    | SP2    | Min CU9 | ConfigMgr NO SP, ConfigMgr SP1     | CAS, Primary, Secondary
SQL Server 2008 Standard (1), Enterprise, Datacenter    | SP3    | Min CU4 | ConfigMgr NO SP, ConfigMgr SP1     | CAS, Primary, Secondary
SQL Server 2008 R2 Standard (1), Enterprise, Datacenter | SP1    | Min CU6 | ConfigMgr NO SP (2), ConfigMgr SP1 | CAS, Primary, Secondary
SQL Server 2008 R2 Standard (1), Enterprise, Datacenter | SP2    | NO CU   | ConfigMgr NO SP (2), ConfigMgr SP1 | CAS, Primary, Secondary
SQL Server 2012 Standard (1), Enterprise                | NO SP  | Min CU2 | ConfigMgr SP1                      | CAS, Primary, Secondary
SQL Server 2008 R2 Express                              | SP1    | Min CU6 | ConfigMgr NO SP, ConfigMgr SP1     | Secondary
SQL Server 2008 R2 Express                              | SP2    | NO CU   | ConfigMgr NO SP, ConfigMgr SP1     | Secondary
SQL Server 2012 Express                                 | NO SP  | Min CU2 | ConfigMgr SP1                      | Secondary

 

  1. When you use SQL Server Standard for the database at the central administration site, the hierarchy can only support up to 50,000 clients. For more information, see Site and Site System Role Scalability.
  2. Configuration Manager with no service pack does not support the site database on any version of a SQL Server 2008 R2 cluster. This includes any service pack version or cumulative update version of SQL Server 2008 R2. With Configuration Manager SP1, the site database is supported on a SQL Server 2008 R2 cluster.

 

SQL Server Requirements

The following are required configurations for each database server with a full SQL Server installation, and on each SQL Server Express installation that you manually configure for secondary sites. You do not have to configure SQL Server Express for a secondary site if SQL Server Express is installed by Configuration Manager.

Database collation: At each site, both the instance of SQL Server that is used for the site database and the site database must use the following collation: SQL_Latin1_General_CP1_CI_AS.

SQL Server features: Only the Database Engine Services feature is required for each site server. (Configuration Manager database replication does not require the SQL Server replication feature.)

Windows Authentication: Configuration Manager requires Windows authentication to validate connections to the database.

SQL Server instance: You must use a dedicated instance of SQL Server for each site.

SQL Server memory: When you use a database server that is co-located with the site server, limit the memory for SQL Server to 50 to 80 percent of the available addressable system memory. When you use a dedicated SQL Server, limit the memory for SQL Server to 80 to 90 percent of the available addressable system memory.

Configuration Manager requires SQL Server to reserve a minimum of 8 gigabytes (GB) of memory in the buffer pool used by an instance of SQL Server for the central administration site and primary site and a minimum of 4 gigabytes (GB) for the secondary site. This memory is reserved by using the Minimum server memory setting under Server Memory Options and is configured by using SQL Server Management Studio. For more information about how to set a fixed amount of memory, see How to: Set a Fixed Amount of Memory (SQL Server Management Studio).

 

SQL Server Optional Configuration

The following configurations either support multiple choices or are optional on each database server with a full SQL Server installation.

SQL Server service: On each database server, you can configure the SQL Server service to run by using a domain local account or the local system account of the computer that is running SQL Server.

  • Use a domain user account as a SQL Server best practice. This kind of account can be more secure than the local system account but might require you to manually register the Service Principal Name (SPN) for the account.
  • Use the local system account of the computer that is running SQL Server to simplify the configuration process. When you use the local system account, Configuration Manager automatically registers the SPN for the SQL Server service. Be aware that using the local system account for the SQL Server service is not a SQL Server best practice.

For information about SQL Server best practices, see the product documentation for the version of Microsoft SQL Server that you are using. For information about SPN configurations for Configuration Manager, see How to Manage the SPN for SQL Server Site Database Servers. For information about how to change the account that is used by the SQL Service, see How to: Change the Service Startup Account for SQL Server (SQL Server Configuration Manager).

SQL Server Reporting Services: Required to install a reporting services point that lets you run reports.

SQL Server ports: For communication to the SQL Server database engine, and for intersite replication, you can use the default SQL Server port configurations or specify custom ports:

  • Intersite communications use the SQL Server Service Broker, which by default uses port TCP 4022.
  • Intrasite communication between the SQL Server database engine and the various Configuration Manager site system roles by default uses port TCP 1433. The following site system roles communicate directly with the SQL Server database:
    • Management point
    • SMS Provider computer
    • Reporting Services point
    • Site server

When a SQL Server hosts a database from more than one site, each database must use a separate instance of SQL Server, and each instance must be configured to use a unique set of ports.

 

Configuration Manager does not support dynamic ports. Because SQL Server named instances by default use dynamic ports for connections to the database engine, when you use a named instance, you must manually configure the static port that you want to use for intrasite communication.

 

If you have a firewall enabled on the computer that is running SQL Server, make sure that it is configured to allow the ports that are being used by your deployment and at any locations on the network between computers that communicate with the SQL Server.

For an example of how to configure SQL Server to use a specific port, see How to: Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager) in the SQL Server TechNet library.
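The requirements above can be audited on the database server before Setup runs. The following is an added check, not code from the TechNet text quoted above: it queries the instance for the collation, Windows-only authentication and the minimum and maximum server memory, compares them with the limits listed in this post for the given site type and placement, and reads the instance's TCP settings from the registry to confirm that a static port is configured instead of the dynamic port a named instance uses by default. It assumes a constructed instance name SCCM2012\CONFIGMGR, a primary site with SQL co-located on the site server, and that it runs on the SQL Server under an account that can read sys.configurations.

```powershell
# Added check, not part of the TechNet text above: audit a site database instance
# against the collation, authentication, memory and static-port requirements listed
# in this post. Assumed values: instance name (constructed), site type, placement.
$ServerInstance = 'SCCM2012\CONFIGMGR'   # constructed example; use '.' for the default instance
$SiteType       = 'Primary'              # CAS, Primary or Secondary
$CoLocated      = $true                  # $true when SQL Server runs on the site server

$results = @()
function Add-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

# Plain SqlClient so the script does not depend on the SQL PowerShell module.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$ServerInstance;Integrated Security=SSPI"
$conn.Open()
function Query([string]$Sql) { $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql; $cmd.ExecuteScalar() }

$collation = [string](Query "SELECT CAST(SERVERPROPERTY('Collation') AS nvarchar(128))")
$winOnly   = [int](Query "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int)")
$minMemMB  = [int](Query "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'min server memory (MB)'")
$maxMemMB  = [int](Query "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'max server memory (MB)'")
$conn.Close()

# Collation is fixed by the requirements table.
Add-Check 'Collation is SQL_Latin1_General_CP1_CI_AS' ($collation -eq 'SQL_Latin1_General_CP1_CI_AS') $collation

# Connections are validated with Windows authentication, so mixed mode is not needed.
Add-Check 'Windows authentication only' ($winOnly -eq 1) "IsIntegratedSecurityOnly=$winOnly"

# Minimum buffer pool: 8 GB for CAS and primary sites, 4 GB for a secondary site.
$needMinMB = if ($SiteType -eq 'Secondary') { 4096 } else { 8192 }
Add-Check "Min server memory >= $needMinMB MB" ($minMemMB -ge $needMinMB) "$minMemMB MB"

# Maximum memory within the recommended share of physical RAM for the placement.
$physMB = [int]((Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1MB)
$range  = if ($CoLocated) { @(0.5, 0.8) } else { @(0.8, 0.9) }
$share  = $maxMemMB / $physMB
Add-Check ('Max server memory {0:P0}-{1:P0} of RAM' -f $range[0], $range[1]) `
          ($share -ge $range[0] -and $share -le $range[1]) `
          ('{0} MB of {1} MB ({2:P0})' -f $maxMemMB, $physMB, $share)

# Static TCP port: named instances default to dynamic ports, which ConfigMgr does not support.
$instance   = if ($ServerInstance -match '\\(.+)$') { $Matches[1] } else { 'MSSQLSERVER' }
$instanceId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$instance
if (-not $instanceId) { throw "Instance '$instance' not found in the registry; run this on the SQL Server." }
$tcp = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
$static = [string]::IsNullOrEmpty($tcp.TcpDynamicPorts) -and -not [string]::IsNullOrEmpty($tcp.TcpPort)
Add-Check 'Static TCP port (no dynamic ports)' $static "TcpPort='$($tcp.TcpPort)' TcpDynamicPorts='$($tcp.TcpDynamicPorts)'"

$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

The port reported under TcpPort is the one to allow through the firewall for the site system roles listed above, together with TCP 4022 for Service Broker when the site replicates with other sites.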