Native Mode Setup Dialogs
Session Code: MGT312
Jason Sandys, Senior Lead Consultant, Catapult Systems, Inc.
Overview
- What Is Native Mode
- Benefits
- Pre-requisites
- PKI Refresher
- Misperceptions
- Certificate Deployment & Demo
- Implications
- Notes from the Field

What Is Native Mode?
- A site mode for Configuration Manager that dictates key client to site system communication
  (diagram: site system roles DP*, MP, SUP, SMP)

Benefits
- Enables Internet Based Client Management (IBCM)
  - Inventory
  - Software Distribution
  - Software Updates
  - Desired Configuration Management
  - Compliance
- Security in general

Prerequisites
- Certificates (aka Public Key Infrastructure)
  - DP*, MP, SUP, SMP
  - Clients
- ConfigMgr 2007 only
- Windows 2000 not supported

PKI Refresher
- Certificates
- Trust
  (diagram: private key / public key pair, trusted source, "How do I get your Public Key?")
- Key Distribution

PKI Refresher
- Certificate Revocation Lists (CRL)
- Certificate Distribution Points (CDP)
  (diagram: CRL published to the CDP over LDAP, FTP, SMB, HTTP)

Misperceptions
- PKI is Easy
- You must use a Microsoft PKI
- AMT takes advantage of Native Mode

Misperceptions
- Enterprise Edition = Enterprise CA

Misperceptions
- Internet-based clients can roam
- Fallback Status Points (FSP) are only for Native Mode
  - An FSP in a Native Mode site can happily co-exist with other site roles

Misperceptions
- Mixed mode does not use certificates
- Native mode protects all site communication
- Only domain joined systems can participate in a Native Mode site

Certificate Deployment
- Three Primary Certificate Types
  - Primary Site Server Signing Cert
  - Site System Server Authentication Cert(s)
  - Client Authentication Certs
- All Clients must have their own, unique client authentication certificate
- Secondary site servers do not need a site server signing certificate

Certificate Deployment (demo)

Implications
- Agent Deployment
  - Certificates on the clients
  - By default SLPs are not used
  - "Internet only" clients must be installed manually
    CCMSetup.exe /native:CRL SMSSITECODE=ABC SMSMP=mgmtpoint

Implications
- WSUS/SUP
  - Must manually add the Web server cert in IIS
  - Must manually configure IIS for SSL
    - Require SSL on virtual directories APIRemoting30, ClientWebService, DSSAuthWebService, ServerSyncWebService, and SimpleAuthWebService
    - <WSUS Installation Folder>\Tools: WSUSUtil.exe configuressl <Intranet FQDN of the software update point site system>

Implications
- OSD
  - PXE
  - Boot Images require client certificates and a copy of the Root CA certificate
  - Build and Capture reference systems are not on the domain
  - CDP must be available

Notes from the Field
- Initial Installation
  - Install in mixed mode and migrate
    - Easier to troubleshoot
    - Better when no PKI in place already
    - Better for organizations unfamiliar with ConfigMgr
  - Install in native mode
    - Requires PKI
    - Compounding issues

Notes from the Field
- PKI Decisions
  - Some decisions are not reversible without a lot of pain
    - CRL Distribution Points
    - Certificate Validity Period
    - Key Length
  - Just because it works in the lab, does not mean it will work in production

Notes from the Field
- Intra-SUP Communication
  - SUP to SUP communication is mostly HTTPS in native mode
  (diagram: Internet Based SUP and Active SUP exchanging EULAs, Update Metadata and Configuration)

Notes from the Field
- PKI Timing
  - Certificate deployment is not instantaneous
  - Templates are stored in AD
  - Clients must be active and have connectivity to request a certificate
  - Plan for this delay

Other Notables
- Native Mode is not a one-way choice
- Parent sites must be migrated first
  - Mixed mode parent sites do not support Native Mode child sites
- Secondary site modes are dictated by their parent site's mode
- Native Mode Readiness Tool: http://technet.microsoft.com/en-us/library/bb680986.aspx

Links
- MS Internet Clients & Native Mode Forum: http://social.technet.microsoft.com/Forums/en-US/configmgribcm/threads/
- System Center ConfigMgr TechCenter Library: http://technet.microsoft.com/en-us/library/bb735860.aspx
- Configuration Manager Team Blog: http://blogs.technet.com/configmgrteam/
- My Blog: http://myitforum.com/cs2/blogs/jsandys
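The WSUS/SUP step from the Implications slides (require SSL on the five listed virtual directories, then run WSUSUtil.exe configuressl against the SUP's intranet FQDN) as a script. This is an added example, not part of the session deck; it assumes the WSUS site is the default "WSUS Administration" IIS site, that WSUS is installed under %ProgramFiles%\Update Services, and that the web server certificate has already been bound to the site's HTTPS binding in IIS.

```powershell
# Added example (not from the session deck). Enforce SSL on the WSUS virtual
# directories named on the slide, verify each one, then run WSUSUtil configuressl.
# Assumptions: default site name "WSUS Administration", default WSUS install path,
# and the web server certificate already bound to an HTTPS binding on that site.
param(
    [Parameter(Mandatory = $true)]
    [string]$SupFqdn,                                   # intranet FQDN of the SUP site system
    [string]$SiteName = 'WSUS Administration',          # assumed default WSUS site name
    [string]$WsusUtil = "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe"  # assumed path
)

Import-Module WebAdministration

# The five virtual directories the slide says must require SSL.
$vdirs = 'APIRemoting30', 'ClientWebService', 'DSSAuthWebService',
         'ServerSyncWebService', 'SimpleAuthWebService'

# Precondition from the slide: the web server cert must already be in IIS.
# Requiring SSL without an HTTPS binding just breaks every client and child SUP.
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    throw "No HTTPS binding on '$SiteName'; bind the web server certificate in IIS first."
}

foreach ($vdir in $vdirs) {
    $location = "$SiteName/$vdir"
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

    # Read the setting back so a mistyped directory name cannot pass silently.
    $raw = Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags'
    $flags = if ($raw -is [string]) { $raw } else { $raw.Value }
    if ("$flags" -notmatch 'Ssl') { throw "SSL is still not required on $location" }
    Write-Host "Require SSL is set on $location"
}

# Second half of the slide: tell WSUS itself to use SSL for the SUP FQDN.
if (-not (Test-Path $WsusUtil)) { throw "WsusUtil.exe not found at $WsusUtil" }
& $WsusUtil configuressl $SupFqdn
if ($LASTEXITCODE -ne 0) { throw "WsusUtil configuressl failed with exit code $LASTEXITCODE" }
```

Run it in an elevated PowerShell session on the SUP site system; the HTTPS binding check mirrors the slide's order (certificate in IIS first, then SSL enforcement).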