Management point selection

I know this has been discussed multiple times, but I need some additional help with clients selecting a management point.

We have an SCCM server in the DMZ whose purpose will be mainly to support MACs.  The server in the DMZ is joined to the domain.  I've installed the MP, DP, Enrollment point and Enrollment proxy point on it.

So, the MACs will use this as their MP, DP, etc.

However, is there a way to get Windows clients to use the internal MP, or will the selection always be random?  All of our Windows clients are HTTPS capable. We have a PKI infrastructure and all (Windows) clients have the root cert.

I wasn't sure if there was a way to put a selection priority on a MP (vs. http/https).

Where/when does the client push install properties come into play if I've specified the internal MP here, but the client still finds the MP in the DMZ?

Our environment is server 21012 R2, SCCM 2012 R2, SQL 2012.  SCCM is one primary site.

February 4th, 2014 7:33pm

The only prioritization that ever happens is HTTPS MPs over HTTP ones. There is no manual manipulation of MP priorities.

Using the SMSMP property simply sets the initial MP, clients then randomly pick which one to use every 22 hours (I think).

February 4th, 2014 8:34pm
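A check that follows from the answer above, added here and not part of the thread: it reads which MP the ConfigMgr client is currently using and which candidate MPs it knows, then flags whether the current one is the DMZ MP. The DMZ MP name is a hypothetical placeholder; the WMI classes queried are the standard client classes SMS_Authority (root\ccm) and SMS_ActiveMPCandidate (root\ccm\LocationServices).

```powershell
# Added example (not from the thread): report the MP this ConfigMgr client is
# using and the candidate MPs it knows, then flag whether it picked the DMZ MP.
# Assumptions:
#   $DmzMp is a hypothetical placeholder for the DMZ management point's FQDN.
#   SMS_Authority exposes CurrentManagementPoint and Name ("SMS:<sitecode>").
#   SMS_ActiveMPCandidate exposes MP, Type and Locality for each known MP.
param(
    [string]$DmzMp = 'dmz-mp.example.com'   # hypothetical placeholder, adjust
)

# Assigned site and the MP the client is currently talking to
$auth      = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Authority' -ErrorAction Stop
$currentMp = $auth.CurrentManagementPoint
$siteCode  = $auth.Name -replace '^SMS:', ''

# All MPs the client learned about during MP lookup (assigned, proxy, internet)
$candidates = Get-CimInstance -Namespace 'root\ccm\LocationServices' `
                              -ClassName 'SMS_ActiveMPCandidate' -ErrorAction SilentlyContinue

Write-Output ("Assigned site : {0}" -f $siteCode)
Write-Output ("Current MP    : {0}" -f $currentMp)
Write-Output "Known MP candidates:"
foreach ($c in $candidates) {
    Write-Output ("  {0,-40} Type={1} Locality={2}" -f $c.MP, $c.Type, $c.Locality)
}

if ($currentMp -ieq $DmzMp) {
    # Expected when the DMZ MP is HTTPS and the internal MP is HTTP: HTTPS MPs
    # are preferred, and SMSMP on ccmsetup only seeds the initial choice.
    Write-Warning "This client is using the DMZ MP ($DmzMp); the selection is re-evaluated periodically."
} else {
    Write-Output "Current MP is not the DMZ MP."
}

# Client logs that record MP lookup and selection, useful when the choice looks wrong
$logDir = Join-Path $env:windir 'CCM\Logs'
foreach ($log in 'LocationServices.log', 'ClientLocation.log') {
    $path = Join-Path $logDir $log
    if (Test-Path $path) { Write-Output ("Review {0} for MP selection details." -f $path) }
}
```

Run it in an elevated PowerShell session on a client that has the ConfigMgr agent installed; it only reads client state and changes nothing.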

As Jason said, there isn't a way to prioritize an MP.  The only option is to install a secondary and then assign the clients to that 'site'.
February 4th, 2014 8:52pm

Thanks - that's what I thought, but networks was concerned about (the potential) increased traffic between the internal servers and the DMZ....

February 4th, 2014 8:54pm

But a secondary site is not possible in a DMZ; secondary sites are not gateways and clients must be able to directly communicate with MPs in the primary site.
February 4th, 2014 8:57pm

Consider installing the client as IBCM or install a Sec site in DMZ. When the client gets the default MP from Primary site, then it will query the proxy MP from default MP, which is the MP on the Sec site.
February 5th, 2014 5:24pm

"...or install a Sec site in DMZ."

No, that is not accurate or correct at all as I specifically stated above. Secondary Sites in any type of controlled or restricted zones do *not* work; they are *not* gateways.
February 5th, 2014 6:31pm

Yes, they are not gateways. But if the clients in the SEC can communicate with the MP in the Primary, then the proxy MP will be used in the Sec. All the policies will be pulled from the Proxy MP in the SEC.
February 7th, 2014 9:43am

If the clients can talk to the primary site's MP, why would you consider putting a secondary site in the DMZ then? The whole point of a secondary is remote connectivity, not segregated/restricted connectivity. Also, there's no such thing as a proxy MP anymore. The MP on secondary sites in 2012 was completely redesigned and pulls policies from a local SQL instance and thus does not proxy anything.
February 7th, 2014 3:35pm

The secondary site global data, for example, provides links to full policy at the primary site, so clients can quickly determine if there is new applicable policy. Also, this secondary site data provides management and distribution point lookup information, and the name of the sec MP is still listed as Proxy MP in Client Properties.

The CU just wants the computers in the DMZ to communicate with a dedicated MP. This is a practical way.

February 18th, 2014 12:11pm

Sorry, but that does not change the fact that clients require a connection to the primary's MP -- this is an immutable requirement.

If this is possible, why have a secondary at all? DMZs are not remote locations, they are simply segregated locations thus proxying and throttling are irrelevant, so once again, if the clients can communicate with the primary's MP, the secondary serves no purpose.

Thus, it's not a practical way because it's not technically feasible to use a secondary site in DMZ where communication is not allowed back to the primary MP.

February 18th, 2014 3:33pm

We are still having discussions about our 2 MPs.  (We are on CM2012 R2 CU1.)  The HTTPS MP is in our admin DMZ.  The HTTP MP is in our internal network.  The machines that are domain joined and have the CM2012 client on them use the HTTPS MP (because of selecting HTTPS first vs. HTTP).

Both MPs are in the same boundary group.  In this boundary group we also have the IP subnets that are used for machines to be imaged and are not yet joined to the domain.

The boundary group is used for site assignment and content location.

The HTTPS MP also has the boot and OS Images on it as it is also a DP.

If I remove the HTTPS MP from the boundary group, will the clients currently pointing to it have any issues?  Esp. since the "renewal" time is in the 20-25 hour range?

If there is a combination of HTTP and HTTPS MPs, what is the best way to handle this for imaging?

May 18th, 2015 3:54pm
