Tag Archives: Distribution Point

HTTPS Communication SCCM 2012 SP1 (Part 3)

Posted on by
3

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this 3 post series I will explain the steps to go from HTTP to HTTPS communication.
The first post (HERE) I explained the Certificates needed, the second (HERE) and third one (this one) will do the actual work of transforming ConfigMgr from HTTP to HTTPS.

What is going to happen:

  • Have HTTPS traffic from and to the Distribution Point

 

So I have got my clients communicating over HTTPS, with my PKI Infrastructure, to the Management Point. Nice!
But now I want the traffic from and to the Distribution Point also over HTTPS.

 

ConfigMgr Configuration

Under Administration – Overview – Site Configuration – Servers and Site System Roles select the server with the Distribution Point Role. Select Properties.

Import Certificate.
You need the ConfigMgr Client Distribution Point certificate (the .PFX), supply the password and OK.

 

And now the data is flowing secure from and to your DP.

 

Part 1 Here.

Part 2 Here.

HTTPS Communication SCCM 2012 SP1 (Part 2)

Posted on by
7

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this 3 post series I will explain the steps to go from HTTP to HTTPS communication.
The first post (HERE) I explained the Certificates needed, the second (this one) and third one (HERE) will do the actual work of transforming ConfigMgr from HTTP to HTTPS.

What is going to happen in this post:

  • Have the Clients talk over HTTPS to the site server (Management Point)

 

With all the certificates in place let’s see if I can change the Client to communicate over PKI and HTTPS instead of HTTP and a self-signed certificate.

 

Site Server Communication

Export the Root CA Certificate as a DER encoded binairy X.509 (.CER) Certificate.

In the ConfigMgr console go to Administration – Overview – Site Configuration – Sites and select your Site.

Right-click and select Properties.

Go to the tab Client Computer Communication and change the setting to HTTPS Only. If you still have clients with HTTP then you can select HTTP or HTTPS.

Under Trusted Root Certification Authorities select your Root CA Certificate.

 

For a client that has already been deployed just wait and the Client Certificate will change to PKI.

And I am communicating over HTTPS with my PKI:

As I can also see in my ClientLocation.log

 

From the ccmsetup.log is visible that all communication is secure.

 

Part 1 Here.

Part 3 Here.

HTTPS Communication SCCM 2012 SP1 (Part 1)

Posted on by
3

If you do a default installation of ConfigMgr 2012 the clients will communicate over HTTP with the Management Point. Also all traffic from the Distribution Point will be over HTTP. And if you use the Application Catalog, well that’s HTTP also.

In this 3 post series I will explain the steps to go from HTTP to HTTPS communication.
The first post (this one) I explained the Certificates needed, the second (HERE) and third one (HERE) will do the actual work of transforming ConfigMgr from HTTP to HTTPS.

As you could read in previous post my PKI Infrastructure is already in place.
Time to put it to its full use!

For full background details look here: http://technet.microsoft.com/en-us/library/gg682023.aspx#BKMK_clientdistributionpoint2008_cm2012

 

ConfigMgr 2012 SP1 needs 3 certificates to fully function:

  1. Client Certificate
  2. Web Server Certificate
  3. Client certificate for Distribution Points

 

The Client Certificate will be deployed through Active Directory with an auto-enrollment GPO. The other 2 will be imported on the SCCM 2012 SP1 server.

The Web Server Certificate will be configured in Internet Information Server (IIS), and the Client certificate for Distribution Points will be used authenticate the Distribution Point to HTTPS and for PXE support to clients. This will be configured in SCCM 2012 SP1.

 

Client Certificate

On the Certificate Authority (CA) server open up your CA and Duplicate Template.
The template you need for this is the Workstation Authentication.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Autoenroll’ for Domain Computers, do not clear ‘Enroll’.

Back in the CA console, right-click Certificate Templates, New and Certificate Template to Issue. Choose your Client Certificate.


 

Auto-enrollment of the Client Certificate

For auto-enrollment use a Group Policy Object (GPO).

Best practice is to use a separate GPO for the auto-enrollment.
In the Group Policy Management console, Create a GPO in this domain, and Link it here.
(be sure to point to the right Organizational Unit (OU)).

