[Today's post is brought to you by Carol Bailey]
When you read the product documentation for using Internet-based client management in Configuration Manager 2007, you will see in the overview information that there are three different management states that a Configuration Manager client can be in when assigned to a site that's configured for Internet-based client management:
An intranet-only client is a client that's assigned to a site configured for Internet-based management but isn't currently configured to be managed over the Internet. It has the capability to be managed over the Internet but cannot do so until it is assigned to the Internet-based management point. Not everybody wants all their clients to be configured for Internet client management - and there's little point in making an additional configuration for servers and workstations that do not move.
An Internet-only client will never attempt to find the default management point on the intranet, and consequently will never be managed as an intranet client with all the features that this offers. This includes finding the nearest distribution points when roaming into another site on the intranet, Network Access Protection, Wake on LAN, operating system deployment, and features that require access to Active Directory Domain Services - such as distributing software to users rather than computers.
A client that supports both intranet and Internet client management can seamlessly move between being managed on the intranet as an intranet client, and being managed on the Internet. This can even include switching from an Internet-based distribution point to an intranet-based distribution point in the middle of a download. When the client detects a change in network, this kicks off service location to find its intranet management point (the default management point in its assigned site or proxy management point if it's within the boundaries of a secondary site that belongs to its assigned site). If service location fails, the client deduces that it must be on the Internet and so tries to communicate with its assigned Internet-based management point. The assigned Internet-based management point always directs the client to the Internet-based site systems in the site, and never to intranet-based site systems or to Internet-based site systems in another site.
Being able to move seamlessly from the intranet to the Internet was one of the main feature requirements for the product group. As long as you have configured the client with the Internet-based management point, there's nothing extra to configure on the client to support this behavior. In comparison, there is extra configuration to support Internet-only client management because this is a client installation property and cannot be changed post installation. So why would you ever configure a client for Internet-only management?
The documentation tells you that this is applicable for two scenarios:
However, as a tip or trick, I'm proposing that you also consider using Internet-only management on the intranet, for the following two reasons:
When a Configuration Manager client is installed as Internet-only and is connected to the intranet, the client continues to behave as if it is still connected to the Internet, without affecting non-Configuration Manager functionality. This means that the client will continue to contact the Internet-based management point to download policy and upload information such as inventory, compliance information, and status messages. The client will download packages from any of the Internet-based distribution points in its site (they are all considered equal because there is no concept of "nearest distribution point" with Internet-based client management), even if it's within the boundaries of another site in the hierarchy. It will scan against the Internet-based software update point, and it will continue to communicate with the Internet-based fallback status point.
For this scenario to work, both of these conditions must be met:
I know customers who use this configuration for the simplicity factor, but I particularly like this strategy for testing when the site is first configured for Internet-based client management. Configuring Internet-based client management in Configuration Manager isn't difficult - but it is "bitty", and it's easy to slip up with something like a typo in an FQDN or simply to miss one of the steps. Testing on the intranet helps to narrow the scope for more efficient troubleshooting.
For Internet-based client management to work, these are the key configuration steps within Configuration Manager:
For a more complete list of checks, see the following:
To install the client as Internet-only, use the CCMALWAYSINF=1 property with CCMSetup.exe. You will also need to specify, at a minimum, /native, the site code, and the Internet FQDN of the management point. When the client has been installed, view the Configuration Manager client properties and confirm that the ConfigMgr Connection Type on the General tab displays Always Internet. When this is displayed, the client will never communicate with the intranet-based site systems, so if the client successfully communicates with the site, it must be using the Internet-based site systems. If this works when the client is on the intranet but no longer works when the client is moved to the Internet, you have eliminated misconfiguration within Configuration Manager, and it's time to look over the network infrastructure between the client and the intranet.
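As an added example (not part of Carol's post), here is the install and the first confirmation step above as a PowerShell script. The CCMSetup switches /native, SMSSITECODE, CCMALWAYSINF and CCMHOSTNAME are the real properties; the site code, FQDNs and CCMSetup path are placeholders, and the registry value and log path used for the check are assumptions to verify against a known-good client before relying on them.

```powershell
# Added example: install a ConfigMgr 2007 client as Internet-only and confirm
# it is in the "Always Internet" state. All values below are placeholders.
$SiteCode   = 'XYZ'                                      # placeholder site code
$InternetMP = 'mp.internet.example.com'                  # placeholder Internet FQDN of the MP
$IntranetMP = 'mp01.corp.example.com'                    # placeholder intranet MP name
$CcmSetup   = '\\siteserver\SMS_XYZ\Client\ccmsetup.exe' # placeholder path

function Install-InternetOnlyClient {
    # /native       : native mode (required at a minimum, per the post)
    # CCMALWAYSINF=1: Internet-only; cannot be changed after installation
    # CCMHOSTNAME   : Internet FQDN of the Internet-based management point
    $arguments = @('/native',
                   "SMSSITECODE=$SiteCode",
                   'CCMALWAYSINF=1',
                   "CCMHOSTNAME=$InternetMP")
    Start-Process -FilePath $CcmSetup -ArgumentList $arguments -Wait
}

function Test-InternetOnlyClient {
    # Assumption: the "ConfigMgr Connection Type" on the General tab is backed
    # by this DWORD (1 = Always Internet). Confirm the value name on your build.
    $key = 'HKLM:\SOFTWARE\Microsoft\CCM\Security'
    $always = (Get-ItemProperty -Path $key -Name ClientAlwaysOnInternet `
               -ErrorAction SilentlyContinue).ClientAlwaysOnInternet
    $result = [ordered]@{ AlwaysInternet = ($always -eq 1) }

    # An Internet-only client should only ever resolve the Internet MP, so the
    # location log should name the Internet FQDN and never the intranet MP.
    # Assumption: 2007 client logs live under System32\CCM\Logs.
    $log = Join-Path $env:windir 'System32\CCM\Logs\LocationServices.log'
    if (Test-Path $log) {
        $text = Get-Content -Path $log -Raw
        $result.TalksToInternetMP  = [bool]($text -match [regex]::Escape($InternetMP))
        $result.MentionsIntranetMP = [bool]($text -match [regex]::Escape($IntranetMP))
    }
    [pscustomobject]$result
}

Install-InternetOnlyClient
Test-InternetOnlyClient
```

If AlwaysInternet is true and the log shows only the Internet FQDN, a working client on the intranet proves the Internet-based site systems are configured correctly, which is the test the post describes.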
There are a number of ways to confirm that the client is successfully communicating with the site, including:
If you decide to use Internet-only client management on the intranet as a long-term strategy, rather than a short-term testing strategy, make sure that you don't need any of the features or capabilities that are not supported in this configuration. Review "Features that Are Not Supported on the Internet" in the topic Overview of Internet-Based Client Management. If you install clients as Internet-only and later decide that you need any of these intranet features, reinstall the client without the CCMALWAYSINF=1 property.
Although the Internet-only capability wasn't designed with these two uses in mind, this configuration can be a useful tip or trick to keep in your arsenal.
This posting is provided "AS IS" with no warranties and confers no rights.
Carol Bailey had another great post over on the System Center Configuration Manager team blog yesterday.
Feed: The Configuration Manager Support Team Blog Posted on: Wednesday, March 04, 2009 10:29 AM Author
Just to let everybody know there is a problem with switching back from Internet-based clients, and that is that the client record in the DB still says the client belongs to the Internet and this prevents the computer from installing a new operating system. The client says it's still on the Internet and can't install itself even if the client is reinstalled as mentioned above.
Great blog, but if you use always internet you will not be able to define any slow or fast links.
That means the clients will be able to download whatever size application on whatever type of link.
That may become an issue.
@Fredrik - I haven't had any problems with that. The clients switch back and forth. If I force them to be Always Internet and then go back to letting the client find out for itself - it works very well :) It's important to know that you will have to re-install the client, not only remove the FQDN string from the Internet tab on the client settings.
Trying to find guidance or reference articles on how to use a public CA (wildcard certificate from DigiCert.com) to manage Internet clients with Configuration Manager 2012. Thanks
Just a word of warning: I have taken this approach on 2012 SP1 and have had issues recently with updates; clients attempt to get update content from Windows Update as a primary source, which isn't ideal if your client doesn't have Internet access. Even though it should fail over to my internal (Internet) distribution point, it never does, and it causes the clients to hang. I have found a temporary workaround; however, it is probably not supported, so I am still seeking a final solution...