IBCM Setup
I am looking for some guidance for setting up an IBCM server.  My setup is currently one site server, one SQL server, and several DPs.  I will be using the internet URL for laptops only, no MDM as we already have a solution in place. What I am thinking is to set up a new server for IBCM, install the DP role and NAT a public IP (public DNS also) to this server. Is this correct thinking?  I will be using a public cert for H
September 1st, 2015 2:18pm

Hi,

It sounds like a valid plan, however there is no need to use a public certificate for the IBCM as all your clients will trust the internal one.

Here is some useful information as well if you haven't seen it already.

http://blogs.technet.com/b/configurationmgr/archive/2013/12/11/a-closer-look-at-internet-based-client-management-in-configmgr-2012.aspx

Regards,
Jörgen

September 1st, 2015 2:27pm

SCCM doesn't work with NATs.  If you are setting up a DMZ box then you would need to set the site server or Secondary to have a DP, WSUS and MP role depending on what you are trying to accomplish.  Then set that box for HTTPS mode.  Also you would set the site system to be "site initiated" so the box on the inside of the network reaches into the DMZ and pulls back the data.

You only need a few ports from the inside to the perimeter network box that will be supporting https clients.

September 1st, 2015 2:29pm

Thank you.  The reason for using a public cert is my current CA is a mess!  No one has the time or the urgency from mgt to fix it.
September 1st, 2015 2:44pm

The others already touched on this, but you need more than just a DP to support Internet clients as they must also be able to communicate with an MP.

Also, using a cert from a public CA will get expensive real quick as you need more than just server auth certs for your site role. You also need a unique client auth cert for each and every client that you will be managing over the Internet -- buying these from a public CA will get expensive quick and be a nightmare to manage and deploy.

September 1st, 2015 4:06pm
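The per-client certificate requirement raised above, as an added check that is not from the thread: a PowerShell snippet that lists certificates in the local computer's Personal store that carry the client-authentication EKU and a private key, and reports whether each chains to a trusted CA. The 'Contoso' issuer name is a placeholder for your internal CA.

```powershell
# Added example, not from the thread: inventory client-authentication certificates
# in the computer's Personal store, the kind a ConfigMgr client needs to talk to an
# HTTPS MP/DP over the Internet. Assumes the internal issuing CA's name contains
# 'Contoso' (placeholder; replace with your CA's name).
$ClientAuthOid  = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
$InternalCaName = 'Contoso'             # placeholder

function Test-ClientAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $ClientAuthOid) { return $true }
            }
        }
    }
    return $false
}

$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and (Test-ClientAuthEku -Cert $_) }

if (-not $candidates) {
    Write-Warning 'No client auth certificate with a private key; HTTPS site systems will reject this client.'
    return
}

$candidates | ForEach-Object {
    # Verify() builds the chain and checks trust, validity period and revocation;
    # a cert from a broken CA (unreachable CRL/AIA, untrusted root) fails here.
    [pscustomobject]@{
        Subject        = $_.Subject
        Issuer         = $_.Issuer
        NotAfter       = $_.NotAfter
        ChainValid     = $_.Verify()
        InternalIssuer = ($_.Issuer -match $InternalCaName)
        Thumbprint     = $_.Thumbprint
    }
} | Format-Table -AutoSize
```

A row with ChainValid false on an otherwise good certificate usually means the CRL or AIA locations of the issuing CA are unreachable from that client, which is the kind of CA problem the thread is discussing.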

I am going to make an MP as well, and keep my current SUP that is for intranet.

If I use godaddy for my cert, the CA is already published with MS.  This is not correct thinking?

Is it not like applying a cert to a web server?  You cert that webserver with a valid public cert that has a valid public CA?

September 1st, 2015 4:15pm

OK, but are they going to pay $100+ every year for *every* client managed over the Internet? Even for just 100 clients that's $10,000 per year and doesn't include actually deploying them to clients which will *not* be easy. Note that I have no idea what a client auth cert actually costs from a public CA so I'm just guessing at the $100 and I'm sure that depends upon the vendor also.
September 1st, 2015 8:43pm

I was thinking the same thing yesterday and had a talk with my director about it.  Now I have some time to try and fix my CA.
September 2nd, 2015 11:07am

You'll probably be best served to stand up a new PKI (as there's no reason you have to use the existing one) with the help of someone who is PKI smart. It is *very* easy to make bad choices when setting up a PKI if you do not have PKI experience and knowledge -- it's not difficult necessarily, however, there are a ton of "ins and outs".
September 2nd, 2015 11:17am