Now go to Computer Configuration – Policies – Windows Settings – Security Settings – Public Key Policies.

 

Right-click and Enable auto-enrollment:


 

Web Server Certificate

On the Certificate Authority (CA) server open up your CA and Duplicate Template.
The template you need for this is the Web Server.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Enroll’ for your SCCM Site (IIS) Server(s), clear ‘Enroll’ for Enterprise Admins.

On the Subject Name tab be sure the Supply in the request is selected.

Back in the CA console, right-click Certificate Templates, New and Certificate Template to Issue. Choose your ConfigMgr Web Server Certificate.

 

Enrollment of the ConfigMgr Web Server Certificate

Open a MMC and add the Certificate snapin for Local Computer.

Right-click Certificates and Request New Certificate. Select the ConfigMgr Web Server Certificate you created.

Select More information is required to enroll for this certificate. Click here to configure settings.

In the Certificate Properties dialog box, in the Subject tab, do not make any changes to the Subject name. This means that the Value box for the Subject name section remains blank. Instead, from the Alternative name section, click the Type drop-down list, and then select DNS.

In the Value box, specify the FQDN values that you will specify in the Configuration Manager site system properties, and then click OK to close the Certificate Properties dialog box.

Examples:

  • If the site system will only accept client connections from the intranet, and the intranet FQDN of the site system server is sccm2012.lab.local: Type sccm2012.lab.local, and then click Add.
  • If the site system will accept client connections from the intranet and the Internet, and the intranet FQDN of the site system server is sccm2012.lab.local and the Internet FQDN of the site system server is sccm2012.wibier.me:
    • Type sccm2012.lab.local, and then click Add.
    • Type sccm2012.wibier.me, and then click Add.

 

Configure IIS to use the ConfigMgr Web Server Certificate

On the SCCM Web Server open Internet Information Services (IIS) Manager.

Expand Sites, right-click your site (usually ‘Default Web Site’) and select Edit Bindings.

Select the HTTPS entry and Edit.

OK and Close.

(You can check the site by opening Internet Explorer and browse to your site with https://. There should not be a warning about a certificate.)

 

Client certificate for Distribution Points

On the Certificate Authority (CA) server open up your CA and Duplicate Template.
The template you need for this is the Workstation Authentication.
Make sure to select ‘Windows Server 2003 Enterprise’ as ‘Windows Server 2008 Enterprise’ is NOT supported by ConfigMgr 2012 SP1!

On the security tab select ‘Read’ and ‘Enroll’ for your SCCM Site Server(s), clear ‘Enroll’ for Enterprise Admins.

On the Request Handling tab select the Allow private key to be exported.

Back in the CA console, right-click Certificate Templates, New and Certificate Template to Issue. Choose your ConfigMgr Client Certificate for Distribution Points.

 

Enrollment of the Client certificate for Distribution Points

Open a MMC and add the Certificate snapin for Local Computer.

Right-click Certificates and Request New Certificate. Select the Client certificate for Distribution Points you created.

After that Export the certificate WITH the private key.

Part 2 HERE!

Part 3 HERE!

Create Cloud Distribution Point on Windows Azure with SCCM 2012 SP1 (Part 2)

Posted on by
1

Cloud, everybody is talking about that.
And with the new ConfigMgr 2012 SP1 fully integrating with Windows Azure it’s time to see how this works.

You need to have some things in place first, so here we go:

  • A Windows Azure subscription (duh)
  • A working PKI Infrastructure
  • 2 (a .cer and a .pfx) certificates to talk to the Management service of Windows Azure
  • A certificate (the .cer) added to the Management service of Windows Azure
  • Your Windows Azure Subscription ID. This can be found on the Management Portal of Windows Azure.
  • And well, uh SCCM 2012 SP1 😉

 

In Part 1 I took care of the setup of the necessary PKI Infrastructure and take care of the Certificate part..
In Part 2 I will configure SCCM 2012 SP1 for talking to that big Cloud called Windows Azure.

 

So we took care of the Certificate, now we have upload it to Windows Azure.

 

Upload Certificate

Log on to the Windows Azure Management Portal.
Under Settings you can upload your Certificate (this will be the .CER one)

And the result is visible:

Create the Windows Azure Cloud Distribution Point:

Now it’s time to create the Distribution Point in the Cloud!

Launch you ConfigMgr Console and let’s start.

Under Administration – Overview – Hierarchy Configuration – Cloud is the Create Cloud Distribution Point.

 

And here you need your Subscription ID and Certificate (the .PFX one)

 

Select your Region, and Certificate:

 

Specify the alerts:

 

And off we go

 

Look good:

 

You can follow the process by looking in the CloudMgr.log.

 

This can take a while! So be patient, it will come eventually.

Still working:

 

 

 

And there we are!

 

And also in the Windows Azure Management Portal:

 

Distribute content to the Windows Azure Cloud Distribution Point:

There are no extra steps needed to distribute content to a Windows Azure DP.
You take an application and distribute it to the Cloud.

Logging under DistrMgr.log.

 

And in the console:

 

Cloud rules!

 

Read Part 1 Here!

Create Cloud Distribution Point on Windows Azure with SCCM 2012 SP1 (Part 1)

Posted on by
2

Cloud, everybody is talking about that.
And with the new ConfigMgr 2012 SP1 fully integrating with Windows Azure it’s time to see how this works.

You need to have some things in place first, so here we go:

  • A Windows Azure subscription (duh)
  • A working PKI Infrastructure
  • 2 (a .cer and a .pfx) certificates to talk to the Management service of Windows Azure
  • A certificate (the .cer) added to the Management service of Windows Azure
  • Your Windows Azure Subscription ID. This can be found on the Management Portal of Windows Azure.
  • And well, uh SCCM 2012 SP1 😉

 

The subscription isn’t much of a hassle. Takes about 10 min!

In Part 1 I will setup the necessary PKI Infrastructure and take care of the Certificate part..
In Part 2 I will configure SCCM 2012 SP1 for talking to that big Cloud called Windows Azure.

 

PKI Infrastructure

Nothing fancy here as this is a lab environment. Just setup the PKI infrastructure.

Add Server Role à Active Directory Certificate Services

 

Certificate Authority:

 

Enterprise:

 

Root CA:

 

New private key:

 

Select 2048 for Key character length:

 

CA Name:

 

Validity period (I don’t think my lab will last this long ;-))

 

Now Install the CA.

 

Deploy the Certificate

 

So that’s up and running, now for the fun part.

Microsoft has some good info on what certificates you need.

 

Source:

  • Deployment of the PKI Certificates for Configuration Manager:

http://technet.microsoft.com/en-us/library/230dfec0-bddb-4429-a5db-30020e881f1e#BKMK_clouddpcreating2008

  • PKI Certificate Requirements for Configuration Manager:

http://technet.microsoft.com/en-us/library/gg699362.aspx

We will go from there.

  • Create a Security Group that contains the member servers to install System Center 2012 Configuration Manager SP1 primary site servers that will manage cloud-based distribution points.
  • On your Certificate Authority (CA) server go to the console and right-click Certificate Templates, choose Manage.
  • Right-click the entry that displays Web Server in the column Template Display Name, and then click Duplicate Template.
  • Select Windows Server 2003, Enterprise Edition
  • On the General tab enter a name (ConfigMgr Cloud-Based Distribution Point Certificate)
  • On the Request Handling tab – Allow private key to be exported.
  • Security tab – Remove Enroll for Enterprise Admins and Add your Security Group.
  • Click OK and close the Template console.
  • Right-click Certificate Templates, NewCertificate Template to Issue.
  • Select your Template and select OK.

Request the Certificate

Now we have to request the certificate.

  • Go to your site server.
  • Open up a MMC and add Certificates – Local computer as snap-in.
  • Go to Personal and in All Tasks select Request New Certificate.

Now you have to enter some information:

The info you need for Windows Azure is:
– the name of your Windows Azure Cloud Distribution Point

 

  • Select and Enroll.

 

 

  • Enrollment successful.

 

 

  • The Certificate will be visible in the CA console under Issued Certificates.

 

Export the Certificate

You will have to export the Certificate twice, once with and once without the private key!

  • Without the Private Key:

 

  • And with the Private Key:

 

The certificate is now ready to be imported when you create a cloud-based distribution point.

In Part 2 I will continue!